Steganography Cheatsheet for CTF Beginners

Steganography is the art of concealing messages in plain sight — hiding data in files that appear normal. In Capture The Flag (CTF) contests, stego challenges often hide flags inside images, audio, videos, PDFs, or metadata.

Step-by-Step File Analysis

Basic Commands

file target.jpg strings target.jpg | head -n 50 xxd target.jpg | head hexdump -C target.jpg | head

Check the file’s true type, readable strings, and hex patterns. You may discover plaintext flags, passwords, or data headers.

Metadata Extraction

exiftool target.jpg

Extract EXIF comments, timestamps, GPS info, and hidden metadata.

Also try:

exiv2 target.jpg

For direct metadata manipulation or cleanup.

Embedded File Discovery

Binwalk – File Carving Tool

binwalk -Me target.jpg

Key Options:

• -e: Extract embedded files

• -M: Recursive extraction

• -z: Carve data blocks without extraction

• -R: Raw hex pattern match (e.g., \x1f\x8b for gzip)

• -E: Entropy scanning

• -W: Hex diff mode

Use dd if you manually need to extract embedded segments.

Example: Extracting Hidden Files from an Image

Let’s walk through a practical use case with a stego challenge:

Step 1:
Start with a quick string check:

strings PurpleThing.jpeg | grep {

No flag found via visible strings.

Step 2:
Now inspect with binwalk:

binwalk PurpleThing.jpeg

Output:

DECIMAL HEXADECIMAL DESCRIPTION ----------------------------------------------------------------------------
 0 0x0 PNG image, 780 x 720, 8-bit/color RGBA, non-interlaced 41 0x29 Zlib compressed data, best compression 153493 0x25795 PNG image, 802 x 118, 8-bit/color RGBA, non-interlaced

We clearly see embedded PNG and Zlib data.

Step 3:
Extract the hidden files using:

binwalk -D 'image:png' PurpleThing.jpeg

This creates a folder named _PurpleThing.jpeg.extracted/, containing extracted files like 25795.png.

Step 4:
Open that file and boom — the flag is there:

ABCTF{b1nw4lk_is_us3ful}

Image Steganography

Visual Tricks

1. Open image and observe — flag may be painted in.

2. Use GIMP: adjust brightness, contrast, curves, color levels.

3. Use ImageMagick to compare images:

compare original.png modified.png diff.png

Bit-Level Tools

Stegsolve -

Use stegsolve to identify QR codes, LSB data, or color-filtered patterns.

A great GUI tool that covers a wide range of analysis, some of which is covered by the other tools mentioned above and a lot more including color profiles, planes, Color maps, strings.

Example Challange: Looks like a blank image

Solution: Opening the image in Stegsolve and clicking through the planes gives us a flag. Image below.

Extraction Tools

Example:

steghide extract -sf secret.jpg stegseek secret.jpg rockyou.txt

Online Tools

• StegOnline

• Steganography Online

• Image Steganography

• FotoForensics

• AperiSolve – Multi-layer analyzer

• Image ELA – Error level analysis (detects manipulations)

Audio Steganography

Useful Tools

Use sonic-visualiser with linear/log scale spectrogram + contrast filters.

Sonic Visualizer is a great tool to find hidden messages in audio files.

Remember that just because it’s a mp3 does not mean it’s going to have an answer in the spectrogram. I am going to show you one more Spectrogram with a flag in it.

Video Steganography

Frame & Audio Extraction

ffmpeg -i video.mp4 frame_%04d.png

• Analyze individual frames using zsteg, stegsolve.

• Open audio separately in Audacity for reverse/LSB tricks.

Tool:
hipshot — Convert video/photo series into long-exposure-style images to reveal stego data.

PDF Stego

Text & Metadata

pdfinfo file.pdf pdftotext file.pdf output.txt

Crack Protected PDFs

pdf2john file.pdf > hash.txt john --wordlist=rockyou.txt hash.txt

Network-Based Challenges

Wireshark

Sometimes you’ll get .pcap files. Open them in Wireshark and follow the TCP or HTTP stream to uncover credentials or base64-encoded data.

• Right-click a packet → Follow → TCP Stream

  

Look for anything readable—sometimes even the flag itself!

Advanced Tricks & Scripts

Convert Binary to Image

convert -depth 8 -size 300x300+0 gray:data.raw output.png

View strange binary blobs visually.

Invert Pixel Colors (Python)

import Image
if __name__ == '__main__':
    img = Image.open('input.png')
    in_pixels = list(img.getdata())
     out_pixels = list()

    for i in range(len(in_pixels)):
        r = in_pixels[i][0]
        g = in_pixels[i][1]
        b = in_pixels[i][2]
        out_pixels.append( (255-r, 255-g, 255-b) )

    out_img = Image.new(img.mode, img.size)
    out_img.putdata(out_pixels)
    out_img.save("output_inverted.png", "PNG")

the image looks like it’s just a random noise we should make sure of it. We can, in fact, measure its randomness. Pixels of each color can appear in each place of the image with equal chance. If it’s false for some colors, we certainly want to look at them. Here is a script for that, and the results appears below:

$ php solve.php image.png
MAX disp: 1492.41; AVG: 92.82
GAP: 351.61 ± 200
DONE.

OSINT & Comparisons

• TinEye: Reverse search

• Use ImageMagick or diff-pixel tools for overlays

• Compare layers in Adobe/GIMP if image has metadata for layer stacking

Tool Index (Summary)