[Write-Up] [HackCon15] [Forensics] Surprise, MF
So, here comes a write-up on the forensics problem that appeared in HackCon 15, conducted by IIIT Delhi!
Challenge name: Surprise, MF
Category: Forensics
Points: 75
Level: 10 (Hard)
This was a basic-level forensics problem: a .jpg image is given at the link below (though in the CTF it was marked as 'Hard'!).
Image:
https://drive.google.com/file/d/0Bz_1QrQ5MHz2MXY2ZExzOWpvUmc/view?usp=sharing
The image opened, but showed nothing (a totally blank image!). The `file` command comes in handy in forensics: it identifies a file's type from its leading bytes (the magic signature), not from its extension, so a renamed file does not fool it.
So, on running it:
Now we know that the file is really a gzip archive, not an image (the signature used below, 1F 8B 08, is gzip's; a PKZIP archive would instead start with 50 4B 03 04). To open it as an archive, we need to set the file signature to gzip's. Changing the file signature is different from changing the file extension: the extension is just part of the name, while the signature is the first few bytes of the file's contents.
For this, we need the file signature for gzip. Googling for it gets us easily enough to what we need.
(http://www.garykessler.net/library/file_sigs.html) - Link to a file signature table.
Here, we find the gzip signature: 1F 8B 08.
So now we need to change the first three bytes of the file (six hex digits, not six bits) to this value, so that it is recognised as a gzip archive.
For this, we can use a tool called 'Bless Hex Editor', which is basically a hex editor (there are many hex editors you can choose from; `xxd` and `dd conv=notrunc` would do the same job from the terminal).
Once the image is loaded, it looks like this. Now we need to overwrite the first three bytes with the gzip signature.
Now we have replaced the first three bytes with:
1F 8B 08
Let's save this as a new file and try opening it with an archive manager.
The file opens as an archive!
Inside it is another file, called 'password.jpg'. Let's extract it.
We get an ordinary-looking JPEG image, shown below:
Let's look at this image's hex dump:
At the end of the hex dump, after the image data, we find our flag message! Image viewers stop reading at the JPEG end-of-image marker (FF D9), so anything appended after it is invisible when the image is displayed but plainly visible in a hex dump or with `strings`.
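The whole chain above (identify the real type from magic bytes, patch the signature, extract the inner file, read what trails the JPEG data) scripted in Python, as an added example that is not part of the original write-up. It builds its own constructed sample in memory, so it runs offline: a tiny fake JPEG with a flag appended, gzipped as `password.jpg`, then disguised by overwriting the gzip magic with JPEG magic. The signature table, the `flag{constructed_example}` string and the helper names are all assumptions of this example, not anything from the challenge file.

```python
"""Recover a hidden archive from a mislabelled .jpg, scripted.

Steps, mirroring the write-up: identify the real type from its magic bytes,
patch the first three bytes to the gzip signature, decompress, read the
stored member name from the gzip header, then return the bytes that follow
the inner JPEG's end-of-image marker (where the flag was appended).
"""
import gzip
import io
import struct
from typing import Optional

# Magic-byte table (assumed subset of what `file` knows): (signature, description).
SIGNATURES = [
    (b"\xff\xd8\xff", "JPEG image"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"\x1f\x8b\x08", "gzip compressed data"),
    (b"PK\x03\x04", "PKZIP archive"),
]

GZIP_MAGIC = b"\x1f\x8b\x08"   # ID1, ID2, CM=deflate
JPEG_MAGIC = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"         # end-of-image marker; viewers stop here


def identify(data: bytes) -> str:
    """Minimal stand-in for `file`: match the leading bytes against SIGNATURES."""
    for sig, name in SIGNATURES:
        if data.startswith(sig):
            return name
    return "data (no known signature)"


def patch_signature(data: bytes, sig: bytes) -> bytes:
    """Overwrite the first len(sig) bytes, exactly what the hex-editor step does."""
    return sig + data[len(sig):]


def gzip_member_name(data: bytes) -> Optional[str]:
    """Parse the RFC 1952 header and return the stored original file name, if any."""
    if not data.startswith(GZIP_MAGIC):
        raise ValueError("not a gzip stream")
    flags = data[3]
    pos = 10  # fixed header: ID1 ID2 CM FLG MTIME(4) XFL OS
    if flags & 0x04:  # FEXTRA: 2-byte length, then that many bytes
        xlen = struct.unpack_from("<H", data, pos)[0]
        pos += 2 + xlen
    if flags & 0x08:  # FNAME: NUL-terminated latin-1 name
        end = data.index(b"\x00", pos)
        return data[pos:end].decode("latin-1")
    return None


def trailing_after_jpeg(data: bytes) -> bytes:
    """Return whatever follows the last JPEG EOI marker: the appended message."""
    idx = data.rfind(JPEG_EOI)
    if idx < 0:
        raise ValueError("no JPEG EOI marker found")
    return data[idx + 2:]


def recover(challenge: bytes):
    """Run the full chain; returns (inner file name, inner file type, trailing bytes)."""
    fixed = patch_signature(challenge, GZIP_MAGIC)
    name = gzip_member_name(fixed) or "<unnamed>"
    inner = gzip.decompress(fixed)  # gzip.decompress skips the FNAME field itself
    return name, identify(inner), trailing_after_jpeg(inner)


def build_challenge() -> bytes:
    """Constructed sample (assumption, not the real challenge file): a tiny fake JPEG
    with a flag appended, gzipped under the name password.jpg, then its gzip magic
    clobbered with JPEG magic so the file looks like a (blank) image."""
    inner = b"\xff\xd8\xff\xe0" + b"\x00" * 16 + JPEG_EOI + b"flag{constructed_example}"
    buf = io.BytesIO()
    with gzip.GzipFile(filename="password.jpg", mode="wb", fileobj=buf, mtime=0) as gz:
        gz.write(inner)
    return patch_signature(buf.getvalue(), JPEG_MAGIC)


if __name__ == "__main__":
    sample = build_challenge()
    print("as given:     ", identify(sample))
    print("after patching:", identify(patch_signature(sample, GZIP_MAGIC)))
    name, kind, tail = recover(sample)
    print(f"inner file: {name} ({kind}); trailing bytes: {tail!r}")
```

Note that the disguise only works because gzip's third byte (CM = 08) is part of the signature that gets restored; if the challenge had overwritten more than three bytes, the stream would fail the header parse and you would need to rebuild the rest of the 10-byte header by hand before `gzip.decompress` accepted it.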