File 101

Challenge:

An email containing a photo of a pumpkin was found in an employee's Gmail inbox. The photo looks normal, but looks can be deceiving sometimes. What secrets could it be holding?

Download image
SHA1: fbaa1ba13058c8c85281775ed9865f29fc9b820c

Solution:

While conducting simple checks with strings, exiftool, etc., we identified a URL embedded in the file pointing to a Dropbox download:

$ strings 2311432@.jpg
...
"https://www.dropbox.com/s/io1kaqznal2c10y/corrupted.zip?dl=0"

Grabbing the file with wget and checking it with file identifies it as a Zip archive:

$ wget "https://www.dropbox.com/s/io1kaqznal2c10y/corrupted.zip?dl=0" -O "corrupted.zip"

$ file corrupted.zip

corrupted.zip: Zip archive data, at least v2.0 to extract

Listing the archive contents shows one file, FOR0x.png. However, the archive was encrypted:

$ unzip -l corrupted.zip 
Archive:  corrupted.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
     6932  2021-08-28 19:11   FOR0x.png
---------                     -------
     6932                     1 file

$ unzip corrupted.zip 
Archive:  corrupted.zip
[corrupted.zip] FOR0x.png password:

The fcrackzip utility, in combination with the rockyou wordlist, was able to quickly recover the password:

$ fcrackzip -u -D -p /mnt/hgfs/CTF-Data/wordlists/rockyou.txt corrupted.zip

PASSWORD FOUND!!!!: pw == pumpkinpie

After extracting FOR0x.png from the archive, any attempt to view the PNG image failed, and the file utility didn't identify it as a PNG but simply as "data". Looking at the file header shows the magic bytes have been overwritten with 2e2e 7878:

$ xxd FOR0x.png | head -n1
00000000: 2e2e 7878 0010 6a66 6966 0001 3835 2e00  ..xx..jfif..85..

Additionally, the string jfif can be seen near the beginning of the file; this would be found in a JPEG (JFIF/JFXX), not a PNG. Checking the file's footer confirms our suspicion, as ff d9 is the JPEG trailer (the EOI marker):

$ xxd FOR0x.png | tail -n1
00001b10: 0000 ffd9                                ....

We used GHex to rewrite the JFIF signature (FF D8 FF E0) over the first four bytes, saved the file with a .jpg extension, and opened it in an image viewer.
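The same inspection and repair can be done without a hex editor. The script below is an added example written for this writeup, not part of the original solution: it reads the header and trailer bytes with od, classifies the file by its ff d9 trailer when the header cannot be trusted, and patches the first four bytes back to FF D8 FF E0 in place with printf and dd. It assumes only POSIX sh, od, dd, wc and printf. The sample file it operates on is constructed inside the script (same mangled header and lowercase jfif identifier as the challenge file, but only 16 bytes long); it is not the real FOR0x.png.

```shell
#!/bin/sh
# Added example (not from the original writeup): inspect a file whose magic
# bytes were overwritten and patch them back from the command line.
# Assumes POSIX sh plus od, dd, wc and printf. The sample file is constructed
# below and is a stand-in for the challenge's FOR0x.png, not the real file.
set -e

# Print the first $2 bytes of file $1 as lowercase hex with no separators.
head_hex() { od -An -tx1 -N"$2" "$1" | tr -d ' \n'; }

# Print the last two bytes of file $1 as hex (the JPEG EOI marker is ff d9).
tail_hex() {
    size=$(wc -c < "$1")
    od -An -tx1 -j "$((size - 2))" "$1" | tr -d ' \n'
}

# Classify by trailer when the header is untrustworthy: "jpeg" if the file
# ends in the EOI marker ff d9, "unknown" otherwise.
guess_by_trailer() {
    if [ "$(tail_hex "$1")" = "ffd9" ]; then echo jpeg; else echo unknown; fi
}

# Overwrite the first four bytes with SOI + APP0 marker (ff d8 ff e0), the
# bytes the challenge file had replaced with 2e 2e 78 78 ("..xx").
# Octal escapes are used because POSIX printf does not guarantee \x escapes;
# conv=notrunc keeps the rest of the file intact.
fix_jfif_header() {
    printf '\377\330\377\340' | dd of="$1" bs=1 count=4 conv=notrunc 2>/dev/null
}

# Build the constructed stand-in: mangled header "..xx", APP0 length 0x0010,
# lowercase "jfif" identifier, version 1.1 start, then a bare ff d9 trailer.
make_sample() {
    printf '..xx\000\020jfif\000\001' > "$1"
    printf '\000\000\377\331' >> "$1"
}

# Demonstration when invoked as: sh repair.sh demo
if [ "${1:-}" = "demo" ]; then
    f=$(mktemp)
    make_sample "$f"
    echo "before: $(head_hex "$f" 4)  trailer: $(tail_hex "$f")  guess: $(guess_by_trailer "$f")"
    fix_jfif_header "$f"
    echo "after:  $(head_hex "$f" 4)"
    rm -f "$f"
fi
```

Checking the trailer before touching the header is the useful habit here: a file that ends in ff d9 but does not start with ff d8 is a strong sign that only the signature was damaged, so a four-byte in-place patch is the right fix rather than re-encoding or carving. Keep a copy of the original and run the repair on that copy, as dd writes in place.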

If we're being completely honest here… this image successfully trolled us and we spent extra cycles checking our file edits for mistakes. After multiple "do-overs" we finally spotted the flag in the lower right corner of the image… Well played, ThorMM.
