PicoCTF: tunn3l v1s10n

When we first download the file, `file` only reports its type as "data" and the contents are not human readable. After playing around with it for a while I decided to try exiftool on the file and found something interesting.

The photo is in fact a bitmap file. I renamed it with the proper extension (.bmp) and tried to view it as a photo but received this error.

Let's look at the hexadecimal values in a hex editor to see if we can figure out what's going on.

You can find a guide on Wikipedia to help you understand what is going on within the bitmap file format. Files contain headers that give various information about what type of file it is, as well as the size of the header and any other info your computer may need to display the image. If any of these bytes are corrupted your computer may not be able to display the image, which may explain why we are unable to view the photo at the moment. On the left you have the hex representation of the data and on the right any printable ASCII characters are displayed, though in this case it is just gibberish. The first few bytes are what's called a "magic number". These values identify the type of file you have, for example .jpg, .wav, or .bmp. After the magic number we have what's called a file header. A file header, also known as a file signature or file marker, is a portion of data at the beginning of a file that contains specific information about the file's format, structure, content, and other metadata. Then after that we have the image data itself. If any of these bytes are corrupted it may result in the file being inaccessible.

We can see the magic number at the beginning, and then towards the end of the first line we see BAD written out twice. I'm guessing these are the corrupted values. Let's figure out what these values are supposed to represent within the file format.

The offset is just a numeric value that represents a byte position within the file. Specific values are stored at fixed offsets to make it easy for the computer to interpret them. The two offsets we are interested in are "0A" and "0E". "0A" holds the starting address of where the image data begins, which is most likely going to be the end of the header. And "0E" holds the size of the header itself. Our magic number from the beginning returned "BM", which means we are using the Windows BITMAPINFOHEADER header type. The size of this header is 40 bytes. 40 in hex is 0x28, so let's replace "BA" with "28" and "D" with "0" (BMP stores multi-byte fields little-endian, so the bytes "28 00" read as 0x0028) and see if it works.

We are now finally able to view the photo, but there is no flag. The image seems a little cropped though. Going back to our chart for header info we see that there is an offset for altering the image's height in pixels. This part took some guessing and checking, but I was able to get the full image to display by altering these bytes.
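The three repairs described above (header size at 0x0E, pixel data offset at 0x0A, and the height field) can be checked and applied programmatically instead of by hand. The following is an added example written for this writeup, not code from the challenge or from picoCTF: it parses the BITMAPFILEHEADER and BITMAPINFOHEADER with `struct`, reports any field that disagrees with the bytes actually in the file, and rewrites the inconsistent fields. Rather than guessing the height, it derives it from the file length and the padded row stride, which goes slightly beyond the writeup's trial-and-error step. The sample bitmap is constructed inline (a 4x2 all-black 24-bit image) and then damaged the same way the challenge file was, with "BA D0" at 0x0A and 0x0E and the height halved; function names such as `diagnose` and `repair` are this example's own.

```python
import struct

# Layout of the two headers, little-endian, as documented on the Wikipedia BMP page.
FILE_HEADER = struct.Struct("<2sIHHI")       # bfType, bfSize, reserved, reserved, bfOffBits
INFO_HEADER = struct.Struct("<IiiHHIIiiII")  # BITMAPINFOHEADER: size, width, height, planes, bpp, ...

INFO_HEADER_SIZE = 40                                    # 0x28: what offset 0x0E must hold
PIXEL_DATA_OFFSET = FILE_HEADER.size + INFO_HEADER_SIZE  # 14 + 40 = 54 (0x36): what offset 0x0A must hold
HEIGHT_OFFSET = 0x16                                     # biHeight sits 8 bytes into the info header


def row_stride(width, bpp):
    """Bytes per pixel row; BMP pads every row up to a multiple of 4 bytes."""
    return ((width * bpp + 31) // 32) * 4


def parse(data):
    """Return the interesting header fields as a dict; raises if the magic number is not 'BM'."""
    magic, bf_size, _, _, off_bits = FILE_HEADER.unpack_from(data, 0)
    if magic != b"BM":
        raise ValueError("not a BM bitmap")
    (bi_size, width, height, planes, bpp, compression,
     size_image, _, _, _, _) = INFO_HEADER.unpack_from(data, FILE_HEADER.size)
    return dict(bf_size=bf_size, off_bits=off_bits, bi_size=bi_size, width=width,
                height=height, planes=planes, bpp=bpp, compression=compression,
                size_image=size_image)


def rows_present(data, width, bpp):
    """How many full pixel rows the file actually contains after a correctly sized header."""
    return (len(data) - PIXEL_DATA_OFFSET) // row_stride(width, bpp)


def diagnose(data):
    """List every header field that is inconsistent with the bytes actually in the file."""
    h = parse(data)
    problems = []
    if h["bi_size"] != INFO_HEADER_SIZE:
        problems.append(f"header size at 0x0E is {h['bi_size']:#x}, expected {INFO_HEADER_SIZE:#x}")
    if h["off_bits"] != PIXEL_DATA_OFFSET:
        problems.append(f"pixel data offset at 0x0A is {h['off_bits']:#x}, expected {PIXEL_DATA_OFFSET:#x}")
    rows = rows_present(data, h["width"], h["bpp"])
    if abs(h["height"]) != rows:  # negative height means a top-down bitmap, so compare magnitudes
        problems.append(f"height is {h['height']}, but the file holds {rows} rows")
    return problems


def repair(data):
    """Return a copy with header size, data offset and height set from what the file really contains."""
    h = parse(data)
    fixed = bytearray(data)
    struct.pack_into("<I", fixed, 0x0A, PIXEL_DATA_OFFSET)
    struct.pack_into("<I", fixed, 0x0E, INFO_HEADER_SIZE)
    struct.pack_into("<i", fixed, HEIGHT_OFFSET, rows_present(data, h["width"], h["bpp"]))
    return bytes(fixed)


def make_sample(width=4, height=2, bpp=24):
    """Constructed, valid 24-bit BMP used as test input (not the challenge file)."""
    stride = row_stride(width, bpp)
    pixels = bytes(stride * height)  # all-black pixels, already row-padded
    info = INFO_HEADER.pack(INFO_HEADER_SIZE, width, height, 1, bpp, 0, len(pixels), 2835, 2835, 0, 0)
    file_hdr = FILE_HEADER.pack(b"BM", PIXEL_DATA_OFFSET + len(pixels), 0, 0, PIXEL_DATA_OFFSET)
    return file_hdr + info + pixels


def make_corrupted():
    """The sample with the same kind of damage the writeup describes."""
    damaged = bytearray(make_sample(width=4, height=2))
    damaged[0x0A:0x0C] = b"\xBA\xD0"   # "BAD" over the pixel data offset
    damaged[0x0E:0x10] = b"\xBA\xD0"   # "BAD" over the header size
    struct.pack_into("<i", damaged, HEIGHT_OFFSET, 1)  # height halved, cropping the image
    return bytes(damaged)


if __name__ == "__main__":
    broken = make_corrupted()
    for p in diagnose(broken):
        print("problem:", p)
    print("after repair:", diagnose(repair(broken)) or "no problems")
```

Deriving the height from `len(data)` assumes the pixel data runs to the end of the file with nothing appended after it; if a file carries trailing data, the computed row count will be too large and the field should be treated as an upper bound to check against rather than written blindly.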