PicoCTF 2022 Forensics walkthrough – Part 1
In this article, we will attempt to solve picoCTF 2022 Forensics challenges 1 to 3.
This post assumes you are familiar with what CTF is, if not then feel free to check out this introduction to CTF video by LiveOverFlow:
So, let's get started.
Challenge 1 – Enhance
As we can see in the description that we are provided with a download link of an image file and no hints.
Let's start by firing up our terminal and grabbing the image using curl and open it.
curl -LO "https://artifacts.picoctf.net/c/137/drawing.flag.svg"
When opened:
It looks like there's nothing here. Let's try something else. Let's try to cat this image file.
cat drawing.flag.svg
Output:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:cc="http://creativecommons.org/ns#"
xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
xmlns:svg="http://www.w3.org/2000/svg"
xmlns="http://www.w3.org/2000/svg"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
width="210mm"
height="297mm"
viewBox="0 0 210 297"
version="1.1"
id="svg8"
inkscape:version="0.92.5 (2060ec1f9f, 2020-04-08)"
sodipodi:docname="drawing.svg">
<defs
id="defs2" />
<sodipodi:namedview
id="base"
pagecolor="#ffffff"
bordercolor="#666666"
borderopacity="1.0"
inkscape:pageopacity="0.0"
inkscape:pageshadow="2"
inkscape:zoom="0.69833333"
inkscape:cx="400"
inkscape:cy="538.41159"
inkscape:document-units="mm"
inkscape:current-layer="layer1"
showgrid="false"
inkscape:window-width="1872"
inkscape:window-height="1016"
inkscape:window-x="48"
inkscape:window-y="27"
inkscape:window-maximized="1" />
<metadata
id="metadata5">
<rdf:RDF>
<cc:Work
rdf:about="">
<dc:format>image/svg+xml</dc:format>
<dc:type
rdf:resource="http://purl.org/dc/dcmitype/StillImage" />
<dc:title></dc:title>
</cc:Work>
</rdf:RDF>
</metadata>
<g
inkscape:label="Layer 1"
inkscape:groupmode="layer"
id="layer1">
<ellipse
id="path3713"
cx="106.2122"
cy="134.47203"
rx="102.05357"
ry="99.029755"
style="stroke-width:0.26458332" />
<circle
style="fill:#ffffff;stroke-width:0.26458332"
id="path3717"
cx="107.59055"
cy="132.30211"
r="3.3341289" />
<ellipse
style="fill:#000000;stroke-width:0.26458332"
id="path3719"
cx="107.45217"
cy="132.10078"
rx="0.027842503"
ry="0.031820003" />
<text
xml:space="preserve"
style="font-style:normal;font-weight:normal;font-size:0.00352781px;line-height:1.25;font-family:sans-serif;letter-spacing:0px;word-spacing:0px;fill:#ffffff;fill-opacity:1;stroke:none;stroke-width:0.26458332;"
x="107.43014"
y="132.08501"
id="text3723"><tspan
sodipodi:role="line"
x="107.43014"
y="132.08501"
style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
id="tspan3748">p </tspan><tspan
sodipodi:role="line"
x="107.43014"
y="132.08942"
style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
id="tspan3754">i </tspan><tspan
sodipodi:role="line"
x="107.43014"
y="132.09383"
style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
id="tspan3756">c </tspan><tspan
sodipodi:role="line"
x="107.43014"
y="132.09824"
style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
id="tspan3758">o </tspan><tspan
sodipodi:role="line"
x="107.43014"
y="132.10265"
style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
id="tspan3760">C </tspan><tspan
sodipodi:role="line"
x="107.43014"
y="132.10706"
style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
id="tspan3762">T </tspan><tspan
sodipodi:role="line"
x="107.43014"
y="132.11147"
style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
id="tspan3764">F { 3 n h 4 n </tspan><tspan
sodipodi:role="line"
x="107.43014"
y="132.11588"
style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;"
id="tspan3752">c 3 d _ 2 4 3 7 4 6 7 5 }</tspan></text>
</g>
</svg>
Upon looking closely at the end of the output, we see that before every, </tspan> there's a little fragment of the flag. Let us now concatenate this and remove the spaces from between:
Flag: picoCTF{3nh4nc3d_24374675}
Challenge 2 – File types
Let's begin this challenge by downloading the linked PDF file.
curl -LO "https://artifacts.picoctf.net/c/324/Flag.pdf"
When I tried to open the linked Flag.pdf, I faced an error:
When I clicked on hint it said:
It is possible for this file to not be a PDF, let us now check it using the “file” command in our Linux terminal. file command is used to determine file type.
file Flag.pdf
Running this command revealed that this is not a PDF file, but it's a “shell archive text”. Let us now try to rename it to .sh extension, give it executable permission and then try to execute it.
mv Flag.pdf Flag.sh
chmod +x Flag.sh
./Flag.sh
It threw an error uudecode: command not found
After doing a quick internet search I found Arch Linux's manual for uudecode and under package information found the package name: “extra/sharutils”
Let us now install it:
sudo pacman -S sharutils
Now after I re-executed the Flag.sh did ls, I found a new file named flag in my directory.
After again running file command on our new flag, it is revealed that it is current ar archive.
To extract it I then used binwalk: binwalk -e
Which then created a folder named _flag.extracted which then contained a file named 64 which turned out to be gzip compressed data
Again, we can use binwalk to extract this file. Upon doing so, we got a folder _64.extracted which contained two files flag and flag.gz, both compressed data, one lzip and the other one gzip.
I tried extracting the flag lzip file using binwalk -e flag, but it didn't work. So I tried extracting it using lzip command, and the output file flag.out turned out to be LZ4 compressed data
lzip -k -d flag
Then I extracted the lz4 data and then ran file command on the output file2.out, and it turned out to be LZMA compressed data
lz4 -d flag.out flag2.out
Then the to extract the lzma file I executed
lzma -d -k flag2.out
But it gave me an error:
lzma: flag2.out: No such file or directory
So I renamed the flag2.out to flag2.lzma and ran the command again:
lzma -d -k flag2.lzma
Which successfully executed and created a new file named flag2 which then turned out to be lzop compressed data upon running file command.
To extract the lzop file, I then installed the lzop package using sudo pacman -S lzop.
After changing the name of the file flag2 to flag2.lzop I ran:
lzop -d -k flag2.lzop -o flag3
Which then created the file named flag3 which turned out to be lzip compressed data and then again, to extract it I ran:
lzip -k -d flag3
Which created flag3.out, XZ compressed data
Then after renaming flag3.out to flag4.xz, I extracted flag4.xz using the xz command, which created flag4 which turned out to be an ASCII text.
mv flag3.out flag4.xz
xz -d -k flag4.xz
After running cat on flag4 which is an ASCII file, I got:
7069636f4354467b66316c656e406d335f6d406e3170756c407431306e5f
6630725f3062326375723137795f37396230316332367d0a
So to decode it from hex I went over to CyberChef which gave me the flag:
picoCTF{f1len@m3_m@n1pul@t10n_f0r_0b2cur17y_79b01c26}
Challenge 3 – Lookey here
Let's begin this challenge by downloading the linked anthem.flag.txt file.
This time it is what it says, a text file.
After viewing it in using less I realised it's a very long text file, so I ran wc to count the lines:
wc -l anthem.flag.txt
Output:
2146 anthem.flag.txt
So I ran grep to search through it if it contains our flag or not.
grep pico anthem.flag.txt
And we've found the flag:
picoCTF{gr3p_15_@w3s0m3_58f5c024}
~ spignelon | Ujjawal Saini