OpenStego
OpenStego (by Samir Vaidya) is a Java steganography application that embeds data with its RandomLSB algorithm: payload bits are scattered across pseudo-randomly chosen pixel LSB positions, optionally encrypted with AES. That randomization is why plain LSB scanners miss it.
What Aperi'Solve runs
Aperi'Solve attempts extraction with the password you provided on upload, trying both crypto algorithms OpenStego supports:
$ openstego extract -a randomlsb --cryptalgo AES128 -sf image -xd extracted -p "password"
$ openstego extract -a randomlsb --cryptalgo AES256 -sf image -xd extracted -p "password"
The AES256 attempt only runs if the AES128 one fails. Any extracted files are zipped and offered as a download on the result page.
Reading the output
Extracted file: ...— success; download the archive.OpenStego needs a password to work.— you left the password field empty and OpenStego printed its usage text instead of extracting; re-submit with a password.- A wrong password on a real OpenStego file fails differently from a file with no payload at all (invalid-password error vs corrupt/invalid stego data) — the former tells you to keep guessing passwords.
Using OpenStego locally
Running openstego with no arguments opens the GUI. The CLI equivalent
of what Aperi'Solve does (randomlsb is the default algorithm, so -a
can usually be omitted):
$ openstego extract -sf image.png -p password -xd outdir
Installing locally
Download the .deb or .jar from the
GitHub releases — Java
is required:
$ sudo dpkg -i openstego_0.8.6-1_all.deb # or: java -jar openstego.jar
Limitations
- RandomLSB needs a lossless carrier: OpenStego reads and writes PNG/BMP stego files. A JPEG upload will practically never contain an OpenStego payload — for JPEG try steghide, outguess or jpseek.
- Without the right password, an AES-encrypted payload is unrecoverable; there is no fast cracker comparable to stegseek for steghide.
Common CTF patterns
- A PNG challenge that name-drops OpenStego, or an
OPENSTEGOmarker showing up instrings/zsteg LSB dumps — the payload header starts with that magic string. - The password comes from the challenge context: description, metadata (check exiftool) or a previous stage.
- Distinguish errors: invalid-password means the file is an OpenStego carrier — go hunt for the password instead of switching tools.