search

Tabs&Spaces

CATEGORY - STEGANOGRAPHY

hashtag
Introduction

This challenge provides a ZIP file containing multiple files. Our goal is to analyze them and extract a hidden flag, which appears to involve whitespace-based steganography.

hashtag
Steps

hashtag
Step 1: Extracting and Inspecting the ZIP File

The challenge provides a ZIP archive. After extracting it, we see the following files inside:

A Python script is present, which appears to be for checking file integrity and isn't immediately useful.

hashtag
Step 2: Identifying an Anomalous File

Navigating into the files/ directory, I checked the contents of all files. One file stood out due to its different color and unusual file extension.

To make it easier to work with, I renamed the file to remove the extra . in its name.

hashtag
Step 3: Initial Steganography Checks

Since the file was a JPG image, I performed basic steganography checks:

  • Exiftool → No interesting metadata found.

  • Steghide (without passphrase) → Extracted a hidden text file named whitespace_flag.txt.

hashtag
Step 4: Analyzing whitespace_flag.txt

Opening whitespace_flag.txt in Sublime Text, I noticed that the content wasn't regular text. Instead, it appeared to contain whitespace-based encoding.

Searching online for whitespace steganography, I found tools like stegsnow. However, stegsnow didn't reveal any meaningful text, suggesting that another encoding method was used.

Upon closer inspection, I saw patterns of tabs (^I) and spaces (), which indicated binary encoding, where:

  • Tab (^I) = 1

  • Space () = 0

hashtag
Step 5: Converting Whitespace to Binary

To decode the message, I used the following command:

This converted the hidden text into a binary string:

hashtag
Step 6: Converting Binary to Text

For the final step, I converted the binary data to readable text using Perl:

hashtag
FLAG

PreviousCryptic PixelsNextHidden Marker

Last updated