Secrets
Description
Author: clides
Being the APT (advanced persistent troll) he is, clides continued to play around with Claudio Pacheco's laptop without him knowing. He even gained access to Claudio's friend's device. On that device, he found this strange looking file and he wants to know what it contains.
Can you help clides retrieve hidden info from this file?
Analysis
We are given a file without extension
└─$ file BxM_Foren3
BxM_Foren3: dataUsing exiftool shows us
File Type : BMP
File Type Extension : bmp
MIME Type : image/bmpLet's change the extension and try to open it
└─$ mv BxM_Foren3 BxM_Foren3.bmp
└─$ display ./BxM_Foren3.bmp 
Image is distorted and contains a fake flag (from sarcasm). So where is the flag? Since file looks damaged we should restore it.
The easiest way is to fix image files are to compare them to "not broken" images.
I have outlined interesting bytes, interesting because it says DEAD (has to do something with damage to file) and it repeats twice. I replaced the values from the right (image) and when we reopen image something changes!
Ok.. The colors are fixed but image is still distorted. What did we change to effect image?
Let's look at the BMP anatomy here
1. First part which we changed was The offset
| Offset hex | Offset dec | Size | Purpose | | 0A | 10 | 4 bytes | The offset, i.e. starting address, of the byte where the bitmap image data (pixel array) can be found. |
2. The second part Header Size
| Offset (hex) | Offset (dec) | Size (bytes) | OS/2 1.x BITMAPCOREHEADER | | 0E | 14 | 4 | The size of this header (12 bytes) |
Solution
After fiddling around the bits and bytes I found that manipulating the 3rd & 4th byte shift the image vertically. The best bytes that worked are The offset = 01 00 03 00
PS
Looks like I found a "not intended" way to solve the challenge.
Similar challenge can be found on PicoCTF, tunn3l_v1s10n writeup with "intended" (or correct) way to solve it.
Last updated