Steganography - It's outside the box

A few months ago I take part to a CTF, like usually I learned a lot of cool tricks and tips. But there was one steganography challenge which I found awesome.
I use to search in the exifs of a picture, check relevant strings, or try binwalk and other tools on it… But this is another way to hide informations in a picture (or from a picture, you’ll see).

I will try to show you as good as possible how this works, and even how to create that challenge by your own :)

First of all, this is for PNG images only, it works with GIFs as well and JPG I don’t think so.

We only had a picture like this one :
In The Box
(This isn’t the image from the challenge I did)

There is no hidden stuff in the picture above, because this technique corrupts the image data. If you wanna try to solve the challenge anyway, I uploaded it on gofile.

When you see a suspicious PNG image, I recommend to verify that it is actually a PNG image and that everything works fine. You can use PNGCheck to do that.

As you can see here, there is a CRC error for the IHDR Chunk.Because he calculated the CRC checksum as CBD6DF8A but he found (and it should be) C798A151 in the PNG data.
PNGCheck Result CRC error in IHDR Chunk
If you wanna learn more about PNG Headers, I recommend this. To learn more about other headers, for GIF or JPG images, take a look at this article.
Also, you won’t be able to open the picture in Linux, due to that error.
CRC error on linux

The best thing to do now will be fixing that image, I can tell you two different methods in order to do that. It depends on if you wanna learn something or if you just wanna use tools that do some obscure things…
Anyway, I’m gonna start with the coolest one !

The cool method

So, as PNGCheck says, it found CBD6DF8A as checksum in the image data, but it computed another checksum.
You probably want to know what image data is and what that checksum is about.

The image data is reprensented in hexadecimal here, I created a transparent 10x10 pixel image to show you what it looks like.
10x10 pixel transparent image
you can use this website to do that

The middle bloc is the data in hexadecimal, that’s what we are looking for.
Each image has a signature to identify what image it is (PNG, JPG, GIF, …) and dome chunks.
Our PNG image contains a first chunk called IHDR chunk, and it contains
| | |
|——————— |——— |
| Width | 4 bytes |
| Height | 4 bytes |
| Bit depth | 1 byte |
| Color type | 1 byte |
| Compression method | 1 byte |
| Filter method | 1 byte |
| Interlace method | 1 byte |

It can be represented like this for a better comprehension:
PNG Signature
stolen from here

The rest of the data isn’t relevant for us in this case.

If you look at the different informations in the IHDR chunk, you can see a CRC checksum at the end with a size of 4 bytes. This checksum is computed using the data in the IHDR chunk.
In our picture this chunk is corrupted, to repair it we just have to replace the expected checksum (C798A151) with the computed one (CBD6DF8A).
Before
After

Now the image should be repaired.
But we still have no information about hidden data…

As I told you, the CRC checksum is computed using data like the height, width, bit depth, etc..
If the CRC checksum changed, that means that one (ore more) of these parameters changed too.
The easyest thing to verify are the dimensions of the image.

Dimensions Bytes
These bytes define the image dimensions.
since it is a square, obviously the bytes are the same. The size, in hexadecimal, is 1F4.
To convert that to decimal, you can use a hex to decimal converter like this one.
1F4 is equal to 500pixels.
Hex to decimal
If we take a look at the iamge dimensions, indeed, it is 500x500 pixels
Image Dimensions

So, we want to increase these dimensions, we just have to convert a decimal value to hex.
I am gonna choose twice the initial size, 1000px.
Decimal to Hex

And replace 1F4 from the height with 3E8 in out image. I choose only the height here, because I already know what data I have to change. Otherwise I would play around a little bit, to find out what I have to change.

New height bytes
Now, save the image.

And…
OutBox
Awesome.

The fast method

Of course, there are some tools to do all this much faster.
If you have an error with a PNG image, you can try to fix it using PCRT.
It is very easy to use.
PCRT

Once you fiwed the errors, there is an nice tool called TweakPNG to examine and modify PNG images.

You just have to load the image and change the dimensions in the IHDR chunk.
TweakPNG example

How to make one

Another fun thing is to re create a challenge.
This part is very easy, take an image and place your hidden content on it.
Now you know how to change the image dimensions, you can reverse the process and decrease the wanted dimensions.
But, please don’t use this method to hide sensitive data, that’s security by obscurity and so it’s not safe. Encrypting your data is always the best solution, however you can combine both.

If you wonder if you can send that image to a friend.
Only if the CRC chunk is repaired, you can upload your image on imgur and share it.
The hidden data will remain in the image. If you try to upload it to instagram, or messenger it won’t work.