Forensics - File types - writeup
description
This file was found among some files marked confidential
but my pdf reader cannot read it, maybe yours can.
You can download the file from here.
writeup
Let’s download the file!
1
| wget https://artifacts.picoctf.net/c/329/Flag.pdf
|
lets see what file we got here…
1
| Flag.pdf: shell archive text
|
Looks like this is a shell archive file (.shar)
lets rename the file to a proper file extension first.
Now I will try to simply execute it.
I get the following output:
1
2
3
4
5
6
| x - created lock directory _sh00046.
x - extracting flag (text)
./Flag.shar: 119: uudecode: not found
restore of flag failed
flag: MD5 check failed
x - removed lock directory _sh00046.
|
Looks like I am missing uudecode
After a quick google search I found out that I need to install sharutils
So lets install it quick
After running the file Flag.shar again I get a new file called ‘flag’
with a lot of nonsense:
1
2
3
4
5
6
7
8
9
10
11
12
| !<arch>
flag/ 0 0 0 644 1024 `
4�4i�ѵ��F�DѣCC �M4hɦ�Sd��Y�6��"��������ש����5�h���{����������N��▒▒4���Ѡ2
0!�a� �0�6�▒2F����&���2&�� �
��y ڀ��
�^��r�e�▒�L�ʿ��H"72�\U#f�*������qCa}�s6��
`�K�I�{Wx�#W5�+f�и-�#i���G�£vV�#��%
�G>.���Z8ѬL×��9�%)�`��1�CxyR��=��9nf�q�!��h����f우��T��6�� ��݆������F�&�ؘbB��uu�!��"`e9P�Q����K3F�Q�k�C���)8
���
!��F5'(5��3�L�@� ��H���,�hQ&▒�
k��.Th2�D����`�>;<���▒��"�(HH�]���q
TRAILER!!!
|
Cheking with the file command what that file actually is we can see that it is an ‘ar archive’
1
2
| file flag
flag: current ar archive
|
So lets rename the file to flag.ar
check the file type again…
1
2
3
| file flag.ar
flag.ar: cpio archive
|
rename the file to .cpio
lets extract that cpio archive
We successfully extracted a new file called ‘flag’
lets see what that is now:
1
2
3
| file flag
flag: bzip2 compressed data, block size = 900k
|
Lets extract that with bunzip2 real quick
We got a file ‘flag.out’
lets see what it is:
1
2
| file flag.out
flag.out: gzip compressed data, was "flag", last modified: Tue Mar 15 06:50:51 2022, from Unix, original size modulo 2^32 327
|
Lets rename it to a proper file extension again
Now I will try to extract that gzip file
We got a new file flag
lets see what it is this time:
1
2
| file flag
flag: lzip compressed data, version: 1
|
lets extract it using lunzip
we get a new file flag.out
lets see what we have now…
1
2
| file flag.out
flag.out: LZ4 compressed data (v1.4+)
|
lets rename it to a proper file extension first…
now i will try to extract it…
1
2
3
| lz4 -d flag.lz4
Decoding file flag
flag.lz4 : decoded 264 bytes
|
lets check again….
1
2
| file flag
flag: LZMA compressed data, non-streamed, size 253
|
lets rename it to a proper file extension first ….
lets decompress it again….
lets check again….
1
2
| file flag
flag: lzop compressed data - version 1.040, LZO1X-1, os: Unix
|
lets extract it ….
1
2
3
4
| lzop -x flag
lzop: flag: can't decompress to same file
skipping flag [flag]
|
Looks like I need to specify a different destination file
1
| lzop flag -d -oflag.new
|
Checking with file again it is still an lzop archive
So I will try to extract it again…
1
| lzop flag.new -d -oflag.new.new
|
It is still an lzop file
1
| lzop flag.new.new -d -oflag.new.new.new
|
If I now check the filetype
1
2
| file flag.new.new.new
flag.new.new.new: lzip compressed data, version: 1
|
It is an lzip archive this time…
1
| lzip -d flag.new.new.new
|
By checking the filetype I get
1
2
| file flag.new.new.new.out
flag.new.new.new.out: XZ compressed data, checksum CRC64
|
let’s rename it to a proper extension
1
| cp flag.new.new.new.out flag.new.new.new.xz
|
Now extract it one more time…
1
| unxz flag.new.new.new.xz
|
1
2
| file flag.new.new.new
flag.new.new.new: ASCII text
|
cat’ing out this file we finally get some text …
1
2
3
4
| cat flag.new.new.new
7069636f4354467b66316c656e406d335f6d406e3170756c407431306e5f
6630725f3062326375723137795f32373866316131387d0a
|
The first line is hex and translates to
1
| picoCTF{f1len@m3_m@n1pul@t10n_
|
The second line is also hex and translates to
1
| f0r_0b2cur17y_278f1a18}
|
So the flag is:
1
| picoCTF{f1len@m3_m@n1pul@t10n_f0r_0b2cur17y_278f1a18}
|
