PicoCTF - c0rrupt

Posted on 2023-02-23 | Post modified | In Security Practice｜PicoCTF｜Misc｜Image Stego |

PicoCTF - c0rrupt

tags: `PicoCTF` `CTF` `Misc`

Challenge: c0rrupt

Background

advanced-potion-making

Exploit - Recover PNG file

Analyze
- Header: 89 65 4E 34 0D 0A B0 AA → 89 50 4E 47 0D 0A 1A 0A
- IHDR: 43 22 44 52 → 49 48 44 52
Then use pngcheck to analyze the file. It said the header still have some error.
1
2
3

$ pngcheck mystery mystery CRC error in chunk pHYs (computed 38d82c82, expected 495224f0) ERROR: mystery
1

* Revise `pHYs`
You can open an arbitrary png file and observe pHYs part.
- Normal one
- Corrupt one 70 48 59 73 AA → 70 48 59 73 00
1
2
3

$ pngcheck mystery mystery invalid chunk length (too large) ERROR: mystery
Still error

Again

We can observe a normal png file
- Normal one
- Corrupt one 52 24 F0 AA AA → 52 24 F0 00 00
  1
  2
  3
  
  $ pngcheck mystery mystery: invalid chunk name "�DET" (ffffffab 44 45 54) ERROR: mystery
  Still error about IDAT
Recover IDAT: AB 44 45 54 → 49 44 41 54

Then we recover the whole file successfully…

Post author: SBK6401
Post link: https://bernie6401.github.io/PicoCTF-c0rrupt/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.