peaCTF 2019 (Round1) - [Forensic] We are E.xtr (350pts)
Written by Maltemo, member of team SinHack.
Statement of the challenge
Description
No description, only a file
File
The file attached was E.xrt and contained raw data.
Analysis 
I started by trying to understand what type of file this was.
I used the file command, which does exactly this:
Then I used the strings command to search for the flag in the binary:
strings E.xtr
IHDR
sRGB
gAMA
fPLTE
@@@(((
xxx
ppp000
XXX888
"tRNS
pHYs
IDATx^
T0g^
[...]
)_UX
lb7w
A!xB
IEND
[...] isn't in the file; it is just there to show you only a part of the result.
Also, at this step I could have guessed the answer. But I was too focused on getting a flag string.
I searched online for software to open files with the .xrt extension.
It didn't give me much information.
I went on to other challenges and learned new things.
I came back and decided to use the command xxd to see what is inside the binary file:
xxd E.xtr | head
00000000: 8958 5452 0d0a 1a0a 0000 000d 4948 4452 .XTR........IHDR
00000010: 0000 0500 0000 02d0 0803 0000 018f a41d ................
00000020: f200 0000 0173 5247 4200 aece 1ce9 0000 .....sRGB.......
00000030: 0004 6741 4d41 0000 b18f 0bfc 6105 0000 ..gAMA......a...
00000040: 0066 504c 5445 ffff ffdf dfdf 7f7f 7f40 .fPLTE.........@
00000050: 4040 2828 2800 0000 1818 1850 5050 f7f7 @@(((......PPP..
00000060: f7af afaf 9797 9710 1010 6868 68e7 e7e7 ..........hhh...
00000070: 2020 2078 7878 9f9f 9f08 0808 bfbf bf8f    xxx..........
00000080: 8f8f c7c7 c7a7 a7a7 7070 7030 3030 6060 ........ppp000``
00000090: 60cf cfcf b7b7 b758 5858 3838 38ef efef `......XXX888...
And I thought:
“WAIT A MINUTE, it really looks like the format of a PNG image file header!”
Maltemo
I searched on Wikipedia and found the critical chunks of data similar to what I got in this header, except for the identifier PNG ASCII string in the header.
Solution 
I edited the file with a console text editor (vim), and replaced the letters XTR by PNG.

I ran the file command to check if the type changed correctly:
file E.xtr
>E.xtr: PNG image data, 1280 x 720, 8-bit colormap, interlaced
So I opened the image and the flag was there!
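The same check and fix done programmatically, as an added example that is not part of the original writeup: it confirms that everything after the signature is a valid PNG chunk stream (IHDR first, IEND last, every CRC-32 correct) before restoring the 8-byte signature, and decodes the IHDR fields that file reports. All function names are hypothetical, SAMPLE_PNG is a constructed 1x1 image, and PAGE_HEADER is the first 33 bytes of the xxd dump above.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
PAGE_HEADER = bytes.fromhex("895854520d0a1a0a 0000000d49484452 00000500000002d00803000001 8fa41df2")

def chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC-32 over type + data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def walk_chunks(buf: bytes):
    """Yield (type, data, crc_ok) for each chunk after the 8-byte signature."""
    pos = 8
    while pos + 12 <= len(buf):
        (length,) = struct.unpack(">I", buf[pos:pos + 4])
        ctype, data = buf[pos + 4:pos + 8], buf[pos + 8:pos + 8 + length]
        crc = buf[pos + 8 + length:pos + 12 + length]
        ok = len(crc) == 4 and struct.unpack(">I", crc)[0] == zlib.crc32(ctype + data)
        yield ctype, data, ok
        if ctype == b"IEND" or not ok:
            return  # stop at the end marker or at the first damaged/truncated chunk
        pos += 12 + length

def looks_like_png_body(buf: bytes) -> bool:
    """True when everything except the signature says PNG."""
    chunks = list(walk_chunks(buf))
    return (len(chunks) >= 2 and chunks[0][0] == b"IHDR" and len(chunks[0][1]) == 13
            and chunks[-1][0] == b"IEND" and all(ok for _, _, ok in chunks))

def repair_signature(buf: bytes) -> bytes:
    """Restore the PNG signature only if the chunk structure is intact; otherwise raise."""
    if buf[:8] == PNG_SIG:
        return buf
    if not looks_like_png_body(buf):
        raise ValueError("chunk structure is not PNG; refusing to patch the header")
    return PNG_SIG + buf[8:]

def ihdr_summary(buf: bytes) -> dict:
    """Decode the IHDR fields (bytes 16..28 of the file) that `file` prints."""
    w, h, depth, ctype, _comp, _filt, lace = struct.unpack(">IIBBBBB", buf[16:29])
    return {"width": w, "height": h, "bit_depth": depth, "color_type": ctype, "interlaced": bool(lace)}

# Constructed sample: a 1x1 grayscale PNG whose signature letters were changed to "XTR".
SAMPLE_PNG = (PNG_SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND", b""))
SAMPLE_TAMPERED = b"\x89XTR" + SAMPLE_PNG[4:]

if __name__ == "__main__":
    print(repair_signature(SAMPLE_TAMPERED)[:8], ihdr_summary(PAGE_HEADER))
```

The decoded PAGE_HEADER fields match the file output above: 1280 x 720, 8-bit, color type 3 (colormap), interlaced.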

TL;DR
The file was a PNG image that had been modified.
You need to change it back to PNG format.
Flag 
The flag is peaCTF{read_banned_it}

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.