SharkyCTF 2020 - [Forensic] Romance Dawn (100pts)
Written by Maltemo, member of team SinHack.
Statement of the challenge
Description
Whoops. It seems Luffy played with my picture and I’m not able to open it anymore. Please help me.
Creator: 2phi
TL;DR
The challenge consisted of replacing every chunk header named EASY with IDAT to repair the PNG file.
Analyze
A PNG file was attached to this challenge: 7uffy.png.
The first thing I want to check is if the magic number of the file hasn’t been changed.
For this, let's just check the file type:
file 7uffy.png
7uffy.png: PNG image data, 1113 x 885, 8-bit/color RGBA, non-interlaced
Nice, so the problem isn’t coming from there.
There is a tool to help debug PNG errors: pngcheck.
Let’s use it :
pngcheck 7uffy.png
7uffy.back illegal (unless recently approved) unknown, public chunk EASY
ERROR: 7uffy.png
So the problem comes from a chunk header whose type has been replaced with the value EASY.
The only thing we need to do is replace EASY with the correct chunk header names.
Let’s take a look into the hexadecimal of the file :
xxd 7uffy.png | head
00000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452 .PNG........IHDR
00000010: 0000 0459 0000 0375 0806 0000 00a4 5424 ...Y...u......T$
00000020: fd00 0000 0662 4b47 4400 0000 0000 00f9 .....bKGD.......
00000030: 43bb 7f00 0000 0970 4859 7300 000b 1300 C......pHYs.....
00000040: 000b 1301 009a 9c18 0000 0007 7449 4d45 ............tIME
00000050: 07e4 031a 002d 0960 f3dc 5400 0000 1d69 .....-.`..T....i
00000060: 5458 7443 6f6d 6d65 6e74 0000 0000 0043 TXtComment.....C
00000070: 7265 6174 6564 2077 6974 6820 4749 4d50 reated with GIMP
00000080: 642e 6507 0000 2000 4541 5359 78da ecdd d.e... .EASYx...
00000090: 4f8c 65c7 5d2f f0ba dd3d 33b6 e321 2f10 O.e.]/...=3..!/.
We can already spot that the EASY chunks come after the main headers of the PNG file (IHDR, pHYs), so we can assume that those headers were originally IDAT chunk headers.
In addition, the chunk's data length, 0000 2000, is common for an IDAT chunk.
If you want to learn more about challenges with PNG to repair, check out these other write-ups of mine:
There are more detailed explanations about the structure of a PNG file.
The last part will be the editing of the PNG data.
I will use bless to edit the file, but you can use other editors like hexeditor.
bless 7uffy.png

And then just replace all EASY data headers with IDAT (there were multiple).
After editing, let’s check if the file is correctly constructed with pngcheck:
pngcheck 7uffy.png
OK: 7uffy.png (1113x885, 32-bit RGB+alpha, non-interlaced, 99.3%).
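The same repair can be scripted instead of done by hand in a hex editor. The following is an added example, not part of the original write-up: it walks the chunks and renames EASY to IDAT only when the stored CRC (which covers chunk type plus data) matches IDAT, which confirms the guess instead of assuming it. The function names and the tiny sample PNG are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(ctype, data):
    """Serialize one chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def walk(png):
    """Yield (type_offset, type, data, stored_crc) for every chunk."""
    if png[:8] != PNG_SIG:
        raise ValueError("bad PNG signature")
    pos = 8
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        end = pos + 8 + length
        if end + 4 > len(png):
            raise ValueError("truncated chunk at offset %d" % pos)
        (crc,) = struct.unpack(">I", png[end:end + 4])
        yield pos + 4, png[pos + 4:pos + 8], png[pos + 8:end], crc
        pos = end + 4

def repair(png, bad=b"EASY", good=b"IDAT"):
    """Rename `bad` chunks to `good` only when the stored CRC proves it."""
    out, fixed = bytearray(png), 0
    for off, ctype, data, crc in walk(png):
        if ctype == bad and zlib.crc32(good + data) & 0xFFFFFFFF == crc:
            out[off:off + 4] = good
            fixed += 1
    return bytes(out), fixed

def bad_crc_chunks(png):
    """Return types of chunks whose stored CRC does not match."""
    return [t for _, t, d, c in walk(png) if zlib.crc32(t + d) & 0xFFFFFFFF != c]

def make_sample():
    """Constructed 2x2 RGBA PNG whose two IDAT chunks were renamed EASY."""
    raw = b"".join(b"\x00" + bytes([r, 0, 0, 255]) * 2 for r in (10, 200))
    z = zlib.compress(raw)
    ihdr = struct.pack(">IIBBBBB", 2, 2, 8, 6, 0, 0, 0)
    idats = b"".join(chunk(b"IDAT", p) for p in (z[:5], z[5:]))
    good = PNG_SIG + chunk(b"IHDR", ihdr) + idats + chunk(b"IEND", b"")
    return good.replace(b"IDAT", b"EASY"), good

if __name__ == "__main__":
    fixed_png, n = repair(make_sample()[0])
    print(n, "chunk(s) renamed; bad CRCs left:", bad_crc_chunks(fixed_png))
```

To use it on a real file, read the bytes with open(path, "rb"), pass them to repair(), and write the result to a new file so the original stays untouched.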
Let’s open it :

And BOOM, we got the flag : The flag is shkCTF{7uffy_1s_pr0ud_0f_y0u_0a2a9795f0bdf8d17e4}.
Flag
The flag is shkCTF{7uffy_1s_pr0ud_0f_y0u_0a2a9795f0bdf8d17e4}

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.