Prompt
This file appears to be changed in some way. Can you recover the original?
Walk-Through
This challenge involves correcting the magic bytes / file signature of an image.
Based on the .jpeg in the filename, the file initially appears to be a jpeg. Additionally, when loading the file into CyberChef, the initial bytes also almost match the magic bytes for a jpeg file with exif data, which are: FF D8 FF E0 00 10 4A 46 49 46 00 01. However, the last byte does not match. Also, no image thumbnail appears in previews and the file also fails to open in an image viewer.
The last byte is 0d, but should be 01 to match the magic bytes for a jpeg file.
Based on the prompt, we know that this file has been tampered with in some way. Running the strings recipe in CyberChef can help reveal some clues to determine what has happened - perhaps some of the unchanged portion of the file will point to the original file type.
By running online searches for these strings, we can find that JFIF is used in the jpeg filetype, but also IHDR and IDAT are used in the png filetype. Based on this information, we can attempt to edit the raw file to replace the jpeg file signature with the png file signature (89 50 4E 47 0D 0A 1A 0A). This can be done with a hex editor, such as HexEd.it.
However, even after correcting the magic bytes and changing the file extension to .png, the file fails to open using an image viewer. Since the png file signature is 8 bytes long and the jpeg file signature is 12 bytes long, it is possible that the extra 4 bytes that remain from the jpeg file signature are causing errors when using an image viewer. To correct this, we can attempt to copy the 4 bytes following the png file signature from a known valid png file and see if that will correct the problem.
In a known valid png file, the 4 bytes following the png file signature are 00 00 00 0D.
Replace the 4 bytes (49 46 00 0D) that follow the png file signature with 00 00 00 0D.
After making this final modification, the file will successfully open.
Questions
What is the original file type?
Run strings on the file to find IHDR and IDAT, then search online for what filetypes contain those strings.
What is the flag?
Use a hex editor to set the first 12 bytes of the file to 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d and rename the file to use the .png file extension. Then, open the file in an image viewer to reveal the flag.
©️ 2024 Cyber Skyline. All Rights Reserved. Unauthorized reproduction or distribution of this copyrighted work is illegal.