Writeup: Pragyan 2019 - Magic-PNGs

Information

  • category: forensics
  • points: 100

Description

Magic PNGs:
Can you help me open this zip file? I seem to have forgotten its password. I think the image file has something to do with it.

Writeup

We have a zip file and a corrupted PNG file that holds the password needed to decrypt the zip.
If we launch pngcheck to check the correctness of the image, we get the following output:

you_cant_see_me.png:  CORRUPTED by text conversion
ERROR: you_cant_see_me.png

That's because the first bytes (which define the file type) don't correspond to the PNG file signature. To correct them we can use a hex editor like hexer or ghex, and change:

89 50 4E 47 2E 0A 2E 0A

to

89 50 4E 47 0D 0A 1A 0A

To check the first bytes use this command:

xxd -l8 you_cant_see_me.png

To recheck the correctness of the file I launch pngcheck again:

pngcheck -vf image.png
File: image.png (6163 bytes)
chunk IHDR at offset 0x0000c, length 13
205 x 246 image, 8-bit palette, non-interlaced
chunk gAMA at offset 0x00025, length 4: 0.45455
chunk cHRM at offset 0x00035, length 32
White x = 0.3127 y = 0.329, Red x = 0.64 y = 0.33
Green x = 0.3 y = 0.6, Blue x = 0.15 y = 0.06
chunk PLTE at offset 0x00061, length 132: 44 palette entries
chunk bKGD at offset 0x000f1, length 1
index = 0
chunk pHYs at offset 0x000fe, length 9: 2835x2835 pixels/meter (72 dpi)
chunk idat at offset 0x00113, length 5737: illegal reserved-bit-set chunk
chunk tEXt at offset 0x01788, length 37
chunk tEXt at offset 0x017b9, length 37
chunk tEXt at offset 0x017ea, length 21
chunk IEND at offset 0x0180b, length 0: no IDAT chunks
ERRORS DETECTED in image.png

We have an error at offset 0x00113 in the idat chunk. feh confirms that it is a CRC error:

feh image.png
libpng warning: idat: CRC error
libpng warning: tEXt: CRC error
libpng warning: tEXt: CRC error
libpng error: IEND: out of place
feh WARNING: image.png - No Imlib2 loader for that file format
feh: No loadable images specified.
See 'man feh' for detailed usage information

To recover the right CRC we can use PCRT, but it gives us some errors:

[Finished] Correct PNG header
[Finished] Correct IHDR CRC (offset: 0x1D): 42DFF335
[Finished] IHDR chunk check complete (offset: 0x8)
[Detected] Error IDAT chunk data length! (offset: 0xX5)
chunk length:44AE4260
actual length:0
[Notice] Try fixing it? (y or n) [default:y] y
[Warning] Only fix because of DOS->Unix conversion

But if we use a hex editor to rename the chunk type idat to IDAT, PCRT can correct the CRC. At offset 00000110 of the hex dump we need to change:

0016 6969 6461 7478 dadd 1d89 b6aa 384c

to:

0016 6949 4441 5478 dadd 1d89 b6aa 384c

And then run:

python pcrt.py -i image.png -o correct.png
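The hex-editor edits and the PCRT run above all operate on the same PNG layout: an 8-byte signature followed by chunks of (4-byte length, 4-byte type, data, CRC32 over type+data). The following Python script is an added example, not part of the original writeup and not PCRT's code: it rewrites the signature, restores the upper-case spelling of a critical chunk type such as idat, and recomputes every chunk CRC, reporting what it changed. The function names and the 1x1 sample image it corrupts and repairs are constructed for this example; pass an input and output path to run it on a real file instead.

```python
"""Minimal PNG chunk walker: fix the signature, restore a lower-cased critical
chunk type, and recompute chunk CRCs.  Added illustration of what the
hex-editor / PCRT steps change; not PCRT's own code."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
CRITICAL_TYPES = {b"IHDR", b"PLTE", b"IDAT", b"IEND"}


def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one chunk: big-endian length, type, data, CRC32(type + data)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def repair_png(data: bytes):
    """Return (repaired_bytes, list_of_fix_descriptions).

    1. overwrite the 8-byte signature when it is not the PNG magic;
    2. if a chunk type case-folds to a critical type, restore its upper-case
       spelling (a lower-case third letter sets the reserved bit, which is
       what pngcheck reports as 'illegal reserved-bit-set chunk');
    3. recompute CRC32 over type+data and replace it when it does not match.
    """
    fixes = []
    if data[:8] != PNG_SIGNATURE:
        fixes.append(f"signature: {data[:8].hex()} -> {PNG_SIGNATURE.hex()}")
    out = bytearray(PNG_SIGNATURE)
    pos = 8
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        stored = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(stored) != 4:
            # Length field runs past EOF: the chunk cannot be rebuilt safely,
            # so copy the remainder verbatim and stop.
            fixes.append(f"{ctype!r} at {pos:#x}: length {length} runs past EOF, left as-is")
            return bytes(out + data[pos:]), fixes
        if ctype.upper() in CRITICAL_TYPES and ctype != ctype.upper():
            fixes.append(f"chunk type {ctype!r} at {pos + 4:#x} -> {ctype.upper()!r}")
            ctype = ctype.upper()
        expected = struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)
        if stored != expected:
            fixes.append(f"{ctype.decode()} CRC at {pos + 8 + length:#x}: "
                         f"{stored.hex()} -> {expected.hex()}")
        out += make_chunk(ctype, body)
        pos += 12 + length
    out += data[pos:]  # fewer than 12 trailing bytes: keep them untouched
    return bytes(out), fixes


def build_sample_png() -> bytes:
    """Constructed 1x1 8-bit greyscale PNG standing in for the challenge image."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte 0 followed by one pixel
    return (PNG_SIGNATURE + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b""))


def corrupt_like_challenge(png: bytes) -> bytes:
    """Apply the three defects the writeup describes to a constructed image:
    text-converted signature, lower-cased 'idat' type and a wrong IDAT CRC."""
    data = bytearray(png)
    data[4:8] = b"\x2e\x0a\x2e\x0a"  # 0D 0A 1A 0A -> 2E 0A 2E 0A
    off = png.index(b"IDAT")  # first occurrence is the chunk type field
    data[off:off + 4] = b"idat"
    (length,) = struct.unpack(">I", png[off - 4:off])
    crc_off = off + 4 + length
    data[crc_off:crc_off + 4] = b"\xde\xad\xbe\xef"
    return bytes(data)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            repaired, applied = repair_png(f.read())
        with open(sys.argv[2], "wb") as f:
            f.write(repaired)
    else:
        repaired, applied = repair_png(corrupt_like_challenge(build_sample_png()))
    for line in applied:
        print(line)
```

Run without arguments it corrupts and repairs the constructed sample and lists the three fixes; run as `python repair_png.py image.png correct.png` it applies the same repairs to a file. Note that it only rewrites a chunk type when the upper-cased form is one of the four critical types, so legitimately lower-case ancillary chunks such as tEXt or gAMA are left alone.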

Running PCRT gives us the repaired image, which shows the mirrored string:

h4CK3RM4n

Taking the MD5 hash of that string gives the zip password, so we can unzip the file:

unzip -P $(echo -n "h4CK3RM4n" | md5sum | cut -d ' ' -f1) tryme.zip

Flag

pctf{y0u_s33_m33_n0w!}