CTF Methodology - Steganography
- always run strings filename first and grep the output for the flag format (the prefix the CTF uses, e.g. flag{) for a quick, easy win;
- try running binwalk filename to see if there are any files embedded in the image. You can find anything from text files to other images to whole archives. Note that for PNG files it is normal for binwalk to report zlib compressed data (that is the IDAT image data itself), so those entries alone are not a sign of hidden content;
- if binwalk reports embedded data, run foremost filename (or binwalk -e filename) to carve that data out of the image;
- run steghide info filename to show whether the file has any embedded data. If the answer is yes, run steghide extract -sf filename to extract it. steghide only supports JPEG, BMP, WAV and AU cover files; it does not handle PNG;
- if the file asks for a passphrase in order to extract the data, try brute-forcing it with stegcracker, for example stegcracker filename wordlist. stegseek (stegseek filename wordlist) does the same job much faster and is the better choice on large wordlists;
- run exiftool filename to show metadata hidden in the file. Sometimes it can earn you a quick flag;
- run exiv2 filename (or exiv2 -pa filename to print every tag) - it is basically the same as exiftool but can sometimes reveal more;
- use java -jar stegsolve.jar to play with image colour channels and extract data from them. It can invert colours, isolate individual bit planes, XOR the image against another, and much more. A very powerful tool, distributed as a Java jar;
- your bread and butter tool for PNG files is going to be zsteg. Run zsteg -a filename to try every known extraction mode. Most of the time this is the go-to tool that reveals a plain-text flag or an encoded one in base64, Caesar or another popular encoding/cipher. Note that zsteg only works on PNG and BMP files;
- jsteg is also a very neat tool that works much like zsteg but for JPG files; once installed, run jsteg reveal filename to dump any hidden payload. You can install it by following the instructions below. slink, from the same releases page, is a companion tool built on jsteg, and the steps below fetch both. Always check the releases page and wget the latest version.
wget -O /usr/bin/jsteg https://github.com/lukechampine/jsteg/releases/download/v0.3.0/jsteg-linux-amd64
chmod +x /usr/bin/jsteg
wget -O /usr/bin/slink https://github.com/lukechampine/jsteg/releases/download/v0.2.0/slink-linux-amd64
chmod +x /usr/bin/slink
- sometimes, images are actually Piet programs. Piet is a stack-based esoteric programming language in which programs look like abstract paintings: blocks of solid colour arranged on a grid. To decode these, run the image through a Piet interpreter (npiet, or one of the online interpreters) and read the program's output;
- another cool tool is stegsnow, used for whitespace steganography (data hidden in trailing spaces and tabs), often found in text files. If you have a stego challenge and are presented with a .txt file, give it a shot: stegsnow -C file.txt extracts the message, and -p password supplies a passphrase if one was set.
- steganography doesn't always have to be about image/text files. You can also find steganography in .wav files, for example. For .wav, phone-keypad-like tones are an indication of DTMF steganography, which you can decode with multimon-ng -a DTMF -t wav file.wav. It is also worth opening the file in a spectrogram view, since flags are sometimes drawn directly into the frequency content.
- if you can't solve it with frequency analysis and DTMF decoding, it may be an LSB (least significant bit) steganography challenge. For LSB you can use wav-steg.py, for example: wav-steg.py -r -s file.wav -o output.out -n 1 -b 1000 (-r recover, -s the cover file, -o the output file, -n how many low bits of each sample carry data, -b how many bytes to recover). If the output is garbage, try a different -n.
- if all else fails, why not try to reverse image search the file on the internet and check for any differences between what you got and the original image. You can do a reverse search on TinEye, download the original image, and run diff (or cmp -l, which lists the differing byte offsets) to check for differences:
diff -a ctf-image.jpeg original-image.jpg | hexdump -C
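The LSB technique behind the wav-steg.py step above (and behind zsteg's LSB modes, which do the same thing over pixel channels instead of audio samples) is simple enough to implement by hand. The following Python is an added example written for this post, not code from the page or from the wav-steg.py project: it synthesises a constructed 16-bit WAV cover in memory, embeds a constructed flag in the n lowest bits of each sample, and recovers it with the same -n/-b style parameters, using only the standard library. All names and the cover tone are assumptions of this example.

```python
"""LSB steganography in 16-bit PCM WAV: embed and recover, standard library only.
Added example; the cover audio and the flag below are constructed, not a real
challenge file."""
import io
import math
import struct
import wave

SAMPLE_RATE = 8000
NUM_SAMPLES = 4000  # 0.5 s of audio; 1 LSB per sample gives 500 bytes of capacity


def make_cover_wav() -> bytes:
    """Constructed cover: a 440 Hz tone, 16-bit mono PCM, returned as WAV bytes."""
    frames = bytearray()
    for i in range(NUM_SAMPLES):
        v = int(12000 * math.sin(2 * math.pi * 440 * i / SAMPLE_RATE))
        frames += struct.pack("<h", v)
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(SAMPLE_RATE)
        w.writeframes(bytes(frames))
    return buf.getvalue()


def _read_samples(wav_bytes: bytes):
    """Return (wave params, list of signed 16-bit samples)."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        params = w.getparams()
        raw = w.readframes(w.getnframes())
    if params.sampwidth != 2:
        raise ValueError("this example handles 16-bit PCM only")
    return params, list(struct.unpack("<%dh" % (len(raw) // 2), raw))


def _write_samples(params, samples) -> bytes:
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setparams(params)
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))
    return buf.getvalue()


def embed_lsb(wav_bytes: bytes, payload: bytes, num_lsb: int = 1) -> bytes:
    """Overwrite the num_lsb low bits of consecutive samples with payload bits, MSB first."""
    params, samples = _read_samples(wav_bytes)
    bits = [(b >> (7 - k)) & 1 for b in payload for k in range(8)]
    capacity = len(samples) * num_lsb
    if len(bits) > capacity:
        raise ValueError(f"payload needs {len(bits)} bits, cover holds {capacity}")
    mask = ~((1 << num_lsb) - 1)  # clears the low num_lsb bits, works on negative ints too
    for i in range(0, len(bits), num_lsb):
        group = bits[i:i + num_lsb]
        group += [0] * (num_lsb - len(group))  # zero-pad the final partial group
        value = 0
        for bit in group:
            value = (value << 1) | bit
        idx = i // num_lsb
        samples[idx] = (samples[idx] & mask) | value
    return _write_samples(params, samples)


def recover_lsb(wav_bytes: bytes, num_bytes: int, num_lsb: int = 1) -> bytes:
    """Equivalent of `wav-steg.py -r -n num_lsb -b num_bytes`: read the num_lsb
    low bits of each sample in order and repack them into bytes."""
    _, samples = _read_samples(wav_bytes)
    needed = math.ceil(num_bytes * 8 / num_lsb)
    if needed > len(samples):
        raise ValueError("file too short for the requested byte count")
    bits = []
    for s in samples[:needed]:
        low = s & ((1 << num_lsb) - 1)
        bits.extend((low >> (num_lsb - 1 - k)) & 1 for k in range(num_lsb))
    out = bytearray()
    for i in range(0, num_bytes * 8, 8):
        byte = 0
        for bit in bits[i:i + 8]:
            byte = (byte << 1) | bit
        out.append(byte)
    return bytes(out)


def demo(num_lsb: int = 1) -> bytes:
    """Round trip: hide a constructed flag, then recover it with the same -n."""
    flag = b"flag{constructed_example}"
    stego = embed_lsb(make_cover_wav(), flag, num_lsb)
    return recover_lsb(stego, len(flag), num_lsb)


if __name__ == "__main__":
    print(demo(1))
    print(demo(2))
```

Recovering with the wrong bit count (embedding with -n 1 and reading back with -n 2, or vice versa) interleaves real sample bits with payload bits and yields garbage, which is why the tip above suggests cycling through -n values when the output does not look like text. The same repacking loop applies to zsteg's b1/b2 modes on PNG pixel channels; only the source of the integers changes.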
Stay tuned for more CTF Methodology blog posts.