# RaziCTF Digital Forensics Challenge

### Name: Can you see through the crowd

###### tags: `CTF` `RaziCTF` `Digital Forensics` `tshark` `Wireshark` `base64 to image` `corrupt PNG headers`

### Challenge Description

> look precisely :) this challenges flag starts with RAZICTF
>
> ![](https://i.imgur.com/H3G7sOj.png)

### Solution

Starting the challenge, we are provided an IP address to connect to using netcat:

> nc 130.185.122.69 12478

I got a prompt to enter something, and whatever you enter, there is an unending response from the server (the crowd).

![](https://i.imgur.com/6caVvK0.png)

The responses are base64-encoded strings; decoding the first few results in:

> RaziCTF{7!s_is_N0t_4_FL@9}

a troll, and some invalid base64 input.

Due to the unending response, my next step was to listen to traffic on that IP address, capture a few packets (actually 100 in this case) and analyze them with Wireshark. I used the command below to achieve this:

`tcpdump -i wlan0 -nn -s0 -vv -c 100 -w - host 130.185.122.69 | wireshark -k -i -`

Looking through the packets in Wireshark, after the bunch of trolls there was another base64 string, this time the encoding of a PNG file:

> iVBORw0KGgoAAAANUmF6aQAABAAAAAJACAMAAAAkS+TnAAAAWlBMVEX////v7+/b29sODg4GBgb9/f309PQAAAD+/v75+fmTk5O+vr48PDxnZ2cyMjJFRUWcnJxwcHDl5eUYGBglJSVPT0/FxcWIiIjNzc20tLR7e3taWlqnp6fU1NQbZo6ZAAAgAElEQVR42uza2WLbNhYAUMkxGUqyG1mttTjU/
>
> (snipped due to long output)

Then, using the Magic function of [CyberChef](https://gchq.github.io/CyberChef/) to decode the string, I got a PNG image file which is corrupted.

![](https://i.imgur.com/vLdEvmz.png)

I downloaded the image and ran the [PNG Check & Repair Tool](https://github.com/sherlly/PCRT) on it, and noticed the IHDR chunk is lost.

![](https://i.imgur.com/EOx5ioT.png)

Looking through the hexdump of this corrupt image with xxd, we could verify that the IHDR chunk was replaced with `Razi`:

```
xxd -p image.png > verify.png
```

![](https://i.imgur.com/QwJEbPN.png)

> Note that 52 61 7a 69 is hex for Razi

By changing that corrupt chunk to the proper hex, which is the hex for IHDR, 49 48 44 52, and uploading the edited hex file to CyberChef, then using the Render Image from hex function, we are able to get the flag.

![](https://i.imgur.com/c5uu3KB.png)

### Flag

> RAZICTF{CORRUPT3D_IM4G3S_ARE_LOV3LY}
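
The IHDR repair from the solution above can also be scripted instead of hand-editing the hex; the following is an added example, not part of the original writeup. It runs on a constructed 1x1 PNG rather than the challenge file, the function names are hypothetical, and it assumes only the four chunk-type bytes were overwritten so the stored CRC still matches `IHDR` plus the header data.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def make_sample_png() -> bytes:
    """Constructed sample input: a valid 1x1 8-bit grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

def first_chunk(png: bytes):
    """Return (length, type, data, stored_crc) of the chunk after the signature."""
    if len(png) < 20 or png[:8] != PNG_SIG:
        raise ValueError("missing PNG signature")
    length, ctype = struct.unpack(">I4s", png[8:16])
    if len(png) < 20 + length:
        raise ValueError("truncated first chunk")
    data = png[16:16 + length]
    (stored_crc,) = struct.unpack(">I", png[16 + length:20 + length])
    return length, ctype, data, stored_crc

def repair_ihdr(png: bytes) -> bytes:
    """Put b"IHDR" back at offset 12 if the first chunk is a renamed header."""
    length, ctype, data, stored_crc = first_chunk(png)
    if ctype == b"IHDR":
        return png
    # IHDR data is always 13 bytes, and the stored CRC was computed over
    # b"IHDR" + data, so it validates only with the original type restored.
    if length != 13 or zlib.crc32(b"IHDR" + data) != stored_crc:
        raise ValueError("first chunk %r is not a renamed IHDR" % ctype)
    return png[:12] + b"IHDR" + png[16:]

if __name__ == "__main__":
    good = make_sample_png()
    bad = good[:12] + b"Razi" + good[16:]  # same edit as in the challenge file
    print(first_chunk(bad)[1], "->", first_chunk(repair_ihdr(bad))[1])
```

The CRC check is what separates a renamed header from a first chunk that is damaged in some other way: if the header data was altered too, `repair_ihdr` raises instead of producing a file that still will not render.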