 Hey there everybody, my name is John Hammond. Welcome back to some more PicoCTF 2017. This is the master challenge or kind of the last challenge for level two here. It's called Missing Identity and the challenge prompt is: "Turns out, some of the files back from Master Challenge 1 were corrupted. Restore this one file and find the flag." And we're given a link here which we can go ahead and grab the copy address for so we can wget it. The hints say: "What file is this? What do you expect to find the file structure?" All characters in the file are lower case numerical, there will not be any zeros. Okay, so let's go ahead and work with this. I'm going to wget this file. Oh, don't know why accidentally. Now I should have the correct one in the clipboard. Good. Let's run file on this thing. So file file. And it's just simply data. Okay, so nothing particularly good in there. exiftool, let's see if we can get any metadata on it. Unknown file type, nothing particular in there. So again, more low hanging fruit. Let's try and run strings on this thing. And I'm seeing interesting stuff, right? Lots of garbage it seems like. But at the very, very end, we see things like flag.png, not the flag one dot PNG, not the flag two, etc, etc. And they have an IEND or segments that would represent, okay, maybe a header or a chunk in a PNG, portable network graphics image file. And I'll also say PK, which maybe this has just come from a little bit of experience or playing CTFs and doing this kind of stuff for long enough. But PK makes me think of a zip archive. And considering they have multiple files in here, we know that it could very well be just a compressed folder or just an archive like a zip archive.
So if I actually tried to hexedit this thing, if you don't have hexedit, it's just a simple hex editor, you can sudo apt install hexedit if you want. You can use ghex or bless or whatever one you particularly like, but I'm used to hexedit, so we can just run hexedit on the file. And if you'll notice at the very, very top of the file, the hexadecimal side on the left and kind of the ASCII side on the right, it's just starting the file with a bunch of Xs. And that's weird, obviously, that should not be the magic bytes or kind of the signature that should be representing a file, there's got to be some kind of identifier. And that's what the file command uses to determine the type of file that it's looking at. The file command here will just read the first kind of bytes and determine the file signature. So let's go off of a hunch. If we wanted to go ahead and assume this is a zip archive, well, maybe we could patch it up, or we could try and run some, again, forensics tools on it, try and run binwalk on the file. Looks like it'll try and read out not the flag files, but it doesn't see the original, just simple flag file, flag.png. If I extract all the stuff out. Oh, maybe it does have flag.png. Nope, it's not able to recognize it. Okay. But we also have a zip archive. Let's try and unzip that. Sure, go ahead and extract stuff. Maybe it rewrote not the flag. No, it didn't. This actually is not the flag. Remember how the hint said all characters in the file are lowercase, etc. Or actually, this note here, it says the flag starts with the character Z. And actually, if you check out, I'm gonna hit the arrow key, you can see not the flag one dot png. This is an identical file. So it's actually just interpreting not the flag one dot png and flag.png to be the same using binwalk. So that's not the methodology that we want. However, you can see there are other files in here that are just random numbers. But again, not the flag that we want.
So we could try another tool, we could try and run foremost on file. And again, it's trying to find some other stuff here in the output here, zip archive, let's unzip this again, see what we can drag out. And eog flag. Nope, exact same thing, it's the not the flag one. So again, that technique will not work for us but worthwhile trying. So what I'm going to go ahead and do now is I want to again, take a look at the hexedit, take a look at the hex dump, see what this file is really made up of in bytes, hexadecimal and ASCII over here. That xxxx, we want to change this to something that it should be. If we're going to work with the assumption and interpretation that this is a zip archive, we can look at the zip archive kind of file header or the start of what you would normally see in a zip archive. So what I'm going to do is actually just going to Google file signatures and you could go for a zip archive if you want. But I know Gary Kessler actually has a fantastic archive of like regular file signatures that he just kind of keeps note of. So I'm going to Ctrl+F here for zip. And there are a lot of kind of occurrences here. There's gzip and 7-Zip and etc. etc., bzip2 that we don't need. But I just want zip, regular PKZIP archive. It's an interesting note here. It says PK are the initials of Phil Katz, the co-creator of the zip file format and author of PKZIP. And it gives us this set of bytes here that we could set to be the very start of our file. So I'm going to go ahead and do that. Looks like in the hexadecimal side, it should be 504b0304. And interestingly enough, it doesn't cover the last two X's. But I tried something interesting when I went ahead and worked with this, I would save the file, go ahead and Ctrl+X to break out of it. Now, if I run file on file, it thinks it's a zip archive. So I can unzip file. And it'll go ahead and extract everything just fine. And then when I check out flag.png, we get the real flag.
Zippity, dude, eight, four, nine, nine, three, three, two, whatever. And the flag may be different again, kind of the hex at the very end from my account to your account, whatever. But that is the real flag. So interestingly enough, we didn't have to take care of those other X's when we went ahead and checked out the hex dump of the file. I guess it just was able to process the zip archive just fine. Cool. I'm perfectly fine with that. A flag's a flag, whatever. So that's it. Let's go ahead and take note of that. eog flag.png, put it over there. Let's zoom in on that and let's write down the flag. Zippity, dude, eight, four, nine, nine, three, three, three, two. Cool. Copy that. Go ahead and submit it. And that's it. Cool. Now it's going to give us a cheesy cut scene. Let's go ahead and skip all this. But now we are in level three. So we have completed that. And let's go ahead and mark that challenge as complete. And we're ready to move on. So super cool. Hope you guys enjoyed this one. Please do keep watching. Hope you're enjoying this. Hope this is a cool series. And I do want to give a quick shout out to the people that support me on Patreon. Thank you guys so much. I can't say it enough. One dollar a month on Patreon will give you a special shout out just like this at the end of every video. Make your heart warm inside. Feel fuzzy that you're helping out another dude on the internet just trying to, I don't know, make some mark on the world, I guess, by making stupid internet videos. Whatever. Five dollars a month on Patreon will give you early access to everything that's released on YouTube before it goes live because I like to try and record videos in bulk. I'm getting progressively worse at this, so I'm really, I apologize. But that should not dissuade you.
Five dollars a month and you get access to a shared Google Drive where I will try and upload and populate videos that I have recorded in advance and YouTube is gradually releasing based on like a schedule, maybe a daily or gradual thing, whatever. So that would help me out if you want content right when it's ready, don't have to wait. However much timeline or wait that I put on, you can just get it right away. If you did like this video, please do like, comment, and subscribe. Link in the description to our Discord server, it's a cool community full of CTF players, programmers, and hackers. You want to play? PicoCTF 2018 opens this Friday. Hang out with me, other cool people, we'll form a team, we'll jam, it'll be awesome. So please just come hang out, join the party. Hey, I love you guys. Hope to see you on Patreon. Hope to see you in the next video. Take it easy.
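
Added example, not part of the video: the header repair from the walkthrough, reproduced in Python on a constructed two-entry archive. It shows why a scan for `50 4b 03 04` misses the damaged first entry and why restoring only those four bytes is enough: the next two bytes are the local header's "version needed to extract" field, which Python's `zipfile` does not validate when reading a member. The file contents, the second entry's name and the count of six overwritten bytes are assumptions.

```python
import io
import zipfile

LOCAL_MAGIC = b"PK\x03\x04"  # 50 4b 03 04, the signature typed into the hex editor
FLAG_DATA = b"constructed stand-in for flag.png"  # constructed sample data
DECOY_DATA = b"decoy"                             # constructed sample data

def make_sample_zip() -> bytes:
    """Constructed archive; flag.png is written first, so its header sits at offset 0."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in (("flag.png", FLAG_DATA), ("nottheflag1.png", DECOY_DATA)):
            zf.writestr(zipfile.ZipInfo(name, date_time=(2017, 4, 1, 0, 0, 0)), data)
    return buf.getvalue()

def damage(data: bytes, n: int = 6) -> bytes:
    """Overwrite the first n bytes with 'X' (n=6 is an assumption about the challenge file)."""
    return b"X" * n + data[n:]

def repair(data: bytes) -> bytes:
    """Restore only the 4-byte signature, leaving bytes 4-5 as they are."""
    return LOCAL_MAGIC + data[4:]

def local_header_offsets(data: bytes) -> list[int]:
    """Offsets that a scan for the local file header signature would report."""
    offsets, pos = [], data.find(LOCAL_MAGIC)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(LOCAL_MAGIC, pos + 1)
    return offsets

def try_read(data: bytes, name: str):
    """Return the member's bytes, or None when zipfile rejects its local header."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.read(name)
    except zipfile.BadZipFile:
        return None

if __name__ == "__main__":
    broken = damage(make_sample_zip())
    fixed = repair(broken)
    print("signatures found in damaged file:", local_header_offsets(broken))
    print("flag.png from damaged file:", try_read(broken, "flag.png"))
    print("nottheflag1.png from damaged file:", try_read(broken, "nottheflag1.png"))
    print("bytes 4-5 after repair:", fixed[4:6])
    print("flag.png after repair:", try_read(fixed, "flag.png"))
```
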