ctf-stego
Install: claude install-skill 26zl/cybersec-toolkit
# CTF stego methodology
## 0. CRITICAL — never `Read` an unvalidated image
Per CLAUDE.md: reading a corrupt image poisons the conversation. Validate first:
```python
run_tool("file", "/path/to/image")
run_tool("identify", "/path/to/image") # ImageMagick
# or run_script:
# from PIL import Image; img = Image.open(path); print(img.size, img.mode)
```
Only `Read` the image after both checks pass.
## 1. Triage every input
```bash
file <file>
xxd <file> | head -30
exiftool <file> # metadata — flag often hides here
strings <file> | grep -i "ctf\|flag\|key\|pass" | head
binwalk <file> # multi-file polyglots
```
Always check metadata first. ~30% of intro stego is just `exiftool`.
## 2. Image (PNG / JPG / BMP / GIF)
| Technique | Tool / approach |
| --- | --- |
| LSB in pixels | `zsteg` (PNG/BMP), `stegsolve` |
| EOF data after IEND/EOI | `binwalk -e`, manual hex |
| JPG specific | `steghide extract -sf <file>` (often with an empty passphrase), `stegseek` to brute-force the passphrase |
| PNG color planes | `stegsolve` (visual layer toggle) |
| LSB matching, custom | `zsteg -a`, then write custom Python with PIL |
| Polyglot (file with valid headers for multiple formats) | `binwalk`, `foremost` |
| File appended after IEND chunk (PNG) | `pngcheck -v`, manual carve |
| Modified/extra chunks | `pngcheck -v`, `pngcsum` |
| Width/height tampering (PNG) | edit IHDR width/height, recalc CRC — `tweakpng` style |
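
The PNG rows of the table (data after IEND, modified or extra chunks, IHDR width/height edits that leave a stale CRC) can all be checked in one chunk walk, which also serves as a pre-`Read` validity check. This is an added example, not part of the original skill; `walk_png`, `chunk`, `sample_png` and the sample bytes are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def walk_png(data: bytes) -> dict:
    """Walk PNG chunks; report CRC mismatches, IHDR size and bytes after IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    report = {"chunks": [], "bad_crc": [], "size": None, "trailing": b"", "truncated": False}
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length          # length + type + data + CRC
        if end > len(data):              # declared length runs past EOF
            break
        body = data[pos + 8:pos + 8 + length]
        (stored,) = struct.unpack(">I", data[end - 4:end])
        name = ctype.decode("latin-1")
        report["chunks"].append(name)
        # The CRC covers chunk type + data, not the length field.
        if zlib.crc32(ctype + body) != stored:
            report["bad_crc"].append(name)   # edited without recalculating the CRC
        if name == "IHDR" and length >= 8:
            report["size"] = struct.unpack(">II", body[:8])
        pos = end
        if name == "IEND":
            report["trailing"] = data[pos:]  # anything here is appended data
            return report
    report["truncated"] = True               # IEND was never reached
    return report

def chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one well-formed chunk (used only to construct the sample)."""
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def sample_png(width: int = 1, height: int = 1) -> bytes:
    """Constructed 8-bit grayscale PNG; not taken from any challenge."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")        # filter byte + one pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

if __name__ == "__main__":
    tampered = bytearray(sample_png())
    tampered[23] = 2                          # low byte of IHDR height, CRC left stale
    print(walk_png(bytes(tampered) + b"flag{constructed}"))
```

A non-empty `bad_crc` containing `IHDR` points at edited dimensions, and a non-empty `trailing` is the appended data to carve.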
```bash
# zsteg covers most LSB cases for PNG/BMP
zsteg -a image.png
# ste