your friendly neighbourhood bug bounty hunter

Section 1: Executive Summary

1.1 Summary

In this CTF challenge, a corrupted file must be analyzed with hex tools in a Linux terminal and then repaired. The file is a JPEG, but the system does not recognize it because its magic bytes are corrupted. The goal is to restore the correct JPEG magic bytes through hex editing and recover the file.

1.2 Background

File formats are recognized by special byte sequences called “magic bytes” or “file signatures” located at the beginning of files. These markers indicate the file format to the operating system and applications. For example:

  • JPEG/JFIF: FF D8 FF E0
  • PNG: 89 50 4E 47
  • PDF: 25 50 44 46

In this challenge, the magic bytes of a JPEG (JFIF) format file have been corrupted or altered. Therefore, the file cannot be recognized by the system and cannot be opened. The file needs to be restored to its original state by correcting the magic bytes.

Section 2: Hex Analysis and Recovery of JPEG File

2.1 Technical Details & Evidence

First, we use the wget command to download the file in its original state:

wget <Link>
[Screenshot: use of the wget command]

We use the file and hexdump commands to analyze the file type and content (the downloaded file is itself named file):

file file
hexdump -C file | head -5

The hexdump -C command provides a canonical (standard) hex+ASCII display. Piping it into head -5 shows only the first 5 lines of output, i.e. the beginning of the file, where the signature should be.


The hex examination shows that the file is actually in JFIF format, but its first four bytes do not match the JPEG signature (FF D8 FF E0). So the file is either corrupted or its magic bytes were deliberately altered.

2.2 Hex Code Correction and File Repair

JPEG files start with the magic bytes FF D8 FF E0. Only the first 2 bytes of our corrupted file need correcting; the following command replaces them and keeps everything from the third byte onward (this works because the bytes from the third one on are intact, which the hex dump lets you confirm before running it):

(printf '\xff\xd8' && tail -c +3 file) > repair.jpg

How this command works:

  1. printf '\xff\xd8': writes the JPEG start bytes FF D8 to standard output (the \x escape is supported by bash's printf)
  2. &&: runs the second command only if the first one succeeded
  3. tail -c +3 file: outputs the original file starting from its 3rd byte, i.e. skips the first 2 bytes
  4. > repair.jpg: the parentheses run both commands in a subshell, so their combined output is redirected into the new file repair.jpg

In summary, this operation can be described as: “Add the JPEG start bytes + skip the first 2 bytes of the original file + combine and save to a new file.”

When we open the repaired file, we can view the PicoCTF flag inside it.
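As an added example (not part of this write-up or of the PicoCTF challenge files), the following POSIX shell script generalizes the steps from sections 1.2 and 2.2: it names a file's format from the signature table above, applies the same printf + tail repair, but only after checking that bytes 3-4 are still FF E0, and verifies the result. The function names, the constructed sample files and the placeholder paths are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original write-up: generalizes the
# printf + tail repair into a small script that (1) names a file's format
# from the signature table in the write-up, (2) refuses to "repair" a JPEG
# whose damage goes beyond the first two bytes, and (3) verifies the result.
# Assumes a POSIX shell with od, tail and printf; paths are placeholders.

# First $2 bytes of file $1 as lowercase hex with no separators, e.g. "ffd8ffe0".
first_bytes_hex() {
    od -A n -t x1 -N "$2" "$1" | tr -d ' \n'
}

# Map the leading four bytes to a format name using the write-up's table.
detect_format() {
    case "$(first_bytes_hex "$1" 4)" in
        ffd8ffe0) echo JPEG/JFIF ;;
        89504e47) echo PNG ;;
        25504446) echo PDF ;;
        *)        echo unknown ;;
    esac
}

# Rebuild the JFIF signature: emit FF D8, then the original file from byte 3.
# Only valid when bytes 3-4 are still FF E0; otherwise more than two bytes are
# damaged and this fix would not yield a JPEG, so the function refuses.
# \377\330 is FF D8 in octal, which every POSIX printf accepts (\xff is a
# bash extension that dash's printf does not understand).
repair_jpeg_header() {
    src=$1; dst=$2
    case "$(first_bytes_hex "$src" 4)" in
        ????ffe0) ;;
        *) echo "$src: bytes 3-4 are not FF E0; more than the first two bytes are damaged" >&2
           return 1 ;;
    esac
    ( printf '\377\330' && tail -c +3 "$src" ) > "$dst"
    # Verify that the repair actually produced a recognizable JPEG/JFIF header.
    [ "$(detect_format "$dst")" = "JPEG/JFIF" ]
}

# Constructed sample (not the challenge file): a JFIF header whose first two
# bytes were overwritten with 00 00. Bytes: 00 00 FF E0 00 10 "JFIF" 00 01 01.
make_sample_damaged_jpeg() {
    printf '\000\000\377\340\000\020JFIF\000\001\001' > "$1"
}

# Constructed sample where the first four bytes are gone; the two-byte fix
# must reject it instead of writing a bogus file.
make_sample_badly_damaged() {
    printf '\000\000\000\000\000\020JFIF\000\001\001' > "$1"
}

# Stand-alone demo: damaged sample in, repaired file out.
demo() {
    dir=$(mktemp -d)
    make_sample_damaged_jpeg "$dir/file"
    echo "before: $(detect_format "$dir/file")"       # unknown
    repair_jpeg_header "$dir/file" "$dir/repair.jpg"
    echo "after:  $(detect_format "$dir/repair.jpg")" # JPEG/JFIF
    rm -rf "$dir"
}

demo
```

The check on bytes 3-4 is the part worth keeping: the one-liner from the write-up blindly overwrites two bytes, so on a file whose damage is larger it silently produces another unreadable file. Failing early, and re-running the signature check on the output, turns a guess into a verified repair.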
