Sunday, March 31, 2019

Image Anti-Forensics: Cal Poly FAST CTF Challenge 7


Question: The flag is in this image. What is it? Format: fastctf{flag}
Hint: The magic is missing, don't believe the image now.
Answer: fastctf{PNGesus}

In this challenge, a given image file contains a flag and you must find it in there. This leads to many possibilities. Is it stego? Is it hiding in the strings? How is it in the image? These are good questions to ask. Trying to open the image should give you a message from your image viewer saying the file format is unsupported.




So this file format is not supported. What kind of file is this exactly? This is where the “file” command comes to the rescue: it identifies a file by its contents rather than by its extension. You can use the file command on Linux or in Cygwin (a POSIX compatibility layer for Windows).

file file7.jpeg




It appears “file” has failed us, since it reports only “data”, which is what it prints when the leading bytes match no known signature. If this file is a JPEG, it should have some metadata that Exiftool can see.




Exiftool responds with very little useful information other than a file format error, which would explain why our picture viewer failed to display the image. As with all CTF challenges, it is always good to run the strings and binwalk commands. Our hint tells us, “The magic is missing, don't believe the image now.”, and from strings we find the string “what’s the magic number?”.





A magic number (file signature) is a fixed byte sequence, normally at the very start of a file, that identifies its format. Not every format has one (plain text does not), and Windows chooses a handler by extension alone, but the Linux “file” command and most image libraries check the signature, so an image with a wrong signature is rejected no matter what the extension says. All JPEG files start with the byte sequence “FF D8 FF”: FF D8 is the Start of Image marker and the next marker begins with FF. Using a hex editor, we can examine the header of the file and change it if we need to. HxD is a free, simple, and easy to use hex editor for Windows (https://mh-nexus.de/en/hxd/). Bless is an alternative hex editor for Linux, and xxd works from the command line. Opening file7.jpeg reveals our issue.




The magic number should be at the very start of the file, but instead all we see are zeros. Someone has overwritten the first bytes of the file with zeros rather than cutting them off, so the file is still the same length and the rest of its structure is intact. This explains why the file command could not identify it. We can write “FF D8 FF” over the zeros at the start of the file and, if this is a JPEG, it should display properly. After editing the file and opening it, we see this:




Now the image file will not open at all. Our extension and header both say JPEG, so why is this happening? Let’s look back at our hint: “The magic is missing, don't believe the image now.”. So the magic number was missing, but it turns out that this is not actually a JPEG file at all: a viewer checks more than the first three bytes, and the JPEG marker structure it expects after the signature is simply not there. Determining the original format can be tricky when both the header and the extension have been edited. Checking strings is usually our best bet, and the number of zeroed bytes is itself a clue, since a JPEG signature is 3 bytes long and a PNG signature is 8. However, it was stated in both the question and the hint that this is an image file. In that case we can keep trying different headers with their matching extensions until the file opens properly. Common image formats include:

Format      Magic number (hex, at offset 0)                         ASCII
JPEG/JPG    FF D8 FF                                                (not printable)
PNG         89 50 4E 47 0D 0A 1A 0A                                 .PNG....
GIF         47 49 46 38 37 61 or 47 49 46 38 39 61                  GIF87a or GIF89a
BMP         42 4D                                                   BM
TIFF        49 49 2A 00 (little-endian) or 4D 4D 00 2A (big-endian) II*. or MM.*

For a list of magic numbers and associated file formats, check out: https://en.wikipedia.org/wiki/List_of_file_signatures.

file7.jpeg is actually a PNG image. Once we write “89 50 4E 47 0D 0A 1A 0A” over the zeros and rename the file to file7.png, the image opens properly.

Now we can see the flag is “fastctf{PNGesus}”. In hindsight I may have made this challenge a little too tricky. Beyond the magic number, there are still data chunks you could have examined to determine that it was a PNG file: every PNG begins with an IHDR chunk right after the 8-byte signature and ends with an IEND chunk, and each chunk carries its four-letter type in ASCII, so “IHDR”, “IDAT” and “IEND” show up in a hex dump and in strings output even when the signature is gone. You can read more about the PNG file structure here: http://libpng.org/pub/png/spec/1.2/PNG-Structure.html
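The chunk-based identification described above, and the signature repair from earlier in the post, as an added Python example that is not part of the original write-up. It builds a constructed stand-in for file7.jpeg (a valid 1x1 PNG with its first 8 bytes zeroed), shows that a signature lookup like the one “file” does reports only “data”, then walks the chunk stream (length, type, data, CRC-32) to confirm the PNG layout and rewrites the signature in place. The function names and the sample file are mine; they are not from the challenge.

```python
"""Identify and repair a PNG whose 8-byte signature was zeroed in place."""
import struct
import sys
import zlib

# Signatures at offset 0, the same set as the table in the post plus big-endian TIFF.
SIGNATURES = {
    "JPEG": [b"\xff\xd8\xff"],
    "PNG": [b"\x89PNG\r\n\x1a\n"],
    "GIF": [b"GIF87a", b"GIF89a"],
    "BMP": [b"BM"],
    "TIFF": [b"II*\x00", b"MM\x00*"],
}
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def identify_by_magic(data: bytes) -> str:
    """First thing `file` does: compare the leading bytes against known signatures."""
    for fmt, magics in SIGNATURES.items():
        if any(data.startswith(m) for m in magics):
            return fmt
    return "data"  # what `file` prints when nothing matches


def walk_png_chunks(data: bytes) -> list:
    """Parse the chunk stream that starts at offset 8, ignoring whatever the first 8 bytes say.

    Each chunk is a 4-byte big-endian length, a 4-byte ASCII type, <length> data bytes and a
    CRC-32 over type+data. Returns the chunk types in order; raises ValueError if the layout
    is not a PNG chunk stream (bad CRC, truncated chunk, no IHDR first or no IEND last).
    """
    types = []
    pos = 8
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if len(body) != length or zlib.crc32(ctype + body) != crc:
            raise ValueError(f"bad chunk at offset {pos}")
        types.append(ctype.decode("ascii"))
        pos += 12 + length
        if ctype == b"IEND":
            break
    if not types or types[0] != "IHDR" or types[-1] != "IEND":
        raise ValueError("not a PNG chunk stream")
    return types


def looks_like_png(data: bytes) -> bool:
    """Structural check that works even when the signature is zeroed or replaced."""
    try:
        walk_png_chunks(data)
        return True
    except (ValueError, struct.error):
        return False


def repair_png_signature(data: bytes) -> bytes:
    """Overwrite (not prepend) the first 8 bytes: the challenge zeroed them in place."""
    return PNG_SIGNATURE + data[8:]


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def make_challenge_file() -> bytes:
    """Constructed sample standing in for file7.jpeg: a valid 1x1 grey PNG, signature zeroed."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit greyscale, no interlace
    idat = zlib.compress(b"\x00\x7f")                   # filter byte 0 + one grey pixel
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    return b"\x00" * 8 + png[8:]


def solve(data: bytes) -> dict:
    """Whole workflow: magic lookup, structural check, in-place repair, re-check."""
    result = {"magic_before": identify_by_magic(data), "png_structure": looks_like_png(data)}
    if result["png_structure"]:
        fixed = repair_png_signature(data)
        result["magic_after"] = identify_by_magic(fixed)
        result["chunks"] = walk_png_chunks(fixed)
        result["fixed"] = fixed
    return result


if __name__ == "__main__":
    # Usage: python fixpng.py [input] [output]; with no arguments it uses the constructed sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_challenge_file()
    r = solve(blob)
    print(r["magic_before"], r["png_structure"], r.get("magic_after"), r.get("chunks"))
    if len(sys.argv) > 2 and "fixed" in r:
        open(sys.argv[2], "wb").write(r["fixed"])
```

The structural check deliberately skips the first 8 bytes, so it still recognises the file after the mistaken “FF D8 FF” edit from earlier in the post, which is exactly the evidence the hint was pointing at. The repair writes over the existing bytes rather than inserting new ones; in a hex editor that means overwrite mode, not insert mode, or the chunk offsets shift and the CRC checks fail.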
