From cybersec-toolkit
Solves steganography CTF challenges using tools for images (zsteg, steghide), audio (spectrograms), video (frame extraction), and text (zero-width characters).
Slash command: `/cybersec-toolkit:ctf-stego`
Per CLAUDE.md: reading a corrupt image poisons the conversation. Validate first:
```python
run_tool("file", "/path/to/image")
run_tool("identify", "/path/to/image")  # ImageMagick
# or run_script:
# from PIL import Image; img = Image.open(path); print(img.size, img.mode)
```
Only Read the image after both checks pass.

```bash
file <file>
xxd <file> | head -30
exiftool <file>    # metadata — flag often hides here
strings <file> | grep -i "ctf\|flag\|key\|pass" | head
binwalk <file>     # multi-file polyglots
```

Always check metadata first. ~30% of intro stego is just exiftool.

| Technique | Tool / approach |
|---|---|
| LSB in pixels | zsteg (PNG/BMP), stegsolve |
| EOF data after IEND/EOI | binwalk -e, manual hex |
| JPG specific | steghide extract -sf <file> (often with empty pass), stegseek for brute |
| PNG color planes | stegsolve (visual layer toggle) |
| LSB matching, custom | zsteg -a, then write custom Python with PIL |
| Polyglot (file with valid headers for multiple formats) | binwalk, foremost |
| File appended after IEND chunk (PNG) | pngcheck -v, manual carve |
| Modified/extra chunks | pngcheck -v, pngcsum |
| Width/height tampering (PNG) | edit IHDR width/height, recalc CRC — tweakpng style |

```bash
# zsteg covers most LSB cases for PNG/BMP
zsteg -a image.png
# steghide brute (jpg/wav/bmp)
stegseek image.jpg rockyou.txt
# Multi-tool sweep
stegsolve image.png    # GUI, manual layer toggle
```

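
An added example, not part of the cybersec-toolkit skill: the checks behind the PNG rows of the table above, done by hand in Python. It walks the chunk list, verifies each CRC (a width/height edit in IHDR without a recalculated CRC shows up as a mismatch) and returns any bytes that follow IEND. The function names and the sample PNG are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype, data):
    """Serialize one chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def audit_png(blob):
    """Return (chunk list, problems, bytes left after the last parsed chunk)."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    pos, chunks, problems = len(PNG_SIG), [], []
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        name = ctype.decode("latin-1")
        if end > len(blob):
            problems.append((name, "length runs past end of file"))
            break
        data = blob[pos + 8:end - 4]
        (stored,) = struct.unpack(">I", blob[end - 4:end])
        if stored != zlib.crc32(ctype + data) & 0xFFFFFFFF:
            problems.append((name, "CRC mismatch"))
        chunks.append((name, length))
        pos = end
        if ctype == b"IEND":
            break
    if not chunks or chunks[-1][0] != "IEND":
        problems.append(("IEND", "missing"))
    return chunks, problems, blob[pos:]

# Constructed sample: a 1x1 greyscale PNG, then a tampered copy of it.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
CLEAN = (PNG_SIG + chunk(b"IHDR", IHDR)
         + chunk(b"IDAT", zlib.compress(b"\x00\x7f")) + chunk(b"IEND", b""))
# Tamper: overwrite the height field (file offsets 20..23) without fixing the
# IHDR CRC, and append constructed bytes after IEND.
TAMPERED = CLEAN[:20] + struct.pack(">I", 2) + CLEAN[24:] + b"constructed-trailer"

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("tampered", TAMPERED)):
        chunks, problems, trailing = audit_png(blob)
        print(label, chunks, problems, trailing)
```
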
| Technique | Tool |
|---|---|
| LSB in samples | wavsteg, custom python |
| Steghide payload | steghide, stegseek |
| Spectrogram (visual hidden in freq domain) | audacity view spectrogram, sonic-visualiser |
| DTMF tones | multimon-ng -a DTMF, manual tone analysis |
| Morse | listen by ear, then morse-decoder or manual |
| SSTV (slow-scan TV in audio) | qsstv, slowrx |

```bash
# Spectrogram via sox
sox audio.wav -n spectrogram -o spec.png
# Then validate spec.png before reading (see step 0)
# DTMF
multimon-ng -a DTMF audio.wav
```

```bash
# Extract frames
ffmpeg -i video.mp4 -vf fps=1 frames/frame_%04d.png
# Per-frame stego
for f in frames/*.png; do zsteg -a "$f" 2>/dev/null | grep -i "flag\|ctf"; done
# Audio track
ffmpeg -i video.mp4 -vn audio.wav
# Then audio analysis
```

| Technique | Tool |
|---|---|
| Zero-width characters | zwsp-steg, manual unicode inspect |
| Whitespace stego | snow, stegsnow |
| Homoglyph substitution | unicode normalize + diff |
| Base-N nested encodings | ciphey, manual |
| Bacon / null cipher | manual + dcode.fr |

```bash
# Show every character including invisibles
python3 -c "import sys; [print(repr(c), hex(ord(c))) for c in open(sys.argv[1]).read()]" file.txt
```

- pdf-parser, peepdf, qpdf --qdf — check streams, annotations, JS, attachments
- oletools (olevba, oleid), oledump, unzip the .docx/.xlsx
- zbarimg, zxing — also try partial QR reconstruction

- exiftool + strings + binwalk -e always first
- zsteg -a (PNG/BMP) OR stegseek (JPG)
- stegsolve GUI for visual analysis

- zsteg exists
- Read before validation (see step 0)

Use the writeup-template skill.

```bash
npx claudepluginhub 26zl/cybersec-toolkit --plugin cybersec-toolkit
```