peaCTF 2019 (Round2) - [Forensic] Guillotine (1200pts)
Written by Maltemo, member of team SinHack.
Statement of the challenge
Description
This unknown file, hail-hydra, seems to have lost part of its head! Would you be able to Frankenstein the file back together for me? I do remember some specific information about the file. It is 2679x1724 pixels, and has an AlphaTrueColor color space.
File
hail_hydra
Analyzing the file
Let’s begin ! We already know that the file is corrupted, so we can assume that a file bash command won’t give us further information.
Now we open the file with an hexadecimal editor :
We can already spot a critical chunk name of a PNG file : IDAT
Little reminder :
A PNG file is composed of different chunks of data, some must exist and other are optional.
The critical chunks are (in order):
IHDR (Image HeaDeR) : General informations about the image (length, width, color type)PLTE (PaLeTtE) : Palettes of colors of the image (not always needed)IDAT (Image DATa) Beginning of image dataIEND (Image END) End of image data
A chunk of data is always composed of :
| Length of the data chunk |
Chunk type |
Chunk data |
CRC |
| 4 bytes |
4 bytes |
Length bytes |
4 bytes |
Thanks to this reminder, we can now guess that we will have to add :
- The standard chunk that helps to recognize a PNG file
- A IHDR chunk
- Potentially a PLTE chunk
- And after the IDAT chunk of data, the IEND chunk to finish the file.
Those are the main documentations/sources I used to learn all this stuff :
Fixing the file
Let’s start by creating the header chunk.
From the wikipedia PNG format page, everything is explained, so here is the header chunk :
89 50 4E 47 0D OA 1A 0A
Explanation copy pasted from wikipedia :
| Values (hex) |
Purpose |
89 |
Has the high bit set to detect transmission systems that do not support 8-bit data and to reduce the chance that a text file is mistakenly interpreted as a PNG, or vice versa. |
50 4E 47 |
In ASCII, the letters PNG, allowing a person to identify the format easily if it is viewed in a text editor. |
0D 0A |
A DOS-style line ending (CRLF) to detect DOS-Unix line ending conversion of the data. |
1A |
A byte that stops display of the file under DOS when the command type has been used—the end-of-file character. |
0A |
A Unix-style line ending (LF) to detect Unix-DOS line ending conversion. |
IHDR chunk
| length IHDR |
IHDR |
IHDR data chunk |
CRC |
| 00 00 00 0D |
49 48 44 52 |
?? |
?? |
IHDR data chunck :
| Purpose |
Value |
| Width |
00 00 0A 77 => 2679 |
| Height |
00 00 06 BC => 1724 |
| Size of color bytes |
08 or 10 |
| Color type |
06 => AlphaTrueColor color space |
| Compression method |
00 |
| Filter method |
00 |
| Enlacement method |
00 |
Table’s source (wikipedia) then adapted to our case.
From the color type, we already know that we won’t have to use a PLTE chunk (PLTE must be created with color type 3, see the link before).
We will use pngcheck at the end with option v (verbose) to get the correct CRC.
pngcheck -v hail_hydra_modified.png
File: hail_hydra_modified.png (58575 bytes)
chunk IHDR at offset 0x0000c, length 13
2679 x 1724 image, 32-bit RGB+alpha, non-interlaced
CRC error in chunk IHDR (computed c3695c43, expected 0000e49a)
ERRORS DETECTED in hail_hydra_modified.png
And there it is, the last part missing, the CRC : c3695c43
I won’t explain entirely what is CRC, but briefly, it checks if there were any modifications or corruption in the data. It is calculated from the data. This is why we need to compute it, it’s unique.
Final IHDR chunk
| length IHDR |
IHDR |
IHDR data chunk |
CRC |
| 00 00 00 0D |
49 48 44 52 |
00 00 0A 77 00 00 06 BC 08 06 00 00 00 |
C3 69 5C 43 |
IEND chunk
The IEND chunk is always the same because it doesn’t contain any data, so the length stays the same, the chunk type too and the CRC isn’t affected.
| LENGTH |
NAME DATA CHUNCK |
CRC |
00 00 00 00 |
49 45 4E 44 |
AE 42 60 82 |
Modifying the hexadecimal of the file
The last step will be to edit the incomplete image from an hexa editor tool.
I personaly use bless, but there are other like hexeditor, emacs in hex editor mode, etc.
Let’s add the header chunk with the IHDR at the beginning of the file :
Then at the end of the file, we add the IEND chunk :
And we obtain this picture, giving us the flag (at first not, because the creator of the challenge forgot some upper case letters 
).
TL;DR
We need to repair a PNG file where the header, the IHDR and the IEND chunk are missing.
Flag
The flag is peaCTF{Just_A_Flesh_Wound}
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
peaCTF 2019 (Round2) - [Forensic] Guillotine (1200pts)
Written by Maltemo, member of team SinHack.
Statement of the challenge
Description
This unknown file, hail-hydra, seems to have lost part of its head! Would you be able to Frankenstein the file back together for me? I do remember some specific information about the file. It is 2679x1724 pixels, and has an AlphaTrueColor color space.
File
Analyzing the file
Let’s begin ! We already know that the file is corrupted, so we can assume that a
filebash command won’t give us further information.Now we open the file with an hexadecimal editor :
We can already spot a critical chunk name of a PNG file : IDAT
Little reminder :
A PNG file is composed of different chunks of data, some must exist and other are optional.
The critical chunks are (in order):
IHDR(Image HeaDeR) : General informations about the image (length, width, color type)PLTE(PaLeTtE) : Palettes of colors of the image (not always needed)IDAT(Image DATa) Beginning of image dataIEND(Image END) End of image dataA chunk of data is always composed of :
Thanks to this reminder, we can now guess that we will have to add :
Those are the main documentations/sources I used to learn all this stuff :
Fixing the file
Let’s start by creating the header chunk.
Header chunk
From the wikipedia PNG format page, everything is explained, so here is the header chunk :
89 50 4E 47 0D OA 1A 0AExplanation copy pasted from wikipedia :
8950 4E 470D 0A1A0AIHDR chunk
IHDR data chunck :
00 00 0A 77=> 267900 00 06 BC=> 172408or1006=> AlphaTrueColor color space000000Table’s source (wikipedia) then adapted to our case.
From the color type, we already know that we won’t have to use a PLTE chunk (PLTE must be created with color type 3, see the link before).
We will use
pngcheckat the end with option v (verbose) to get the correct CRC.And there it is, the last part missing, the CRC :
c3695c43I won’t explain entirely what is CRC, but briefly, it checks if there were any modifications or corruption in the data. It is calculated from the data. This is why we need to compute it, it’s unique.
Final IHDR chunk
IEND chunk
The IEND chunk is always the same because it doesn’t contain any data, so the length stays the same, the chunk type too and the CRC isn’t affected.
00 00 00 0049 45 4E 44AE 42 60 82Modifying the hexadecimal of the file
The last step will be to edit the incomplete image from an hexa editor tool.
I personaly use
bless, but there are other likehexeditor,emacsin hex editor mode, etc.Let’s add the header chunk with the IHDR at the beginning of the file :
Then at the end of the file, we add the IEND chunk :
And we obtain this picture, giving us the flag (at first not, because the creator of the challenge forgot some upper case letters
).
TL;DR
We need to repair a PNG file where the header, the IHDR and the IEND chunk are missing.
Flag
The flag is peaCTF{Just_A_Flesh_Wound}
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.