Category: Forensics
Difficulty: Medium
https://play.picoctf.org/practice/challenge/432
Summary #
The challenge involved modifying the timestamps of a provided image file (original.jpg) to match a precise time: 1970:01:01 00:00:00.001+00:00. The goal was to adjust all relevant EXIF metadata and an embedded epoch timestamp to meet the challenge criteria.
Steps to Solve #
1. Preparing the File #
Download and rename the file:
$ wget https://artifacts.picoctf.net/c_mimas/91/original.jpg
$ mv original.jpg original_modified.jpg
2. Adjust EXIF Metadata #
Use exiftool to set the required timestamps in EXIF metadata:
$ exiftool -SubSecCreateDate='1970:01:01 00:00:00.001' \
-SubSecDateTimeOriginal='1970:01:01 00:00:00.001' \
-SubSecModifyDate='1970:01:01 00:00:00.001' original_modified.jpg
3. Handle Samsung:TimeStamp #
This tag isn’t writable via exiftool, but the value is derived from an embedded epoch timestamp. Inspect the file in ImHex:
- Navigate to the end of the file, where you’ll see this string:
Image_UTC_Data1700513181420 - Replace the numeric portion (
1700513181420) with0000000000001to represent 1970:01:01 00:00:01 in epoch time.
Save the file to apply the changes.
4. Verify Changes #
Check the Samsung:TimeStamp value:
$ exiftool -Samsung:TimeStamp original_modified.jpg
5. Submit the Modified Image #
Submit the image to the challenge server and check the results:
$ nc -w 2 mimas.picoctf.net 63599 < original_modified.jpg
$ nc -d mimas.picoctf.net 62542
Checking tag 7/7
Timezones do not have to match, as long as it's the equivalent time.
Looking at Samsung: TimeStamp
Looking for '1970:01:01 00:00:00.001+00:00'
Found: 1970:01:01 00:00:00.001+00:00
Great job, you got that one!
You did it!
picoCTF{...redacted...}