Category: Forensics

Points: 50

Description:

Apply directly to the console
https://scoreboard.openctf.com/HeadOn-ac8890852965d787f7591bc10add61bb01efb5eb

File Download: HeadOn-ac8890852965d787f7591bc10add61bb01efb5eb

$ file blob 
blob: data

I also try running strings on the file, but I don’t find anything interesting.

Let’s try binwalk. If you have never heard of binwalk, it is a fantastic tool for forensics challenges. It scans a file of any type for known magic bytes (file signatures) to identify where one file type is embedded in another. For example, if you are given an ELF file with a JPEG embedded in it, binwalk will find the JPEG, assuming the embedded data is not encoded or encrypted in some way.

$ binwalk blob 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
9719          0x25F7          End of Zip archive

So binwalk finds the end-of-central-directory record of a zip (signature PK\x05\x06) but not the PK\x03\x04 signature that should begin a local file header, which suggests the start of the zip is damaged. I then think about the challenge name and description, and realize HeadOn is referring to the file header. While I could have pulled up the zip file specification, this is a CTF, and solving the challenge quickly is what matters. So I create a quick zip file so that I can compare the header of a valid zip file with the header of the invalid one.

$ zip tmp.zip blob

Valid Zip Header (tmp.zip):

00000000: 504b 0304 1400 0000 0800 195e 044d ea3e  PK.........^.M.>

Invalid Zip Header (blob):

00000000: 0000 0000 1400 0000 0800 345b 044d 4921  ..........4[.MI!

OK, so immediately I notice that the valid zip file starts with the bytes 504b 0304 (the local file header signature, "PK" followed by 03 04), while the invalid zip file starts with 0000 0000. The rest of the header lines up in both: version needed 0x0014, general purpose flags 0x0000, compression method 0x0008 (deflate). So simply use your favorite hex editor to change the first 4 bytes of blob to match the first 4 bytes of tmp.zip. I used Sublime Text, but I’ll also include a few lines of Python that can take care of this.

# Skip the four zeroed bytes and prepend the local file header signature.
# The b'' prefix matters: in Python 3, str and bytes cannot be concatenated.
with open('blob', 'rb') as f:
    f.read(4)
    data = f.read()
patched_data = b'\x50\x4b\x03\x04' + data   # "PK\x03\x04"
with open('blob_patched.zip', 'wb') as f:
    f.write(patched_data)
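Blindly writing PK\x03\x04 over the first four bytes works here because the challenge only wiped one signature at offset 0. The more general repair, added here as an example and not part of the original writeup, uses the part of the archive binwalk did find: the end-of-central-directory record points at the central directory, and every central directory entry stores the offset of its member's local file header, so each wiped signature can be restored in place and cross-checked against the metadata both headers carry (flags, method, modification time and date). It handles multi-member archives and refuses to patch when the local header disagrees with the central directory, since that would mean more than a signature wipe. The sample archive is constructed in memory with Python's zipfile module to stand in for blob; the function names are my own.

```python
"""Repair zip local file header signatures driven by the central directory.

Added example, not the writeup's code. The sample archive is constructed
inline; the challenge blob itself is not needed to run this.
"""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"   # local file header signature, 50 4b 03 04
CD_SIG = b"PK\x01\x02"      # central directory file header signature
EOCD_SIG = b"PK\x05\x06"    # end of central directory record signature

EOCD_FMT = "<4sHHHHIIH"         # 22 bytes
CD_FMT = "<4sHHHHHHIIIHHHHHII"  # 46 bytes; index 16 = local header offset
LOCAL_FMT = "<4sHHHHHIIIHH"     # 30 bytes


def find_eocd(data):
    """Offset of the EOCD record (what binwalk reported), or -1.
    The record may be followed by a comment of up to 65535 bytes."""
    return data.rfind(EOCD_SIG, max(0, len(data) - 22 - 0xFFFF))


def central_directory(data):
    """Yield (name, local_header_offset, cd_fields) for each member."""
    eocd = find_eocd(data)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    n_total, _cd_size, cd_off = struct.unpack_from(EOCD_FMT, data, eocd)[4:7]
    pos = cd_off
    for _ in range(n_total):
        fields = struct.unpack_from(CD_FMT, data, pos)
        if fields[0] != CD_SIG:
            raise ValueError("bad central directory entry at %#x" % pos)
        nlen, elen, clen = fields[10:13]
        name = data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace")
        yield name, fields[16], fields
        pos += 46 + nlen + elen + clen


def repair_local_headers(data):
    """Restore zeroed local header signatures.

    Returns (patched_bytes, offsets_patched). Raises ValueError when a
    local header disagrees with its central directory entry on the
    metadata both carry, so unrelated corruption is not papered over."""
    buf = bytearray(data)
    patched = []
    for name, off, cd in central_directory(data):
        local = struct.unpack_from(LOCAL_FMT, buf, off)
        # local[2:6] = flags, method, mtime, mdate in the local header
        # cd[3:7]    = the same four fields in the central directory
        if local[2:6] != cd[3:7]:
            raise ValueError("local header of %r does not match the "
                             "central directory" % name)
        if local[0] != LOCAL_SIG:
            buf[off:off + 4] = LOCAL_SIG
            patched.append(off)
    return bytes(buf), patched


def archive_is_sound(data):
    """True if the archive parses and every member's CRC checks out."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return z.testzip() is None
    except zipfile.BadZipFile:
        return False


def build_sample_zip():
    """Constructed two-member archive standing in for the challenge blob."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("flag.pdf", b"%PDF-1.4 constructed sample\n" * 64)
        z.writestr("readme.txt", b"second member, so offsets differ")
    return out.getvalue()


def wipe_local_signatures(data, offsets):
    """Simulate the challenge: overwrite PK\\x03\\x04 at each offset."""
    buf = bytearray(data)
    for off in offsets:
        buf[off:off + 4] = b"\x00\x00\x00\x00"
    return bytes(buf)


if __name__ == "__main__":
    good = build_sample_zip()
    offsets = [off for _, off, _ in central_directory(good)]
    broken = wipe_local_signatures(good, offsets)
    print("broken parses:", archive_is_sound(broken))
    fixed, where = repair_local_headers(broken)
    print("patched offsets:", [hex(o) for o in where])
    print("repaired parses:", archive_is_sound(fixed), fixed == good)
```

The cross-check deliberately skips the "version needed" field, which some writers set differently in the two headers, and the CRC and sizes, which are legitimately zero in the local header when the data-descriptor flag (bit 3) is set.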

Now extract the zip file.

$ unzip blob_patched.zip 
Archive:  blob_patched.zip
  inflating: flag.pdf

And open flag.pdf in your preferred PDF viewer.

Flag

Flag{SDG7qJ734rIw6f3f90832r}