"a collection of 47 pictures in an art gallery" definitely not stego
Here is the final art collection!
This is not stego since we've given you the answer in the hints and we don't want to frustrate anyone. However, this is very solvable without hints, so try avoiding hints first!
Download collection.zip below! collection.zip
This is supposed to be just a fun steganography challenge, judging by it’s point value and the three given hints. Since we want to have fun here, let’s ignore the hints and see how one could solve this without them.
If you are familiar with steganography, it should be clear that our goal is to find the flag that is somehow hidden in the files they gave us. We were given 47 images and they seem to be the ones from each challenge.
Most steganography challenges give you one image and the flag is hidden in there, but since we have a lot more images it could very well be that the flag is spead over all of those. Maybe the flag is 47 characters long and each image contains one character. If that’s the case, we know that the first six images will form uiuctf but we are still not sure that we are on the right track.
Let’s do some experiments in the hope that we see something interesting.
When I see a PNG in a steganography challenge, my go-to tool is stegoveritas which will try many techniques to see if there is something hidden. But we were given 47 challenge artworks so I didn’t expect to see anything useful from the output of this program when I ran it against the first image. Checking the results from every image will take me a very long time so now I had to think of something different.
Since these images are the ones from the challenge page, we can quickly check if the ones from the challenge are modified to contain a flag by just checking the difference. In my favourite place - the bash terminal 🙂
Download ahorsewithnonames.png from the challenge page and compare:
$ curl <https://2022.uiuc.tf/themes/core/static/img/challenge-art/ahorsewithnonames.png> -o theonefromthepage.png
$ md5sum ahorsewithnonames.png theonefromthepage.png
0b0abbc08799445aa7d7c096f778ba2f ahorsewithnonames.png
2daa66c0a4a5221d8b4c17ab2014b721 theonefromthepage.png
$ sudo apt install openimageio-tools
$ idiff ahorsewithnonames.png theonefromthepage.png
Comparing "ahorsewithnonames.png" and "theonefromthepage.png"
Mean error = 5.13193e-07
RMS error = 0.000461874
Peak SNR = 66.7095
Max error = 0.415686 @ (0, 0, B) values are 0.117647, 0.0901961, 0.458824, 1 vs 0.117647, 0.0901961, 0.0431373, 1
1 pixels (0.000494%) over 1e-06
1 pixels (0.000494%) over 1e-06
FAILURE
A one pixel change, what a coincidence!
Now, I assume that this pixel has been modified to contain the first character of the flag. Let’s see if this is indeed the case.