DamoNeer@home:~$

ShaktiCon CTF 2021 - Chunkies | Forensics

Chunkies

We could retrieve only this file from the machine, but it looks like it is corrupted. Can you recover the file?

Downloadable file: file.png

Solution

For this challenge, I used two tools to recover the file: HexEd.it and the command pngcheck.

I also used this website to help me learn the critical chunks of a png file.

There will be a lot of back and forth between HexEd and pngcheck.


Right away, I saw that the png header is wrong. There was a missing “89” byte, so I added that in front.


//Linux
$pngcheck file.png
file.png  CRC error in chunk IHDR (computed 5a7b8bdc, expected 5a9b8bdc)
ERROR: file.png

pngcheck told me that there was an error related to the IHDR chunk, specifically its CRC portion. The correct bytes should have been 5a 7b 8b dc instead of 5a 9b 8b dc (I know, it didn’t really make any sense for pngcheck to use the word “expected” here). Anyway, I fixed that.


//Linux
$pngcheck file.png
file.png  illegal (unless recently approved) unknown, public chunk IADT
ERROR: file.png

This time, pngcheck told me that the chunk IADT was wrong. After googling, I found out that IADT should have been IDAT instead. I found all of the IADT strings and changed them into IDAT. (There were like 7 or 8 occurrences, I think.)

//Linux
$pngcheck file.png
file.png  illegal (unless recently approved) unknown, public chunk INED
ERROR: file.png

Finally, pngcheck stated that INED was wrong. Google told me that it should have been IEND instead. (There was only one mistake)

//Linux
$pngcheck file.png
OK: file.png (512x308, 32-bit RGB+alpha, non-interlaced, 92.8%).

After opening the image successfully, the flag was retrieved!
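The same checks and fixes can be scripted instead of alternating between a hex editor and pngcheck. The following Python is an added example, not part of the original write-up: it walks the chunk layout (4-byte length, 4-byte type, data, CRC-32 over type + data) and repairs the four kinds of damage described above. The function names, the tiny sample image and the `TYPE_FIXES` table are constructed for illustration.

```python
import struct, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
TYPE_FIXES = {b"IADT": b"IDAT", b"INED": b"IEND"}  # misspellings from the write-up

def chunk(ctype, data):
    """Serialize a chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def sample_png():
    """Constructed 1x1 RGBA image, used only as test input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00\xff")  # filter byte + one pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

def corrupt(png):
    """Apply the four kinds of damage the write-up found."""
    bad = bytearray(png[1:])     # drop the leading 0x89
    bad[7 + 8 + 13 + 1] ^= 0xE0  # damage the stored IHDR CRC (2nd byte)
    return bytes(bad).replace(b"IDAT", b"IADT").replace(b"IEND", b"INED")

def repair(blob):
    """Return (repaired_bytes, notes). Rewriting a CRC assumes the chunk data
    is intact; a mismatch can equally mean the data itself is damaged."""
    notes = []
    if blob.startswith(PNG_SIG[1:]):
        blob = b"\x89" + blob
        notes.append("signature: restored missing 0x89")
    if not blob.startswith(PNG_SIG):
        raise ValueError("unrecognised PNG signature")
    out, pos = bytearray(PNG_SIG), len(PNG_SIG)
    while pos < len(blob):
        length = int.from_bytes(blob[pos:pos + 4], "big")
        ctype = blob[pos + 4:pos + 8]
        end = pos + 8 + length
        if end + 4 > len(blob):  # also catches a short chunk header
            raise ValueError(f"truncated chunk at offset {pos}")
        data = blob[pos + 8:end]
        (stored,) = struct.unpack_from(">I", blob, end)
        if ctype in TYPE_FIXES:
            notes.append(f"offset {pos}: type {ctype!r} -> {TYPE_FIXES[ctype]!r}")
            ctype = TYPE_FIXES[ctype]
        crc = zlib.crc32(ctype + data)
        if crc != stored:
            notes.append(f"offset {pos}: {ctype!r} CRC {stored:08x} -> {crc:08x}")
        out += chunk(ctype, data)
        pos = end + 4
    return bytes(out), notes
```

Because the CRC covers the type field, restoring a misspelled type makes the stored CRC valid again without rewriting it, which is why only the IHDR CRC is reported as changed.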
