Challenge Description

We begin our quest for the flag by downloading the file using wget. Running file advanced-potion-making and exiftool advanced-potion-making did not provide us with any clue about the file type of this file.

Trying hexedit

According to this source, one way of determining the file type is to look for the file signature by opening it in a hex editor.

Hex Editor

A hex editor is a tool that allows an examiner to inspect each byte of a file; most hex editors provide many functions that help in the analysis of a file.

So I proceeded to use hexedit and recognised that this file is likely a PNG file with a wrong file signature.

With reference to this page, I changed the file header of this file using hexedit.

pngcheck and zsteg

After changing the header, I used cp to add a .png file extension to the file, and tested this file for corruption using pngcheck -v advanced-potion-making.png. Thankfully, there were no errors. I proceeded to attempt zsteg to check if there was any hidden data. However, this was not useful.
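The header repair and the integrity check described above can also be scripted. The following is an added example, not part of the original write-up: it restores the 8-byte PNG signature and the IHDR length/type field, then verifies each chunk's CRC. The function names and the damaged sample bytes are constructed for illustration and are not the challenge file's actual contents.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
IHDR_PREFIX = struct.pack(">I", 13) + b"IHDR"  # IHDR data is always 13 bytes

def make_chunk(ctype, data):
    """Build one chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def repair_header(blob):
    """Restore the signature and the IHDR length/type; list what was wrong."""
    out, fixes = bytearray(blob), []
    for start, want, name in ((0, PNG_SIGNATURE, "signature"),
                              (8, IHDR_PREFIX, "IHDR length/type")):
        got = bytes(out[start:start + 8])
        if got != want:
            fixes.append(f"{name}: found {got.hex()}")
            out[start:start + 8] = want
    return bytes(out), fixes

def check_chunks(blob):
    """Walk every chunk and verify its CRC, the per-chunk check pngcheck runs."""
    if blob[:8] != PNG_SIGNATURE:
        raise ValueError("bad PNG signature")
    names, pos = [], 8
    while pos < len(blob):
        if pos + 12 > len(blob):
            raise ValueError("truncated chunk header")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        end = pos + 12 + length
        if end > len(blob):
            raise ValueError("truncated chunk")
        body = blob[pos + 4:end - 4]  # chunk type + chunk data
        if zlib.crc32(body) & 0xFFFFFFFF != struct.unpack(">I", blob[end - 4:end])[0]:
            raise ValueError(f"CRC mismatch in {body[:4]!r}")
        names.append(body[:4].decode("ascii", "replace"))
        pos = end
    return names

# Constructed sample: a valid 1x1 red PNG, then a copy with damaged header bytes.
GOOD = (PNG_SIGNATURE
        + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
        + make_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))
        + make_chunk(b"IEND", b""))
DAMAGED = GOOD[:1] + b"XXX" + GOOD[4:12] + b"XXXX" + GOOD[16:]

if __name__ == "__main__":
    fixed, fixes = repair_header(DAMAGED)
    print(fixes, check_chunks(fixed))
```

Because the IHDR CRC covers the chunk type, a passing CRC after the repair confirms that the restored type bytes match what the file was originally written with.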

Looking at the image from another angle

The above shows what the advanced-potion-making.png image looks like. It seems that it’s just one red image with nothing of interest. I tried using the bucket tool in GIMP (GNU Image Manipulation Program), but that did not reveal our flag.

I then headed over to https://29a.ch/photo-forensics/#forensic-magnifier to see if I could retrieve the flag by magnifying the image. Indeed, hovering over specific portions of the image reveals parts of the flag. I would be able to get the flag from this, but the process would be rather tedious if I relied solely on magnification.

The Flag

I searched online for other tools for image forensics, and came across Aperi’Solve. This was my first time using it. As seen above, the full flag was easily seen when I uploaded the file on Aperi’Solve.

For more information, see Aperi’Solve or refer to their official GitHub page.

The flag can be read easily from the above image, although the ‘1’ may be mistaken for an ‘i’.

Flag

picoCTF{w1z4rdry}