sCTF Q1 2016 - Failed CompressionCategory: writeups
Tags: forensics sctf-2016
Forensics - 80 Points
I was trying to compress some files, but I think I messed it up?
file: [compressed.zip] (not available)
When you try to open the ZIP file, every ZIP programs tell you that it’s not a valid archive file. With an HexEditor we can see that it’s not a ZIP file because it doesn’t have known Magic Byte
Also I noticed that there were lots of PNG/IHDR signature and JPG/JFIF signature.
So I excluded the
APNG option and thought that maybe the archive was a concatenation
of PNG and JPG files.
Unfortunately every file’s header was changed so we extraced with Binwalk the
start position and end position of every PNG file (based on IHDRpos -12byte and IENDpos +5byte)
and JPEG file (based on JFIFpos -6byte and the JPG EOF
So I wrote a script to extract with
dd every single image fixing the Magic Byte (loaded from a file).
And finally I found a flag, in the sea of memes