> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-6/steganography/trick-0038/information-gathering-steganography-password-recovery.md).

# Password Recovery

## Chaining Web Fuzzing Result to Steganography

Use a string discovered through web parameter fuzzing as the passphrase for extracting data from an image using steganography. For instance, if a string like 'You have to be mad' is identified via web fuzzing a specific parameter, use this string when prompted by the steganography tool.

The basic command structure for extracting data using steghide is:

```bash
steghide extract -sf <image_file_name>
```

The `-sf` flag specifies the stego file, which is the image file containing the hidden data. After executing this command, the terminal will prompt you to enter the passphrase. You should enter the passphrase that was used during the embedding process, which in this scenario is the string discovered through web fuzzing.

For example, if the image is `thm.jpg`:

```bash
steghide extract -sf thm.jpg
# Enter the discovered string 'You have to be mad' when prompted for the passphrase.
```

Entering the correct string will allow extraction of the hidden data (e.g., `hidden.txt`). This technique requires chaining information from different challenge sources.

For example, in a challenge involving a `.png` image, the command might look like this:

```bash
steghide extract -sf deadface.png
```

When prompted for the passphrase, enter the passphrase obtained from the previous step, such as one discovered through web fuzzing.

Similarly, for a `.jpg` image challenge:

```bash
steghide extract -sf challenge.jpg
```

It will ask for a passphrase; enter the passphrase that was found from the previous step. This process extracts the hidden file using the correct passphrase.

***

## Steganography & Password Cracking

Download the image file, potentially found via web reconnaissance:

```bash
wget http://[target_ip]:[python_port]/hacker-with-laptop_23-2147985341.jpg
```

Use `stegseek` to detect and extract hidden data. Stegseek is a tool that can be used to brute-force stegged data, especially in jpeg files. It is designed to be fast and to handle password-protected files. It can often automatically find and extract password-protected archives if a dictionary attack is successful. If a password is found, stegseek will automatically extract the hidden file.

```bash
stegseek hacker-with-laptop_23-2147985341.jpg /usr/share/wordlists/rockyou.txt
```

Alternatively, you can explicitly specify the stegged file using `-sf` and the output file name using `-xf`:

```bash
stegseek -sf hacker-with-laptop_23-2147985341.jpg -xf backup.zip /usr/share/wordlists/rockyou.txt
```

If `stegseek` successfully identifies and extracts a file (e.g., a zip archive) and you did not specify an output name with `-xf`, it will create a file named after the image with an `.out` extension. Rename this output file for clarity:

```bash
mv hacker-with-laptop_23-2147985341.jpg.out backup.zip
```

Extract the hash from the password-protected archive using `zip2john`. zip2john converts zip archives to a format suitable for use with John the Ripper.

```bash
zip2john backup.zip > hash
```

Finally, crack the extracted hash using `john` with a suitable wordlist. John the Ripper is a fast password cracker, available for many operating systems. It works by identifying hash types and then trying password guesses in various formats. Wordlist mode is one of the most common and effective ways to crack passwords using John the Ripper, where it takes a list of potential passwords (a wordlist) and hashes each word to see if it matches the target hash. The `rockyou.txt` file is a widely known wordlist containing millions of leaked passwords, often found compressed (`rockyou.txt.gz`) in penetration testing distributions like Kali Linux.

```bash
john hash -w=rockyou.txt
```

***

## Steganography - Password from Image Colors

Use `binwalk` to scan the image for embedded files, typically looking for ZIP archives or other common file headers. Binwalk is a tool designed for analyzing firmware images, scanning them for embedded file systems and executable code, as well as analyzing embedded files and executable code within firmware images.

```bash
binwalk brokentv.jpg
```

If `binwalk` identifies embedded files, especially archives like ZIP files, you can use the extraction flag to automatically extract them.

```bash
binwalk -e brokentv.jpg
```

For recursive extraction of nested file systems or archives found within the initial scan, the `-M` flag can be used in conjunction with `-e`.

```bash
binwalk -Me brokentv.jpg
```

If an embedded archive (like a ZIP) is found and is password-protected, the password might be derived from the image's visual properties. Analyze the image's dominant or unusual colors. Obtain the hex code for a relevant color (e.g., using a color picker tool or image editor). Convert the hex code directly to ASCII text. Use this resulting ASCII string as the password to extract the embedded archive. Often, hints within the file or its contents (like directory names within the archive) can point towards the color analysis method.

A Python script can be used for converting a hex string to its ASCII representation:

```python
def hex_to_ascii(hex_string):
    """Converts a hexadecimal string to its ASCII representation."""
    try:
        # Ensure the hex string has an even number of characters
        if len(hex_string) % 2 != 0:
            hex_string = '0' + hex_string # Pad if necessary

        ascii_string = bytes.fromhex(hex_string).decode('ascii')
        return ascii_string
    except ValueError as e:
        return f"Error converting hex to ASCII: {e}"

# Example usage:
# hex_data = "414243" # Hex for "ABC"
# ascii_output = hex_to_ascii(hex_data)
# print(ascii_output)
```

Use the resulting ASCII string obtained from the color's hex code as the potential password for the extracted archive.
