Forensics: Phishy Phishy (500) — SunshineCTF 2018 Writeup (2 of X)
This challenge involves a lot of testing and hypothesis-making. Nevertheless, it was a fun, albeit frustrating, challenge 😅
We were given a .zip file named phishy_chall.zip, which contains the following data:
After looking for leads as to what program would open these types of files, I came across the Paint3D Windows App.
So I started to make a project in Paint3D:
After that, I tried to locate the project files to test my hypothesis. While searching for where the project files are stored, I came across this video. According to it, the default path for the project files is:
So let’s look for our project!
So, now the problem is how to import the phishy_chall project into the Projects directory. Looking at the \LocalState directory, you'll notice the projects.json file:
A further look into the projects file:
So let's assume that the projects.json file dictates (identifies?) which projects Paint3D will show in its Projects list.
So let's copy the phishy_chall folder to the Projects directory and modify the projects.json file accordingly:
I intentionally left the Id field blank and hoped for the best.
Opening the Project in Paint3D results in an error:
It didn’t work, so let’s take a step back and analyze the given files.
What we can do is make a new project, try to imitate the thumbnail in the given phishy_chall folder, and then compare the files of the two projects.
Based on observation alone, we can deduce the following:
- The Nodes_<number>_<string>.bin pattern exists in both projects.
- Resources_Mesh_<number>.bin also exists in both projects.
- The <number> value in the above-mentioned files is unique to each project.
But we cannot progress on these observations alone. When a program crashes on a corrupted file, it usually means that the file was modified incorrectly. Therefore, we must look deeper into the files themselves and check whether our assumptions hold.
The biggest question at this point is “Where to start?”
When you look at the phishy_chall files:
You can see that the files with the highlighted dates were modified a day later than the other files in the folder. So let’s check them out first:
Comparing them to the files from the goldy (new) project:
It's easy to see that the files from the phishy_chall project were modified incorrectly.
We now have the following observations:
- When you look at offset 0x0F in the Resources_Mesh files, you can see that the ASCII string FISH was placed there instead of the weird y's (the 0xFF bytes, which render as ÿ in the hex editor's text column).
- The decimal value 18446744069414584347 is equivalent to FFFFFFFF0000001B in hex. If you look closely, that's the 8-byte value at offset 0x0F of the goldy file read in reverse byte order, i.e. the field is stored little-endian. This solidifies our hypothesis that the files in phishy_chall were indeed incorrectly modified.
- You can also see that the value FFFFFFFF0000001B appears in the Nodes_n_MeshInstance.bin file, specifically at offsets
Based on these observations, let's modify the phishy_chall files to (hopefully) fix the project.
Keep in mind:
18446744069414584343 (dec) ==
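The two steps above (reading a 64-bit little-endian field so the hex editor's "reversed" bytes match the decimal value, and copying the good field over the tampered one) are easy to script, which also avoids hand-editing bytes in a hex editor. The following is an added example written for this writeup; it is not the author's tooling and not part of the Paint3D format. The two sample headers (GOLDY and PHISHY), the field offset 0x0F, and the position of the FISH bytes are constructed for illustration; the only values taken from the text are the two decimal numbers and 0xFFFFFFFF0000001B.

```python
import struct


def u64_hex(value: int) -> str:
    """Render an unsigned 64-bit integer as 16 upper-case hex digits."""
    if not 0 <= value < 2 ** 64:
        raise ValueError("value does not fit in an unsigned 64-bit field")
    return f"{value:016X}"


def read_u64_le(data: bytes, offset: int) -> int:
    """Read the little-endian u64 stored at `offset`.

    A hex editor shows the bytes in file order (1B 00 00 00 FF FF FF FF);
    the integer they encode is those bytes read in reverse (FFFFFFFF0000001B).
    """
    return struct.unpack_from("<Q", data, offset)[0]


def write_u64_le(data: bytes, offset: int, value: int) -> bytes:
    """Return a copy of `data` with a little-endian u64 written at `offset`."""
    buf = bytearray(data)
    struct.pack_into("<Q", buf, offset, value)
    return bytes(buf)


def diff_bytes(a: bytes, b: bytes) -> list:
    """Byte-level diff: (offset, byte_in_a, byte_in_b) for every mismatch.

    Refuses files of different size, because offsets would no longer line up
    and a positional diff would be misleading.
    """
    if len(a) != len(b):
        raise ValueError("sizes differ; compare by structure, not by offset")
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


def restore_field(broken: bytes, reference: bytes, offset: int) -> bytes:
    """Copy the u64 field at `offset` from the reference file into the broken one."""
    return write_u64_le(broken, offset, read_u64_le(reference, offset))


# Constructed sample data (assumption: NOT the real Paint3D file layout).
# The "goldy" header carries the little-endian u64 0xFFFFFFFF0000001B at
# offset 0x0F; the "phishy" copy has ASCII "FISH" stamped over the four
# 0xFF bytes (the "weird y's") in the upper half of that field.
FIELD_OFFSET = 0x0F
GOLDY = b"MESH" + b"\x00" * 11 + struct.pack("<Q", 0xFFFFFFFF0000001B) + b"\x00" * 8
PHISHY = GOLDY[:FIELD_OFFSET + 4] + b"FISH" + GOLDY[FIELD_OFFSET + 8:]


if __name__ == "__main__":
    # The decimal values quoted in the writeup, converted the same way.
    print("18446744069414584347 ->", u64_hex(18446744069414584347))
    print("18446744069414584343 ->", u64_hex(18446744069414584343))

    # Where exactly do the two headers differ?
    for off, good, bad in diff_bytes(GOLDY, PHISHY):
        print(f"offset 0x{off:02X}: goldy {good:02X} -> phishy {bad:02X} ({chr(bad)!r})")

    # The u64 at 0x0F in the good file, and the repaired phishy header.
    print("goldy field at 0x0F:", u64_hex(read_u64_le(GOLDY, FIELD_OFFSET)))
    fixed = restore_field(PHISHY, GOLDY, FIELD_OFFSET)
    print("repaired == goldy:", fixed == GOLDY)
```

On the real challenge files the two projects are not byte-for-byte comparable (the <number> parts of the filenames and the per-project IDs differ), so diff_bytes is only useful on the fixed-layout header region; the point of the helpers is that read_u64_le and write_u64_le take care of the byte order, so you compare integers rather than eyeballing reversed hex.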
Notice the following changes:
Let’s try to open the file now:
Alright!!! Now, let’s try to look around using 3D view:
Finally got the flag!
The flag is:
That's all for this challenge! As always, thank you for reading!