CTF: ASIS CTF Finals 2017
Points: 343
Category: forensic

Recon

In this task we were provided with a file called ifhe_Find_Out [sic].
Let’s try to find some information about it:

Well, that’s not helpful at all. Time to look at the hex dump:

Apart from asisctffinal, what clearly stands out is: hvc1HEVC Image. Googling HEVC Image points us at a new image file format: HEIF. Moreover, ifhe in the challenge name is an anagram of HEIF. This gives us some idea about the kind of file we’re dealing with. Still, we’re unable to open it. To resolve this issue, we need to find a valid HEIF file to compare with ours and look for the differences between them. We’ve chosen this example.

It seems that we’re missing 4 bytes at the beginning of the file in addition to mif1heichevc being replaced with asisctffinal.

Fix

Prepend magic bytes:

Replace asisctffinal with mif1heichevc:

Fixed file:
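Both repairs can be scripted. The following Python is an added example, not the authors' original commands: it assumes the four missing bytes are the big-endian size field of the ISO BMFF ftyp box and derives that size by checking that the boxes after it line up to the end of the file. The sample file is constructed, and the helper names are hypothetical.

```python
import struct

BROKEN_BRANDS = b"asisctffinal"  # string found in the challenge file
VALID_BRANDS = b"mif1heichevc"   # brands seen in the reference HEIF file

def boxes_tile(data, offset):
    """True if well-formed ISO BMFF boxes cover data[offset:] exactly."""
    count = 0
    while offset + 8 <= len(data):
        size, box_type = struct.unpack_from(">I4s", data, offset)
        if size == 0:                                  # box runs to end of file
            size = len(data) - offset
        elif size == 1 and offset + 16 <= len(data):   # 64-bit largesize
            size = struct.unpack_from(">Q", data, offset + 8)[0]
        if size < 8 or not all(0x20 <= c < 0x7F for c in box_type):
            return False
        offset += size
        count += 1
    return count > 0 and offset == len(data)

def repair(broken):
    """Restore the ftyp size field and brand list of a damaged HEIF file."""
    if broken[:4] != b"ftyp":
        raise ValueError("file does not start at the 'ftyp' type field")
    pos = broken.find(BROKEN_BRANDS)
    if pos < 0:
        raise ValueError("placeholder brand string not found")
    body = broken.replace(BROKEN_BRANDS, VALID_BRANDS, 1)
    min_size = 4 + pos + len(VALID_BRANDS)   # ftyp must contain the brands
    # ftyp payload is major(4) + minor(4) + N * 4 brand bytes, so step by 4.
    for size in range(min_size, min(len(body), 4096), 4):
        fixed = struct.pack(">I", size) + body
        if boxes_tile(fixed, size):
            return fixed
    raise ValueError("no ftyp size yields a consistent box layout")

def _box(box_type, payload):
    return struct.pack(">I4s", 8 + len(payload), box_type) + payload

# Constructed sample, not the challenge file: ftyp + empty meta + small mdat.
SAMPLE = (_box(b"ftyp", b"heic" + bytes(4) + VALID_BRANDS)
          + _box(b"meta", bytes(4)) + _box(b"mdat", b"pixels!!"))
DAMAGED = SAMPLE[4:].replace(VALID_BRANDS, BROKEN_BRANDS)

if __name__ == "__main__":
    fixed = repair(DAMAGED)
    print(fixed[:28].hex(" "), "| repaired:", fixed == SAMPLE)
```

Deriving the size from the box layout avoids hard-coding a value copied from a reference file whose ftyp box may be a different length.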

Opening the file

The last thing to do is to open the image. Unfortunately, it’s not as easy as it sounds. HEIF is a new format with little to no support from image viewers. However, a reference implementation in JavaScript (including example HEIF files) is available from Nokia, so we can use their website, replacing one of the example HEIF files with our own, and then use a browser to display the flag.

Finally, we can open heif/examples.html and click on the autumn example to reveal the flag.
Note: Use Firefox, since Chrome considers different file:// URIs as separate origins.



1 Comment » for ASIS CTF Finals 2017: If he finds out…
  1. Sang says:

    Wow, how difficult it is. Well done, guys.