CTF: ASIS CTF Finals 2017
Points: 343
Category: forensic
Recon
In this task we were provided with a file called ifhe_Find_Out [sic].
Let’s try to find some information about it:
```
$ file ifhe_Find_Out
ifhe_Find_Out: data
```
Well, that’s not helpful at all. Time to look at the hex dump:
```
$ xxd -l 0x100 ifhe_Find_Out
00000000: 6674 7970 6d69 6631 0000 0000 6173 6973  ftypmif1....asis
00000010: 6374 6666 696e 616c 0000 021c 6d65 7461  ctffinal....meta
00000020: 0000 0000 0000 0021 6864 6c72 0000 0000  .......!hdlr....
00000030: 0000 0000 7069 6374 0000 0000 0000 0000  ....pict........
00000040: 0000 0000 0000 0000 0e70 6974 6d00 0000  .........pitm...
00000050: 004e 2200 0000 3469 6c6f 6300 0000 0044  .N"...4iloc....D
00000060: 4000 024e 2200 0000 0002 4000 0100 0000  @..N".....@.....
00000070: 0000 0062 484e 2300 0000 0064 9000 0100  ...bHN#....d....
00000080: 0000 0000 0012 aa00 0000 4e69 696e 6602  ..........Niinf.
00000090: 0000 0000 0000 0200 0000 1f69 6e66 6502  ...........infe.
000000a0: 0000 004e 2200 0068 7663 3148 4556 4320  ...N"..hvc1HEVC 
000000b0: 496d 6167 6500 0000 001f 696e 6665 0200  Image.....infe..
000000c0: 0000 4e23 0000 6876 6331 4845 5643 2049  ..N#..hvc1HEVC I
000000d0: 6d61 6765 0000 0000 1a69 7265 6600 0000  mage.....iref...
000000e0: 0000 0000 0e74 686d 624e 2300 014e 2200  .....thmbN#..N".
000000f0: 0001 4569 7072 7000 0001 2369 7063 6f00  ..Eiprp...#ipco.
```
Apart from asisctffinal, what clearly stands out is hvc1HEVC Image. Googling "HEVC Image" points us at a new image file format: HEIF. Moreover, ifhe in the challenge name is an anagram of HEIF. This gives us some idea about the kind of file we're dealing with. Still, we're unable to open it. To resolve this we need a valid HEIF file to compare with ours and look for differences between them. We've chosen this example: autumn_1440x960.heic, one of the sample images shipped with Nokia's HEIF repository.
```
$ xxd -l 0x100 autumn_1440x960.heic
00000000: 0000 001c 6674 7970 6d69 6631 0000 0000  ....ftypmif1....
00000010: 6d69 6631 6865 6963 6865 7663 0000 0200  mif1heichevc....
00000020: 6d65 7461 0000 0000 0000 0021 6864 6c72  meta.......!hdlr
00000030: 0000 0000 0000 0000 7069 6374 0000 0000  ........pict....
00000040: 0000 0000 0000 0000 0000 0000 0e70 6974  .............pit
00000050: 6d00 0000 004e 2200 0000 3469 6c6f 6300  m....N"...4iloc.
00000070: 0100 0000 0000 046a 804e 2300 0000 046c  .......j.N#....l
00000080: ac00 0100 0000 0000 000e 4a00 0000 4e69  ..........J...Ni
00000090: 696e 6602 0000 0000 0000 0200 0000 1f69  inf............i
000000a0: 6e66 6502 0000 004e 2200 0068 7663 3148  nfe....N"..hvc1H
000000b0: 4556 4320 496d 6167 6500 0000 001f 696e  EVC Image.....in
000000c0: 6665 0200 0000 4e23 0000 6876 6331 4845  fe....N#..hvc1HE
000000d0: 5643 2049 6d61 6765 0000 0000 1a69 7265  VC Image.....ire
000000e0: 6600 0000 0000 0000 0e74 686d 624e 2300  f........thmbN#.
000000f0: 014e 2200 0001 2969 7072 7000 0001 0769  .N"...)iprp....i
```
It seems that we're missing 4 bytes at the beginning of the file (the size field of the ftyp box, 00 00 00 1c), and that mif1heichevc has been replaced with asisctffinal.
Fix
Prepend the missing 4 bytes, taken from the start of the reference file:
```
$ dd if=autumn_1440x960.heic bs=1 count=4 | cat - ifhe_Find_Out > ifhe_fixed
```
Replace asisctffinal with mif1heichevc (12 bytes at offset 16, again copied from the reference file):
```
$ dd conv=notrunc if=autumn_1440x960.heic of=ifhe_fixed bs=1 count=12 skip=16 seek=16
```
Fixed file:
```
$ xxd -l 0x80 ifhe_fixed
00000000: 0000 001c 6674 7970 6d69 6631 0000 0000  ....ftypmif1....
00000010: 6d69 6631 6865 6963 6865 7663 0000 021c  mif1heichevc....
00000020: 6d65 7461 0000 0000 0000 0021 6864 6c72  meta.......!hdlr
00000030: 0000 0000 0000 0000 7069 6374 0000 0000  ........pict....
00000040: 0000 0000 0000 0000 0000 0000 0e70 6974  .............pit
00000050: 6d00 0000 004e 2200 0000 3469 6c6f 6300  m....N"...4iloc.
00000070: 0100 0000 0000 0062 484e 2300 0000 0064  .......bHN#....d
00000080: 9000 0100 0000 0000 0012 aa00 0000 4e69  ..............Ni
00000090: 696e 6602 0000 0000 0000 0200 0000 1f69  inf............i
000000a0: 6e66 6502 0000 004e 2200 0068 7663 3148  nfe....N"..hvc1H
000000b0: 4556 4320 496d 6167 6500 0000 001f 696e  EVC Image.....in
000000c0: 6665 0200 0000 4e23 0000 6876 6331 4845  fe....N#..hvc1HE
000000d0: 5643 2049 6d61 6765 0000 0000 1a69 7265  VC Image.....ire
000000e0: 6600 0000 0000 0000 0e74 686d 624e 2300  f........thmbN#.
000000f0: 014e 2200 0001 4569 7072 7000 0001 2369  .N"...Eiprp...#i
```
Opening the file
The last thing to do is to open the image. Unfortunately, it's not as easy as it sounds: HEIF is a new format with little to no support from image viewers. However, Nokia publishes a reference implementation in JavaScript (including example HEIF files), so we can use their website, replace one of the example HEIF files with our own, and let the browser display the flag.
```
$ git clone "https://github.com/nokiatech/heif.git" --branch gh-pages
$ mv ifhe_fixed heif/content/images/autumn_1440x960.heic
```
Finally, we can open heif/examples.html and click on the autumn example to reveal the flag.
Note: Use Firefox, since Chrome considers different file:// URIs as separate origins.
Wow, how difficult it is. Well done, guys.