atan
Posted on March 29, 2019
In my quest to promote CTFs within the dev.to community, here's a writeup that demonstrates what solving a challenge may look like.
The Task
This challenge was published by user RedK on the CTFLearn platform. (Link here login required) The details are as follows!
F1l3 M1X3R
I think my amazing photo was hit by a mixer and now it is not working. Help me fix it? https://mega.nz/#!Ds0mWaCJ!4uKfJeJwhupG7Tvx8ReTBP1reFgdzRLE3YrN0l-5Jrg hint: visit: https://en.wikipedia.org/wiki/List_of_file_signatures Programming might be useful in this challenge.
Feel free to download and attempt this challenge before reading how I solved it :)
First steps
After downloading the file fl4g.jpeg, the first thing I did was try to open it.
Obviously that didn't work out. The hint in the challenge description led me to assume that the image's file signature must have been tampered with. Let's take a look at the first few bytes of fl4g.jpeg and compare them to the expected file signature for .jpeg files.
Here's the expected file signature.
FF D8 FF E0 00 10 4A 46 49 46 00 01
I use the xxd command with fl4g.jpeg as an argument to get a hex dump of the first 12 bytes.
$ xxd -l 12 fl4g.jpeg
00000000: e0ff d8ff 464a 1000 0100 4649 ....FJ....FI
At first glance, I saw that the hex values were present, but just in the wrong order.
Using a hex editor (I used 0xed), I deleted the first twelve bytes and replaced them with the correct signature.
$ xxd -l 12 modified_fl4g.jpeg
00000000: ffd8 ffe0 0010 4a46 4946 0001 ......JFIF..
Thinking I was done, I opened the file again expecting to be rewarded only to find that the file still wouldn't open....😞
Brainstorming
Fixing the signature didn't work, BUT because the values were all present only scrambled, I decided to take a look at the original file again and noticed a pattern. Every four bytes was reversed in order! FF D8 FF E0 had been reversed to read E0 FF D8 FF and so on for every four bytes of the signature. Fixing just the signature wouldn't get anywhere because it's possible this reversing had happened to the entire file! I wrote a short script to reverse every four bytes of the image in order to test my hypothesis.
The script!
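# Read the scrambled image four bytes at a time and reverse each group.
with open("fl4g.jpeg", "rb") as file:
    BUF = 4            # size of each reversed group, in bytes
    bytes_rev = b""    # accumulates the restored file contents
    bytes_read = bytearray(file.read(BUF))
    while bytes_read:  # read() returns an empty value at end of file
        bytes_rev += bytes_read[::-1]
        bytes_read = file.read(BUF)

# Write the restored bytes to a new file so the original stays untouched.
with open("modified_fl4g.jpeg", "wb") as newfile:
    newfile.write(bytes_rev)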
To break this down:
with open("fl4g.jpeg", "rb") as file:

Here we open fl4g.jpeg with the rb mode to indicate that we are reading a file in binary mode.

    BUF = 4
    bytes_rev = b""
    bytes_read = bytearray(file.read(BUF))

BUF is set to 4 to indicate that the buffer for each time we read from the file will be four bytes. bytes_rev is set to an empty bytestring so we have a place to store the reversed bytes. The file is then read from and stored as a bytearray into bytes_read.

    while bytes_read:
        bytes_rev += bytes_read[::-1]
        bytes_read = file.read(BUF)

Next up we loop as long as bytes_read is truthy, that is, until the read returns nothing at the end of the file. The four bytes, reversed using slice notation, are appended to bytes_rev. bytes_read then reads the next set of four bytes from file.

with open("modified_fl4g.jpeg", "wb") as newfile:
    newfile.write(bytes_rev)

Finally, we open a new file and write our bytes to it.
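The script above hard-codes the group size of four that was spotted by eye. As an added example (not part of the original post), the code below goes one step further and infers the group size by testing which reversal makes the header match the JFIF signature quoted earlier, then undoes the scramble while streaming the file. The function names and sample bytes are constructed for illustration, and it assumes a short final group was reversed in the same way as the full ones.

```python
# Added example: infer the group size of a "reverse every N bytes" scramble
# from a known file signature, then undo it. All names here are illustrative.

JPEG_JFIF_MAGIC = bytes.fromhex("FFD8FFE000104A4649460001")  # signature quoted in the post


def reverse_chunks(data: bytes, size: int) -> bytes:
    """Reverse each consecutive `size`-byte group (a short final group too)."""
    return b"".join(data[i:i + size][::-1] for i in range(0, len(data), size))


def find_chunk_size(header: bytes, magic: bytes = JPEG_JFIF_MAGIC, max_size: int = 16):
    """Return the smallest N whose group reversal makes `header` start with `magic`.

    N == 1 means the header is already intact; None means no size up to
    `max_size` explains the damage.
    """
    for size in range(1, max_size + 1):
        # Compare whole groups only, so a partial group cannot mislead the check.
        span = -(-len(magic) // size) * size  # len(magic) rounded up to a multiple of size
        if len(header) < span:
            continue
        if reverse_chunks(header[:span], size).startswith(magic):
            return size
    return None


def unscramble_file(src: str, dst: str, size: int) -> None:
    """Stream `src` to `dst`, reversing every `size`-byte group without loading it all."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        # Read a multiple of `size` so group boundaries stay aligned between reads.
        while block := fin.read(size * 4096):
            fout.write(reverse_chunks(block, size))


if __name__ == "__main__":
    # Constructed sample: the 12 scrambled bytes shown in the xxd output above.
    scrambled_header = bytes.fromhex("e0ffd8ff464a100001004649")
    n = find_chunk_size(scrambled_header)
    print("group size:", n)
    print("restored header:", reverse_chunks(scrambled_header, n).hex(" "))
```

Because reversing a group twice restores it, the same function both reproduces and undoes the scramble.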
Outcome?
Running the script produced a modified_fl4g.jpeg file with every four bytes reversed.
I opened the file and....
The flag is revealed! I took the liberty to censor out the flag text so that you can try it yourself if you'd like!