Forensic - Invisible WORDs

picoCTF2023 May 8, 2023

picoCTF 2023

Category: Forensic

📜Scenario

🔎Solve

First, download the file to your machine.
Then check what type of file it is:

$ file output.bmp
output.bmp: PC bitmap, Windows 98/2000 and newer format, 960 x 540 x 32, cbSize 2073738, bits offset 138
$ exiftool output.bmp
ExifTool Version Number         : 12.57
File Name                       : output.bmp
Directory                       : .
File Size                       : 2.1 MB
File Modification Date/Time     : 2023:03:23 11:25:17+01:00
File Access Date/Time           : 2023:03:23 11:26:42+01:00
File Inode Change Date/Time     : 2023:03:23 11:25:17+01:00
File Permissions                : -rw-r--r--
File Type                       : BMP
File Type Extension             : bmp
MIME Type                       : image/bmp
BMP Version                     : Windows V5
Image Width                     : 960
Image Height                    : 540
Planes                          : 1
Bit Depth                       : 32
Compression                     : Bitfields
Image Length                    : 2073600
Pixels Per Meter X              : 11811
Pixels Per Meter Y              : 11811
Num Colors                      : Use BitDepth
Num Important Colors            : All
Red Mask                        : 0x00007c00
Green Mask                      : 0x000003e0
Blue Mask                       : 0x0000001f
Alpha Mask                      : 0x00000000
Color Space                     : sRGB
Rendering Intent                : Proof (LCS_GM_GRAPHICS)
Image Size                      : 960x540
Megapixels                      : 0.518

So, this is a bitmap file.
But I found something interesting when I analysed the header...

$ od -bc output.bmp
0000000 102 115 212 244 037 000 000 000 000 000 212 000 000 000 174 000
          "B   M" 212 244 037  \0  \0  \0  \0  \0 212  \0  \0  \0   |  \0
0000020 000 000 300 003 000 000 034 002 000 000 001 000 040 000 003 000
         \0  \0 300 003  \0  \0 034 002  \0  \0 001  \0      \0 003  \0
0000040 000 000 000 244 037 000 043 056 000 000 043 056 000 000 000 000
         \0  \0  \0 244 037  \0   #   .  \0  \0   #   .  \0  \0  \0  \0
0000060 000 000 000 000 000 000 000 174 000 000 340 003 000 000 037 000
         \0  \0  \0  \0  \0  \0  \0   |  \0  \0 340 003  \0  \0 037  \0
0000100 000 000 000 000 000 000 102 107 122 163 000 000 000 000 000 000
         \0  \0  \0  \0  \0  \0   B   G   R   s  \0  \0  \0  \0  \0  \0
0000120 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000
         \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0  \0
*
0000160 000 000 000 000 000 000 000 000 000 000 002 000 000 000 000 000
         \0  \0  \0  \0  \0  \0  \0  \0  \0  \0 002  \0  \0  \0  \0  \0
0000200 000 000 000 000 000 000 000 000 000 000 070 147 120 113 225 122
         \0  \0  \0  \0  \0  \0  \0  \0  \0  \0   8   g   "P   K" 225   R
0000220 003 004 306 030 024 000 316 075 000 000 020 112 010 000 157 126
        003 004 306 030 024  \0 316   =  \0  \0 020   J  \b  \0   o   V
0000240 022 025 020 026 157 126 162 076 346 310 016 072 244 011 325 132

As we can see in the header dump of this image, there is a PK file header, which means a zip file is embedded in it.
But there are some garbage bytes before and in between the PK header bytes, so we need to remove them.
To do this I used a Python script:

with open('output.bmp', 'rb') as f:
    f.seek(140)  # Skip the 138-byte header plus the low word of the first pixel; the PK signature sits at byte 140
    data = f.read()  # Read the remaining bytes, starting from byte 140

# Indices 0, 4, 8, ...: one index per 32-bit (4-byte) pixel
indices = range(0, len(data), 4)

# Keep only the first two bytes of each 4-byte group, i.e. the high word of every pixel
byte_strings = [data[i:i+2] for i in indices]

# Write the collected bytes to a new file
with open('output.txt', 'wb') as out:
    for byte_string in byte_strings:
        out.write(byte_string)

print('File written successfully.')  # Output success message

This script extracts two bytes out of every four (the upper 16 bits of each 32-bit pixel, which the 5-5-5 colour masks reported by exiftool never use) from the BMP image file and writes the extracted bytes to a new binary file.
You should know that the resulting file may have a different format from the original BMP file.
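A more general version of the same extraction, added here as an example and not part of the original writeup: instead of hardcoding offset 140 it reads the pixel offset and the R/G/B/A masks from the BMP header, keeps only the byte lanes that no mask covers (the high word of each pixel for the 5-5-5 layout seen above), and builds a small constructed BMP so it can run without the challenge file. The `build_sample_bmp` helper and the `hidden.bin` output name are assumptions of this example.

```python
import struct

def parse_bmp_header(buf):
    """Read pixel offset, bit depth, compression and RGBA masks from the BMP headers."""
    if buf[:2] != b"BM":
        raise ValueError("not a BMP file")
    pixel_offset = struct.unpack_from("<I", buf, 10)[0]     # BITMAPFILEHEADER.bfOffBits
    dib_size = struct.unpack_from("<I", buf, 14)[0]         # DIB header size (124 = V5)
    bit_depth = struct.unpack_from("<H", buf, 28)[0]
    compression = struct.unpack_from("<I", buf, 30)[0]      # 3 == BI_BITFIELDS
    masks = (0, 0, 0, 0)
    if dib_size >= 56:  # V3 headers and later carry the R, G, B, A masks at offset 54
        masks = struct.unpack_from("<4I", buf, 54)
    return pixel_offset, bit_depth, compression, masks

def unused_pixel_bytes(buf):
    """Collect the byte lanes of each 32-bit pixel that no colour mask touches."""
    pixel_offset, bit_depth, compression, masks = parse_bmp_header(buf)
    if bit_depth != 32 or compression != 3:
        raise ValueError("expected a 32 bpp BI_BITFIELDS image")
    used = masks[0] | masks[1] | masks[2] | masks[3]
    free = [k for k in range(4) if (used >> (8 * k)) & 0xFF == 0]
    pixels = buf[pixel_offset:]
    out = bytearray()
    for p in range(0, len(pixels) - 3, 4):               # one little-endian pixel at a time
        out += bytes(pixels[p + k] for k in free)
    return bytes(out), free

def build_sample_bmp(payload):
    """Constructed test image (not the challenge file): 5-5-5 colour in the low word,
    two payload bytes in the otherwise unused high word of every pixel."""
    payload += b"\0" * (len(payload) % 2)
    words = struct.unpack("<%dH" % (len(payload) // 2), payload)
    pixels = b"".join(struct.pack("<HH", 0x1234, w) for w in words)
    dib = struct.pack("<IiiHHIIiiII4I", 124, len(words), 1, 1, 32, 3, len(pixels),
                      11811, 11811, 0, 0, 0x7C00, 0x03E0, 0x001F, 0)
    dib += b"\0" * (124 - len(dib))                      # pad to the full V5 header size
    file_hdr = struct.pack("<2sIHHI", b"BM", 14 + 124 + len(pixels), 0, 0, 138)
    return file_hdr + dib + pixels

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        hidden, free = unused_pixel_bytes(f.read())
    print("unused byte lanes:", free, "| zip signature:", hidden[:4] == b"PK\x03\x04")
    with open("hidden.bin", "wb") as f:
        f.write(hidden)
```

On the challenge image the free lanes are [2, 3], so the output is byte-for-byte what the writeup's `seek(140)` script produces.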

$ file output.txt
output.txt: Zip archive data, at least v2.0 to extract, compression method=deflate

Finally we get the ZIP file that we noticed at the beginning.

$ binwalk -e output.txt
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Zip archive data, at least v2.0 to extract, compressed size: 169392, uncompressed size: 448642, name: ZnJhbmtlbnN0ZWluLXRlc3QudHh0
169576        0x29668         End of Zip archive, footer length: 22

We can now extract the text file and search it for the flag:

$ cat ZnJhbmtlbnN0ZWluLXRlc3QudHh0 | grep pico
At that age I became acquainted with the celebrated picoCTF{w0rd_d4wg_y0u_f0und_5h3113ys_m4573rp13c3_8a06cf5f}

And we got the flag!
