PicoCTF 2022 Forensics walkthrough - Part 1
In this article, we will attempt to solve picoCTF 2022 Forensics challenges 1 to 3.
This post assumes you are familiar with what CTF is, if not then feel free to check out this introduction to CTF video by LiveOverFlow:
So, let's get started.
Challenge 1 - Enhance
As we can see in the description that we are provided with a download link of an image file and no hints.
Let's start by firing up our terminal and grabbing the image using curl and open it.
curl -LO "
https://artifacts.picoctf.net/c/137/drawing.flag.svg
"
When opened:
It looks like there's nothing here. Let's try something else. Let's try to cat this image file.
cat drawing.flag.svg
Output:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:cc="http://creativecommons.org/ns#"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
width="210mm"
height="297mm"
viewBox="0 0 210 297"
version="1.1"
id="svg8"
inkscape:version="0.92.5 (2060ec1f9f, 2020-04-08)"
sodipodi:docname="drawing.svg">
<defs
id="defs2" />
<sodipodi:namedview
id="base"
pagecolor="#ffffff"
bordercolor="#666666"
borderopacity="1.0"
inkscape:pageopacity="0.0"
inkscape:pageshadow="2"
inkscape:zoom="0.69833333"
inkscape:cx="400"
inkscape:cy="538.41159"
inkscape:document-units="mm"
inkscape:current-layer="layer1"
showgrid="false"
inkscape:window-width="1872"
inkscape:window-height="1016"
inkscape:window-x="48"
inkscape:window-y="27"
inkscape:window-maximized="1" />
<metadata
id="metadata5">
<rdf:RDF>
<cc:Work
rdf:about="">
<dc:format>image/svg+xml</dc:format>
<dc:type
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
<dc:title></dc:title>
</cc:Work>
</rdf:RDF>
</metadata>
<g
inkscape:label="Layer 1"
inkscape:groupmode="layer"
id="layer1">
<ellipse
id="path3713"
cx="106.2122"
cy="134.47203"
rx="102.05357"
ry="99.029755"
style="stroke-width:0.26458332" />
<circle
style="fill:#ffffff;stroke-width:0.26458332"
id="path3717"
cx="107.59055"
cy="132.30211"
r="3.3341289" />
<ellipse
style="fill:#000000;stroke-width:0.26458332"
id="path3719"
cx="107.45217"
cy="132.10078"
rx="0.027842503"
ry="0.031820003" />
<text
xml:space="preserve"
style="font-style:normal;font-weight:normal;font-size:0.00352781px;line-height:1.25;font-family:sans-serif;letter-spacing:0px;word-spacing:0px;fill:#ffffff;fill-opacity:1;stroke:none;stroke-width:0.26458332;"
x="107.43014"
y="132.08501"
id="text3723"><tspan
sodipodi:role="line"
x="107.43014"
y="132.08501"
style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
id="tspan3748">p </tspan><tspan
sodipodi:role="line"
x="107.43014"
y="132.08942"
style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
id="tspan3754">i </tspan><tspan
sodipodi:role="line"
x="107.43014"
y="132.09383"
style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
id="tspan3756">c </tspan><tspan
sodipodi:role="line"
x="107.43014"
y="132.09824"
style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
id="tspan3758">o </tspan><tspan
sodipodi:role="line"
x="107.43014"
y="132.10265"
style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
id="tspan3760">C </tspan><tspan
sodipodi:role="line"
x="107.43014"
y="132.10706"
style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
id="tspan3762">T </tspan><tspan
sodipodi:role="line"
x="107.43014"
y="132.11147"
style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
id="tspan3764">F { 3 n h 4 n </tspan><tspan
sodipodi:role="line"
x="107.43014"
y="132.11588"
style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
id="tspan3752">c 3 d _ 2 4 3 7 4 6 7 5 }</tspan></text>
</g>
</svg>
Upon looking closely at the end of the output, we see that before every, </tspan>
there's a little fragment of the flag. Let us now concatenate this and remove the spaces from between: Flag: picoCTF{3nh4nc3d_24374675}
Challenge 2 - File types
Let's begin this challenge by downloading the linked PDF file.
curl -LO "
https://artifacts.picoctf.net/c/324/Flag.pdf
"
When I tried to open the linked Flag.pdf, I faced an error:
When I clicked on hint it said:
It is possible for this file to not be a PDF, let us now check it using the "file" command in our Linux terminal. file command is used to determine file type.
file Flag.pdf
Running this command revealed that this is not a PDF file, but it's a "shell archive text". Let us now try to rename it to .sh
extension, give it executable permission and then try to execute it.
mv Flag.pdf
Flag.sh
chmod +x
Flag.sh
./
Flag.sh
It threw an error uudecode: command not found
After doing a quick internet search I found Arch Linux's manual for uudecode and under package information found the package name: "extra/sharutils"
Let us now install it:
sudo pacman -S sharutils
Now after I re-executed the Flag.sh
did ls
, I found a new file named flag
in my directory.
After again running file
command on our new flag
, it is revealed that it is current ar archive
.
To extract it I then used binwalk: binwalk -e
Which then created a folder named _flag.extracted
which then contained a file named 64
which turned out to be gzip compressed data
Again, we can use binwalk
to extract this file. Upon doing so, we got a folder _64.extracted
which contained two files flag
and flag.gz
, both compressed data, one lzip and the other one gzip.
I tried extracting the flag
lzip file using binwalk -e flag
, but it didn't work. So I tried extracting it using lzip
command, and the output file flag.out
turned out to be LZ4 compressed data
lzip -k -d flag
Then I extracted the lz4
data and then ran file
command on the output file2.out
, and it turned out to be LZMA compressed data
lz4 -d flag.out flag2.out
Then the to extract the lzma
file I executed lzma -d -k flag2.out
But it gave me an error: lzma: flag2.out: No such file or directory
So I renamed the flag2.out
to flag2.lzma
and ran the command again: lzma -d -k flag2.lzma
Which successfully executed and created a new file named flag2
which then turned out to be lzop compressed data
upon running file
command.
To extract the lzop
file, I then installed the lzop
package using sudo pacman -S lzop
. After changing the name of the file flag2
to flag2.lzop
I ran: lzop -d -k flag2.lzop -o flag3
Which then created the file named flag3
which turned out to be lzip compressed data
and then again, to extract it I ran: lzip -k -d flag3
Which created flag3.out
, XZ compressed data
Then after renaming flag3.out
to flag4.xz
, I extracted flag4.xz
using the xz
command, which created flag4
which turned out to be an ASCII text. mv flag3.out flag4.xz
xz -d -k flag4.xz
After running cat
on flag4
which is an ASCII file, I got:
7069636f4354467b66316c656e406d335f6d406e3170756c407431306e5f6630725f3062326375723137795f37396230316332367d0a
So to decode it from hex I went over to CyberChef which gave me the flag:
picoCTF{f1len@m3_m@n1pul@t10n_f0r_0b2cur17y_79b01c26}
Challenge 3 - Lookey here
Let's begin this challenge by downloading the linked anthem.flag.txt
file.
This time it is what it says, a text file.
After viewing it in using less I realised it's a very long text file, so I ran wc
to count the lines: wc -l anthem.flag.txt
Output: 2146 anthem.flag.txt
So I ran grep
to search through it if it contains our flag or not.
grep pico anthem.flag.txt
And we've found the flag: picoCTF{gr3p_15_@w3s0m3_58f5c024}
Subscribe to my newsletter
Read articles from Ujjawal Saini directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by
Ujjawal Saini
Ujjawal Saini
Data Scientist and Software Engineer. Privacy and Security Advocate.