Stegcracker Not Finding Known Password

Question

Stegcracker Not Finding Known Password

papafett opened this issue 6 years ago · comments

Hi,

I'm doing a hackthebox challenge and using stegcracker for some steg CTFs. Unfortunately it doesn't seem to be working for me, when I run it against an image I know the passphrase for (and put that in my list) it never gets it, I just get:


$ sudo /bin/stegcracker first.jpg guesses.txt
StegCracker - (https://github.com/Paradoxis/StegCracker)
Copyright (c) 2018 - Luke Paris (Paradoxis)

Attacking file 'first.jpg' with wordlist 'guesses.txt'..
\x1B[31mError:\x1B[0m Failed to crack file, ran out of passwords.

I've attached the files I'm using

guesses.txt

Luke Paris · Answer 1 · Fri Jul 20 2018 19:27:25 GMT+0800 (China Standard Time)

Thanks for the bug report, I'll try to look at it this weekend :)

Luke Paris · Answer 2 · Fri Jul 20 2018 19:28:47 GMT+0800 (China Standard Time)

@papafett Could you tell me which password it should be exactly? Makes it a bit easier to debug

Luke Paris · Answer 3 · Fri Jul 20 2018 19:39:35 GMT+0800 (China Standard Time)

Might be related to the fact guesses.txt doesn't end with a newline, as the read specs state:

The read utility shall read a single line from standard input.

By default, unless the -r option is specified, shall act as an escape character. An unescaped shall preserve the literal value of the following character, with the exception of a . If a follows the , the read utility shall interpret this as line continuation. The and shall be removed before splitting the input into fields. All other unescaped characters shall be removed after splitting the input into fields.

If standard input is a terminal device and the invoking shell is interactive, read shall prompt for a continuation line when it reads an input line ending with a , unless the -r option is specified.

The terminating (if any) shall be removed from the input and the results shall be split into fields as in the shell for the results of parameter expansion (see Field Splitting); [...]

Changing line 73 to the following might fix your problem:

done < <(grep "" $wordlist)

Luke Paris · Answer 4 · Wed Jul 25 2018 04:59:57 GMT+0800 (China Standard Time)

Tested & fixed

Wall of Sheep · Answer 5 · Wed Mar 27 2019 07:29:55 GMT+0800 (China Standard Time)

Did the following with the same issue noted above:

Updated to the latest:
pip3 install stegcracker -U --force-reinstall

steghide embed -cf image.jpg -ef secret.txt
created a password of "password" and several other words in it for testing.

created a file named dict.txt with the word "password" in it.
ran:
stegcracker image.jpg dict.txt
Error: Failed to crack file, ran out of passwords.

Tried downloading tom.txt and using a password from that file with a image.jpg and I get the same error.