This is the Root Me medium challenge PNG - Least Significant Bit; the challenge statement is as follows.
Uncle Scrooge does not only love gold, seems he also likes secrets. Find what is hidden in the image.
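The challenge provides a PNG file, and its title says outright that this is LSB, so I checked in that direction. First, let's review what LSB is.
LSB (Least Significant Bit) is a common steganography technique used to hide information in digital media such as images, audio or video. The core idea is to make tiny modifications to the lowest bit of each pixel or sample in order to embed secret data. Because the least significant bit has very little effect on the overall data, the change is almost imperceptible to the eye or ear, so a message can be hidden without degrading the quality of the original file.
Taking images as an example, each pixel usually consists of three color channels (red, green, blue) with 8 bits per channel, 24 bits in total. By modifying only the last bit of each channel, more than 140 KB of information can be hidden in an 800×600 image. To decode, simply read the lowest bit of each pixel in order and reassemble the original message.
The advantages of LSB are simple implementation, large capacity and high concealment, but it also has drawbacks: it is easily defeated by statistical analysis or destroyed by image compression. In information security, digital watermarking and CTF (Capture The Flag) competitions, LSB is still one of the most classic introductory steganography techniques.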
$ file ch9.png
ch9.png: PNG image data, 225 x 225, 8-bit/color RGB, non-interlaced
$ exiftool ch9.png
ExifTool Version Number : 12.40
File Name : ch9.png
Directory : .
File Size : 63 KiB
File Modification Date/Time : 2021:12:11 01:05:19+08:00
File Access Date/Time : 2025:10:11 22:45:29+08:00
File Inode Change Date/Time : 2025:10:11 22:45:22+08:00
File Permissions : -rw-rw-r--
File Type : PNG
File Type Extension : png
MIME Type : image/png
Image Width : 225
Image Height : 225
Bit Depth : 8
Color Type : RGB
Compression : Deflate/Inflate
Filter : Adaptive
Interlace : Noninterlaced
Image Size : 225x225
Megapixels : 0.051
$ binwalk ch9.png
/home/lemon1001/.local/lib/python3.10/site-packages/capstone/__init__.py:380: UserWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html. The pkg_resources package is slated for removal as early as 2025-11-30. Refrain from using this package or pin to Setuptools<81.
import pkg_resources
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 225 x 225, 8-bit/color RGB, non-interlaced
41 0x29 Zlib compressed data, default compression
The data that binwalk extracted was just gibberish.
$ zsteg -a ch9.png
imagedata .. file: Microsoft Works 1-3 (DOS) or 2 (Windows) document \005\002\001\370\367\376\001\003\002\010\004\377\003\001\001
b3,rgb,msb,xy .. file: AIX core file fulldump 64-bit
b4,b,msb,xy .. file: MPEG ADTS, layer I, v2, 24 kHz, Monaural
b5,b,lsb,xy .. file: MPEG ADTS, layer II, v1, JntStereo
b5p,b,lsb,xy .. file: MPEG ADTS, layer I, v2, 24 kHz, Monaural
b6,bgr,msb,xy .. file: MPEG ADTS, layer I, v2, Monaural
b6p,b,lsb,xy .. file: , 32 kHz, Monaural
b7,bgr,lsb,xy .. file: , 48 kHz, Monaural
b7p,b,lsb,xy .. file: MPEG ADTS, layer II, v1, Monaural
b8,b,msb,xy .. file: ddis/ddif
b8,rgb,lsb,xy .. file: AIX core file 64-bit
b8,rgb,msb,xy .. file: RDI Acoustic Doppler Current Profiler (ADCP)
b1,r,lsb,xy,prime .. file: AIX core file fulldump 64-bit
b6,rgb,msb,xy,prime .. file: MPEG ADTS, layer I, v2, Monaural
b7,rgb,lsb,xy,prime .. file: , 48 kHz, Monaural
b7p,g,lsb,xy,prime .. file: AIX core file fulldump 32-bit
b8,bgr,msb,xy,prime .. file: RDI Acoustic Doppler Current Profiler (ADCP)
b6,bgr,msb,yx .. file: MPEG ADTS, layer I, v2, Monaural
b7,bgr,lsb,yx .. file: , 48 kHz, Monaural
b8,rgb,msb,yx .. file: RDI Acoustic Doppler Current Profiler (ADCP)
b1,b,lsb,XY,prime .. text: "E|Sa?&A|"
b2,r,lsb,XY,prime .. file: AIX core file fulldump 32-bit
b2,g,lsb,Xy,prime .. file: AIX core file fulldump 64-bit
b1,r,lsb,xY,prime .. file: MPEG ADTS, layer II, v1, Monaural
b1,b,lsb,xY,prime .. file: AIX core file fulldump
b4,g,lsb,xY,prime .. file: AIX core file fulldump 64-bit
b5p,g,lsb,xY,prime .. file: AIX core file fulldump 64-bit
b6p,g,lsb,xY,prime .. file: AIX core file fulldump 64-bit
b7p,r,lsb,xY,prime .. file: AIX core file fulldump 32-bit
b7p,g,lsb,xY,prime .. file: AIX core file fulldump 64-bit
None of this looks useful, so I went looking for other tools to try.
So today is another lazy day: time to brute-force it with someone else's tool.
https://gist.github.com/dhondta/d2151c82dcd9a610a7380df1c6a0272c
stegolsb bruteforce ch9.png
This gives
TFdmMDdyc01iaUE2
Base64-decoding it then gives the answer
LWf07rsMbiA6
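What an LSB brute-force does under the hood, as an added example that is not part of the original post and not the stegolsb tool's own code: it hides a constructed Base64 string in the blue-channel LSBs of a constructed 225 x 225 noise image, then tries every channel order and bit packing until a Base64-looking run appears. The function names, the secret "not-the-flag" and the NUL terminator are assumptions made for the illustration.

```python
import base64, itertools, random, re

W, H = 225, 225  # same size as ch9.png; the pixel values below are constructed

def embed(pixels, payload, channels, msb_first=True):
    """Hide payload bits in the LSB of the chosen channels, pixel by pixel."""
    bits = [(byte >> (7 - i if msb_first else i)) & 1
            for byte in payload for i in range(8)]
    out = [list(p) for p in pixels]
    slots = ((n, c) for n in range(len(out)) for c in channels)
    for bit, (n, c) in zip(bits, slots):
        out[n][c] = (out[n][c] & 0xFE) | bit
    return [tuple(p) for p in out]

def extract(pixels, channels, msb_first=True, nbytes=64):
    """Collect the LSB of the chosen channels and pack each 8 bits into a byte."""
    bits = [p[c] & 1 for p in pixels for c in channels][:nbytes * 8]
    data = bytearray()
    for i in range(0, len(bits) - 7, 8):
        chunk = bits[i:i + 8] if msb_first else bits[i:i + 8][::-1]
        data.append(int("".join(map(str, chunk)), 2))
    return bytes(data)

def bruteforce(pixels, min_len=12):
    """Try every channel order and bit packing; report leading Base64 runs."""
    hits = []
    pattern = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_len)
    for r in (1, 2, 3):
        for channels in itertools.permutations((0, 1, 2), r):
            for msb_first in (True, False):
                m = pattern.match(extract(pixels, channels, msb_first))
                if m and len(m.group()) % 4 == 0:
                    name = "".join("rgb"[c] for c in channels)
                    hits.append((name, msb_first, base64.b64decode(m.group())))
    return hits

def demo():
    rng = random.Random(0)  # constructed cover image: random RGB noise
    cover = [tuple(rng.randrange(256) for _ in range(3)) for _ in range(W * H)]
    # Constructed secret, Base64-encoded as in the challenge, NUL-terminated
    payload = base64.b64encode(b"not-the-flag") + b"\x00"
    stego = embed(cover, payload, channels=(2,))  # blue channel only
    return bruteforce(stego)

if __name__ == "__main__":
    for name, msb_first, secret in demo():
        print(name, "msb-first" if msb_first else "lsb-first", secret)
```

For a real PNG, the pixel list would come from an image library instead of the constructed noise used here.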
Today it's Shalltear.
Also, the Yuuri concert sounded so good.