Massacre - Hack The Box Challenge

2 minute read

This is the image:

[Image: massacre htb 1]

This is one of the two most difficult stego challenges on this website, and with good reason.

For this challenge we will need a script; in my case, a Python one.

After a lot of research, I realized that some subpixels of each pixel (RGB value) don't end with 0, so …

1. The script skips the irrelevant RGB values:

for rgb in pixels:  # Skipping zero RGBs
    if rgb != (0, 0, 0):
        nozero.append(rgb)

2. It processes only the values that don't end with 0:

for i in nozero:
    if i[0] % 10 != 0 or i[1] % 10 != 0 or i[2] % 10 != 0:  # Some numbers don't end with 0, so we want those

3. Then it extracts the LSB (least significant bits), generating a new RGB value, converts it to binary, and finally gets the ASCII character represented by that binary number converted to decimal:

        r = '{:08b}'.format(i[R] % 10)[6:8]  # Last digit of the value (modulo 10) written as 8 bits; keep its last 2 bits
        g = '{:08b}'.format(i[G] % 10)[5:8]  # Same, but keep the last 3 bits
        b = '{:08b}'.format(i[B] % 10)[5:8]  # Same, but keep the last 3 bits
        bits = r + g + b  # 2 + 3 + 3 bits form one 8-bit binary number
        char = chr(int(bits[:8], 2))  # ASCII char from the 8-bit number converted to decimal
        message = message + char  # Appends each char to the message

4. Then the script searches for just the flag in the message formed by all the characters:

regex = re.compile(r"(HTB\{.*?\})")  # Pattern for the flag; braces escaped, non-greedy so it stops at the first closing brace
found = regex.search(message)  # Searching for that pattern in the message

Finally, if everything went OK, we'll get the flag.

This script actually takes very little time to run, thanks to the filters and optimizations that were implemented.
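The encoding described in the steps above, as an added example that is not part of the original script: a round trip over a constructed pixel list, so no image file is needed. `encode`, `build_sample`, `BASE` and `COVER` are hypothetical names and values, and the encoder is only an assumption about how such an image could be produced; the decoder applies the same filter and 2 + 3 + 3 bit selection as the script, using bit masks instead of string slicing.

```python
import re

BASE = (120, 60, 200)   # constructed carrier colour: multiples of 10, at most 240
COVER = [(0, 0, 0), (250, 130, 90), (10, 20, 30)]   # constructed filler pixels


def encode(text):
    """Store each character in the last decimal digit of R (2 bits), G and B (3 bits each)."""
    pixels = []
    for ch in text:
        code = ord(ch)
        if not 0 < code < 256:
            # NUL would give digits (0, 0, 0), which the decoder treats as cover.
            raise ValueError("only non-NUL 8-bit characters can be carried")
        digits = (code >> 6, (code >> 3) & 7, code & 7)
        pixels.append(tuple(base + d for base, d in zip(BASE, digits)))
    return pixels


def decode(pixels):
    """Same filtering and bit selection as the script on this page, using bit masks."""
    chars = []
    for r, g, b in pixels:
        dr, dg, db = r % 10, g % 10, b % 10
        if (dr, dg, db) == (0, 0, 0):   # cover pixel; this also skips pure black
            continue
        chars.append(chr(((dr & 3) << 6) | ((dg & 7) << 3) | (db & 7)))
    return "".join(chars)


def build_sample(secret):
    """Interleave carrier pixels with cover pixels, as a flat pixel list."""
    pixels = []
    for n, carrier in enumerate(encode(secret)):
        pixels.append(COVER[n % len(COVER)])
        pixels.append(carrier)
    return pixels


def find_flag(message):
    match = re.search(r"HTB\{.*?\}", message)
    return match.group(0) if match else None


if __name__ == "__main__":
    sample = build_sample("..HTB{constructed_example}..")
    print(find_flag(decode(sample)))
```

The carrier colour stays at or below 240 so that adding a digit up to 7 never exceeds 255, and NUL is rejected because its three digits would all be 0 and the decoder would skip it as cover.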

Autopwn

#!/usr/bin/env python3

import re
import sys

from PIL import Image

R, G, B = 0, 1, 2   # Channel indexes inside each pixel tuple

img_name = 'massacre.png'

try:
    img = Image.open(img_name).convert('RGB')   # Image object with (R, G, B) pixels
except OSError:
    print('Put the massacre.png file in this directory')
    sys.exit(1)

pixels = list(img.getdata())    # Gets the image's data
nozero = []

print("Extracting non zero pixels...")
for rgb in pixels:  # Skipping zero RGBs
    if rgb != (0, 0, 0):
        nozero.append(rgb)
message = ""

print("Getting the message...")
# Getting the last digit from the RGB tuples
for i in nozero:
    if i[R] % 10 != 0 or i[G] % 10 != 0 or i[B] % 10 != 0:  # Some numbers don't end with 0, so we want those

        r = '{:08b}'.format(i[R] % 10)[6:8]  # Last digit of the value (modulo 10) written as 8 bits; keep its last 2 bits
        g = '{:08b}'.format(i[G] % 10)[5:8]  # Same, but keep the last 3 bits
        b = '{:08b}'.format(i[B] % 10)[5:8]  # Same, but keep the last 3 bits
        bits = r + g + b  # 2 + 3 + 3 bits form one 8-bit binary number
        char = chr(int(bits[:8], 2))  # ASCII char from the 8-bit number converted to decimal
        message = message + char  # Appends each char to the message

print("Looking for the flag...")
regex = re.compile(r"(HTB\{.*?\})")  # Pattern for the flag; braces escaped, non-greedy so it stops at the first closing brace
found = regex.search(message)   # Searching for that pattern in the message

if found:
    print(found.group(1))   # Shows the match
    sys.exit(0)
else:
    print("Nothing works")
    sys.exit(1)

Byee