picoCTF: c0rrupt writeup
Description
We found this file. Recover the flag.
- Category: Forensics
- Points: 250
Hints
Try fixing the file header
Solution
- You need to download a file. The file type is unknown. `file` command output:
- Let’s have a look at the file header / magic numbers.
If you want to learn more about the structure of a PNG file, or just want a quick refresher, I recently published a blog post titled “PNG file structure”.
- This is similar to the PNG signature. Have a look at the full list of file signatures here. Let’s change the file header to the PNG file signature with a hex editor.
- Open the file in a hex editor. Looking at the ASCII view I see that some critical chunks have their names changed. So we need to fix them.
- C”DR => IHDR
- .DET => IDAT
- I didn’t see any other chunk names altered. We can use a tool like pngcheck to check for errors in our PNG file.
- Running pngcheck again gives us this error.
- This means the length of a chunk is wrong somewhere in our image. To fix this we should inspect each of our chunks one by one.
Let’s start with the first IDAT chunk. Our objective is to fix the length. I created a diagram that might help you with this.
According to figure 2.2, we take the first IDAT chunk. We need to find the length of the image data (IDAT chunk data). So we need to:
- Take the offset at the beginning and at the end of the chunk data.
- Look at the difference (End offset – Begin offset) in hex format.
- Add it to the length.
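The same length repair can be scripted. The following is an added example, not part of the original writeup: it walks the chunks, and where a declared length does not lead to a valid CRC it measures the distance to the next chunk and accepts it only if the CRC over type plus data then verifies, which goes a step beyond the manual offset subtraction. The function names and the 1x1 sample image are constructed for illustration.

```python
import struct
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype, data):
    """Serialize one chunk: 4-byte length, type, data, CRC over type+data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def crc_ok(buf, pos, length):
    """True if the CRC found after `length` data bytes matches type+data."""
    end = pos + 8 + length
    stored = buf[end:end + 4]
    return len(stored) == 4 and zlib.crc32(buf[pos + 4:end]) == struct.unpack(">I", stored)[0]

def recover_length(buf, pos):
    """Real data length = (end offset - begin offset), confirmed by the CRC."""
    start = pos + 8                      # first byte of chunk data
    for name in (b"IDAT", b"IEND"):      # chunk types that can follow image data
        nxt = buf.find(name, start)
        while nxt != -1:
            cand = nxt - 8 - start       # skip our CRC and the next length field
            if cand >= 0 and crc_ok(buf, pos, cand):
                return cand
            nxt = buf.find(name, nxt + 1)
    return None

def repair_lengths(png):
    """Walk every chunk and rewrite any length field whose CRC does not verify."""
    if not png.startswith(PNG_SIG):
        raise ValueError("PNG signature missing; fix the file header first")
    buf, pos, fixed = bytearray(png), len(PNG_SIG), []
    while pos + 12 <= len(buf):
        length, ctype = struct.unpack(">I4s", buf[pos:pos + 8])
        if not crc_ok(buf, pos, length):
            real = recover_length(buf, pos)
            if real is None:
                raise ValueError(f"cannot repair {ctype!r} at offset {pos}")
            buf[pos:pos + 4] = struct.pack(">I", real)
            fixed.append((pos, ctype, length, real))
            length = real
        if ctype == b"IEND":
            break
        pos += 12 + length
    return bytes(buf), fixed

# Constructed sample: a 1x1 grayscale PNG, then the IDAT length field overwritten.
IDAT = zlib.compress(b"\x00\x7f")
GOOD = PNG_SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)) + chunk(b"IDAT", IDAT) + chunk(b"IEND", b"")
BAD = GOOD[:33] + b"\xff\xff\x00\x01" + GOOD[37:]   # IDAT chunk starts at offset 33
```

`repair_lengths(BAD)` returns the repaired bytes together with a list of `(offset, type, declared length, recovered length)` tuples, which can be cross-checked against the pngcheck output.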
Now let’s have a look with pngcheck to see if there’s any other error
No errors were found, looks good so far. Let’s try opening the file now:
I hope you have learned something valuable. If you like this post, please share it with your fellow hacker mates, and if you have any questions and/or suggestions, please feel free to post them down in the comments. I’d love to hear and learn from you.
Have a great day guys. See you in the next post.