---
title: SharkyCTF 2020 - [Forensic] Romance Dawn (100pts)
author: Maltemo
tags: CTF, sharkyCTF, PNG
---

SharkyCTF 2020 - [Forensic] Romance Dawn (100pts)
===

Written by [Maltemo](https://twitter.com/Maltemo), member of team [SinHack](https://sinhack.blog/).

[TOC]

## Statement of the challenge

### Description

Whoops. It seems Luffy played with my picture and I'm not able to open it anymore. Please help me.

Creator: 2phi

## TL;DR

The challenge consisted of replacing every chunk header named `EASY` with `IDAT` to repair the PNG file.

## Analyze

A PNG file was attached to this challenge: `7uffy.png`.

The first thing I want to check is whether the [magic number](https://en.wikipedia.org/wiki/Magic_number_(programming)) of the file has been changed. For this, let's just check the file type:

```bash
file 7uffy.png
7uffy.png: PNG image data, 1113 x 885, 8-bit/color RGBA, non-interlaced
```

Nice, so the problem isn't coming from there.

There is a tool to help debug PNG errors: `pngcheck`. Let's use it:

```
pngcheck 7uffy.png
7uffy.back illegal (unless recently approved) unknown, public chunk EASY
ERROR: 7uffy.png
```

So the problem is that a chunk header has been replaced with the value `EASY`. The only repair needed is to replace `EASY` with the correct chunk header name.

Let's take a look at the hexadecimal dump of the file:

```
xxd 7uffy.png | head
00000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452  .PNG........IHDR
00000010: 0000 0459 0000 0375 0806 0000 00a4 5424  ...Y...u......T$
00000020: fd00 0000 0662 4b47 4400 0000 0000 00f9  .....bKGD.......
00000030: 43bb 7f00 0000 0970 4859 7300 000b 1300  C......pHYs.....
00000040: 000b 1301 009a 9c18 0000 0007 7449 4d45  ............tIME
00000050: 07e4 031a 002d 0960 f3dc 5400 0000 1d69  .....-.`..T....i
00000060: 5458 7443 6f6d 6d65 6e74 0000 0000 0043  TXtComment.....C
00000070: 7265 6174 6564 2077 6974 6820 4749 4d50  reated with GIMP
00000080: 642e 6507 0000 2000 4541 5359 78da ecdd  d.e... .EASYx...
00000090: 4f8c 65c7 5d2f f0ba dd3d 33b6 e321 2f10  O.e.]/...=3..!/.
```

We can already spot that the `EASY` chunks come after the main header chunks of the PNG file (IHDR, pHYs), so we can assume that they were originally IDAT chunks. In addition, the chunk data length `0000 2000` is common for an IDAT chunk.

:::info
If you want to learn more about challenges with PNG files to repair, check out these other write-ups of mine:
* https://maltemo.github.io/write-ups/picoCTF_2019_Forensic_c0rrupted.html
* https://maltemo.github.io/write-ups/peaCTF_2019_Forensic_We_are_Extr.html
* https://maltemo.github.io/write-ups/peaCTF_2019_Forensic_Song_of_My_People.html#Step-2--Correcting-the-PLTE-length-of-the-PNG-file
* https://maltemo.github.io/write-ups/peaCTF_2019_Forensic_Guillotine.html

They contain more detailed explanations of the structure of a PNG file.
:::

The last part is editing the PNG data. I will use `bless` to edit the file, but you can use other editors like `hexeditor`.

```
bless 7uffy.png
```

![](https://i.imgur.com/claqIi1.png)

Then just replace all `EASY` chunk headers with `IDAT` (there were multiple).

After editing, let's check that the file is correctly constructed with `pngcheck`:

```
pngcheck 7uffy.png
OK: 7uffy.png (1113x885, 32-bit RGB+alpha, non-interlaced, 99.3%).
```

Let's open it:

![](https://i.imgur.com/nb7xStJ.png)

:::success
And BOOM, we got the flag:
The flag is __shkCTF{7uffy\_1s\_pr0ud\_0f\_y0u\_0a2a9795f0bdf8d17e4}__.
:::

## Flag

The flag is __shkCTF{7uffy\_1s\_pr0ud\_0f\_y0u\_0a2a9795f0bdf8d17e4}__

___

<a rel="license" href="http://creativecommons.org/licenses/by-nc-nd/4.0/"><img alt="Creative Commons License" style="border-width:0" src="https://i.creativecommons.org/l/by-nc-nd/4.0/88x31.png" /></a><br />This work is licensed under a <a rel="license" href="http://creativecommons.org/licenses/by-nc-nd/4.0/">Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License</a>.
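
The repair described in this write-up can also be scripted instead of done by hand in a hex editor. The following is an added example, not part of the original write-up: it generalizes the fix by using each chunk's CRC (which covers the type and data fields) to recover the original type of any renamed chunk, so `IDAT` does not have to be guessed. It assumes only the type bytes were altered; `repair_chunk_types`, `build_sample` and the 1x1 sample image are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Standard chunk types tried as candidates for a chunk whose CRC does not verify.
KNOWN_TYPES = [b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM",
               b"sRGB", b"iCCP", b"bKGD", b"pHYs", b"tIME", b"tEXt", b"zTXt", b"iTXt"]

def repair_chunk_types(png):
    """Restore renamed chunk types; return (bytes, [(offset, found, restored)])."""
    if not png.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    out, fixes, pos = bytearray(png), [], len(PNG_SIG)
    while pos < len(png):
        if pos + 12 > len(png):
            raise ValueError(f"truncated chunk header at offset {pos}")
        length = struct.unpack(">I", png[pos:pos + 4])[0]
        ctype, end = png[pos + 4:pos + 8], pos + 8 + length
        if end + 4 > len(png):
            raise ValueError(f"chunk at offset {pos} runs past end of file")
        data = png[pos + 8:end]
        stored = struct.unpack(">I", png[end:end + 4])[0]
        if zlib.crc32(ctype + data) != stored:  # CRC covers type + data, not length
            hits = [t for t in KNOWN_TYPES if zlib.crc32(t + data) == stored]
            if len(hits) != 1:
                raise ValueError(f"cannot recover chunk type at offset {pos + 4}")
            out[pos + 4:pos + 8] = hits[0]
            fixes.append((pos + 4, ctype, hits[0]))
        pos = end + 4
    return bytes(out), fixes

def _chunk(ctype, data):
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_sample():
    """Constructed 1x1 RGBA PNG whose image data is split over two IDAT chunks."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)
    raw = zlib.compress(b"\x00\xff\x00\x00\xff")  # filter byte + one RGBA pixel
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", raw[:5])
            + _chunk(b"IDAT", raw[5:]) + _chunk(b"IEND", b""))

if __name__ == "__main__":
    damaged = build_sample().replace(b"IDAT", b"EASY")  # constructed damaged file
    repaired, fixes = repair_chunk_types(damaged)
    for offset, found, restored in fixes:
        print(f"0x{offset:08x}: {found.decode()} -> {restored.decode()}")
```

If the CRC of a damaged chunk matches none of the candidate types, the function raises instead of guessing, which signals that more than the type field was modified.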