# Warmup Forensics

{% hint style="info" %}
**Additional Information:**  We did not manage to solve this challenge during the CTF, but we tried it after the event was over, and we managed to solve the challenge!
{% endhint %}

> Forensics Warmup!!! This challenge should take you less than 133.7 seconds to solve!

This is an interesting challenge that we faced. We were given a file named `broken` and, as always, we ran the `file` and `binwalk` commands to find out more about the file.

```bash
file broken
```

![](/files/ALpSfztiY2ZqVqeJAbV4)

Unfortunately, the `file` command did not give us any fruitful result. :cry:

However, the `binwalk` command did give us something! It tells us that the file is Zlib compressed data :thinking:

```bash
binwalk broken
```

![](/files/LMgifcnJRs1ZZYtZcB7m)

Naturally, we uncompressed the file and extracted its contents! We received two files named `5B` and `5B.zlib`.

```bash
binwalk -e broken
```

![](/files/C7KFr9a4f9sxlmQsJVSa)

We continued uncompressing the **zlib** file only to find out that there is **ANOTHER** zlib file inside of `5B.zlib`.

{% hint style="info" %}
**Key Information:** This was our pivotal moment, as we decided to approach this challenge differently.
{% endhint %}

We got really skeptical at this point, as we doubted that it could be another challenge similar to [Gift From Russia](/ctfs/2022/standcon-2022/gift-from-russia.md). :thinking:

Since this challenge falls under the category of **Forensics**, we began looking into the file header of the `broken` file.

We used the `xxd` command, which creates a hex dump of a given file. ([What is xxd](https://www.tutorialspoint.com/unix_commands/xxd.htm))

```bash
xxd broken | head
```

![](/files/fvhURirtlKAaJZn1fIaP)

Things start to get really interesting! As shown above, the [file header](https://pinpointlabs.com/what-are-file-headers-signatures/) (`STANDCON22`) is not a valid signature that the computer can recognize.

Now the next question we had was:

> What would be the right file header/signature?

On the **third** line, we noticed the word `sRGB` and after some Googling, we found out that this `broken` file is supposed to be a `png` file! ([More information on sRGB and PNG](http://www.libpng.org/pub/png/spec/1.2/png-1.2-pdg.html)) :exploding\_head:

We fired up our hex editor and fixed the file header (thanks to the [list of File Signatures](https://en.wikipedia.org/wiki/List_of_file_signatures) on Wiki).

![](/files/5FGJaM5CVop0kVVIEuW4)

* PNG File Signature
  * `89 50 4E 47 0D 0A 1A 0A`

![](/files/MtPHUammavvHiD2TnmnE)

We saved our changes and renamed our file from `broken` to `broken.png`

```bash
mv broken broken.png
```

We tried opening the file, but we received an error stating that the file is corrupted.

We did some Googling and found this amazing [write-up](https://ctftime.org/writeup/14396) on how to fix `png` files using [pngcheck](http://libpng.org/pub/png/apps/pngcheck.html) and [PCRT](https://github.com/sherlly/PCRT).

* **pngcheck**
  * Verifies the integrity of PNG, JNG and MNG files
* **PCRT**
  * A tool to help check whether a PNG image is correct and try to auto-fix errors. It is cross-platform and runs on Windows, Linux and Mac OS.

We renamed our `broken.png` back to `broken` and used `pngcheck` to see what was wrong with the file, and it turns out that our image dimensions (width, height) have been set to zero! :astonished:

```bash
pngcheck broken
```

![](/files/j1SOoweKZjyeyGCuLw9U)

We used `exiftool` to confirm that the image dimensions are indeed set to 0x0.

```bash
exiftool broken
```

![](/files/lUKYSrXDeI4qSN2QeMbF)

After confirming, we immediately ran the PCRT tool to try and fix the image.

```bash
python PCRT.py -i broken
```

![](/files/TOCzobzwGs2WaeRANfUs)

Unfortunately, this did not work. We waited for quite some time for it to "fix" the image, but nothing was happening, and we became **Thanos** for a moment.

> Fine, I'll do it myself - Thanos

![huhuhu, you thought i ran out of memes after Grey Cat The Flag 2022?!](/files/LfwARq6lw9fUwRN8BVwz)

We decided to fix the dimensions on our own. With some Googling, we found an interesting [LinkedIn post](https://www.linkedin.com/pulse/hex-editing-width-height-png-files-ciaran-mc-ardle/) on hex editing the **Width** and **Height** of `png` files.

![hex editing width & height](/files/QwphaVWpJWL59OUwdo1R)

As it turns out, the one highlighted in <mark style="color:red;">**Red**</mark> is the **Width**, and highlighted in <mark style="color:green;">**Green**</mark> is the **Height.**

Hexadecimal to decimal conversion:

* `07 80` - 1920 pixels
* `04 38` - 1080 pixels

**Et voila!** We managed to fix the image and get the flag!! Also a cute dolphin! :tada:

![](/files/tF9gZ2fzZBvz7T8xs2x8)

**Flag:** `STANDCON22{W@RMUP_lia00000}`
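
The two manual repairs above can also be scripted. This is an added example, not part of the original write-up or of PCRT: it restores the PNG signature and, assuming the IHDR chunk's stored CRC still reflects the original dimensions, searches for the width and height that reproduce that CRC. The function names and the sample bytes are constructed for illustration.

```python
import struct
import zlib

PNG_SIGNATURE = bytes.fromhex("89504E470D0A1A0A")

def ihdr_crc_ok(data):
    """True if the stored IHDR CRC matches the chunk type + 13 data bytes."""
    return zlib.crc32(data[12:29]) == struct.unpack(">I", data[29:33])[0]

def repair_png_header(data, max_dim=4096):
    """Restore the signature and recover zeroed dimensions from the IHDR CRC.

    Returns (fixed_bytes, width, height)."""
    buf = bytearray(data)
    buf[:8] = PNG_SIGNATURE                       # bytes 0-7: file signature
    length, ctype = struct.unpack(">I4s", buf[8:16])
    if length != 13 or ctype != b"IHDR":
        raise ValueError("first chunk is not a 13-byte IHDR")
    if ihdr_crc_ok(buf):                          # dimensions already consistent
        return (bytes(buf), *struct.unpack(">II", buf[16:24]))
    stored = struct.unpack(">I", buf[29:33])[0]
    tail = bytes(buf[24:29])                      # bit depth .. interlace method
    suffixes = [struct.pack(">I", h) + tail for h in range(1, max_dim + 1)]
    for w in range(1, max_dim + 1):
        # CRC over "IHDR" + width is computed once per width, then extended.
        prefix = zlib.crc32(b"IHDR" + struct.pack(">I", w))
        for h, suffix in enumerate(suffixes, start=1):
            if zlib.crc32(suffix, prefix) == stored:
                buf[16:24] = struct.pack(">II", w, h)
                return bytes(buf), w, h
    raise ValueError("no width/height up to max_dim matches the stored CRC")

def make_broken_sample(width, height):
    """Constructed input: junk signature, zeroed dimensions, original CRC."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + ihdr)
    return (b"BROKEN!!" + struct.pack(">I", 13) + b"IHDR"
            + bytes(8) + ihdr[8:] + struct.pack(">I", crc))

if __name__ == "__main__":
    fixed, w, h = repair_png_header(make_broken_sample(300, 200), max_dim=512)
    print(w, h, ihdr_crc_ok(fixed))
```

If the search finds nothing, the stored CRC was probably altered as well, and the dimensions have to be recovered another way, as we did by hand.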

## Challenge Files

{% file src="/files/Xu9dNA8C2mrC92opaaZQ" %}


