DEADFACE CTF (2021) — File 101

sumb0dy
Oct 18, 2021

“An email, containing a photo of pumpkin, was found in an employee’s Gmail inbox. The photo looks normal, but looks can be deceiving sometimes. What secrets could it be holding?”

Challenge Picture

This is my second year doing the DEADFACE CTF. I think this is a great CTF for all sorts of skill levels. I haven't done a CTF in a while, and I was able to remember a few things.

In this challenge, the first thing I always do when dealing with images is check the good old strings:

Strings command

Somewhat to my surprise, I found a link. This is a medium-high-score challenge, so I wasn't really expecting to find anything that quickly. However, this is just the tip of the iceberg.

We can see it's a Dropbox link that leads to a "corrupted.zip" file. Following the link, we can see there is another image in it. However, given the name "corrupted," I am already guessing it won't just let me have it.

And as expected, the zip file is password protected. There are a few brute-force tools out there for zip files. I haven't done anything like this for a while, and I thought I could just use the classic zip2john (which extracts a hash for John the Ripper to crack). But I decided to do a little research, maybe for something different and simpler to use.

I came across another tool named fcrackzip. It seems simpler, with fewer steps to accomplish what I needed.

Using the rockyou wordlist, I found the password. Once we extract the file, it's corrupted and we can't open it. I assumed it wouldn't be this easy.

I check the file to see whether this is indeed a .png file. Maybe the headers are corrupted?

It just tells me the file contains "data", meaning no known signature matched. So I checked what the raw header bytes tell me.

After checking the header (and tail) of the file, I realized what I was dealing with.

We have a "JFIF" string near the start, but the bytes before it don't look right. JFIF is the usual container format for JPEG files. Looking at the end of the file, we see "ff d9", which is the JPEG End Of Image marker.

A quick search shows what the header of a JFIF file should look like:

The file needs to start like this: FF D8 FF E0 S1 S2 4A 46 49 46 00 … (FF D8 is the Start Of Image marker, FF E0 the APP0 marker, S1 S2 is the APP0 segment length and can be ignored here, and 4A 46 49 46 00 is the ASCII string "JFIF" followed by a null byte). So the job here is to fix the first bytes of the header.

Old header
New Header

Additionally, we need to change the extension of the file:

Now everything seems good to go, and we can proceed to open the file.
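The triage and repair steps above (a `file`-style signature check, looking for the JFIF identifier at offset 6 and the FF D9 trailer, then rewriting the first four bytes), as an added Python example that is not part of the original write-up. The sample bytes are constructed here, not taken from the challenge file, the function names are my own, and the example.com URL in the `strings`-style check is a placeholder rather than the real Dropbox link.

```python
import re
import sys
from pathlib import Path

# Magic bytes a quick triage should recognise.
SOI = b"\xff\xd8"                        # JPEG Start Of Image
EOI = b"\xff\xd9"                        # JPEG End Of Image
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ZIP_MAGIC = b"PK\x03\x04"
JFIF_ID = b"JFIF\x00"                    # bytes 4A 46 49 46 00, found at offset 6
GOOD_JFIF_PREFIX = b"\xff\xd8\xff\xe0"   # SOI + APP0 marker


def sniff(data: bytes) -> str:
    """Rough equivalent of the `file` command: name the container by its magic."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(SOI):
        return "jpeg"
    return "data"  # what `file` prints when nothing matches


def find_urls(data: bytes) -> list[str]:
    """The `strings | grep http` step: pull URL-looking printable runs out of a blob."""
    return [m.decode("ascii") for m in re.findall(rb"https?://[\x21-\x7e]+", data)]


def looks_like_damaged_jfif(data: bytes) -> bool:
    """True when the body says JFIF (identifier at offset 6, EOI at the end)
    but the first four bytes are not SOI + APP0."""
    return (
        len(data) > 11
        and data[6:11] == JFIF_ID
        and data.endswith(EOI)
        and not data.startswith(GOOD_JFIF_PREFIX)
    )


def repair_jfif_header(data: bytes) -> bytes:
    """Restore FF D8 FF E0. Bytes 4-5 (the APP0 length, S1 S2 in the text)
    and everything after them are left untouched."""
    if not looks_like_damaged_jfif(data):
        raise ValueError("not a JFIF file with a damaged 4-byte prefix")
    return GOOD_JFIF_PREFIX + data[4:]


def repair_file(src: Path, dst: Path) -> str:
    """Read src, fix the header, write dst (give it a .jpg name), return the new type."""
    fixed = repair_jfif_header(src.read_bytes())
    dst.write_bytes(fixed)
    return sniff(fixed)


# Constructed sample (not the challenge file): a minimal JFIF whose first four
# bytes were zeroed. Layout: SOI, APP0, length 0x0010, "JFIF\0", version 1.01,
# density units 0, density 1x1, no thumbnail, then EOI. A real image would also
# carry SOF/DHT/DQT/SOS segments between APP0 and EOI.
APP0_BODY = JFIF_ID + b"\x01\x01\x00\x00\x01\x00\x01\x00\x00"
GOOD_SAMPLE = GOOD_JFIF_PREFIX + b"\x00\x10" + APP0_BODY + EOI
CORRUPT_SAMPLE = b"\x00\x00\x00\x00" + GOOD_SAMPLE[4:]

if __name__ == "__main__":
    # Usage: python fix_jfif.py corrupted.png fixed.jpg
    src, dst = Path(sys.argv[1]), Path(sys.argv[2])
    print(f"{src}: {sniff(src.read_bytes())}")
    print(f"{dst}: {repair_file(src, dst)}")
```

The check deliberately demands both the JFIF identifier and the FF D9 trailer before rewriting anything, so a PNG or zip that merely contains the string "JFIF" somewhere is left alone; if the APP0 length bytes or later segments are also damaged, this single-fix approach will not be enough and the rest of the segment table has to be walked.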

At first I was like "What do you mean you can't open this file?..." until I actually focused on the bottom right of the image...

Nice one lol

flag{Easy_Right}
