$ binwalk art.png
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 1920 x 1080, 8-bit/color RGBA, non-interlaced
3408641 0x340301 PDF document, version: "1.5"
3408712 0x340348 Zlib compressed data, default compression
3412206 0x3410EE Zlib compressed data, default compression
3418964 0x342B54 Unix path: /Type/FontDescriptor/FontName/BAAAAA+NotoSans-Regular
3419203 0x342C43 Zlib compressed data, default compression
3419623 0x342DE7 Unix path: /Type/Font/Subtype/TrueType/BaseFont/BAAAAA+NotoSans-Regular
3419994 0x342F5A Zlib compressed data, default compression
3428648 0x345128 Unix path: /Type/FontDescriptor/FontName/CAAAAA+DejaVuSerif
3428883 0x345213 Zlib compressed data, default compression
3429245 0x34537D Unix path: /Type/Font/Subtype/TrueType/BaseFont/CAAAAA+DejaVuSerif
3429667 0x345523 Unix path: /S/Transparency/CS/DeviceRGB/I true>>/Contents 2 0 R>>
3430685 0x34591D Zip archive data, at least v2.0 to extract, compressed size: 217, uncompressed size: 573, name: _rels/.rels
3430943 0x345A1F Zip archive data, at least v2.0 to extract, compressed size: 288, uncompressed size: 511, name: docProps/app.xml
3431277 0x345B6D Zip archive data, at least v2.0 to extract, compressed size: 356, uncompressed size: 731, name: docProps/core.xml
3431680 0x345D00 Zip archive data, at least v2.0 to extract, compressed size: 222, uncompressed size: 663, name: word/_rels/document.xml.rels
3431960 0x345E18 Zip archive data, at least v2.0 to extract, compressed size: 165, uncompressed size: 208, name: word/settings.xml
3432172 0x345EEC Zip archive data, at least v2.0 to extract, compressed size: 297, uncompressed size: 918, name: word/fontTable.xml
3432517 0x346045 Zip archive data, at least v2.0 to extract, compressed size: 83172, uncompressed size: 84725, name: word/media/image1.png
3515768 0x35A578 Zip archive data, at least v2.0 to extract, compressed size: 1138, uncompressed size: 4099, name: word/document.xml
3516953 0x35AA19 Zip archive data, at least v2.0 to extract, compressed size: 605, uncompressed size: 2192, name: word/styles.xml
3517603 0x35ACA3 Zip archive data, at least v2.0 to extract, compressed size: 352, uncompressed size: 1443, name: [Content_Types].xml
3518004 0x35AE34 Zip archive data, at least v1.0 to extract, compressed size: 20, uncompressed size: 20, name: not_the_flag.txt
3518847 0x35B17F End of Zip archive
What I did was to unzip the art.png file
$binwalk -e art.png
$ ls -l
-rwxrwxrwx 1 16559 Mar 23 16:09 340348
-rwxrwxrwx 1 110157 Mar 23 16:09 340348.zlib
-rwxrwxrwx 1 11944 Mar 23 16:09 3410EE
-rwxrwxrwx 1 106663 Mar 23 16:09 3410EE.zlib
-rwxrwxrwx 1 774 Mar 23 16:09 342C43
-rwxrwxrwx 1 99666 Mar 23 16:09 342C43.zlib
-rwxrwxrwx 1 15908 Mar 23 16:09 342F5A
-rwxrwxrwx 1 98875 Mar 23 16:09 342F5A.zlib
-rwxrwxrwx 1 606 Mar 23 16:09 345213
-rwxrwxrwx 1 89986 Mar 23 16:09 345213.zlib
-rwxrwxrwx 1 88184 Mar 23 16:09 34591D.zip
-rwxrwxrwx 1 1443 Sep 20 2018 '[Content_Types].xml'
drwxrwxrwx 1 4096 Mar 23 16:09 _rels
drwxrwxrwx 1 4096 Mar 23 16:09 docProps
-rwxrwxrwx 1 20 Sep 20 2018 not_the_flag.txt
drwxrwxrwx 1 4096 Mar 23 16:09 word
Afterward, I could find an image1.png in the word/media directory. I extracted the strings from the file by strings command. Bascially, this is the pdf file so if you know the pdf file format, you can find a suspicious part. That part is right after the %%EOF marker. And it seems like an encoded text and I simply decoded the text to the flag.
$ echo "ZmxhZ3tQMGxZdEByX0QwX3kwdV9HM3RfSXRfTjB3P30K" | base64 -d
Flag : flag{P0lYt@r_D0_y0u_G3t_It_N0w?}
Reference site : https://www.tamuctf.com/challenges#I%20heard%20you%20like%20files.
'<개인공부> - IT > [CTF (Write up)]' 카테고리의 다른 글
| Chaos Communication Camp 2019 (Ancient Data) (0) | 2019.08.28 |
|---|---|
| Securinets Prequals 2K19 Write-up (Easy Trade) (0) | 2019.03.24 |
| TAMUctf '19 Write-up (Hello World) (0) | 2019.03.24 |
| Pragyan CTF 19' Write-up / Welcome (0) | 2019.03.18 |
| UTCTF 19' Write-up / Low Sodium Bagel (0) | 2019.03.15 |
