Skill

stego

Solves CTF steganography challenges by extracting hidden data from images (PNG, JPG, BMP, GIF), audio (WAV, MP3, FLAC) via pipelines using zsteg, steghide, exiftool, binwalk.

Bash

security

npx claudepluginhub mysterionrise/ctf-kit

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Analyze and solve steganography challenges.

Supporting Assets

scripts/check-tools.shscripts/run-exiftool.shscripts/run-steghide.shscripts/run-zsteg.shscripts/stego-pipeline.sh

SKILL.md

Similar Skills

strategic-compact

179.0k

Suggests manual /compact at logical task boundaries in long Claude Code sessions and multi-phase tasks to avoid arbitrary auto-compaction losses.

1 file

ecc

Stats

Stars6

Forks0

Last CommitMar 27, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

CTF Stego

Analyze and solve steganography challenges.

When to Use

Use this command for challenges involving:

Images (PNG, JPG, BMP, GIF)
Audio files (WAV, MP3, FLAC)
Hidden data in media files
LSB encoding
Metadata hiding

Bundled Scripts

check-tools.sh — Verify required stego tools are installed
run-zsteg.sh — Full LSB analysis on PNG/BMP images. Outputs JSON with channel findings, embedded text/files, and extraction commands.
run-steghide.sh — Extract hidden data from JPEG (tries common passwords). Outputs JSON with extraction status and password used.
run-exiftool.sh — Metadata extraction with CTF-relevant field detection. Outputs JSON with interesting fields, GPS data, and flag detection.
stego-pipeline.sh — Multi-step pipeline: exiftool → binwalk → zsteg/steghide. Runs all relevant tools in sequence based on file type and combines results.

Instructions

First check tool availability: bash scripts/check-tools.sh
Recommended: Run the full stego pipeline for comprehensive analysis:
```
bash scripts/stego-pipeline.sh $ARGUMENTS
```
The pipeline automatically:
- Extracts metadata (exiftool) → checks for hidden comments, GPS, flags
- Scans for appended data (binwalk) → detects files hidden after EOF
- Runs LSB analysis (zsteg) → for PNG/BMP images
- Tries steghide extraction → for JPEG/WAV with common passwords
The JSON output combines all results with a unified suggestions array.
For individual tools:

PNG/BMP (LSB analysis):
```
bash scripts/run-zsteg.sh image.png
```
JSON findings[] shows hidden text/files per channel. Use zsteg -E <channel> to extract.

JPEG (steghide):
```
bash scripts/run-steghide.sh image.jpg
bash scripts/run-steghide.sh image.jpg "mypassword"
```
JSON shows extracted_file and password_used on success.

Metadata:
```
bash scripts/run-exiftool.sh image.png
```
JSON interesting_fields[] highlights CTF-relevant metadata with reasons.

Multi-Step Workflow

The pipeline handles chaining automatically. For manual chaining:

run-exiftool.sh image.png → check JSON interesting_fields for clues
run-zsteg.sh image.png → check JSON findings for LSB data
If zsteg finds embedded file → zsteg -E <channel> image.png > extracted
Analyze extracted file with /ctf-kit:analyze

Quick Checklist

File Type	First Try
PNG/BMP	`stego-pipeline.sh` (runs zsteg + exiftool + binwalk)
JPEG	`stego-pipeline.sh` (runs steghide + exiftool + binwalk)
GIF	Check frames, delays
WAV	Spectrogram in Audacity
Any	`stego-pipeline.sh` covers metadata + embedded data

Output Format

All scripts produce === PARSED RESULTS (JSON) === or === PIPELINE RESULTS (JSON) === sections. The has_flag field is true when a flag pattern is detected.

Team Roles

When using /ctf-kit:team-solve with a stego challenge, the lead spawns 3 specialists:

Role	Teammate Name	Focus	Tools	First Action
Image Analyst	`image-analyst`	LSB analysis across channels (RGB, alpha), steghide extraction with password lists, visual plane separation, pixel manipulation	zsteg, steghide, stegsolve, `scripts/run-zsteg.sh`, `scripts/run-steghide.sh`	Run zsteg (PNG/BMP) or steghide (JPEG) with common passwords
Metadata & Structure	`metadata-analyst`	EXIF/XMP metadata, file structure anomalies, appended data after EOF, IHDR manipulation, chunk analysis	exiftool, binwalk, xxd, `scripts/run-exiftool.sh`, `scripts/run-binwalk.sh`	Run exiftool for hidden comments/GPS, binwalk for appended files
Audio & Advanced	`audio-analyst`	Spectrogram messages, audio LSB encoding, DTMF tone decoding, video frame extraction, multi-layer stego	Audacity (CLI), sox, ffmpeg	Generate spectrogram, check audio LSB, extract video frames

When to broadcast

Image: "LSB in red channel contains ASCII text: ENCODED_STRING" — metadata analyst checks if it's a key
Metadata: "Binwalk found ZIP appended after PNG EOF" — image analyst extracts and checks for password-protected content
Audio: "Spectrogram shows text: HINT_STRING" — others use it as a password or clue
Any: "Found the flag" — immediate broadcast, all stop

Example Usage

/ctf-kit:stego image.png
/ctf-kit:stego audio.wav
/ctf-kit:stego ./media/