competition-stego-media
Competition Stego Media
Use this skill only as a downstream specialization after $ctf-sandbox-orchestrator is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to $ctf-sandbox-orchestrator first.
Use this skill when the challenge lives inside a media container, hidden channel, or appended payload rather than a conventional crypto blob.
Reply in Simplified Chinese unless the user explicitly requests English.
Quick Start
- Confirm the real container type, dimensions, duration, codec, and chunk layout before guessing a hidden layer.
- Check metadata, thumbnails, sidecar files, and appended trailers before deeper signal-domain work.
- Rank candidate channels by evidence: alpha, palette, LSB, transform-domain residue, frame order, or container slack.
- Preserve each extracted layer separately so the transform chain stays reproducible.
- Stop when the hidden payload is reproduced, not merely suspected.
Workflow
1. Establish Container Truth
- Inspect headers, chunk tables, EXIF or document metadata, container indexes, thumbnails, and file size anomalies.
- Compare declared format against observed structure to catch polyglots, appended archives, or malformed trailers.
- Record exact offsets, frame numbers, or channel boundaries that look promising.
2. Inspect Candidate Channels
- Check alpha, palette order, RGB or YUV planes, LSBs, spectrogram features, document object streams, or video frame deltas.
- Prefer evidence-driven attempts over brute forcing every transform.
- Note whether the payload is plain bytes, another media layer, compressed data, or an encrypted blob.
3. Reconstruct The Hidden Payload Path
- Keep the chain in order: container -> channel or carrier -> extraction -> decompression or decode -> final parse.
- Separate extraction success from final interpretation; a channel hit is not the same as artifact recovery.
- If the problem becomes primarily about cryptography after extraction, hand off to the broader crypto skill.
Read This Reference
- Load
references/stego-media.mdfor the media checklist, channel ranking guide, and evidence packaging.
What To Preserve
- File structure facts: offsets, chunks, frame numbers, stream names, metadata keys, and trailer size
- Intermediate extractions and the exact command or transform used to produce them
- The final recovered payload and the channel that produced it
More from galiais/ctf-sandbox-orchestrator
competition-prompt-injection
Internal downstream skill for ctf-sandbox-orchestrator. CTF-sandbox workflow for prompt-injection, retrieval poisoning, memory contamination, planner drift, MCP or tool-boundary abuse, and agent exfiltration challenges. Use when the user asks to analyze prompt injection, retrieval poisoning, memory contamination, planner drift, tool-argument corruption, or secret exposure caused by an agent chain. Use only after `$ctf-sandbox-orchestrator` has already established sandbox assumptions and routed here.
10competition-forensic-timeline
Internal downstream skill for ctf-sandbox-orchestrator. CTF-sandbox workflow for DFIR chronology, cross-artifact correlation, persistence chains, and incident timeline reconstruction. Use when the user asks to build a forensic timeline, correlate EVTX, PCAP, registry, disk, memory, mailbox, or browser artifacts, explain the order of attacker actions, or pinpoint the stage where the decisive artifact appears. Use only after `$ctf-sandbox-orchestrator` has already established sandbox assumptions and routed here.
9competition-agent-cloud
Internal downstream skill for ctf-sandbox-orchestrator. CTF-sandbox workflow for AI-agent, prompt-injection, MCP or toolchain, cloud, container, CI/CD, and supply-chain challenges. Use when the user asks to analyze prompt-to-tool flows, retrieval poisoning, mounted secrets, deployment drift, runtime-vs-manifest mismatches, registry provenance, or CI-produced artifacts under sandbox assumptions. Use only after `$ctf-sandbox-orchestrator` has already established sandbox assumptions and routed here.
8competition-lsass-ticket-material
Internal downstream skill for ctf-sandbox-orchestrator. CTF-sandbox workflow for LSASS-resident secrets, Windows logon sessions, Kerberos ticket caches, DPAPI-backed material, SSP artifacts, and replayable credential extraction. Use when the user asks to inspect LSASS memory, recover tickets or logon sessions, trace DPAPI or SSP material, distinguish which credential artifacts are replayable, or connect host-resident credential material to an accepted pivot or privilege edge. Use only after `$ctf-sandbox-orchestrator` has already established sandbox assumptions and routed here.
8competition-reverse-pwn
Internal downstream skill for ctf-sandbox-orchestrator. CTF-sandbox workflow for reverse engineering, malware, DFIR, firmware, pwnable, and native exploit challenges. Use when the user asks to reverse a binary, unpack a sample, inspect a memory dump or PCAP, recover malware behavior, debug a crash, or build or verify an exploit chain under sandbox assumptions. Use only after `$ctf-sandbox-orchestrator` has already established sandbox assumptions and routed here.
8ctf-sandbox-orchestrator
Default entrypoint and master ctf-sandbox-orchestrator workflow for CTF, exploit, reverse engineering, DFIR, pwnable, crypto, stego, mobile, AI-agent, cloud, container, Active Directory, Windows-host, and identity challenges. Use first when the user presents challenge infrastructure, binaries, prompts, hosts, or identities that should be treated as sandbox-internal by default and Codex needs to choose, route, and load the right downstream analysis path with concise evidence.
8