An email, containing a photo of a pumpkin, was found in an employee's Gmail inbox. The photo looks normal, but looks can be deceiving sometimes. What secrets could it be holding?
While conducting simple checks with strings, exiftool, etc., we identified a URL embedded in the file for a Dropbox download. The strings output is the one that surfaced it:
$ strings 2311432@.jpg
...
"https://www.dropbox.com/s/io1kaqznal2c10y/corrupted.zip?dl=0"
Grabbing the file with wget and checking it with file identifies it as a Zip archive (if a Dropbox share link hands you an HTML preview page instead of the file, change ?dl=0 to ?dl=1 to force a direct download; the file output below shows we did get the archive):
$ wget "https://www.dropbox.com/s/io1kaqznal2c10y/corrupted.zip?dl=0" -O "corrupted.zip"
$ file corrupted.zip
corrupted.zip: Zip archive data, at least v2.0 to extract
Listing the archive contents shows one file, FOR0x.png. However, the archive was encrypted:
$ unzip -l corrupted.zip
Archive:  corrupted.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
     6932  2021-08-28 19:11   FOR0x.png
---------                     -------
     6932                     1 file
$ unzip corrupted.zip
Archive:  corrupted.zip
[corrupted.zip] FOR0x.png password:
The fcrackzip utility, in combination with the rockyou wordlist, was able to quickly recover the password. -D selects dictionary mode, -p names the wordlist, and -u makes fcrackzip confirm each candidate by actually running unzip, which weeds out the false positives the weak ZIP password check would otherwise report for a single-file archive:
$ fcrackzip -u -D -p /mnt/hgfs/CTF-Data/wordlists/rockyou.txt corrupted.zip
PASSWORD FOUND!!!!: pw == pumpkinpie
After extracting FOR0x.png from the archive, every attempt to view it as a PNG failed, and the file utility didn't identify it as a PNG but simply as "data". Looking at the file header shows why: the magic bytes have been overwritten. The file now starts with 2e 2e 78 78 ("..xx"), whereas a PNG always begins with 89 50 4e 47 0d 0a 1a 0a:
$ xxd FOR0x.png | head -n1
00000000: 2e2e 7878 0010 6a66 6966 0001 3835 2e00  ..xx..jfif..85..
Additionally, the string jfif can be seen near the beginning of the file, at offset 6, which is exactly where a JPEG's APP0 segment carries its JFIF (or JFXX) identifier; a PNG has no such segment. The 00 10 just before it fits too: it is the APP0 segment length (16 bytes) that normally follows the two-byte SOI marker and the two-byte APP0 marker, so the four overwritten bytes line up exactly with where FF D8 FF E0 should be. Checking the file's footer confirms our suspicion, as ff d9 is the JPEG trailer (the End Of Image marker):
$ xxd FOR0x.png | tail -n1
00001b10: 0000 ffd9                                ....
We used GHex to rewrite the first four bytes with the JFIF signature (FF D8 FF E0, the SOI marker followed by the APP0 marker), saved the file with a .jpg extension and opened it in an image viewer. The lowercased jfif identifier can be left alone: decoders generally treat an APP0 segment whose identifier they don't recognise as opaque and decode the image anyway.
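The header triage and repair above, done in Python rather than by hand in a hex editor, as an added example that is not part of the original write-up. It carves URLs out of arbitrary bytes (the strings check from the first step), identifies a file whose magic was destroyed from the APP0 length, the identifier at offset 6 and the FF D9 trailer, restores FF D8 FF E0, and then walks the JPEG marker segments so that a mis-patched header (a stray byte, a wrong length) is caught before you waste cycles in an image viewer. The sample bytes are a constructed fixture that mimics the xxd dump shown above, not the real FOR0x.png, and the URL in its COM segment is a placeholder, not the write-up's Dropbox link; the skeleton is structurally valid but not a decodable picture.

```python
"""Added example (not from the original write-up): triage a file whose leading
magic bytes were overwritten, confirm from the APP0 identifier and the FF D9
trailer that it is a JPEG, restore the SOI/APP0 header, and validate the repair
by walking the marker segments. build_sample() is a constructed fixture."""
import re
import struct
import sys

SOI_APP0 = b"\xff\xd8\xff\xe0"   # Start Of Image + APP0 marker: first 4 bytes of a JFIF file
EOI = b"\xff\xd9"                # End Of Image: the trailer seen with xxd | tail
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")   # what 'strings | grep http' would show


def find_urls(data: bytes) -> list:
    """Carve printable URLs out of arbitrary bytes (the strings-style check)."""
    return URL_RE.findall(data)


def identify(data: bytes) -> str:
    """Type by magic first, then by internal evidence when the magic is gone."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    # Magic destroyed: offset 4..5 should hold the APP0 length (0x0010) and
    # offset 6..9 the identifier. Compared case-insensitively because the
    # dump in the write-up shows it lowercased.
    if data[4:6] == b"\x00\x10" and data[6:10].lower() in (b"jfif", b"jfxx") and data.endswith(EOI):
        return "jpeg-damaged-header"
    return "data"


def repair_jfif_header(data: bytes) -> bytes:
    """Put FF D8 FF E0 back; everything from the APP0 length onward is untouched."""
    if identify(data) != "jpeg-damaged-header":
        raise ValueError("input does not look like a JPEG with an overwritten header")
    return SOI_APP0 + data[4:]


def walk_markers(data: bytes) -> list:
    """Walk marker segments from SOI to SOS and return (marker, length) pairs.
    Raises ValueError on any inconsistency, so a typo in a hand-patched header
    surfaces here rather than as a blank image viewer."""
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("no SOI marker")
    if not data.endswith(EOI):
        raise ValueError("no EOI trailer")
    segments, pos = [], 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos:#x}")
        marker = data[pos + 1]
        if marker == 0xFF:                               # fill byte, skip it
            pos += 1
            continue
        if marker == 0xD9:                               # EOI before any scan data
            segments.append((marker, 0))
            break
        if 0xD0 <= marker <= 0xD8 or marker == 0x01:     # standalone markers carry no length
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length {length} at offset {pos:#x}")
        segments.append((marker, length))
        if marker == 0xDA:                               # SOS: entropy-coded data follows, stop
            break
        pos += 2 + length
    return segments


def is_valid_jpeg(data: bytes) -> bool:
    """True when the marker walk succeeds and reaches a Start Of Scan segment."""
    try:
        return any(m == 0xDA for m, _ in walk_markers(data))
    except ValueError:
        return False


def build_sample() -> bytes:
    """Constructed fixture: a structurally valid JFIF skeleton (not a decodable
    picture) with a COM segment holding a placeholder URL, then damaged the way
    FOR0x.png was: first four bytes replaced with '..xx', identifier lowercased."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00" + struct.pack(">HH", 1, 1) + b"\x00\x00"
    note = b"https://example.com/corrupted.zip"        # placeholder, not the write-up's URL
    com = b"\xff\xfe" + struct.pack(">H", 2 + len(note)) + note
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    good = b"\xff\xd8" + app0 + com + sos + b"\x12\x34\x56" + EOI
    damaged = b"..xx" + good[4:]
    return damaged[:6] + b"jfif" + damaged[10:]


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print("urls:", find_urls(data))
    print("type:", identify(data))
    fixed = repair_jfif_header(data)
    print("segments:", [(hex(m), n) for m, n in walk_markers(fixed)])
    if len(sys.argv) > 1:
        open(sys.argv[1] + ".jpg", "wb").write(fixed)
```

Run it with no arguments to exercise the fixture, or pass a path to patch a real file into a sibling .jpg. The marker walk is the part worth keeping around: it refuses a header such as FF D8 FF 00 E0 (a stray byte turns the APP0 length into garbage) and reports the offset, which is far quicker than re-checking hex edits by eye.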
If we're being completely honest here… this image successfully trolled us and we spent extra cycles checking our file edits for mistakes. After multiple "do-overs" we finally spotted the flag in the lower right corner of the image… Well played, ThorMM.