Category: Forensics
Difficulty: Medium
https://play.picoctf.org/practice/challenge/415
Summary
The challenge provided a file named challengefile, whose content was unclear because of unusual byte organization. The goal was to identify the file type, decode it correctly, and extract the flag.
Steps to Solve
1. Initial File Analysis
Checked the file type using file and exiftool:
$ file challengefile
challengefile: data
$ exiftool challengefile
ExifTool Version Number : 13.00
File Name : challengefile
Directory : .
File Size : 3.4 kB
File Modification Date/Time : 2024:12:09 18:24:10+02:00
File Access Date/Time : 2024:12:09 18:40:05+02:00
File Inode Change Date/Time : 2024:12:09 18:24:30+02:00
File Permissions : -rw-r--r--
Warning : Processing JPEG-like data after unknown 1-byte header
The exiftool output revealed JPEG-like data, so we continue by inspecting the file's binary structure.
2. Header Inspection with hex editor (ghex)
Comparing the file against known file signatures (Wikipedia), we notice that the header bytes are stored in reverse order within every group of 4 bytes.
- JPEG header: FF D8 FF E0 00 10 4A 46 49 46 00 01
- File content: E0 FF D8 FF 46 4A 10 00 01 00 46 49
3. Reversing the Byte Order
I requested from claude.ai a Python script to correct the byte order by swapping every group of 4 bytes and save the file as .jpg.
# Byte reordering: read the scrambled file as raw bytes
with open("challengefile", "rb") as infile:
    data = infile.read()

# Process the data in chunks of 4 bytes, reversing each chunk
corrected = b"".join(data[i:i+4][::-1] for i in range(0, len(data), 4))

# Save the corrected data
with open("fixed_challengefile.jpg", "wb") as outfile:
    outfile.write(corrected)
4. Extracting the Flag
Opened the image file, which revealed the flag.
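The manual signature comparison in step 2 and the swap in step 3 can be combined into one check that tries several group widths against known magic numbers. This is an added example, not part of the original write-up; the function names, the signature subset, and the choice to leave a trailing partial group untouched (the script above reverses it) are assumptions.

```python
# Added example: detect and undo fixed-width byte-group reversal
# by matching the start of the file against known signatures.

# Small subset of well-known magic numbers (assumed sufficient here).
SIGNATURES = {
    "jpeg": bytes.fromhex("FFD8FF"),
    "png": bytes.fromhex("89504E470D0A1A0A"),
    "gif": b"GIF8",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",
}


def swap_groups(data: bytes, width: int) -> bytes:
    """Reverse the bytes inside each full `width`-byte group.

    A trailing partial group is left untouched (assumption): its
    position inside a full group is unknown, so reversing it is a guess.
    """
    full = len(data) - len(data) % width
    body = b"".join(data[i:i + width][::-1] for i in range(0, full, width))
    return body + data[full:]


def identify(data: bytes):
    """Return the file type whose signature starts `data`, else None."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def detect_swap(data: bytes, widths=(1, 2, 4, 8)):
    """Return (width, type) for the first width that yields a known type.

    Width 1 means the file is already in the correct order.
    """
    head = data[:64]  # signatures sit at the start; 64 is a multiple of all widths
    for width in widths:
        kind = identify(swap_groups(head, width))
        if kind:
            return width, kind
    return None


if __name__ == "__main__":
    # Constructed sample: the 12 scrambled header bytes shown in step 2.
    sample = bytes.fromhex("E0FFD8FF464A100001004649")
    print(detect_swap(sample))
    print(swap_groups(sample, 4).hex(" "))
```
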
Tools Used
- file and exiftool: To identify the file type and metadata.
- ghex: To analyze the binary structure.
- Python: For scripting the byte-order correction.