{"id":13319,"date":"2016-09-06T16:06:21","date_gmt":"2016-09-06T14:06:21","guid":{"rendered":"http:\/\/www.codilime.com\/?p=13319"},"modified":"2017-11-07T19:04:35","modified_gmt":"2017-11-07T18:04:35","slug":"tw-mma-2-2016-ninth","status":"publish","type":"post","link":"https:\/\/codisec.com\/tw-mma-2-2016-ninth\/","title":{"rendered":"Ninth"},"content":{"rendered":"<p>Link: https:\/\/score.ctf.westerns.tokyo\/problems\/22 (only for logged in users)<br \/>\nPoints: 100<br \/>\nCategory: Misc<\/p>\n<h2>Description<\/h2>\n<blockquote><p>Find the flag.<br \/>\n<a href=\"http:\/\/www.codilime.com\/wp-content\/uploads\/2016\/09\/ninth.png-3b14ad4cbefa5af41ab15bf85ddd8a11b8999bb43f3326a2af7867c71dd6e879.png\" rel='magnific'><img loading=\"lazy\" src=\"http:\/\/www.codilime.com\/wp-content\/uploads\/2016\/09\/ninth.png-3b14ad4cbefa5af41ab15bf85ddd8a11b8999bb43f3326a2af7867c71dd6e879.png\" alt=\"ninth.png-3b14ad4cbefa5af41ab15bf85ddd8a11b8999bb43f3326a2af7867c71dd6e879\" width=\"400\" height=\"283\" class=\"alignnone size-full wp-image-13347\" \/><\/a><\/p>\n<p>This problem is not image based on steganography.<\/p><\/blockquote>\n<h2>tl;dr<\/h2>\n<p>Take data from IDAT chunk, decompress it and grep for <code>TWCTF<\/code>.<\/p>\n<h2>Solution explanation<\/h2>\n<p>The first step in every image\u00a0based challenge is to look at its metadata:<\/p>\n<pre class=\"nums:false show-plain:3 lang:sh\">$ identify -verbose ninth.png \r\nImage: ninth.png\r\n  Format: PNG (Portable Network Graphics)\r\n  (...)\r\n  Geometry: 1200x848+0+0\r\n  (...)\r\nidentify: Extra compressed data. `ninth.png' @ warning\/png.c\/MagickPNGWarningHandler\/1671.\r\nidentify: Extra compression data. `ninth.png' @ warning\/png.c\/MagickPNGWarningHandler\/1671.<\/pre>\n<p>We can notice two important things while solving this task:<\/p>\n<ul>\n<li>image size is <code>1200x848px<\/code><\/li>\n<li>identify notices some <code>Extra compressed\/compression data<\/code> &#8211; the flag?<\/li>\n<\/ul>\n<p>To understand what it means, basic knowledge of PNG &#8220;backstage&#8221; is required.<\/p>\n<p>PNG data is organized as chunks. A chunk is a set of bytes containing the following information:<\/p>\n<ul>\n<li>Length &#8211; 4 bytes<\/li>\n<li>Chunk type &#8211; 4 bytes<\/li>\n<li>Chunk data &#8211;\u00a0<em>Length\u00a0<\/em>bytes<\/li>\n<li>CRC &#8211; 4 bytes<\/li>\n<\/ul>\n<p>One of chunks type is <code>IDAT<\/code>. There can be many of them in one PNG file. <code>IDAT<\/code> chunks contain compressed information about pixels in the image.<br \/>\nWe can get this information with simple <code>Python<\/code> script:<\/p>\n<pre class=\"lang:python\" title=\"solve.py(1)\">import png\r\nimport zlib\r\n\r\ndef get_decompressed_data(filename):\r\n    img = png.Reader(filename)\r\n    for chunk in img.chunks():\r\n        if chunk[0] == \"IDAT\":\r\n            return zlib.decompress(chunk[1])<\/pre>\n<p>This function returns <code>4071274<\/code> bytes. They are organized in scanlines which represent information about pixels in each line of an image (3 bytes per pixel) with one additional byte representing filter applied to this line. Knowing that, we can calculate how many bytes we should have and remove them (we are only interested in that &#8220;additional compressed data&#8221;).<\/p>\n<pre class=\"top-set:false start-line:9 show-plain:3 lang:python decode:true\" title=\"solve.py(2)\">data = get_decompressed_data(\"ninth.png\")\r\nimage_width = 1200\r\nimage_height = 848\r\nbytes_per_pixel = 3\r\nbytes_per_filter = 1\r\ndata = data[(image_width * bytes_per_pixel + bytes_per_filter) * image_height:]\r\nprint ''.join([x for x in data if x in string.printable])<\/pre>\n<pre class=\"top-set:false toolbar:2 striped:false nums:false show-plain:3 lang:sh highlight:1 decode:true\">$ python solve.py \r\nTWCTF{WAMP_Are_You_Ready?}\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Link: https:\/\/score.ctf.westerns.tokyo\/problems\/22 (only for logged in users) Points: 100 Category: Misc Description Find the flag. This problem is not image based on steganography. tl;dr Take data from IDAT chunk, decompress it and grep for TWCTF. Solution explanation The first step<span class=\"ellipsis\">&hellip;<\/span> <a href=\"https:\/\/codisec.com\/tw-mma-2-2016-ninth\/\"><\/p>\n<div class=\"read-more\">Read more &#8250;<\/div>\n<p><!-- end of .read-more --><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3,6],"tags":[8,9],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v16.1.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<link rel=\"canonical\" href=\"https:\/\/codisec.com\/tw-mma-2-2016-ninth\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Ninth - CodiSec\" \/>\n<meta property=\"og:description\" content=\"Link: https:\/\/score.ctf.westerns.tokyo\/problems\/22 (only for logged in users) Points: 100 Category: Misc Description Find the flag. This problem is not image based on steganography. tl;dr Take data from IDAT chunk, decompress it and grep for TWCTF. Solution explanation The first step&hellip; Read more &#8250;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/codisec.com\/tw-mma-2-2016-ninth\/\" \/>\n<meta property=\"og:site_name\" content=\"CodiSec\" \/>\n<meta property=\"article:published_time\" content=\"2016-09-06T14:06:21+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2017-11-07T18:04:35+00:00\" \/>\n<meta property=\"og:image\" content=\"http:\/\/www.codilime.com\/wp-content\/uploads\/2016\/09\/ninth.png-3b14ad4cbefa5af41ab15bf85ddd8a11b8999bb43f3326a2af7867c71dd6e879.png\" \/>\n<meta name=\"twitter:card\" content=\"summary\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\">\n\t<meta name=\"twitter:data1\" content=\"2 minutes\">\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/codisec.com\/#website\",\"url\":\"https:\/\/codisec.com\/\",\"name\":\"CodiSec\",\"description\":\"PENETRATION TESTING  AND MALWARE ANALYSIS\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":\"https:\/\/codisec.com\/?s={search_term_string}\",\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/codisec.com\/tw-mma-2-2016-ninth\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"http:\/\/www.codilime.com\/wp-content\/uploads\/2016\/09\/ninth.png-3b14ad4cbefa5af41ab15bf85ddd8a11b8999bb43f3326a2af7867c71dd6e879.png\",\"contentUrl\":\"http:\/\/www.codilime.com\/wp-content\/uploads\/2016\/09\/ninth.png-3b14ad4cbefa5af41ab15bf85ddd8a11b8999bb43f3326a2af7867c71dd6e879.png\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/codisec.com\/tw-mma-2-2016-ninth\/#webpage\",\"url\":\"https:\/\/codisec.com\/tw-mma-2-2016-ninth\/\",\"name\":\"Ninth - CodiSec\",\"isPartOf\":{\"@id\":\"https:\/\/codisec.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/codisec.com\/tw-mma-2-2016-ninth\/#primaryimage\"},\"datePublished\":\"2016-09-06T14:06:21+00:00\",\"dateModified\":\"2017-11-07T18:04:35+00:00\",\"author\":{\"@id\":\"https:\/\/codisec.com\/#\/schema\/person\/0d90a3305e8fad91a45c409f16234f52\"},\"breadcrumb\":{\"@id\":\"https:\/\/codisec.com\/tw-mma-2-2016-ninth\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/codisec.com\/tw-mma-2-2016-ninth\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/codisec.com\/tw-mma-2-2016-ninth\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"item\":{\"@type\":\"WebPage\",\"@id\":\"https:\/\/codisec.com\/\",\"url\":\"https:\/\/codisec.com\/\",\"name\":\"Home\"}},{\"@type\":\"ListItem\",\"position\":2,\"item\":{\"@type\":\"WebPage\",\"@id\":\"https:\/\/codisec.com\/tw-mma-2-2016-ninth\/\",\"url\":\"https:\/\/codisec.com\/tw-mma-2-2016-ninth\/\",\"name\":\"Ninth\"}}]},{\"@type\":\"Person\",\"@id\":\"https:\/\/codisec.com\/#\/schema\/person\/0d90a3305e8fad91a45c409f16234f52\",\"name\":\"Krzysztof Kwapisiewicz\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/codisec.com\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/cc5472d24bc6961ae4e2fadb3ea8dd5e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/cc5472d24bc6961ae4e2fadb3ea8dd5e?s=96&d=mm&r=g\",\"caption\":\"Krzysztof Kwapisiewicz\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/codisec.com\/wp-json\/wp\/v2\/posts\/13319"}],"collection":[{"href":"https:\/\/codisec.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/codisec.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/codisec.com\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/codisec.com\/wp-json\/wp\/v2\/comments?post=13319"}],"version-history":[{"count":4,"href":"https:\/\/codisec.com\/wp-json\/wp\/v2\/posts\/13319\/revisions"}],"predecessor-version":[{"id":14937,"href":"https:\/\/codisec.com\/wp-json\/wp\/v2\/posts\/13319\/revisions\/14937"}],"wp:attachment":[{"href":"https:\/\/codisec.com\/wp-json\/wp\/v2\/media?parent=13319"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/codisec.com\/wp-json\/wp\/v2\/categories?post=13319"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/codisec.com\/wp-json\/wp\/v2\/tags?post=13319"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}