Boney Boi Breakdance
Challenge:
We intercepted this image from a known DEADFACE affiliate. Some kind of tool was used to hide a file in this image. Unlike some of the other, easier images that used steganography, this one appears to require a passphrase. I bet it's somehow related to the image used to hide the file.
Solution:
Based on the challenge description I had a hunch Steghide was the tool used, and with the password being "…somehow related to the image" I began the task of building a relevant wordlist that could be used to brute-force Steghide. I performed a Google Image search and was led to the Wikipedia page for Danse Macabre, which detailed the history of the picture. This seemed like a great source for building a wordlist, so I used DigiNinja's custom wordlist generator, CeWL, to scrape the Wikipedia page and compile a list of words.
I set options to instruct CeWL to scrape just that one page and to only collect words greater than 5 characters in length, which produced a list of 1,650 words.
$ cewl --depth 0 --min_word_length 5 -w words.txt https://en.wikipedia.org/wiki/Danse_Macabre
I then launched StegCracker to begin brute-forcing Steghide against the JPEG, using the custom wordlist.
$ stegcracker dance_of_death.jpg words.txt
Error: Failed to crack file, ran out of passwords.
Well, that was unexpected; apparently the password isn't in my custom wordlist. I manually reviewed the wordlist and noticed an abundance of capitalized words. I used dd to convert the wordlist to all lowercase characters:
$ dd if=words.txt of=lc_words.txt conv=lcase
27+1 records in
27+1 records out
14152 bytes (14 kB, 14 KiB) copied, 0.000288439 s, 49.1 MB/s
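The dd step above lowercases the bytes but keeps every line, so a list scraped from a web page still carries the same word several times in different capitalizations, and lowercasing them all leaves duplicates that each cost a Steghide attempt. The shell function below is an added example, not part of the original writeup or of CeWL or StegCracker: it lowercases, strips stray carriage returns, drops words shorter than a chosen minimum, and removes duplicates while keeping the first occurrence, then reports how many candidates remain. The function name, the `demo` helper and the sample words are constructed for illustration; the real 1,650-word list is not on the page.

```shell
#!/bin/sh
# Added example: normalize a scraped wordlist before handing it to a
# passphrase-guessing tool. Compared with `dd conv=lcase`, this also removes
# duplicates created by case differences and enforces a minimum length, so
# the cracker is not asked to try the same candidate more than once.
# Usage: normalize_wordlist INPUT OUTPUT [MIN_LEN]   (prints the resulting count)

normalize_wordlist() {
    in="$1"
    out="$2"
    min_len="${3:-5}"
    # 1. lowercase everything            2. drop CR from Windows line endings
    # 3. keep only words >= min_len chars and emit each distinct word once
    tr '[:upper:]' '[:lower:]' < "$in" \
        | tr -d '\r' \
        | awk -v n="$min_len" 'length($0) >= n && !seen[$0]++' > "$out"
    wc -l < "$out" | tr -d ' '
}

# Constructed sample resembling a CeWL scrape of the Danse Macabre article
# (hypothetical content; the author's actual list is not reproduced here).
demo() {
    tmp_in=$(mktemp)
    tmp_out=$(mktemp)
    printf '%s\n' Wolgemut wolgemut WOLGEMUT Nuremberg dance Danse Macabre Holbein tod > "$tmp_in"
    echo "input lines:  $(wc -l < "$tmp_in" | tr -d ' ')"
    echo "output lines: $(normalize_wordlist "$tmp_in" "$tmp_out" 5)"
    cat "$tmp_out"
    rm -f "$tmp_in" "$tmp_out"
}

demo
```

On the constructed sample the nine input lines collapse to six candidates (wolgemut, nuremberg, dance, danse, macabre, holbein); the three spellings of Wolgemut become one entry and the three-letter "tod" is dropped by the length filter. Since Steghide passphrases are case-sensitive, it can be worth running the tool once with the lowercased list and, if that fails, once with the original capitalization, rather than mixing both in a single, larger list.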
Then I relaunched StegCracker with the lowercase wordlist:
$ stegcracker dance_of_death.jpg lc_words.txt
Successfully cracked file with password: wolgemut
Tried 982 passwords
Your file has been written to: dance_of_death.jpg.out
Success! Viewing the extracted file reveals the flag:
$ cat dance_of_death.jpg.out
flag{d4n53_m4c4br3_nuremberg}