Hyperion Gray Stego Challenge

Hi! We are Hyperion Gray. We are a small team of software engineers, data scientists, and hackers creating clever solutions to hard problems


Hyperion Gray Stego Challenge

This crunchy little steganography challenge popped up on Twitter on 15 February 2019. I didn't crack it completely, but I think I got quite close.

Download the image from this link and blast off, stegonauts! Post your solutions in this thread. The first 3 finishers will get to pick their prize (t-shirt, poster, book).

I started by opening the image in Hex Fiend, and it appears to be a normal JPG image.

Running it through file, strings, and binwalk provided no additional information.

I ran the image through stegoVeritas, and located a couple of LSB decompositions that included a URL in the image:

>

The LSB (Least Significant Bit) analysis is based on the colour of a pixel (in RGB) being encoded into a single byte. The first bit (the LSB) can store additional information, but changing the pixel value by 1. So long as there isn’t too much information (going deeper into the byte and adding more to the pixel value) and there aren’t too many pixels affected, it’s not perceptible to the human eye.

The github repo provided contains a README markdown:

HGStegoChallenge
First to the finish gets a free shirt!
The following isn't relevant: Arire tbaan tvir lbh hc Arire tbaan yrg lbh qbja Arire tbaan eha nebhaq naq qrfreg lbh Arire tbaan znxr lbh pel Arire tbaan fnl tbbqolr Arire tbaan gryy n yvr naq uheg lbh

Don’t get too excited, that is just a Caesar cipher rickroll

It also contains a NothingToSeeHere.txt:

There is absolutely nothіng to see here.  Nothіng I tell yоu.  NOTHING!  Leave me alone.  Nо
cοokіes for you.  Thіs is just
some nоnsense І jarbled together!

And secretmap.jpg image (Hyperion Gray’s map of the dark web):

Opening this in Hex Fiend, it was clear that there were PKZIP headers and data at the end of the JPG. Isolating that data and renaming it map.zip produced a working ZIP archive containing the folder 53cr3t5 and the file hglogosteg.jpg

It’s Hyperion Gray’s logo and some image compare with the logo from their Twitter account shows some minor differences, primarily along the edges. Looking at the hex, the JPG header and footer look normal, but the header contains:
456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
which I’m given to understand means that stego encoded data is in the file. And looking at the file metadata, we can see it came from:
https://futureboy.us/stegano/encinput.html
https://futureboy.us/stegano/encode.pl

So, dropping it into https://futureboy.us/stegano/decinput.html we get nothing without a password. Where is the password???

I went back over the hex for clues and tried every logical password I could think of, without success. I even pounded on it with StegCracker and the rockyou wordlist without success.

I tried cloning the repo and looking at the logs, there were two versions of the secretmap.jpg.

git log -p

commit 5ef39de7bba1e8a283663c55ebb7dc66de84ec27 (HEAD -> master, origin/master, origin/HEAD)
Author: Carson Owlett <35844973+5C4R48Security@users.noreply.github.com>
Date: Fri Feb 15 10:46:48 2019 -0500

Update README.md

diff --git a/README.md b/README.md
index 008c1f3..e337aa3 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,10 @@
# HGStegoChallenge
First to the finish gets a free shirt!
+
+The following isn't relevant:
+Arire tbaan tvir lbh hc
+Arire tbaan yrg lbh qbja
+Arire tbaan eha nebhaq naq qrfreg lbh
+Arire tbaan znxr lbh pel
+Arire tbaan fnl tbbqolr
+Arire tbaan gryy n yvr naq uheg lbh

commit 60572be718defe8acce57b73059fcccfe8d6ebf0
Author: Carson Owlett <35844973+5C4R48Security@users.noreply.github.com>
Date: Fri Feb 15 10:31:01 2019 -0500

Add files via upload

diff --git a/secretmap.jpg b/secretmap.jpg
new file mode 100644
index 0000000..16ece1a
Binary files /dev/null and b/secretmap.jpg differ

commit 710753fd5c69928ff9e449590e569b0b4ea725c6
Author: Carson Owlett <35844973+5C4R48Security@users.noreply.github.com>
Date: Fri Feb 15 10:30:14 2019 -0500

Delete secretmap.jpg

diff --git a/secretmap.jpg b/secretmap.jpg
deleted file mode 100644
index 480d67f..0000000
Binary files a/secretmap.jpg and /dev/null differ

commit 4dcd1efef668e10eea2e80d5b95a7520662ffe6d
Author: Carson Owlett <35844973+5C4R48Security@users.noreply.github.com>
Date: Sun Feb 10 01:01:06 2019 -0500

Add files via upload

diff --git a/secretmap.jpg b/secretmap.jpg
new file mode 100644
index 0000000..480d67f
Binary files /dev/null and b/secretmap.jpg differ

commit 04aea2109a9fe2e7a81d4f57339607bd2a4cb2b6
Author: Carson Owlett <35844973+5C4R48Security@users.noreply.github.com>
Date: Sun Feb 10 00:36:54 2019 -0500

Create NothingToSeeHere.txt

diff --git a/NothingToSeeHere.txt b/NothingToSeeHere.txt
new file mode 100644
index 0000000..e8ca195
--- /dev/null
+++ b/NothingToSeeHere.txt
@@ -0,0 +1 @@
+There is absolutely nothіng to see here.  Nothіng I tell yоu.  NOTHING!  Leave me alone.  Nоcοokіes for you.  Thіs is justsome nоnsense І jarbled together!

commit 1025359893478c61365dc3e7dfbf3299ba4f0c29
Author: Carson Owlett <35844973+5C4R48Security@users.noreply.github.com>
Date: Thu Feb 7 22:04:04 2019 -0500

Initial commit

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..008c1f3
--- /dev/null
+++ b/README.md
@@ -0,0 +1,2 @@
+# HGStegoChallenge
+First to the finish gets a free shirt!

Reverting to the previous commit...

git checkout 4dcd1efef668e10eea2e80d5b95a7520662ffe6d

Note: checking out '4dcd1efef668e10eea2e80d5b95a7520662ffe6d'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

git checkout -b <new-branch-name>

HEAD is now at 4dcd1ef Add files via upload

The old secretmap also contains a PKZIP section with a folder 53cr3t5, but the image file is hyperiongraylogo.jpg and comparing the old and new logo images, there are differences in blocks throughout the image.

It too appears to be a stego encoded file, but it also requires a password…

My only remaining lead is the NothingToSeeHere.txt file. I’ve downloaded the original file from the repo, and there’s nothing in the metadata.

There is absolutely nothіng to see here.  Nothіng I tell yоu.  NOTHING!  Leave me alone.  Nо

cοokіes for you.  Thіs is just

some nоnsense І jarbled together!


It is a mix of Times New Roman & MS Gothic with varied kerning – Unicode characters define a paragraph break between No and cookies and line break between just and some.

These characters show up as MS Gothic in Word, and seem to be all of the wide-kerned characters:

TeaslulotoethnIeT!eealo. ryu. hsisstsossejarle

The remainder is Menlo in TextEdit and Times New Roman in Word with all of the more normal looking kerning:

hre is botey nhіng t see her.  Noіg  tll yоu.  NOHING  Lave m ne  Nо
cοokіes fo o  Tі  ju
me nоnen І bd together!

Let’s try a Baconian cypher using these two fonts:

There isabs olute lynot hіngt oseeh
ABABB BBABA BAABB ABBAA BBBBB ABBBB

ere.No thіng Itell yоu.NO THING! Leave
BBABB AABAB ABABB BBBBB ABBBB BABBB

meAlo ne.Nоc οokіe sfory ou.Thі sisju
BAAAA BBBBB BBBBB BBBAA BABAB AAABB

stsom e nоns enseІ jarbl edtog ether!
AAAAB BBBBA ABAAB AAABA ABBBB BBBBB

The spaces are all the same font, but the punctuation is not. The Unicode paragraph and line breaks are the wide-kerned font. So, punctuation and Unicode breaks are probably in, but spaces are probably not.

DISTINCT (AB and BA)

Including the spaces and punctuation
LUTLNPOIJTSPHCP ULMUSQRXWMNQYQ

Excluding the spaces and including punctuation
LTMPSVDPZFDBZCP UMTQNKQGGQ

Excluding spaces and punctuation
LTMPFLPXQVDBYCP UMTQUQIPKHQ

Including spaces and excluding punctuation
LUTWXHLVHBMJ ULMJIYUKYTW

(I=J U=V) (AB and BA)

Including the spaces and punctuation
MWUMOQPIKUTQHCQ WMNWTRSZYNORR

Excluding the spaces and including punctuation
MUNQTXDQFDBCQ WNUROLRR

Excluding spaces and punctuation
MUNQFMQZRXDBCQ WNURWRIQLR

Including spaces and excluding punctuation
MWUYZHMXHBNK WMNKIWLUY

No luck there, with either version of the logo image, and nothing sensible comes out of a Caesarian shift on any of these either.

Maybe it’s binary?

Using the letters only:
010111101010011011001111101111110110010101011111110111110111100001111111111111001010100011000011111001001000100111111111
MUNQFMQZRXDBKCQ LTMPFLPXQVDBJCP
101000010101100100110000010000001001101010100000001000001000011110000000000000110101011100111100000110110111011000000000
WFNUAREWARIQAADLBYRA UFMTAQEUAQIPAADKBWQA

Using letters, spaces, and punctuation
101000000101011001000110000001000000001000001101001001000000000001000010001000001011100100001000000000010101100010101100011110000001001100011101100000000000
UBLEMBACBUSAAQRAXEEACWFMPAJRAA WBMENBACBWTAARSAZEEACYFNQAKSAA
0101111110101001101110011111101111111101111100101101101111111111101111011101111101000110111101111111111010100111010100111000001111110110011100010011111111111
LUTLNPOIJTQPHCP MWUMOQPIKURQHCQ

Using letters and punctuation only
101000010101100100110000010000001000110101010000000010000101000011110000000000000011011010111001111000001101101110110000000000
UFMTAQENKAEFBAAGBWQA WFNUAREOLAEFBAAGBYRA
010111101010011011001111101111110111001010101111111101111010111100001111111111111100100101000110000111110010010001001111111111
LTMPSVDZFDBJCP MUNQTXDFDBKCQ

Nope…Not even double-checking them as Caeasar shifted…

Backwards? Nope

Treating the breaks as breaks? Nope

Just the letters in the "nothings"? Nope

Maybe it's Morse?
-.-....-.-.--..-..--.....-......-...--.-.-.-........-....-.-....----..-..-.........--.--.-.---..-----.....-..--.---.--..........
Nope

FINAL RESULTS

A greater appreciation for binary ciphers?

4 March 2019: @Spieeler was kind enough to post their write-up and put me out of my misery. The text of the NothingToSee.txt does indeed contain the password, and can be decoded using this site. I get a slightly garbled result from it:

tpisispalhingthis the password js t3g0iz1339

That's enough, though, to get the password as st3g0iz1337, with some trial and error. The first three competitors to solve it received instructions to hash their handle and a flag; the file now just provides:

Tweet "@HyperionGray all yor st3gos r belong to us! #hgstegochallenge"