---
title: peaCTF 2019 (Round1) - [Forensic] We are E.xtr (350pts)
author: Maltemo
tags: CTF, peaCTF, Forensic, PNG
---

peaCTF 2019 (Round1) - [Forensic] We are E.xtr (350pts)
===

Written by [Maltemo](https://twitter.com/Maltemo), member of team [SinHack](https://sinhack.blog/).

[TOC]

## Statement of the challenge

### Description

No description, only a file

### File

The file attached was `E.xtr` and contained raw data.

## Analysis :mag:

I started by trying to understand what type of file this was. I used the `file` command, which does exactly this:

```shell=
file E.xtr
> E.xtr: data
```

Then I used the `strings` command to search for the flag in the binary:

```shell=
strings E.xtr
IHDR
sRGB
gAMA
fPLTE
@@@(((
xxx
ppp000
XXX888
"tRNS
pHYs
IDATx^
T0g^
[...]
)_UX
lb7w
A!xB
IEND
```

:::warning
`[...]` isn't in the file; it just marks that only part of the result is shown.
Also, at this step I could have guessed the answer, but I was too focused on getting a flag string.
:::

I searched online for software that opens files with the .xtr extension. It didn't give me much information.

I went on to other challenges and learned new things.

Then I came back and decided to use the command `xxd` to see what was inside the binary file:

```shell=
xxd E.xtr | head
00000000: 8958 5452 0d0a 1a0a 0000 000d 4948 4452  .XTR........IHDR
00000010: 0000 0500 0000 02d0 0803 0000 018f a41d  ................
00000020: f200 0000 0173 5247 4200 aece 1ce9 0000  .....sRGB.......
00000030: 0004 6741 4d41 0000 b18f 0bfc 6105 0000  ..gAMA......a...
00000040: 0066 504c 5445 ffff ffdf dfdf 7f7f 7f40  .fPLTE.........@
00000050: 4040 2828 2800 0000 1818 1850 5050 f7f7  @@(((......PPP..
00000060: f7af afaf 9797 9710 1010 6868 68e7 e7e7  ..........hhh...
00000070: 2020 2078 7878 9f9f 9f08 0808 bfbf bf8f     xxx..........
00000080: 8f8f c7c7 c7a7 a7a7 7070 7030 3030 6060  ........ppp000``
00000090: 60cf cfcf b7b7 b758 5858 3838 38ef efef  `......XXX888...
```

And I thought:

>*"WAIT A MINUTE, It really looks like the format of a PNG image file header !"* [name=Maltemo]

I searched on [Wikipedia](https://en.wikipedia.org/wiki/Portable_Network_Graphics#Critical_chunks) and found that the critical chunks were similar to what I got in this header, except for the `PNG` ASCII identifier string in the header.

## Solution :unlock:

I edited the file with a console text editor (vim) and replaced the letters `XTR` with `PNG`.

![](https://i.imgur.com/BFwMcqO.png)
:arrow_forward:
![](https://i.imgur.com/MjryMeU.png)

I ran the `file` command to check that the type had changed correctly:

```shell=
file E.xtr
> E.xtr: PNG image data, 1280 x 720, 8-bit colormap, interlaced
```

So I opened the image and the flag was there!

![](https://i.imgur.com/VUyNBgB.png)

### TL;DR

The file was a PNG image that had been modified. You need to change it back to PNG format.

### Flag :white_check_mark:

The flag is **peaCTF{read_banned_it}**

___

<a rel="license" href="http://creativecommons.org/licenses/by-nc-nd/4.0/"><img alt="Creative Commons License" style="border-width:0" src="https://i.creativecommons.org/l/by-nc-nd/4.0/88x31.png" /></a><br />This work is licensed under a <a rel="license" href="http://creativecommons.org/licenses/by-nc-nd/4.0/">Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License</a>.
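
The check done by eye in the Analysis and Solution sections (a wrong magic string followed by an intact `IHDR` ... `IEND` chunk sequence) can be scripted. The following is an added example, not part of the original write-up: the function names and the 1x1 sample image are constructed for illustration, and the repair is only applied when every chunk CRC still verifies.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def walk_chunks(data: bytes):
    """Return [(type, length, crc_ok)] for each chunk after the 8-byte signature."""
    out, pos = [], 8
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        stored = data[pos + 8 + length:pos + 12 + length]
        if len(stored) < 4:
            break  # truncated or bogus length: stop walking
        crc_ok = struct.unpack(">I", stored)[0] == zlib.crc32(ctype + body)
        out.append((ctype.decode("latin-1"), length, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return out

def repair_signature(data: bytes) -> bytes:
    """Restore the PNG magic only if the rest of the file still parses as a PNG."""
    if data[:8] == PNG_SIGNATURE:
        return data
    chunks = walk_chunks(data)
    looks_like_png = (
        data[:1] == b"\x89" and data[4:8] == b"\r\n\x1a\n"
        and chunks and chunks[0][:2] == ("IHDR", 13) and chunks[-1][0] == "IEND"
        and all(ok for _, _, ok in chunks)
    )
    if not looks_like_png:
        raise ValueError("not a PNG with a damaged signature")
    return PNG_SIGNATURE + data[8:]

# Constructed sample: a 1x1 grayscale PNG whose magic was changed to "XTR".
_ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
SAMPLE_PNG = PNG_SIGNATURE + chunk(b"IHDR", _ihdr) + chunk(b"IDAT", zlib.compress(b"\x00\xff")) + chunk(b"IEND", b"")
TAMPERED = b"\x89XTR" + SAMPLE_PNG[4:]

if __name__ == "__main__":
    print(walk_chunks(TAMPERED))
    print(repair_signature(TAMPERED)[:8])
```

To use it on the challenge file, read `E.xtr` in binary mode, pass the bytes to `repair_signature`, and write the result to a new `.png` file.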