Here we have a challenge from this year SharifCTF called client01.

• Category: Forensics
• Points: 75

### Solution

As the only thing we get is the home page of some user, I decided to look in for some clues in different places.

As there’s nothing exciting in this process, let’s skip to the moment where in .thunderbird/5bd7jhog.default/ImapMail/imap.gmail.com/[Gmail].sbd/ there were still trashed messages talking about uploaded file on filehosting.org

Piece of message from Kosz or Trash.

That doesn’t tell much. Now I decided to take a look at the file using bless hex editor.

If you look closely, you’ll see slightly broken PNG header which is 89 50 4E 47 0D 0A 1A 0A. Let’s modify ours, by adding value 50, copying the whole hexdump from bless and creating a new file with the copied content.

Bless Hex Editor

### References

https://www.filesignatures.net/index.php?page=search&search=PNG&mode=EXT

Keep learning and stay safe! ~ W3ndige