Grass is Greener

~# cat Question

the Leaves Shades the Branches

FILE: Grass_Final.zip

Unzipping Grass_Final.zip gives us Grass_Final.png. Immediately, I tried viewing the png using eog. However, it gave me a file format error. Thus, I tried using exiftool to see the metadata of the file. Once again, it showed a file format error.

┌──(tev㉿kali)-[~/HACK@AC]
└─$ exiftool Grass_Final.png
ExifTool Version Number         : 12.67
File Name                       : Grass_Final.png
Directory                       : .
File Size                       : 15 MB
File Modification Date/Time     : 2023:05:15 15:42:42-04:00
File Access Date/Time           : 2023:05:15 15:42:42-04:00
File Inode Change Date/Time     : 2024:02:27 05:29:42-05:00
File Permissions                : -rw-r--r--
Error                           : File format error

┌──(tev㉿kali)-[~/HACK@AC]
└─$ pngcheck -v Grass_Final.png
File: Grass_Final.png (15081104 bytes)
  this is neither a PNG or JNG image nor MNG stream
ERRORS DETECTED in Grass_Final.png

After some googling, I came across this GitHub repo talking about magic bytes. Basically, we can now exploit this the same way. Seeing that it is a png image, we can change the magic bytes of the corrupted file. Here's the list of file signatures for their respective magic bytes. I used xxd (hex viewer) on the file to see its hexadecimal format. However, based on the png file signatures, it has been altered and is no longer a png despite the file extension.

┌──(tev㉿kali)-[~/HACK@AC]
└─$ xxd -l8 Grass_Final.png
00000000: 8940 4e47 0d0a 1a0a

Fixing the magic bytes

We can alter the magic bytes of the corrupted png to match the magic bytes of a real png file.

┌──(tev㉿kali)-[~/HACK@AC]
└─$ printf '\x89\x50\x4e\x47\x0d\x0a\x1a\x0a' | dd of=Grass_Final.png bs=1 seek=0 conv=notrunc
8+0 records in
8+0 records out 
8 bytes copied, 0.000240838 s, 33.2 kB/s

The file is now an actual png file. I ran eog on the file and it revealed an area of ACS(I).

┌──(tev㉿kali)-[~/HACK@AC]
└─$ pngcheck Grass_Final.png
OK: Grass_Final.png (4032x3024, 32-bit RGB+alpha, non-interlaced, 69.1%).

┌──(tev㉿kali)-[~/HACK@AC]
└─$ eog Grass_Final.png
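
The same check and repair in Python, as an added example that is not part of the original write-up: it reports which signature byte is wrong, repairs a copy instead of overwriting the file, and verifies the IHDR chunk CRC to confirm that only the header was damaged. The function names and the 1x1 sample image are constructed for illustration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"  # 89 50 4e 47 0d 0a 1a 0a


def signature_diff(data: bytes):
    """Return (offset, found, expected) for each of the 8 header bytes that is wrong."""
    head = data[:8]
    if len(head) < 8:
        raise ValueError("file shorter than a PNG signature")
    return [(i, head[i], PNG_SIGNATURE[i]) for i in range(8) if head[i] != PNG_SIGNATURE[i]]


def repair_signature(data: bytes) -> bytes:
    """Return a copy with the 8-byte signature restored; the input stays untouched."""
    return PNG_SIGNATURE + data[8:]


def ihdr_is_valid(data: bytes) -> bool:
    """Check that the first chunk is a 13-byte IHDR whose CRC-32 matches."""
    if len(data) < 33:
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    if length != 13 or ctype != b"IHDR":
        return False
    (crc,) = struct.unpack(">I", data[29:33])
    return crc == zlib.crc32(data[12:29])  # CRC covers chunk type + chunk data


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC-32."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))


def make_sample() -> bytes:
    """Constructed 1x1 RGBA PNG whose second signature byte is 0x40, as in the xxd output."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00\xff")
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    return png[:1] + b"\x40" + png[2:]


if __name__ == "__main__":
    broken = make_sample()
    for off, found, want in signature_diff(broken):
        print(f"offset {off}: found 0x{found:02x}, expected 0x{want:02x}")
    fixed = repair_signature(broken)
    print("IHDR valid after repair:", ihdr_is_valid(fixed))
```

If the IHDR check fails after the signature is restored, the damage goes beyond the magic bytes and a header-only fix will not be enough.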

At this point, I got really stuck as I thought it had something to do with the image. Thus I tried looking hard at the image to see if the flag was hidden in the photo 🤣. I re-looked at the challenge and realized the description gave us a hint. Reading the capital letters of the description "the Leaves Shades the Branches" gives us LSB. Then I knew I had to run zsteg on the image. There is the flag!

LSB of the PNG file

┌──(tev㉿kali)-[~/HACK@AC]
└─$ zsteg Grass_Final.png 
imagedata           .. file: AIX core file 64-bit
b1,g,msb,xy         .. file: OpenPGP Secret Key
b1,rgb,lsb,xy       .. text: "ACSI{t0uch_gr@55}"
b2,r,msb,xy         .. file: OpenPGP Secret Key
b2,g,msb,xy         .. text: "PTPUADPP"
b2,b,msb,xy         .. text: "QADQDET@"
b3,bgr,lsb,xy       .. text: "Zh$S, Y("
b4,r,msb,xy         .. text: "p@0WGt3'0 @W1pV7@SsU"
b4,g,lsb,xy         .. text: "Ffff"fD" "hdB$hdDFH"
b4,g,msb,xy         .. file: zlib compressed data
b4,b,lsb,xy         .. text: ""d&dDff@("
b4,b,msb,xy         .. text: "aQ!FVe"6!1QF aG&QBbD"
b4,rgb,msb,xy       .. text: "0qe7FW76!S2!"
b4,abgr,msb,xy      .. text: "ouos_Gos/1/5/1/1"

Flag: ACSI{t0uch_gr@55}
