TAMUctf '19 Write-up (I heard you like files)
<Personal Study> - IT/[CTF (Write up)] 2019. 3. 24. 11:39

When we open the uploaded file, we see the image below. After downloading it, I checked whether any files were hidden inside it with the binwalk command.



$ binwalk art.png

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 1920 x 1080, 8-bit/color RGBA, non-interlaced
3408641       0x340301        PDF document, version: "1.5"
3408712       0x340348        Zlib compressed data, default compression
3412206       0x3410EE        Zlib compressed data, default compression
3418964       0x342B54        Unix path: /Type/FontDescriptor/FontName/BAAAAA+NotoSans-Regular
3419203       0x342C43        Zlib compressed data, default compression
3419623       0x342DE7        Unix path: /Type/Font/Subtype/TrueType/BaseFont/BAAAAA+NotoSans-Regular
3419994       0x342F5A        Zlib compressed data, default compression
3428648       0x345128        Unix path: /Type/FontDescriptor/FontName/CAAAAA+DejaVuSerif
3428883       0x345213        Zlib compressed data, default compression
3429245       0x34537D        Unix path: /Type/Font/Subtype/TrueType/BaseFont/CAAAAA+DejaVuSerif
3429667       0x345523        Unix path: /S/Transparency/CS/DeviceRGB/I true>>/Contents 2 0 R>>
3430685       0x34591D        Zip archive data, at least v2.0 to extract, compressed size: 217, uncompressed size: 573, name: _rels/.rels
3430943       0x345A1F        Zip archive data, at least v2.0 to extract, compressed size: 288, uncompressed size: 511, name: docProps/app.xml
3431277       0x345B6D        Zip archive data, at least v2.0 to extract, compressed size: 356, uncompressed size: 731, name: docProps/core.xml
3431680       0x345D00        Zip archive data, at least v2.0 to extract, compressed size: 222, uncompressed size: 663, name: word/_rels/document.xml.rels
3431960       0x345E18        Zip archive data, at least v2.0 to extract, compressed size: 165, uncompressed size: 208, name: word/settings.xml
3432172       0x345EEC        Zip archive data, at least v2.0 to extract, compressed size: 297, uncompressed size: 918, name: word/fontTable.xml
3432517       0x346045        Zip archive data, at least v2.0 to extract, compressed size: 83172, uncompressed size: 84725, name: word/media/image1.png
3515768       0x35A578        Zip archive data, at least v2.0 to extract, compressed size: 1138, uncompressed size: 4099, name: word/document.xml
3516953       0x35AA19        Zip archive data, at least v2.0 to extract, compressed size: 605, uncompressed size: 2192, name: word/styles.xml
3517603       0x35ACA3        Zip archive data, at least v2.0 to extract, compressed size: 352, uncompressed size: 1443, name: [Content_Types].xml
3518004       0x35AE34        Zip archive data, at least v1.0 to extract, compressed size: 20, uncompressed size: 20, name: not_the_flag.txt
3518847       0x35B17F        End of Zip archive


Next, I let binwalk extract the embedded files from art.png and looked at what came out:


$ binwalk -e art.png

$ ls -l
-rwxrwxrwx 1    16559 Mar 23 16:09  340348
-rwxrwxrwx 1   110157 Mar 23 16:09  340348.zlib
-rwxrwxrwx 1    11944 Mar 23 16:09  3410EE
-rwxrwxrwx 1   106663 Mar 23 16:09  3410EE.zlib
-rwxrwxrwx 1      774 Mar 23 16:09  342C43
-rwxrwxrwx 1    99666 Mar 23 16:09  342C43.zlib
-rwxrwxrwx 1    15908 Mar 23 16:09  342F5A
-rwxrwxrwx 1    98875 Mar 23 16:09  342F5A.zlib
-rwxrwxrwx 1      606 Mar 23 16:09  345213
-rwxrwxrwx 1    89986 Mar 23 16:09  345213.zlib
-rwxrwxrwx 1    88184 Mar 23 16:09  34591D.zip
-rwxrwxrwx 1     1443 Sep 20  2018 '[Content_Types].xml'
drwxrwxrwx 1     4096 Mar 23 16:09  _rels
drwxrwxrwx 1     4096 Mar 23 16:09  docProps
-rwxrwxrwx 1       20 Sep 20  2018  not_the_flag.txt
drwxrwxrwx 1     4096 Mar 23 16:09  word


Afterwards, I found image1.png in the word/media directory and dumped its printable strings with the strings command. Despite its name, this is actually a PDF file, so if you know the PDF file format you can spot the suspicious part: it sits right after the %%EOF marker, where a well-formed PDF should end. It looked like encoded text, so I simply decoded it to get the flag.


$ echo "ZmxhZ3tQMGxZdEByX0QwX3kwdV9HM3RfSXRfTjB3P30K" | base64 -d

Flag : flag{P0lYt@r_D0_y0u_G3t_It_N0w?}
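The two steps used above, scanning a blob for embedded file signatures the way binwalk does and then pulling out whatever follows a PDF's %%EOF marker, can be reproduced in a few lines. The following is an added Python example, not code from the original post or from the challenge; the polyglot it inspects is constructed in memory by build_sample (a PNG header, then a PDF carrying a small zip inside a stream, then base64 text after %%EOF) so it runs offline, and the flag string it hides is a placeholder, not the challenge's flag.

```python
import base64
import re

# Magic-byte signatures for the formats binwalk reported in art.png.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"%PDF-": "PDF document",
    b"PK\x03\x04": "Zip local file header",
    b"PK\x05\x06": "End of Zip archive",
}


def scan_signatures(data: bytes) -> list:
    """Return (offset, description) for every signature hit, sorted by offset."""
    hits = []
    for magic, desc in SIGNATURES.items():
        start = 0
        while (idx := data.find(magic, start)) != -1:
            hits.append((idx, desc))
            start = idx + 1
    return sorted(hits)


def trailing_after_eof(data: bytes) -> bytes:
    """Bytes following the last %%EOF marker (line ending stripped), or b''.

    A well-formed PDF ends at %%EOF; anything after it is appended data.
    """
    idx = data.rfind(b"%%EOF")
    if idx == -1:
        return b""
    return data[idx + len(b"%%EOF"):].lstrip(b"\r\n")


_B64_LINE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def decode_if_base64(blob: bytes):
    """Decode blob as base64 when it looks like base64 text; otherwise None."""
    s = blob.strip()
    if not s or len(s) % 4 or not _B64_LINE.match(s):
        return None
    try:
        return base64.b64decode(s, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(data: bytes) -> dict:
    """Combine the signature scan with the after-%%EOF check."""
    tail = trailing_after_eof(data)
    first_line = tail.split(b"\n", 1)[0]
    return {
        "signatures": scan_signatures(data),
        "trailing_bytes": len(tail),
        "decoded": decode_if_base64(first_line),
    }


def build_sample() -> bytes:
    """Constructed polyglot for the demo: PNG header, then a PDF whose stream
    holds a zip fragment, then base64 text after %%EOF (placeholder flag)."""
    png_header = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    inner_zip = (b"PK\x03\x04" + b"\x00" * 26 + b"not_the_flag.txt"
                 + b"PK\x05\x06" + b"\x00" * 18)
    pdf = (b"%PDF-1.5\n1 0 obj\n<</Length " + str(len(inner_zip)).encode()
           + b">>\nstream\n" + inner_zip + b"\nendstream\nendobj\n"
           + b"trailer\n<</Root 1 0 R>>\n%%EOF\n")
    hidden = base64.b64encode(b"flag{constructed_example}") + b"\n"
    return png_header + pdf + hidden


if __name__ == "__main__":
    report = analyze(build_sample())
    print("DECIMAL     HEXADECIMAL   DESCRIPTION")
    for off, desc in report["signatures"]:
        print(f"{off:<11} {off:<#13x} {desc}")
    print("bytes after %%EOF:", report["trailing_bytes"])
    print("decoded:", report["decoded"])
```

Run it as a script to get a binwalk-style offset table for the constructed sample followed by the decoded tail. The trailing-bytes count is the part worth keeping on the defensive side: a PDF (or any file) whose declared structure ends before the file does is the simplest indicator that something has been appended, whether a nested archive as in this challenge or an unrelated payload, and it is cheap to check on every upload.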

Reference site: https://www.tamuctf.com/challenges#I%20heard%20you%20like%20files.
