Magic Bytes

Prompt

This file appears to be changed in some way. Can you recover the original?

flag.jpeg (6.9KB)

Walk-Through

This challenge involves correcting the magic bytes / file signature of an image.

Based on the .jpeg in the filename, the file initially appears to be a jpeg. Additionally, when the file is loaded into CyberChef, its initial bytes almost match the magic bytes for a jpeg file with exif data, which are: FF D8 FF E0 00 10 4A 46 49 46 00 01. However, the last byte does not match. Also, no image thumbnail appears in previews, and the file fails to open in an image viewer.

The last highlighted byte is 0d, but should be 01 to match the magic bytes for a jpeg file

Based on the prompt, we know that this file has been tampered with in some way. Running the strings recipe in CyberChef can reveal clues about what has happened: perhaps some of the unchanged portion of the file will point to the original file type.


By running online searches for these strings, we can find that JFIF is used in the jpeg filetype, while IHDR and IDAT are used in the png filetype. Based on this information, we can attempt to edit the raw file to replace the jpeg file signature with the png file signature (89 50 4E 47 0D 0A 1A 0A). This can be done with a hex editor, such as HexEd.it.


However, even after correcting the magic bytes and changing the file extension to .png, the file fails to open in an image viewer. Since the png file signature is 8 bytes long and the jpeg file signature is 12 bytes long, it is possible that the extra 4 bytes that remain from the jpeg file signature are causing the errors. To correct this, we can copy the 4 bytes following the png file signature from a known valid png file and see whether that corrects the problem.

The 4 bytes following the file signature in our valid sample png file are 00 00 00 0D
Replacing the 4 bytes (49 46 00 0D) that follow the png file signature with 00 00 00 0D

After making this final modification, the file will successfully open.
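The same repair can be scripted and checked without an image viewer. The following is an added example, not part of the original write-up: it rewrites the first 12 bytes only when the IHDR tag sits at offset 12, then walks the png chunks verifying each length and CRC-32, which also shows why the signature-only fix fails (the leftover 49 46 00 0D is read as the IHDR chunk length). The sample png is constructed inline, and the function names are assumptions.

```python
import struct
import zlib

PNG_SIG = bytes.fromhex("89504e470d0a1a0a")
IHDR_LEN = bytes.fromhex("0000000d")  # chunk length field: IHDR data is 13 bytes
FAKE_HEAD = bytes.fromhex("ffd8ffe000104a464946000d")  # tampered bytes from the write-up

def chunk(ctype, data):
    """Build one PNG chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

# Constructed sample: a 1x1 grayscale PNG, then the same file with the fake header.
SAMPLE_PNG = (PNG_SIG
              + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + chunk(b"IDAT", zlib.compress(b"\x00\x00"))
              + chunk(b"IEND", b""))
TAMPERED = FAKE_HEAD + SAMPLE_PNG[12:]

def repair(blob):
    """Restore signature + IHDR length, only if IHDR sits at offset 12."""
    if blob[12:16] != b"IHDR":
        raise ValueError("no IHDR tag at offset 12; refusing to rewrite header")
    return PNG_SIG + IHDR_LEN + blob[12:]

def walk_chunks(blob):
    """Return chunk types in order; raise on bad signature, length or CRC."""
    if blob[:8] != PNG_SIG:
        raise ValueError("bad PNG signature")
    pos, seen = 8, []
    while pos < len(blob):
        if pos + 12 > len(blob):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 8 + length
        if end + 4 > len(blob):
            raise ValueError(f"chunk length {length:#x} runs past end of file")
        if struct.unpack(">I", blob[end:end + 4])[0] != zlib.crc32(blob[pos + 4:end]):
            raise ValueError(f"CRC mismatch in {ctype!r}")
        seen.append(ctype.decode("latin-1"))
        pos = end + 4
    return seen

if __name__ == "__main__":
    print(walk_chunks(repair(TAMPERED)))  # full 12-byte fix parses cleanly
    try:
        walk_chunks(PNG_SIG + TAMPERED[8:])  # signature-only fix from the write-up
    except ValueError as err:
        print("signature-only fix:", err)
```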

Questions

What is the original file type?

Run strings on the file to find IHDR and IDAT, then search online for what filetypes contain those strings.

What is the flag?

Use a hex editor to set the first 12 bytes of the file to 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d and rename the file to use the .png file extension. Then, open the file in an image viewer to reveal the flag.

©️ 2024 Cyber Skyline. All Rights Reserved. Unauthorized reproduction or distribution of this copyrighted work is illegal.