Mystery File is the next challenge in Ryan Nicholson's capture-the-flag competition. It's 100 points in the extreme category. It says find the hidden flag in the flag file. So it gives us a shell we can connect to with some credentials to log in, CTF 8 and challenge 8. And in our home directory we have a file called flag, which I would want to do some file reconnaissance on. And we actually have the file command here in this Docker container, so that's pretty handy, except it tells us it's just data. So let's actually see what this thing is. It says ha, ha, ha, ha, and seemingly a lot of garbage. So no particular flag in here. I thought for a while that maybe this was like base64 stuff that I could get out of there. I wanted to try cat -A so we could see any of the special characters. So there were a lot of escape sequences and stuff that we saw, and it even had the terminal flash for us. So I thought, well, I could open this in Vim and take a look at it. It gives us those escape key sequences, but nothing particularly interesting in there. So what I did is I actually tried to take a look at it in hex. So I used xxd to spit out just its hex representation, and you can see all the ASCII here for ha, ha, ha at the very top and the 0A for the newline. So following the newline after that first line of cheesy laughter, it goes into some of those other bytes and interesting things here. So I note, okay, following the newline character 0A there's 1F, 8B and 08. And I'm thinking maybe I can use that as some kind of magic number or file header to determine what kind of file this thing actually is, because I can't run strings on this thing to actually get anything out of it. I can't run binwalk or foremost or scalpel or anything that I could usually use to extract things on my own. So what really is this thing inside it? So I tried to keep in mind 1F, 8B, 08.
So I went to check out file signatures, and there is a super awesome and common link by Gary Kessler. Yep, Gary Kessler. And I thought let's search 1F 8B 08. And I can see right here that this is a GZIP archive file. So I can gunzip this thing. Props to illicitTiger, by the way, for kind of finding that note and checking it out in the Discord server. If you aren't part of the Discord server you should totally join, come hang out, because a lot of us will find random CTF things or other problems to try and solve and we'll all attack it together. And it's really fun. So just link in description. So I wanted to figure out, okay, I've got to cut up this file now. So I've got one byte, two bytes, three bytes, four bytes, et cetera, et cetera, et cetera. And I counted up to where does the newline end and where does the actual file that could be a GZIP file begin? It looks like it's 17 bytes in and onward. So I tried to use the cut command for a long time, and I don't have a man page in here, so I'll do it on my local system. You can select the bytes forward and onward. So I tried to use 17 bytes on. I did cat flag for one thing, get it in standard input, standard output, and I piped it to cut -b 17-. And it didn't look like it was getting me anything. It still had the seemingly notions to it. So I wanted to see like, if I give this to another file called something, can I check out what that something is? And it's still just data. I can't gunzip that something. Even if I tried to give it a proper file extension, it was not willing to gunzip. So I figured, okay, that must be wrong. And again, props to illicitTiger because he actually used dd to cut up this file, or extract out what is necessary. So the syntax for dd is kind of strange, but you specify a bunch of input arguments, just like if, so input file, output file, the bytes that you want to read in and then the number that you want to skip.
So we can use dd if=flag, out F, excuse me, of=winner.gz, ibs (input block size) can be 1, read one block at a time, and then skip can be 17 bytes. Okay, so once that's done, now we have winner.gz. If I run file on that, it will tell me that, okay, that is actual GZIP data. Great, so that's progress. Let's gunzip this. And now we have a file called winner, which we can check out. Winner, cool. It looks like it did find the flag for us and we can take note of that, write it down, put it in our, did it actually save? Nope, where's that hydrostat, right? Hygrostat, whatever. I hate copying and pasting out of a web shell, but that was that, that was the solution to Mystery File. So keep in mind the file header or the magic numbers that denote the top of a file or the end of a file, or specific signatures that are like a good thumbprint for a specific file, and trying to determine that in hex. Always, no matter what, no matter how much it sucks, looking at the hex of some other file may be good to do in a CTF zone. So, cool. Hey, I wanna give a special shout out and some love to my supporters on Patreon. These individuals are fantastic. $1 a month on Patreon will give you a special shout out just like this at the end of every video. $5 a month on Patreon will give you early access to all my videos. If you did like this video, please do like, comment and subscribe. Please join the Discord server, hang out with us for a little bit, and it would be awesome if I could see some love from Patreon. See you soon, guys.
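The signature-hunting and dd-carving steps from the walkthrough, as an added Python example that is not part of the video or the challenge: it builds a constructed stand-in for the flag file (sixteen "ha" bytes, a newline, then a gzip member, so the header lands at offset 17 exactly as counted above, with a placeholder in place of the real flag), locates every 1F 8B 08 hit instead of counting bytes by hand, and decompresses from that offset the way dd skip=17 piped into gunzip does. It generalises the video's single case: every signature hit is tried, and trailing bytes after the member are tolerated because zlib stops at the member's end.

```python
import gzip
import io
import zlib

# 1F 8B are the gzip ID bytes and 08 is compression method "deflate":
# the signature the walkthrough looked up in Gary Kessler's table.
GZIP_MAGIC = b"\x1f\x8b\x08"


def build_sample() -> bytes:
    """Constructed stand-in for the CTF's flag file: a line of laughter, then a gzip member.
    16 'ha' bytes plus the newline put the gzip header at offset 17, as counted in the video."""
    buf = io.BytesIO()
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
        gz.write(b"flag{constructed_placeholder}\n")  # placeholder, not the real flag
    return b"ha" * 8 + b"\n" + buf.getvalue()


def find_gzip_offsets(data: bytes) -> list:
    """Every offset where the gzip magic occurs: the xxd-and-count step, automated."""
    offsets, pos = [], data.find(GZIP_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(GZIP_MAGIC, pos + 1)
    return offsets


def carve_gzip(data: bytes, offset: int):
    """Decompress the gzip member starting at `offset` (the dd skip=N | gunzip step).
    Returns None if no valid, complete gzip stream starts there. Bytes after the member
    land in the decompressor's unused_data, so the member's exact end need not be known."""
    d = zlib.decompressobj(wbits=16 + zlib.MAX_WBITS)  # 16+ means "expect a gzip wrapper"
    try:
        out = d.decompress(data[offset:])
    except zlib.error:  # e.g. "incorrect header check" when the offset is wrong
        return None
    return out if d.eof else None  # truncated stream: nothing trustworthy to report


def recover_payloads(data: bytes) -> list:
    """Try every signature hit and keep the (offset, payload) pairs that decompress cleanly."""
    results = []
    for off in find_gzip_offsets(data):
        payload = carve_gzip(data, off)
        if payload is not None:
            results.append((off, payload))
    return results


if __name__ == "__main__":
    sample = build_sample()
    for off, payload in recover_payloads(sample):
        print(f"gzip member at byte {off}: {payload!r}")
```

On the real challenge file, replace build_sample() with the bytes read from flag; the same scan would report the member at byte 17.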