Broken Secrets

CATEGORY - FORENSICS

A file is attached to the challenge.

Introduction

This challenge provides a suspicious file that needs to be analyzed to extract a hidden flag. By investigating its structure, identifying corruption, and repairing it, we can uncover the secret message.

Steps

Step 1: Extracting and Searching for the Flag

After extracting the file, I navigated into the directory and ran a quick check using cat and grep to search for a possible flag.

find . -type f -exec cat {} \; | grep -a -i 'acectf'

However, this yielded no results, meaning the flag could be hidden, encrypted, or embedded elsewhere.

Step 2: Exploring the Directory Structure

The word directory looked interesting, so I navigated into it to investigate further.

Finding nothing useful there, I decided to explore the media directory, as media files often contain hidden data.

Step 3: Analyzing the Suspicious File

Inside media, I found a file that caught my attention. Running a few tests revealed that it might be a PNG file due to the presence of the IHDR chunk, a key indicator of PNG format.

However, there was a problem. Attempting to copy and rename the file to a .png extension didn’t work. I then tried using convert:

convert not_so_suspicious_file file.png

But this still resulted in an error. A quick Google search led me to suspect a corrupted file header.

Step 4: Identifying the Header Issue

The expected PNG file header should be:

89 50 4E 47 0D 0A 1A 0A

However, checking the file’s actual header revealed:

12 2E D4 A7 0D 0A 1A 0A

This confirmed that the first four bytes of the header were incorrect.

Step 5: Fixing the Corrupted PNG Header

To repair the file, I replaced the incorrect bytes with the correct PNG signature using the dd command:

printf '\x89PNG' | dd of=file.png bs=1 seek=0 count=4 conv=notrunc

This successfully restored the image.

Step 6: Extracting the Flag

Opening the repaired image revealed the hidden flag:

FLAG

ACECTF{h34d3r_15_k3y}