How to hide a file inside another file
Assume the following scenario! you are a spy and you want to hide your files! Since you are an expert spy you know that just making your…
Assume the following scenario! you are a spy and you want to hide your files! Since you are an expert spy you know that just making your files hidden in the OS level is not a very sufficient way to hide them! In this article, I will show you another way which is not the most clever but is easy to implement, and learning new things is always a fun activity to do!
Select a container file
We need a file that we will hide in a file, let's use this file! a kitten image! who would suspect such a sweet kitten?
https://upload.wikimedia.org/wikipedia/commons/b/bc/Juvenile_Ragdoll.jpg
Secrets everywhere!
Now we will create a file with our super secret message, and create a file named message.txt with the following content
This is my super secret messageNow compress the file with the following command
zip --password yourpassword message.zip message.txt- The password option creates a password-secured zip file, this option is not required but can provide an extra layer of security
Merge the two files into one
To merge the two files into one we can use the cat command, you might wonder why to use an image file and not something else. The reason is that an image file that has a hidden file inside does not raise any suspicions since the file image is still viewable!
cat Juvenile_Ragdoll.jpg message.zip > cat.jpgNow a file cat.jpg has been created and we are ready!
How to extract the hidden file
To extract the hidden file exists numerous ways! but let's work only with two of them, the first one is with the use of binwalk , binwalk is a tool that searches for file signatures inside a file and if detects one it extracts the file
❯ binwalk -e cat.jpg
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, EXIF standard
12 0xC TIFF image data, little-endian offset of first image directory: 8
33192 0x81A8 TIFF image data, little-endian offset of first image directory: 8
3590426 0x36C91A Zip archive data, encrypted at least v1.0 to extract, compressed size: 44, uncompressed size: 32, name: message.txt
3590636 0x36C9EC End of Zip archive, footer length: 22We can see that it detected the zip file inside the image file and automatically created a directory with the name of _cat.jpg.extracted with two files, one zip that contains the zip file we hide and message.txt which is empty because the zip file is password-protected.
cd _cat.jpg.extracted
❯ find .
.
./36C91A.zip
./message.txtFinding hidden files manually
Now let's talk about the second way! do you know why we compressed the message file? One reason apart from security is that a specialized file like a zip contains header bytes (magic numbers) that can help us identify from where the zip file starts and this is how we can manually identify and extract the zip, first, we need to convert the file to a hex dump
hexdump -v -e '/1 "%02X "' cat.jpg > cat.hexTo make things easier let's suppose that we know that we are looking for a zip file, the hex signature of zip files is 50 4B 03 04 . This means that files compressed with pkzip algorithm start from these bytes, so since we know that there are two files merged one after the other if we take all bytes starting from the signature we should extract the zip file! Let's do this
cat cat.hex | grep -o '50 4B 03 04.*' | tr -d ' ' > message.hexThis command will generate a hex dump of the second file, the zip file, now we need to convert it to binary!, we can do this with xxd
cat message.hex | xxd -r -p > message.zipLet's try to unzip the file, it will ask for a password and the output will be message.txt which was the file that originally we wanted to hide
unzip message.txtConclusion
I hope that you enjoyed this article and was easy to read to understand, probably you will not use such methods in your day to day job but I think its nice to learn exciting new things! :)