Hidden in Plain Graphic

We're given a .pcap file and tasked with extracting a flag. Sounds easy, right? Let’s dive in.

We opened the plain_zight.pcap file using Wireshark, our trusty network forensics tool. Now here's the thing: there were a lot of packets flying around in there. SIP, SSH, HTTP, even some malformed DNS packets.

But one packet stood out like a black sheep. Literally, there was one packet that appeared highlighted in black in Wireshark. No kidding, like it was wearing a hoodie and avoiding eye contact.

Now, I know saying “because it was black” sounds sus, so here’s the proper technical justification:

In Wireshark, dark/red/black highlights are used to indicate anomalies like TCP retransmissions, duplicate ACKs, or malformed packets. These are often interesting in forensic or CTF contexts because they can signify hidden or unusual data transfers.

In our case, it was a TCP retransmission on port 80 (HTTP), which could indicate a file being resent, possibly our treasure.

We right-clicked that shady packet and selected Follow > TCP Stream.

Boom, a wall of gibberish... but hold on, at the very top, we saw the magic bytes:

.PNG

That's right, we were looking at raw PNG data being transferred over HTTP. We saved the stream's contents as raw bytes and gave the file a cool name: sus.png, because we're professionals who watch Among Us memes.

Now let’s poke at this file.

We ran a few standard commands:

Just noise. No flags.

Nothing out of the ordinary. Just normal metadata: PNG file, 512x512, RGB+Alpha. At this point, it was feeling like this image was just playing hard to get.

That’s our flag right there, hiding in the least significant bits (LSBs) of the RGB values in the image.
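To show what "hiding in the LSBs of the RGB values" actually means, here is an added example (not the write-up's own code) that embeds bytes in the least significant bit of consecutive R, G, B samples and reads them back, which is the kind of check a steg tool performs. It works on a constructed 10x10 pixel list rather than the real sus.png; with Pillow installed, `list(Image.open("sus.png").convert("RGB").getdata())` gives the same pixel shape.

```python
# Added example, not the write-up's own code: LSB steganography on an RGB
# pixel list. A pixel is an (r, g, b) tuple; the payload is a 4-byte big-endian
# length followed by the message, one bit per colour sample.

def _bits(data):
    """Yield the bits of a byte string, most significant bit first."""
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def embed_lsb(pixels, message):
    """Return a copy of pixels carrying message in the LSBs of consecutive
    R, G, B samples. Each sample changes by at most 1, so the image looks the same."""
    payload = len(message).to_bytes(4, "big") + message
    samples = [s for px in pixels for s in px]
    if len(payload) * 8 > len(samples):
        raise ValueError("carrier too small for payload")
    for i, bit in enumerate(_bits(payload)):
        samples[i] = (samples[i] & 0xFE) | bit
    return [tuple(samples[i:i + 3]) for i in range(0, len(samples), 3)]

def extract_lsb(pixels):
    """Read the LSB channel back. Returns None when the length prefix does not
    fit in the image, which is what an untouched carrier normally yields."""
    lsbs = [s & 1 for px in pixels for s in px]
    def take(n_bytes, offset):
        out = bytearray()
        for b in range(n_bytes):
            chunk = lsbs[offset + b * 8: offset + b * 8 + 8]
            out.append(int("".join(map(str, chunk)), 2))
        return bytes(out)
    if len(lsbs) < 32:
        return None
    length = int.from_bytes(take(4, 0), "big")
    if 32 + length * 8 > len(lsbs):
        return None
    return take(length, 32)

# Constructed 10x10 RGB gradient as a stand-in carrier (300 samples, so room
# for 37 payload bytes); the message is the flag the write-up recovers.
CARRIER = [(x * 25, y * 25, (x + y) * 12) for y in range(10) for x in range(10)]
FLAG = b"umcs{h1dd3n_1n_png_st3g}"
STEGO = embed_lsb(CARRIER, FLAG)

if __name__ == "__main__":
    print(extract_lsb(STEGO))    # b'umcs{h1dd3n_1n_png_st3g}'
    print(extract_lsb(CARRIER))  # None: nothing hidden in the plain gradient
```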

Flag: umcs{h1dd3n_1n_png_st3g}
