---
title: peaCTF 2019 (Round1) - [Forensic] We are E.xtr (350pts)
author: Maltemo
tags: CTF, peaCTF, Forensic, PNG
---
peaCTF 2019 (Round1) - [Forensic] We are E.xtr (350pts)
===
Written by [Maltemo](https://twitter.com/Maltemo), member of team [SinHack](https://sinhack.blog/).
[TOC]
## Statement of the challenge
### Description
No description, only a file
### File
The file attached was `E.xtr` and contained raw data.
## Analysis :mag:
I started by trying to work out the type of this file.
I used the `file` command, which does exactly this:
```shell=
file E.xtr
> E.xtr: data
```
Then I used the `strings` command to search for the flag in the binary:
```shell=
strings E.xtr
IHDR
sRGB
gAMA
fPLTE
@@@(((
xxx
ppp000
XXX888
"tRNS
pHYs
IDATx^
T0g^
[...]
)_UX
lb7w
A!xB
IEND
```
:::warning
`[...]` isn't in the file; it just marks that only part of the result is shown.
Also, at this step I could have guessed the answer. But I was too focused on getting a flag string.
:::
I searched online for software that opens files with the .xtr extension.
It didn't give me much information.
I went on other challenges and learned new things.
I came back and decided to use the command `xxd` to see what is inside the binary file:
```shell=
xxd E.xtr | head
00000000: 8958 5452 0d0a 1a0a 0000 000d 4948 4452 .XTR........IHDR
00000010: 0000 0500 0000 02d0 0803 0000 018f a41d ................
00000020: f200 0000 0173 5247 4200 aece 1ce9 0000 .....sRGB.......
00000030: 0004 6741 4d41 0000 b18f 0bfc 6105 0000 ..gAMA......a...
00000040: 0066 504c 5445 ffff ffdf dfdf 7f7f 7f40 .fPLTE.........@
00000050: 4040 2828 2800 0000 1818 1850 5050 f7f7 @@(((......PPP..
00000060: f7af afaf 9797 9710 1010 6868 68e7 e7e7 ..........hhh...
00000070: 2020 2078 7878 9f9f 9f08 0808 bfbf bf8f    xxx..........
00000080: 8f8f c7c7 c7a7 a7a7 7070 7030 3030 6060 ........ppp000``
00000090: 60cf cfcf b7b7 b758 5858 3838 38ef efef `......XXX888...
```
And I thought :
>*"WAIT A MINUTE, It really looks like the format of a PNG image file header !"*
[name=Maltemo]
I searched on [Wikipedia](https://en.wikipedia.org/wiki/Portable_Network_Graphics#Critical_chunks) and found critical chunks similar to what I got in this header, except for the `PNG` ASCII identifier string in the header.
## Solution :unlock:
I edited the file with a console text editor (vim), and replaced the letters `XTR` with `PNG`.
![](https://i.imgur.com/BFwMcqO.png) :arrow_forward: ![](https://i.imgur.com/MjryMeU.png)
I ran the `file` command to check that the type had changed correctly:
```shell=
file E.xtr
>E.xtr: PNG image data, 1280 x 720, 8-bit colormap, interlaced
```
So I opened the image and the flag was there !
![](https://i.imgur.com/VUyNBgB.png)
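The same check and repair can be done programmatically. The script below is an added example, not part of the original write-up: it ignores the magic string, decides whether the data is a PNG from its chunk structure (IHDR first, IEND last, every CRC valid), and only then restores the signature. The function names are hypothetical, and the sample file is constructed inline to mimic the challenge's `XTR` header.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def walk_chunks(data):
    """Yield (type, crc_ok) for each chunk after the 8-byte signature."""
    pos = 8
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length
        if end + 4 > len(data):
            break  # truncated chunk: stop rather than read past the end
        (stored,) = struct.unpack(">I", data[end:end + 4])
        # The CRC covers the chunk type and the chunk data, not the length.
        yield ctype, zlib.crc32(data[pos + 4:end]) == stored
        pos = end + 4
        if ctype == b"IEND":
            break

def looks_like_png(data):
    """True when the chunk structure is valid PNG, whatever the magic says."""
    chunks = list(walk_chunks(data))
    return (len(chunks) >= 2 and chunks[0][0] == b"IHDR"
            and chunks[-1][0] == b"IEND" and all(ok for _, ok in chunks))

def repair_signature(data):
    """Return data with the PNG signature restored, or None if not a PNG."""
    if not looks_like_png(data):
        return None
    return PNG_SIG + data[8:]

def _chunk(ctype, body):
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body)))

def make_sample():
    """Constructed 1x1 grayscale PNG whose magic reads XTR, as in the challenge."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    return png[:1] + b"XTR" + png[4:]

if __name__ == "__main__":
    damaged = make_sample()
    fixed = repair_signature(damaged)
    print(damaged[:8], "->", fixed[:8])
    print([(t.decode(), ok) for t, ok in walk_chunks(fixed)])
```

Because the CRC check covers every chunk, the same walk also shows whether anything beyond the signature was tampered with.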
### TL;DR
The file was a PNG image that had been modified.
You need to change it back to PNG format.
### Flag :white_check_mark:
The flag is **peaCTF{read_banned_it}**
___
<a rel="license" href="http://creativecommons.org/licenses/by-nc-nd/4.0/"><img alt="Creative Commons License" style="border-width:0" src="https://i.creativecommons.org/l/by-nc-nd/4.0/88x31.png" /></a><br />This work is licensed under a <a rel="license" href="http://creativecommons.org/licenses/by-nc-nd/4.0/">Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License</a>.