[Incognito CTF 3.0] Not Steganography

exiftool of the image:

Image Width                     : 271828
Image Height                    : 271828
Bit Depth                       : 1
Color Type                      : Palette
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Noninterlaced
Palette                         : (Binary data 6 bytes, use -b option to extract)
Image Size                      : 271828x271828
Megapixels                      : 73890.5

As we can see, we have a huge 271828x271828 non-interlaced image that we can't open, even though pngcheck says it's OK.

Hex Analysis

At first look we see a lot of null bytes in the image, but from address 0x00443C90 to address 0x00447F8F there is data. The flag has to be in this portion of the file, so I extracted the header of the image from 0x00000000 to 0x0000004F, the data we found before from 0x00443C90 to 0x00447F8F, and the footer from 0x0088BBC8 to 0x0088BBE8. Once I had those three portions of the file, I concatenated them. We know that the image is non-interlaced, so the pixel data is stored from left to right and from top to bottom; knowing this, we assume that we have removed some rows from the top and bottom of a square image.

Width and Height and qrCodes

Now we have an image with data, but we still can't see it because the dimensions are messed up. The original dimensions were 271828x271828, so now we have to "guess" the new ones. We can't touch the width, because that would shift the offset of each new row and we would lose the image, so the only thing we can try is the height. After a few tries we get the right dimensions (271828x199), and in this image we can see a QR code. (I also changed the palette colors, because a red-on-blue QR code hurt my eyes, so I made it B&W.) The first QR code decodes to an ASCII QR code that has the solution in it.


So the final flag is ictf{size_matters}
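
The carve-and-patch procedure from the two sections above, in Python. This is an added example, not the author's own tooling: the function names and the miniature sample file built in demo() are constructed for illustration, while the inclusive byte ranges in RANGES are the ones quoted in the write-up. The IHDR CRC is recomputed after the height change because it covers the height field.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Inclusive byte ranges quoted in the write-up: header, data, footer.
RANGES = [(0x00000000, 0x0000004F),
          (0x00443C90, 0x00447F8F),
          (0x0088BBC8, 0x0088BBE8)]


def carve(blob, ranges):
    """Concatenate the inclusive (start, end) byte ranges of blob."""
    return b"".join(blob[start:end + 1] for start, end in ranges)


def set_png_height(png, height):
    """Return a copy of png with a new IHDR height and a matching IHDR CRC."""
    if png[:8] != PNG_SIG or png[8:16] != b"\x00\x00\x00\x0dIHDR":
        raise ValueError("expected a PNG signature followed by a 13-byte IHDR")
    # Bytes 12..28 are the chunk type plus data; the height sits at 20..23.
    ihdr = png[12:20] + struct.pack(">I", height) + png[24:29]
    return png[:12] + ihdr + struct.pack(">I", zlib.crc32(ihdr)) + png[33:]


def ihdr_info(png):
    """Return (width, height, crc_ok) read from the IHDR chunk."""
    width, height = struct.unpack(">II", png[16:24])
    (stored,) = struct.unpack(">I", png[29:33])
    return width, height, stored == zlib.crc32(png[12:29])


def demo():
    """Run both steps on a constructed miniature of the challenge layout."""
    ihdr = b"IHDR" + struct.pack(">IIBBBBB", 271828, 271828, 1, 3, 0, 0, 0)
    header = PNG_SIG + struct.pack(">I", 13) + ihdr + struct.pack(">I", zlib.crc32(ihdr))
    footer = struct.pack(">I", 0) + b"IEND" + struct.pack(">I", zlib.crc32(b"IEND"))
    # header | zero padding | placeholder data | zero padding | footer (all constructed)
    blob = header + bytes(100) + b"DATA" * 4 + bytes(100) + footer
    return set_png_height(carve(blob, [(0, 32), (133, 148), (249, 260)]), 199)


if __name__ == "__main__":
    print(ihdr_info(demo()))
```

On the challenge file itself, the same two calls apply with RANGES: set_png_height(carve(data, RANGES), 199), where data is the full file read as bytes.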