PicoCTF 2022 Forensics walkthrough - Part 1

Ujjawal Saini

In this article, we will attempt to solve picoCTF 2022 Forensics challenges 1 to 3.

Challenges

This post assumes you are familiar with what a CTF is. If not, feel free to check out this introduction-to-CTF video by LiveOverFlow:

Intro to CTF

So, let's get started.

Challenge 1 - Enhance

As we can see in the description, we are provided with a download link for an image file and no hints.

Let's start by firing up our terminal, grabbing the image using curl, and opening it.

curl -LO "https://artifacts.picoctf.net/c/137/drawing.flag.svg"

When opened, the image appears to be blank. Let's try something else: since an SVG is just XML text, we can cat the file and read its source directly.

cat drawing.flag.svg

Output:

<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->

<svg
   xmlns:dc="http://purl.org/dc/elements/1.1/"
   xmlns:cc="http://creativecommons.org/ns#"
   xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
   xmlns:svg="http://www.w3.org/2000/svg"
   xmlns="http://www.w3.org/2000/svg"
   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
   width="210mm"
   height="297mm"
   viewBox="0 0 210 297"
   version="1.1"
   id="svg8"
   inkscape:version="0.92.5 (2060ec1f9f, 2020-04-08)"
   sodipodi:docname="drawing.svg">
  <defs
     id="defs2" />
  <sodipodi:namedview
     id="base"
     pagecolor="#ffffff"
     bordercolor="#666666"
     borderopacity="1.0"
     inkscape:pageopacity="0.0"
     inkscape:pageshadow="2"
     inkscape:zoom="0.69833333"
     inkscape:cx="400"
     inkscape:cy="538.41159"
     inkscape:document-units="mm"
     inkscape:current-layer="layer1"
     showgrid="false"
     inkscape:window-width="1872"
     inkscape:window-height="1016"
     inkscape:window-x="48"
     inkscape:window-y="27"
     inkscape:window-maximized="1" />
  <metadata
     id="metadata5">
    <rdf:RDF>
      <cc:Work
         rdf:about="">
        <dc:format>image/svg+xml</dc:format>
        <dc:type
           rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
        <dc:title></dc:title>
      </cc:Work>
    </rdf:RDF>
  </metadata>
  <g
     inkscape:label="Layer 1"
     inkscape:groupmode="layer"
     id="layer1">
    <ellipse
       id="path3713"
       cx="106.2122"
       cy="134.47203"
       rx="102.05357"
       ry="99.029755"
       style="stroke-width:0.26458332" />
    <circle
       style="fill:#ffffff;stroke-width:0.26458332"
       id="path3717"
       cx="107.59055"
       cy="132.30211"
       r="3.3341289" />
    <ellipse
       style="fill:#000000;stroke-width:0.26458332"
       id="path3719"
       cx="107.45217"
       cy="132.10078"
       rx="0.027842503"
       ry="0.031820003" />
    <text
       xml:space="preserve"
       style="font-style:normal;font-weight:normal;font-size:0.00352781px;line-height:1.25;font-family:sans-serif;letter-spacing:0px;word-spacing:0px;fill:#ffffff;fill-opacity:1;stroke:none;stroke-width:0.26458332;"
       x="107.43014"
       y="132.08501"
       id="text3723"><tspan
         sodipodi:role="line"
         x="107.43014"
         y="132.08501"
         style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
         id="tspan3748">p </tspan><tspan
         sodipodi:role="line"
         x="107.43014"
         y="132.08942"
         style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
         id="tspan3754">i </tspan><tspan
         sodipodi:role="line"
         x="107.43014"
         y="132.09383"
         style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
         id="tspan3756">c </tspan><tspan
         sodipodi:role="line"
         x="107.43014"
         y="132.09824"
         style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
         id="tspan3758">o </tspan><tspan
         sodipodi:role="line"
         x="107.43014"
         y="132.10265"
         style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
         id="tspan3760">C </tspan><tspan
         sodipodi:role="line"
         x="107.43014"
         y="132.10706"
         style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
         id="tspan3762">T </tspan><tspan
         sodipodi:role="line"
         x="107.43014"
         y="132.11147"
         style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
         id="tspan3764">F { 3 n h 4 n </tspan><tspan
         sodipodi:role="line"
         x="107.43014"
         y="132.11588"
         style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
         id="tspan3752">c 3 d _ 2 4 3 7 4 6 7 5 }</tspan></text>
  </g>
</svg>

Looking closely at the end of the output, we see that before every </tspan> there is a small fragment of the flag. The text is rendered with a font size of 0.00352781px and a white fill on a white background, which is why nothing is visible when the image is opened. Concatenating the fragments and removing the spaces between them gives the flag: picoCTF{3nh4nc3d_24374675}
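Reading the fragments out of the XML by hand works for one file, but the same check can be automated. The script below is an added example (not part of the original post) that parses an SVG with the standard library, collects the text content of every <text> element in document order, strips the whitespace, and separately flags <text> elements whose style makes them unreadable (sub-pixel font size or a white fill, exactly the two tricks used in drawing.flag.svg). The embedded SVG is a constructed, trimmed-down copy of the challenge file that keeps only the <text>/<tspan> structure shown above.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Constructed sample: a minimal SVG reproducing the hidden <text> element of drawing.flag.svg.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
     width="210mm" height="297mm" viewBox="0 0 210 297" version="1.1">
  <g id="layer1">
    <text id="text3723" x="107.43014" y="132.08501"
          style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke:none"
      ><tspan sodipodi:role="line">p </tspan><tspan sodipodi:role="line">i </tspan><tspan
      sodipodi:role="line">c </tspan><tspan sodipodi:role="line">o </tspan><tspan
      sodipodi:role="line">C </tspan><tspan sodipodi:role="line">T </tspan><tspan
      sodipodi:role="line">F { 3 n h 4 n </tspan><tspan
      sodipodi:role="line">c 3 d _ 2 4 3 7 4 6 7 5 }</tspan></text>
  </g>
</svg>
"""


def _parse(svg_source):
    # Accept str or bytes; ElementTree is happiest with bytes when an XML declaration is present.
    if isinstance(svg_source, str):
        svg_source = svg_source.encode("utf-8")
    return ET.fromstring(svg_source)


def extract_hidden_text(svg_source) -> str:
    """Return the text of every <text> element, joined in document order, whitespace removed.
    Text that is invisible in a renderer (tiny font, fill matching the background) is still
    plain data in the XML, so parsing the source recovers it."""
    root = _parse(svg_source)
    chunks = ["".join(el.itertext()) for el in root.iter(f"{{{SVG_NS}}}text")]
    return re.sub(r"\s+", "", "".join(chunks))


def suspicious_text_elements(svg_source) -> list:
    """Flag <text> elements styled to be unreadable: font-size below 1px or a white fill."""
    root = _parse(svg_source)
    findings = []
    for el in root.iter(f"{{{SVG_NS}}}text"):
        style = el.get("style", "")
        props = dict(p.split(":", 1) for p in style.split(";") if ":" in p)
        size = props.get("font-size", "").strip()
        m = re.match(r"([0-9.]+)px", size)
        tiny = m is not None and float(m.group(1)) < 1.0
        white = props.get("fill", "").strip().lower() == "#ffffff"
        if tiny or white:
            findings.append({"id": el.get("id"), "font_size": size,
                             "fill": props.get("fill"), "tiny": tiny, "white_fill": white})
    return findings


if __name__ == "__main__":
    print(extract_hidden_text(SAMPLE_SVG))
    for finding in suspicious_text_elements(SAMPLE_SVG):
        print(finding)
```

The same two functions work on the real drawing.flag.svg if you read it from disk and pass the bytes in; for a file you did not author, the findings list is the part worth looking at, since it tells you which elements are styled to hide rather than to display.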

Challenge 2 - File types


Let's begin this challenge by downloading the linked PDF file.


curl -LO "https://artifacts.picoctf.net/c/324/Flag.pdf"

When I tried to open the linked Flag.pdf, I faced an error, so I looked at the challenge's hint.

It is possible for this file not to be a PDF at all. Let us check it using the "file" command in our Linux terminal: file determines a file's type from its contents (its magic bytes), not from its extension.

file Flag.pdf

Running this command revealed that this is not a PDF file but a "shell archive text". Let us rename it with a .sh extension, give it execute permission, and run it.

mv Flag.pdf Flag.sh
chmod +x Flag.sh
./Flag.sh

It threw an error: uudecode: command not found. After a quick internet search I found Arch Linux's manual page for uudecode, and under its package information found the package name: "extra/sharutils".

Let us now install it:


sudo pacman -S sharutils

After re-executing Flag.sh and running ls, I found a new file named flag in my directory.

Running the file command on our new flag file reveals that it is a "current ar archive".

To extract it, I then used binwalk:

binwalk -e flag

This created a folder named _flag.extracted containing a file named 64, which turned out to be gzip compressed data.

Again, we can use binwalk to extract this file. Doing so gives a folder _64.extracted containing two files, flag and flag.gz, both compressed data: one lzip and the other gzip.

I tried extracting the lzip file flag using binwalk -e flag, but it didn't work, so I extracted it with the lzip command instead. The output file flag.out turned out to be LZ4 compressed data:

lzip -k -d flag

Then I extracted the LZ4 data and ran file on the output flag2.out, which turned out to be LZMA compressed data:

lz4 -d flag.out flag2.out

To extract the LZMA file I executed:

lzma -d -k flag2.out

But it gave me an error: lzma: flag2.out: No such file or directory. So I renamed flag2.out to flag2.lzma and ran the command again:

lzma -d -k flag2.lzma

This executed successfully and created a new file named flag2, which file reported as lzop compressed data.

To extract the lzop file, I installed the lzop package using sudo pacman -S lzop. After renaming flag2 to flag2.lzop, I ran:

lzop -d -k flag2.lzop -o flag3

This created a file named flag3, which turned out to be lzip compressed data. To extract it, I ran:

lzip -k -d flag3

This created flag3.out, XZ compressed data.

After renaming flag3.out to flag4.xz, I extracted it using the xz command, which created flag4, an ASCII text file:

mv flag3.out flag4.xz
xz -d -k flag4.xz

Running cat on flag4 gave me:

cat flag4

7069636f4354467b66316c656e406d335f6d406e3170756c407431306e5f6630725f3062326375723137795f37396230316332367d0a

The content is hex-encoded, so I decoded it from hex using CyberChef, which gave me the flag:

picoCTF{f1len@m3_m@n1pul@t10n_f0r_0b2cur17y_79b01c26}
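The whole challenge is a lesson in trusting content over names: every layer had a misleading or missing extension, and only inspecting the leading bytes told the truth. The script below is an added example (not code from the original post) that does what file did at each step, identifying a blob by its magic bytes, and then peels nested layers automatically for the formats the Python standard library can decode (gzip, xz, .lzma, bzip2) plus the final hex-text step. lzip, LZ4, lzop and ar are identified only, which is still enough to know which tool to reach for. The sample input is constructed inside the script: a hex-encoded flag wrapped in .lzma, then xz, then gzip.

```python
import bz2
import gzip
import lzma
import re

# Magic bytes for the container formats met in this challenge (bzip2 added for completeness).
MAGICS = [
    (b"\x1f\x8b", "gzip"),
    (b"\xfd7zXZ\x00", "xz"),
    (b"BZh", "bzip2"),
    (b"LZIP", "lzip"),
    (b"\x04\x22\x4d\x18", "lz4"),
    (b"\x89LZO\x00\r\n\x1a\n", "lzop"),
    (b"!<arch>\n", "ar"),
]


def sniff(data: bytes) -> str:
    """Identify a blob by its leading bytes, the way file(1) does, ignoring its name."""
    for magic, name in MAGICS:
        if data.startswith(magic):
            return name
    if data.startswith(b"#!") and b"shar" in data[:512]:
        return "shar"
    # LZMA_Alone (.lzma) has no magic string: a properties byte below 225, a 4-byte
    # dictionary size, then an 8-byte uncompressed size (all 0xff when unknown).
    if len(data) >= 13 and data[0] < 225 and data[5:13] == b"\xff" * 8:
        return "lzma"
    if re.fullmatch(rb"[0-9a-fA-F]+\s*", data):
        return "hex-text"
    return "unknown"


# Layers we can remove with the standard library alone.
PEELERS = {
    "gzip": gzip.decompress,
    "xz": lambda d: lzma.decompress(d, format=lzma.FORMAT_XZ),
    "lzma": lambda d: lzma.decompress(d, format=lzma.FORMAT_ALONE),
    "bzip2": bz2.decompress,
    "hex-text": lambda d: bytes.fromhex(d.decode("ascii").strip()),
}


def peel(data: bytes, max_layers: int = 32):
    """Strip nested layers until an unknown or unsupported format remains.
    Returns (final_bytes, [layer names in the order they were removed])."""
    layers = []
    for _ in range(max_layers):
        kind = sniff(data)
        if kind not in PEELERS:
            break
        data = PEELERS[kind](data)
        layers.append(kind)
    return data, layers


def build_sample() -> bytes:
    """Constructed input: hex-encoded flag text wrapped in .lzma, then xz, then gzip."""
    inner = b"picoCTF{constructed_example}\n".hex().encode("ascii") + b"\n"
    inner = lzma.compress(inner, format=lzma.FORMAT_ALONE)
    inner = lzma.compress(inner, format=lzma.FORMAT_XZ)
    return gzip.compress(inner)


if __name__ == "__main__":
    final, layers = peel(build_sample())
    print(layers)          # ['gzip', 'xz', 'lzma', 'hex-text']
    print(final.decode())  # picoCTF{constructed_example}
```

When peel stops on "lzip", "lz4", "lzop" or "ar", the returned layer list tells you how far it got and sniff tells you which external tool (lzip, lz4, lzop, binwalk or ar) handles the next step, which is exactly the loop followed by hand above.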

Challenge 3 - Lookey here


Let's begin this challenge by downloading the linked anthem.flag.txt file.


This time it is what it says, a text file.

After viewing it using less, I realised it's a very long text file, so I ran wc to count the lines:

wc -l anthem.flag.txt

Output: 2146 anthem.flag.txt

So I ran grep to search it for our flag:

grep pico anthem.flag.txt

And we've found the flag: picoCTF{gr3p_15_@w3s0m3_58f5c024}


Written by Ujjawal Saini

Data Scientist and Software Engineer. Privacy and Security Advocate.