Deep Down There's something in the water... — UMass Cybersecurity CTF

Challenge

Provided file: CHALL.gif

This challenge gave a small animated GIF. The important clue was that it was an indexed-color format, so the hidden content could live in palette indices rather than in EXIF, appended data, or classic LSB channels.

Recon

Basic triage showed a normal GIF with no obvious extra payload:

file CHALL.gif
# GIF image data, version 89a, 100 x 70

exiftool CHALL.gif
# GIF Version : 89a
# Image Size  : 100x70
# Frame Count : 12

So the file was a GIF89a, size 100x70, with 12 frames.

Standard file-level checks did not reveal anything useful, which pushed the investigation toward the GIF's indexed-color structure. The task already had extracted frames and helper images under:

• ./tasks/umasscybersec/Deep Down There's something in the water.../frames/
• ./tasks/umasscybersec/Deep Down There's something in the water.../indexviz/
• ./tasks/umasscybersec/Deep Down There's something in the water.../analysis/

The analysis directory included a montage and separated glyph view, which helped confirm that the hidden text sat inside the water region.

Analysis

The key idea is palette-index steganography in a GIF.

In an indexed image, a pixel does not directly store RGB values. It stores a palette index. If two palette entries are visually identical or nearly identical, the picture can look unchanged to the eye while still encoding different information through index choice.

That is exactly what happened here:

• the GIF palette contained duplicate-looking / near-duplicate colors
• those indices were used selectively in the water region
• when one suspicious index was recolored independently, hidden red text appeared

For this kind of task, preserving palette information is critical. A naive RGB conversion destroys the distinction between equal-looking palette entries. Pillow can avoid that problem with:

...