Capture the Flag (CTF) cyber competitions are fun and an excellent way to learn. This is the first of a series of walkthroughs on how to tackle challenges. I built this forensics-oriented modified header challenge for use in a few competitions and workshops. The challenge features a file called change (Google drive link to the challenge file). Following are steps for analyzing the file and finding the flag inside. My analysis environment is a Kali Linux virtual machine and a hex editor application on my host machine.
The file does not have an extension, and extensions can be misleading anyway, so I wouldn’t rely on that. After my operating system failed to open the file, I ran the Linux file command against it. This doesn’t help much, since the output is just “data” and no associated file type is identified. According to the file command man page, “Any file that cannot be identified as having been written in any of the character sets listed above is simply said to be data”.
My next step is the cat command, which prints the contents of the file. The output is not pretty, but I can glean a bit of the file header. It looks like PK and JFIF, but that is a weird combination: PK is associated with zip files and JFIF is associated with JPEG image files. Side note: my go-to resource for file headers is Gary Kessler’s site.
Another handy command is strings, which displays the printable ASCII sequences in a file. The output here shows us JFIF, but not PK. Just in case, I also do a quick grep for the word “flag”; sometimes you can get lucky that way, but not with this challenge.
Based on the results so far, looking at the hex is the next logical step. This can be done using the xxd command, which gives us the file header in hexadecimal: 0x 50 4B FF E0 00 10 4A 46 49 46. Something is definitely off with that. JFIF files also have a file trailer of 0x FF D9, so I check whether I can find that at the end of the file. Success!
Next up, I open the file in a hex editor. My editor of choice is 010 Editor, although there are many others out there. 010 allows you to modify the bytes in a file, so that is what I am going to try. The header of a JFIF file should be 0x FF D8 FF E0 xx xx 4A 46 49 46 00. It looks like our file has had the first four bytes modified: the bytes 50 4B sit where FF D8 should be, while the FF E0 APP0 marker and the JFIF identifier are still in place. I overwrote those bytes with 0x FF D8 and saved the file as a .JFIF.
A quick check using the file command again shows that it is indeed a JFIF file.
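The same checks and repair can be scripted. The following is an added example, not code from the original walkthrough: it verifies the JFIF structure the file command and xxd revealed above (APP0 marker, JFIF identifier, FF D9 trailer) and restores the missing FF D8 start-of-image marker only when everything else is intact. The sample bytes are constructed to mimic the challenge's observed header, not the real challenge file.

```python
import sys

# JFIF structural markers (standard values)
SOI = b"\xff\xd8"        # start of image, expected at offset 0
APP0 = b"\xff\xe0"       # APP0 marker, expected at offset 2
JFIF_ID = b"JFIF\x00"    # identifier, expected at offset 6
EOI = b"\xff\xd9"        # end of image, expected as the file trailer


def diagnose(data: bytes) -> dict:
    """Report which JFIF markers are present at their expected positions."""
    return {
        "soi_ok": data[:2] == SOI,
        "app0_ok": data[2:4] == APP0,
        "jfif_id_ok": data[6:11] == JFIF_ID,
        "eoi_ok": data[-2:] == EOI,
    }


def is_jfif_with_damaged_soi(data: bytes) -> bool:
    """True when only the SOI marker is wrong but the rest of the header and trailer match."""
    d = diagnose(data)
    return (not d["soi_ok"]) and d["app0_ok"] and d["jfif_id_ok"] and d["eoi_ok"]


def repair_soi(data: bytes) -> bytes:
    """Restore FF D8 at offset 0; refuse to touch data that does not fit the pattern."""
    if not is_jfif_with_damaged_soi(data):
        raise ValueError("not a JFIF with only its SOI marker overwritten")
    return SOI + data[2:]


# Constructed sample: the challenge's observed header 50 4B FF E0 00 10 4A 46 49 46 00,
# a plausible APP0 payload, padding, and the FF D9 trailer. Not the real challenge file.
SAMPLE = bytes.fromhex("504bffe000104a46494600010100480048000000") + b"\x00" * 16 + EOI


def repair_file(path: str) -> str:
    """Read a file, repair its SOI marker and write the result beside it as .jfif."""
    with open(path, "rb") as f:
        fixed = repair_soi(f.read())
    out = path + ".jfif"
    with open(out, "wb") as f:
        f.write(fixed)
    return out


if __name__ == "__main__":
    print(repair_file(sys.argv[1]))
```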
The final test is opening the file and revealing the message inside, which is the quote “Be the change you wish to see in the world”; that was the correct input for the challenge.