[CTF NDH 2016 Quals] Write-Up – Steganalysis : Stegano-Sound

03 Apr 2016
Posted by: Yann C. / Category: Cryptanalyze / Cryptography / Cryptology

Write-up of the challenge “Steganalysis – Stegano Sound” of Nuit du Hack 2016 CTF qualifications.

The weekend of 04/01/2016 was the pre-qualification round for the Nuit du Hack 2016, run as a Jeopardy CTF. Having had the opportunity and the time to participate with some colleagues and friends, here is a write-up of the challenges we took part in.

  • Category: Steganalysis
  • Name: Stegano-Sound
  • Description : Homer Simpson is being looked after by the cops, following a bank robbery. We intercepted a conversation between him and Marge Simpson, but the quality is very bad. We believe they exchanged about a secret related to some “ndh” event.
  • URL : http://static.quals.nuitduhack.com/simpsons.wav
  • Points : 150

Listening to the wav file, the voices of the Simpsons are audible and understandable. There is, however, noise in the background, which seems to repeat periodically.

We can pick our preferred tool for audio file analysis, particularly for spectral data visualization. In this context, the free tool “Sonic Visualiser” (currently version 2.5) handles this kind of spectral analysis better than Audacity, especially for audio steganography.

We open “Sonic Visualiser” and load our file “simpsons.wav”. We then display the spectrogram via “Pane / Add Spectrogram / Mixed”.

Figure: Spectral visualisation

Oh ! A cute smiley!

But what follows our smiley? Small bars seem to repeat along almost the whole track. Could they be the cause of the noise heard periodically when listening to the sound clip?

Let’s zoom in a bit on the spectrum:

Figure: Zoom on the spectrum

This looks suspiciously like an alphabet… Yes, but which one? Into which language should these “dot” symbols be translated?

Could this be braille? It would fit, especially as the smiley wears glasses, which is a strong hint! Let’s look for a correspondence table of the braille alphabet:

Figure: Braille alphabet

Promising! Let’s start translating our spectral track:

Figure: Braille translation

Translated string:

#6634428777744499577744499568833

Given this string of digits prefixed with # (indicating a number), the link is quickly made with the pre-smartphone era and its SMS messages. Yes, this code corresponds to an SMS. It’s time to get out our good old Nokia 3210:

Figure: Nokia 3210

Win ! Flag : #NDHATSIXJRIXJMUE
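
The two decoding steps above (braille number cells to digits, then keypad presses to letters) can be reproduced in a few lines. This is an added example, not code from the original write-up; it assumes each braille cell is given as a string of its raised dot numbers and that every run of one repeated digit is a single letter.

```python
from itertools import groupby

# Letters printed on phone keys 2-9 (ITU-T E.161 layout).
KEYPAD = {"2": "ABC", "3": "DEF", "4": "GHI", "5": "JKL",
          "6": "MNO", "7": "PQRS", "8": "TUV", "9": "WXYZ"}

# Braille digits reuse the cells of a-j after the number sign (dots 3456).
NUMBER_SIGN = "3456"
BRAILLE_DIGITS = {"1": "1", "12": "2", "14": "3", "145": "4", "15": "5",
                  "124": "6", "1245": "7", "125": "8", "24": "9", "245": "0"}


def braille_to_digits(cells):
    """Turn braille cells (strings of raised dot numbers) into a digit string."""
    if not cells or cells[0] != NUMBER_SIGN:
        raise ValueError("expected the braille number sign first")
    try:
        return "".join(BRAILLE_DIGITS[c] for c in cells[1:])
    except KeyError as exc:
        raise ValueError(f"not a braille digit cell: {exc}") from None


def multitap_decode(digits):
    """Decode keypad presses, treating each run of one digit as one letter."""
    out = []
    for key, run in groupby(digits.lstrip("#")):
        letters = KEYPAD.get(key)
        if letters is None:
            raise ValueError(f"key {key!r} carries no letters")
        presses = len(list(run))
        # A run longer than the key's letter count means two letters on the
        # same key; without pauses the split is ambiguous, so full cycles are
        # taken first (an assumption of this example).
        while presses > len(letters):
            out.append(letters[-1])
            presses -= len(letters)
        out.append(letters[presses - 1])
    return "".join(out)


PAGE_DIGITS = "#6634428777744499577744499568833"  # string from the write-up

if __name__ == "__main__":
    print("#" + multitap_decode(PAGE_DIGITS))
```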

Greeting to nj8, St0rn, Emiya, Mido, downg(r)ade, Ryuk@n and rikelm, 😉 // Gr3etZ


About the Author : Yann C.

An IT security consultant who has practised in this field since the early 2000s, self-taught out of passion, pleasure and for its prospects, he maintains the ASafety portal to present articles, personal projects, research and development, as well as advisories for vulnerabilities discovered notably during pentests.