PicoCTF - Master Challenge 2

Write-Ups

Posted on April 14, 2017 as PicoCTF 2017. 3 minutes read.

Missing Identity - 100 PTS

Turns out, some of the files back from Master Challenge 1 were corrupted. Restore this one file and find the flag.

We can try to scan the file for any pieces of strings, containing flag or clues for further approach.

[email protected] ~/Pobrane> strings file
.
.
.
fHS
>Pzd
J8Da
W+P.
8FQtf
Y)e^
IEND
flag.pngPK
nottheflag1.pngPK
J$L %
nottheflag2.pngPK
nottheflag3.pngPK
nottheflag4.pngPK
nottheflag5.pngPK
nottheflag6.pngPK
nottheflag7.pngPK

At the end of the provided output we can see 8 file names with additional PK letters appended to it. Quick google search shows us that PK are the initals of Phil Katz, co-creator of the ZIP file format and author of PKZIP. You can read more here.

As it's not that easy to just change the file name and extract from the archive, we will have to take a closer look at the structure of the file. I'm going to use Bliss hexeditor for Linux and hexdump for navigating the hexadecimal values.

[email protected] ~/Pobrane> hexdump -C file > texthexdump.txt

Now we can view the beginning (head) of the texthexdump.

[email protected] ~/Pobrane> head texthexdump.txt
00000000  58 58 58 58 58 58 00 00  08 00 22 44 7f 4a b4 8b  |XXXXXX...."D.J..|
00000010  e4 67 2b 90 00 00 1c 90  00 00 08 00 00 00 66 6c  |.g+...........fl|
00000020  61 67 2e 70 6e 67 00 66  40 99 bf 89 50 4e 47 0d  |[email protected]|
00000030  0a 1a 0a 00 00 00 0d 49  48 44 52 00 00 02 81 00  |.......IHDR.....|
00000040  00 00 3c 08 02 00 00 00  96 fa f7 6d 00 00 8f e3  |..<........m....|
00000050  49 44 41 54 78 9c ec fd  59 af 6c d9 96 1e 86 8d  |IDATx...Y.l.....|
00000060  31 9b d5 45 1f bb 3f 6d  b6 37 33 6f de ae ea 96  |1..E..?m.73o....|
00000070  cc 2a 56 d9 34 8b b2 20  1b 86 4c 91 80 21 d8 16  |.*V.4.. ..L..!..|
00000080  0c 43 06 fc e6 27 fd 0c  c2 80 fc e2 27 fa c1 10  |.C...'......'...|
00000090  6c 58 76 d1 86 21 c0 b2  45 53 02 2d 36 2e 56 cb  |lXv..!..ES.-6.V.|

We can clearly see the cause of the problem. Every file starts with the file signature, but this one has been overwritten with X characters. We can even view this error while trying to unzip this file.

[email protected] ~/Pobrane> unzip file
Archive:  file
file #1:  bad zipfile offset (local header sig):  0
  inflating: nottheflag1.png         
  inflating: nottheflag2.png         
  inflating: nottheflag3.png         
  inflating: nottheflag4.png         
  inflating: nottheflag5.png         
  inflating: nottheflag6.png         
  inflating: nottheflag7.png

Let's repair this with correct signature, which is 50 4B 03 04 00 00.

Editing in bless

We have everything for the last step - zip -F which will try to somehow repair the file.

[email protected] ~/Pobrane> zip -F file.zip --out new.zip
Fix archive (-F) - assume mostly intact archive
Zip entry offsets do not need adjusting
 copying: flag.png
	zip warning: Local Version Needed To Extract does not match CD: flag.png
 copying: nottheflag1.png
 copying: nottheflag2.png
 copying: nottheflag3.png
 copying: nottheflag4.png
 copying: nottheflag5.png
 copying: nottheflag6.png
 copying: nottheflag7.png

And here's our flag.

Flag

Now let's write this down and submit the flag.

Keep learning and stay safe!

~ W3ndige