Misplaced_Forenscis_50pts
Don't know file type after just seeing hex values.
Using binwalk, figured out that this file's type is 'zip' and its pw.
Then it gave us 'Article1.jpg'
Though can't open now.
By seeing hex values, you can know this is 'Word file' not a ZIP
There's a flag.
flag: SBCTF{n1c3_c4rv1n6_w3ll_d0n3}
Nice Duck!_Forenscis_100pts
Wireshark - Export - HTTP object list
In movie.mp4,
there's a flag.
flag: SBCTF{1n53cur3_commun1c471on}
Splitted flag_Forenscis_200pts
You can see this' signature that "PNG" not "BMP"
But still cant' open rightly.
Then you can find another PNG signature at offset 0x73706
So I splited them -> Splited flag1.png and Splited flag2.png -> Still can't open
Now, I see. There're some strange points
This is another normal PNG file's hex value
So now you can know
1) PNG file's signature is "89 50 4E 47 0D 0A 1A 0A (‰PNG....)" not, "89 70 6E 67 0D 0A 1A 0A (‰png....)".
so you should change to right signature.
2) PNG should have 3 chunk: IHDR, IDAT, IEND
like this:
But about Splited Flag1.png:
There's "SB" instead of "IHDR"
So you should edit "53 42 2E 2E" to "49 48 44 52" ("SB.." to "IHDR")
When you edit same with 'Splited Flag2.png', you can see it.
But still can't about 'Splitled Flag1.png'.
When you open it with 010 editor, you can see there's chunk problem: IDAT, IEND.
We know that we can see the word "IDAT" and "IEND". It means, there's something worng about format.
So first, about IHDR chunk.
This is IHDR chunk format of Splited Flag2.png (normal png).
Threre's
- 4 bytes length: 00 00 00 0D (13)
- 4 bytes signature: 49 48 44 52 (IHDR)
- 13 bytes chunk data: 10h ~ 2Ch
- 4 bytes CRC check: AC 05 28 A9
Otherwise, about Splited Flag1.png. Those squares are 'width', 'height', 'CRC', 'IDAT's size'
Yes. There's no 5 bytes of 'Chunk data':
- Bit depth 1 byte
- Color type 1 byte
- Compression method 1 byte
- Filter method 1byte
- Interlace method 1 byte
Also, the 'height' is weirdly long. So I will do:
- Copy width and height values of 'Splited Flag2.png' to 'Splited Flag1.png'
- Add 5 bytes Chunk datas of 'Splited Flag2.png'
- Finally, Edit CRC check value
1)
2)
Actually you can see the pic now
3)
Finally, there's a flag.
flag: SBCTF{!-l0v3-d1g1t@l_f0r3n}
CRC calculator site:
On-line CRC calculation and free library - Lammert Bies
On-line CRC calculation sheet. Free CRC routines downloadable. Covers CRC-16, CRC-32, CRC-CCITT, DNP, Sick and other routines.
www.lammertbies.nl
or try:
import zlib
s = b'[ascii input]'
print(hex(zlib.crc32(s)))import binascii
filename = "crc"
buf = open(filename,'rb').read()
buf = (binascii.crc32(buf) & 0xFFFFFFFF)
print("%08X" % buf)
'Wargame > CTF' 카테고리의 다른 글
| Shakti CTF 2020_Cryptography (0) | 2020.12.05 |
|---|---|
| Shakti CTF 2020_WEB Exploitation (0) | 2020.12.05 |
| Shakti CTF 2020_Pwn Connect (0) | 2020.12.05 |
| Shakti CTF 2020_Misc Wooooww (0) | 2020.12.05 |
| Shakti CTF 2020_Steganography Invisible (0) | 2020.12.04 |