MoonWalk (Forensics) – 60

Description

There is something a little off about this picture. If you could help us we could give you some points! Just find us a flag!

Solution

Running strings on the image turns up nothing ABCTF-related, and exploring the image in GIMP reveals no “invisible” text either.

Next we use binwalk to check whether any files are embedded in the PNG. Binwalk scans the data for the headers (signatures) of other file types and reports the offset of each match.

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 3200 x 2953, 8-bit/color RGBA, non-interlaced
85            0x55            Zlib compressed data, best compression
2757          0xAC5           Zlib compressed data, best compression
765455        0xBAE0F         JPEG image data, JFIF standard 1.01
765485        0xBAE2D         TIFF image data, big-endian, offset of first image directory: 8
1809691       0x1B9D1B        StuffIt Deluxe Segment (data): f

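The JPEG at offset 765455 is pretty interesting; now all we need to do is extract it. We can use another program, foremost, to carve the file out starting from a given offset. Its -s option skips a number of blocks (512 bytes each by default) rather than bytes, so -s 1494 starts the search at byte 764928, just before the JPEG header.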

foremost -v -s 1494 PurpleThing.png

And we have extracted this cool-looking image with our flag on it:

ABCTF{PNG_SO_COOl}
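
The same signature scan and carve can be done by hand. The following is an added example, not part of the original write-up: it looks for a JPEG header inside a PNG, carves it out, and reports whether it sits after the PNG's IEND chunk. The function names and the tiny sample file are constructed for illustration, and cutting at the last JPEG end marker is a simplifying assumption.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker plus first marker byte
JPEG_EOI = b"\xff\xd9"       # JPEG end-of-image marker


def png_end(data):
    """Walk the PNG chunk list and return the offset just past the IEND chunk."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length           # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return pos
    raise ValueError("IEND chunk not found")


def carve_jpeg(data):
    """Return (offset, jpeg_bytes, after_iend) for the first JPEG header, or None."""
    start = data.find(JPEG_SOI, len(PNG_SIG))
    if start < 0:
        return None
    # Use the last EOI: EXIF thumbnails place earlier EOI markers inside the JPEG.
    end = data.rfind(JPEG_EOI)
    if end < start:
        return None                  # header without a terminating marker
    return start, data[start:end + 2], start >= png_end(data)


def _chunk(ctype, body):
    """Build one PNG chunk with a valid CRC (used only for the constructed sample)."""
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


# Constructed sample: a 1x1 RGBA PNG followed by a stub JPEG (not a real image).
SAMPLE_PNG = (PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0))
              + _chunk(b"IDAT", zlib.compress(b"\x00" * 5)) + _chunk(b"IEND", b""))
SAMPLE_JPEG = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + b"\x01" * 9 + JPEG_EOI
SAMPLE = SAMPLE_PNG + SAMPLE_JPEG

if __name__ == "__main__":
    offset, jpeg, trailing = carve_jpeg(SAMPLE)
    print(f"JPEG at offset {offset} ({len(jpeg)} bytes), after IEND: {trailing}")
```

Data found after IEND is ignored by image viewers, which is why a file like this still opens as a normal picture.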
