Another BSides CTF Write-up

There has been a trickle of challenges coming out between the BSides Chicago and BSides Detroit events.  This last one was pretty fun, and I got to write some PowerShell to solve it.

The challenge title was Flipping Out.

We get lots of references to the so-bad-it’s-good movie, Hackers.  I saw it in the theater and gave it the MST3K treatment with my friends.

The only thing we get to start is a jpg image.  But it seems to take up more disk space than an image this size should….

Scanning through the binary data, I found a “PK” header, indicating a zip file is there.  I fired up HxD, my hex editor of choice, and separated out the bytes.

Now I had a zip file which I could open to find image1.jpg, but it does not contain the flag.

Again, the file size is suspect.  The zip file is 187kb, but the single file inside shows a packed size of 95kb.  So I know there’s more data that is not being shown yet.  After investigating a few different paths I ended up reading the specification for the zip file format to try and tease out what was going on in the file.

Then the obvious thing jumped out.

I had seen the binary of the zip ended in ‘KP’, but at that point I assumed it was a normal terminator for the zip file.

It’s not.  Then the title of the challenge made perfect sense, and I knew what to do.

I found the midpoint of the file where the first zip ended, and the end of the second one was reversed onto it, cut out the reversed bytes and saved them to a file.  Now I just had to reverse the whole thing, and since I’ve been working with PowerShell, I decided to stick with that.

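# Read the reversed bytes into an array (-Encoding byte is Windows PowerShell syntax)
[byte[]]$byte = Get-Content hackerz-rev -Encoding byte;
# Destination array of the same length
[byte[]]$flip = New-Object byte[] $byte.Length;
$j=0;
# Walk the source from the last index down to 0 (-ge, so byte 0 is copied too)
for($i=($byte.length-1);$i -ge 0; $i--){
    $flip[$j] = $byte[$i]; $j++;
};
[System.IO.File]::WriteAllBytes('C:\Users\rcassara\Desktop\files\bsidesctf\flipped.zip', $flip);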

I had saved my backwards bytes to ‘hackerz-rev’, so in the first line, I read that into a byte array.  Then I created a second array of equal length, and simply copied each byte over in reverse order.

The final line writes out the bytes to a zip file.
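The manual carve and the flip can also be done in one pass by reading the zip structure itself. This is an added example, not part of the original solution: the function names and all sample bytes are constructed, and it assumes Windows PowerShell 5.1 or later on a little-endian host and that the first 'PK' 05 06 signature in the file is the forward archive's real end-of-central-directory record.

```powershell
# Added example: every byte below is constructed; function names are hypothetical.
Add-Type -AssemblyName System.IO.Compression

function New-SampleZipBytes([string]$EntryName, [string]$Text) {
    $ms  = New-Object System.IO.MemoryStream
    $zip = New-Object System.IO.Compression.ZipArchive($ms, [System.IO.Compression.ZipArchiveMode]::Create, $true)
    $w   = New-Object System.IO.StreamWriter($zip.CreateEntry($EntryName).Open())
    $w.Write($Text); $w.Dispose(); $zip.Dispose()   # disposing the archive writes the central directory
    return ,($ms.ToArray())
}

function Find-Bytes([byte[]]$Data, [byte[]]$Pattern) {
    for ($i = 0; $i -le $Data.Length - $Pattern.Length; $i++) {
        $k = 0
        while ($k -lt $Pattern.Length -and $Data[$i + $k] -eq $Pattern[$k]) { $k++ }
        if ($k -eq $Pattern.Length) { return $i }
    }
    return -1
}

function Get-MirroredZip([byte[]]$Data) {
    $n = $Data.Length
    # A mirrored archive ends with the local-file-header signature 'PK' 03 04 backwards: 04 03 'K' 'P'.
    if ($n -lt 26 -or $Data[$n-1] -ne 0x50 -or $Data[$n-2] -ne 0x4B -or
        $Data[$n-3] -ne 0x03 -or $Data[$n-4] -ne 0x04) { return $null }
    # The forward archive ends at its end-of-central-directory record:
    # signature 'PK' 05 06, 22 fixed bytes, then a comment whose length is at offset 20.
    $eocd = Find-Bytes $Data ([byte[]](0x50, 0x4B, 0x05, 0x06))
    if ($eocd -lt 0 -or $eocd + 22 -gt $n) { return $null }
    $start = $eocd + 22 + [BitConverter]::ToUInt16($Data, $eocd + 20)
    if ($start -ge $n) { return $null }
    $carved = New-Object byte[] ($n - $start)
    [Array]::Copy($Data, $start, $carved, 0, $carved.Length)
    [Array]::Reverse($carved)        # in-place reversal covers every index, including 0
    return ,$carved
}

# Constructed sample with the challenge's layout: image, forward zip, reversed zip.
[byte[]]$cover = 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x10, 0xFF, 0xD9   # stand-in for the JPEG
[byte[]]$zip1  = New-SampleZipBytes 'image1.jpg' 'decoy'
[byte[]]$rev   = New-SampleZipBytes 'gpj.egami' 'stand-in for the hidden image'
[Array]::Reverse($rev)
[byte[]]$out = Get-MirroredZip ([byte[]]($cover + $zip1 + $rev))
if (-not $out) { throw 'no mirrored archive found' }
$ms  = New-Object System.IO.MemoryStream(,$out)
$zip = New-Object System.IO.Compression.ZipArchive($ms, [System.IO.Compression.ZipArchiveMode]::Read)
$zip.Entries | ForEach-Object { '{0} ({1} bytes)' -f $_.FullName, $_.Length }
```

The last line lists the entries of the recovered archive, which confirms the carved region parses as a zip after reversal.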

Opening the new zip I saw what I expected, a single file named gpj.egami (the challenge writer reversed the name so the mirror-image wouldn’t be as obvious when looking at strings in the binary).  Opened the file as a jpg and…


sw1tch posted his method of solving this, which involves no coding at all (unless you consider writing RegEx coding).
