Forensics, picoCTF

picoCTF: c0rrupt writeup


We found this file. Recover the flag.

  • Category: Forensics
  • Points: 250


Try fixing the file header


  • You need to download a file. The file type is unknown. `file` command output:
Figure 1.0
  • Let’s have a look at the file header / magic numbers.
Figure 1.1: Looks like a PNG file signature
Figure 1.2: PNG file signature

If you want learn more about the structure of a PNG file or just a quick refresher. I published a blog post recently titled “PNG file structure“.

  • This is similar to the png signature. Have a look at the full list of file signatures here. Let’s change the file header to a PNG file signature via a hex-editor
Figure 1.3
  • Open the file in a hex editor. Looking at the ASCII view I see that some critical chunks have their names changed. So we need to fix them.

  • C”DR => IHDR
Figure 1.4
Figure 1.5
Figure 1.6: Fixing the IHDR chunk we get the image info

  • .DET => IDAT
Figure 1.7
Figure 1.8
  • I didn’t see any other chunk names altered. We can use a tool like pngcheck to check for errors in our png file.
Figure 1.9: pngcheck CRC error
Figure 1.9: Expected
Figure 2.0: Computed
  • Running pngcheck again gives us this error.
Figure 2.1
  • This means the length of a chunk is wrong somewhere in our image. To fix this we should inspect each of our chunks one by one.
Figure 2.2: [Recap] Format of a single chunk

Let’s start with the first IDAT chunk. Our objective is to fix the length. I created a diagram that might help you with this

Figure 2.2
Figure 2.3: Offset of a selected position in Bless hex editor

According to figure 2.2, we take the first IDAT chunk. We need to find the length of the image data (IDAT chunk data). So we need to

  1. Take the offset at the beginning and at the end of the chunk data.
  2. Look at the difference (End offset – Begin offset) in hex format.
  3. Add it to the length.

Figure 2.4: Length before
Figure 2.5: Length after

Now let’s have a look with pngcheck to see if there’s any other error

Figure 2.6

No errors were found, looks good so far. Let’s try opening the find now:

Figure 2.7: Fixed image

I hope you have learned something valuable. If you like this post please share it with your fellow hacker mates and if you have any questions & or suggestions please feel free to post them down in the comments. Iā€™d love to hear and learn from you.

Have a great day guys šŸ‘‹. See you in the next post.

Notify of
Inline Feedbacks
View all comments
Share via
Copy link
Powered by Social Snap