Warmup Forensics

warming up the forensics skillsss!!!

Additional Information: We did not manage to solve this challenge during the CTF, but we tried it after the event was over, and we managed to solve the challenge!

Forensics Warmup!!! This challenge should take you less than 133.7 seconds to solve!

This is an interesting challenge that we faced. We were given a file named broken and as always, we ran the file and binwalk command to find out more about the file.

file broken

Unfortunately, the file command did not give us any fruitful result. 😢

However, the binwalk command did give us something! It tells us that it is a Zlib compressed data 🤔

binwalk broken

Naturally, we uncompress the file and extracted the contents out! We received a file named 5B and 5B.zlib

binwalk -e broken

We continued uncompressing the zlib file only to find out that there is ANOTHER zlib file inside of 5B.zlib.

Key Information: This was our pivotal moment, as we decided to approach this challenge differently.

We got really skeptical at this point as we doubt that it could be another challenge similar to Gift From Russia. 🤔

Since this challenge falls under the category of Forensics. We began looking into the file header of broken file.

We used the xxd command, which creates a hex dump of a given file. (What is xxd)

xxd broken | head

Things starts to get really interesting! As shown above, the file header is not valid for the computer to recognize, e.g. STANDCON22.

Now the next question we had was;

What would be the right file header/signature?

On the third line, we noticed the word sRGB and after some Googling, we found out that this broken file is a supposed to be a png file! (More information on sRGB and PNG) 🤯

We fired up our hex editor and fixed the file header (thanks to the list of File Signatures on Wiki)

• PNG File Signature

  • 89 50 4E 47 0D 0A 1A 0A

We saved our changes and renamed our file from broken to broken.png

mv broken broken.png

We tried opening the file but we received an error stating that the file is corrupted.

We did some Googling and found this amazing write-up on how to fix png files using pngcheck and PCRT.

• pngcheck

  • Verifies the integrity of PNG, JNG and MNG files

• PCRT

  • A tool to help check if PNG image correct and try to auto fix the error. It's cross-platform, which can run on Windows, Linux and Mac OS.

We renamed our broken.png back to broken and used pngcheck to see what is wrong with the file, and it turns out that our image dimensions (width, height) has been set to zero! 😲

pngcheck broken

We used exiftool for confirmation whether the image is indeed set to 0x0

exiftool broken

After confirming, we immediately ran the PCRT tool to try and fix the image.

python PCRT.py -i broken

Unfortunately, this did not work. We waited for quite some time for it to "fix" the image, but nothing was happening, and we became Thanos for a moment.

Fine, I'll do it myself - Thanos

huhuhu, you thought i ran out of memes after Grey Cat The Flag 2022?!

We decided to fix the dimensions on our own. With some Googling, we found an interesting LinkedIn post on hex editing the Width and Height of png files.

hex editing width & height

As it turns out, the one highlighted in Red is the Width, and highlighted in Green is the Height.

Hexadecimal to Decimal convert

• 07 80 - 1920 pixels

• 04 38 - 1080 pixels

Et voila! We managed to fix the image and get the flag!! Also a cute dolphin! 🎉

Flag: STANDCON22{W@RMUP_lia00000}

Challenge Files

3MB

broken