ASIS CTF Finals 2017: If he finds out…
Published 2017-09-29 at https://codisec.com/asis-ctf-finals-2017-finds/

CTF: ASIS CTF Finals 2017
Points: 343
Category: forensic

Recon

In this task we were provided with a file called ifhe_Find_Out [sic]. Let’s try to find some information about it:

$ file ifhe_Find_Out
ifhe_Find_Out: data

Well, that’s not helpful at all. Time to look at the hex dump:

$ xxd -l 0x100 ifhe_Find_Out
00000000: 6674 7970 6d69 6631 0000 0000 6173 6973 ftypmif1....asis
00000010: 6374 6666 696e 616c 0000 021c 6d65 7461 ctffinal....meta
00000020: 0000 0000 0000 0021 6864 6c72 0000 0000 .......!hdlr....
00000030: 0000 0000 7069 6374 0000 0000 0000 0000 ....pict........
00000040: 0000 0000 0000 0000 0e70 6974 6d00 0000 .........pitm...
00000050: 004e 2200 0000 3469 6c6f 6300 0000 0044 .N"...4iloc....D
00000060: 4000 024e 2200 0000 0002 4000 0100 0000 @..N".....@.....
00000070: 0000 0062 484e 2300 0000 0064 9000 0100 ...bHN#....d....
00000080: 0000 0000 0012 aa00 0000 4e69 696e 6602 ..........Niinf.
00000090: 0000 0000 0000 0200 0000 1f69 6e66 6502 ...........infe.
000000a0: 0000 004e 2200 0068 7663 3148 4556 4320 ...N"..hvc1HEVC 
000000b0: 496d 6167 6500 0000 001f 696e 6665 0200 Image.....infe..
000000c0: 0000 4e23 0000 6876 6331 4845 5643 2049 ..N#..hvc1HEVC I
000000d0: 6d61 6765 0000 0000 1a69 7265 6600 0000 mage.....iref...
000000e0: 0000 0000 0e74 686d 624e 2300 014e 2200 .....thmbN#..N".
000000f0: 0001 4569 7072 7000 0001 2369 7063 6f00 ..Eiprp...#ipco.

Apart from asisctffinal, what clearly stands out is “hvc1HEVC Image”. Googling “HEVC Image” points us at a new image file format: HEIF. Moreover, ifhe in the challenge name is an anagram of HEIF. This gives us some idea of the kind of file we’re dealing with. Still, we’re unable to open it. To resolve this we need to find a valid HEIF file to compare with ours and look for differences between them. We’ve chosen this example, autumn_1440x960.heic:

$ xxd -l 0x100 autumn_1440x960.heic
00000000: 0000 001c 6674 7970 6d69 6631 0000 0000 ....ftypmif1....
00000010: 6d69 6631 6865 6963 6865 7663 0000 0200 mif1heichevc....
00000020: 6d65 7461 0000 0000 0000 0021 6864 6c72 meta.......!hdlr
00000030: 0000 0000 0000 0000 7069 6374 0000 0000 ........pict....
00000040: 0000 0000 0000 0000 0000 0000 0e70 6974 .............pit
00000050: 6d00 0000 004e 2200 0000 3469 6c6f 6300 m....N"...4iloc.
00000060: 0000 0044 4000 024e 2200 0000 0002 2400 ...D@..N".....$.
00000070: 0100 0000 0000 046a 804e 2300 0000 046c .......j.N#....l
00000080: ac00 0100 0000 0000 000e 4a00 0000 4e69 ..........J...Ni
00000090: 696e 6602 0000 0000 0000 0200 0000 1f69 inf............i
000000a0: 6e66 6502 0000 004e 2200 0068 7663 3148 nfe....N"..hvc1H
000000b0: 4556 4320 496d 6167 6500 0000 001f 696e EVC Image.....in
000000c0: 6665 0200 0000 4e23 0000 6876 6331 4845 fe....N#..hvc1HE
000000d0: 5643 2049 6d61 6765 0000 0000 1a69 7265 VC Image.....ire
000000e0: 6600 0000 0000 0000 0e74 686d 624e 2300 f........thmbN#.
000000f0: 014e 2200 0001 2969 7072 7000 0001 0769 .N"...)iprp....i

It seems that we’re missing 4 bytes at the beginning of the file, in addition to mif1heichevc having been replaced with asisctffinal.

Fix

Prepend the magic bytes:

$ dd if=autumn_1440x960.heic bs=1 count=4 | cat - ifhe_Find_Out > ifhe_fixed

Replace asisctffinal with mif1heichevc:

$ dd conv=notrunc if=autumn_1440x960.heic of=ifhe_fixed bs=1 count=12 skip=16 seek=16

Fixed file:

$ xxd -l 0x80 ifhe_fixed
00000000: 0000 001c 6674 7970 6d69 6631 0000 0000 ....ftypmif1....
00000010: 6d69 6631 6865 6963 6865 7663 0000 021c mif1heichevc....
00000020: 6d65 7461 0000 0000 0000 0021 6864 6c72 meta.......!hdlr
00000030: 0000 0000 0000 0000 7069 6374 0000 0000 ........pict....
00000040: 0000 0000 0000 0000 0000 0000 0e70 6974 .............pit
00000050: 6d00 0000 004e 2200 0000 3469 6c6f 6300 m....N"...4iloc.
00000060: 0000 0044 4000 024e 2200 0000 0002 4000 ...D@..N".....@.
00000070: 0100 0000 0000 0062 484e 2300 0000 0064 .......bHN#....d
00000080: 9000 0100 0000 0000 0012 aa00 0000 4e69 ..............Ni
00000090: 696e 6602 0000 0000 0000 0200 0000 1f69 inf............i
000000a0: 6e66 6502 0000 004e 2200 0068 7663 3148 nfe....N"..hvc1H
000000b0: 4556 4320 496d 6167 6500 0000 001f 696e EVC Image.....in
000000c0: 6665 0200 0000 4e23 0000 6876 6331 4845 fe....N#..hvc1HE
000000d0: 5643 2049 6d61 6765 0000 0000 1a69 7265 VC Image.....ire
000000e0: 6600 0000 0000 0000 0e74 686d 624e 2300 f........thmbN#.
000000f0: 014e 2200 0001 4569 7072 7000 0001 2369 .N"...Eiprp...#i

Opening the file

The last thing to do is to open the image. Unfortunately, it’s not as easy as it sounds. HEIF is a new format with little to no support from image viewers. However, a reference implementation in JavaScript (including example HEIF files) from Nokia is available, so we can use their website: replace one of the example HEIF files with our own and then use the browser to display the flag.

$ git clone "https://github.com/nokiatech/heif.git" --branch gh-pages
$ mv ifhe_fixed heif/content/images/autumn_1440x960.heic

Finally, we can open heif/examples.html and click on the autumn example to reveal the flag.

Note: Use Firefox, since Chrome considers different file:// URIs as separate origins.
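As an added illustration (not part of the original writeup), the recon and fix steps above in Python: the two defects found by eye, the missing 4-byte box size in front of ftyp and the overwritten compatible-brand list, are detected by walking the ISOBMFF box headers, and the repair recomputes the ftyp size from its contents rather than copying it from another file, so it works for any brand list of the same length. The sample bytes, including the short stand-in meta box, are constructed here; the brand list is the one from the reference file's dump.

```python
import struct

# Constructed sample, not the challenge file: the head of a HEIF as the recon
# found it (4-byte size stripped, brands overwritten), plus a short stand-in meta box.
BROKEN = (b"ftyp" + b"mif1" + b"\x00\x00\x00\x00" + b"asisctffinal"
          + struct.pack(">I", 12) + b"meta" + b"\x00" * 4)
GOOD_BRANDS = [b"mif1", b"heic", b"hevc"]   # from the reference autumn_1440x960.heic

def walk_boxes(data):
    """Yield (type, offset, size) per top-level ISOBMFF box; stop at the first
    header that is not plausible (size 0/1 extended forms are treated as such)."""
    off = 0
    while off + 8 <= len(data):
        size, btype = struct.unpack(">I4s", data[off:off + 8])
        if size < 8 or off + size > len(data) or not btype.isalnum():
            break
        yield btype, off, size
        off += size

def ftyp_brands(data, off=0):
    """Major brand and compatible brands of the ftyp box starting at off."""
    size = struct.unpack(">I", data[off:off + 4])[0]
    major = data[off + 8:off + 12]                     # then 4 bytes minor version
    compat = [data[i:i + 4] for i in range(off + 16, off + size, 4)]
    return major, compat

def diagnose(data):
    """Return the problems the recon step spots, as short strings."""
    first = next(walk_boxes(data), None)
    if first is None or first[0] != b"ftyp":
        return ["ftyp box lacks its 4-byte size field"
                if data[:4] == b"ftyp" else "no ftyp box at offset 0"]
    _, compat = ftyp_brands(data)
    bad = [b.decode("ascii", "replace") for b in compat if b not in GOOD_BRANDS]
    return ["unknown compatible brands: " + ",".join(bad)] if bad else []

def repair(data, brands=GOOD_BRANDS):
    """Prepend the missing size and restore the compatible-brand list. Assumes the
    major brand/minor version are intact and the bad list is as long as the good one."""
    if data[:4] != b"ftyp":
        raise ValueError("expected a size-less ftyp box at offset 0")
    body = b"ftyp" + data[4:12] + b"".join(brands)     # type, major, minor, brands
    fixed = struct.pack(">I", 4 + len(body)) + body + data[12 + 4 * len(brands):]
    if diagnose(fixed) or len(list(walk_boxes(fixed))) < 2:
        raise ValueError("repair did not yield a clean box chain")
    return fixed
```

Running repair on the real challenge file would produce the same 0000 001c / mif1heichevc header the two dd commands produce, with the rest of the file untouched.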