Rootcon 2017 CTF — BinForCry 100 Write-up/Walkthrough (Part 3 of x)

Mon
Oct 8, 2017

This is part 3 of my Rootcon 2017 write-up/walkthrough series. In case you missed it, here’s Part 1, which included an update about my team’s (Team Harambae) and my Rootcon 2017 CTF experience and a walkthrough of the BinForCry 200 challenge; and Part 2, which features a walkthrough of the BinForCry 350 challenge :)

BinForCry 100

After a long week at work, I finally (finally!) found the (super short) time to write about this easy, but nonetheless interesting challenge that we encountered last Rootcon 11. This challenge features a file signature-related problem.

This writeup will be a quick and short one, so let’s get to it!

Browsing the challenge page will give you this .gif:

Legend has it that Chuck Norris’ first computer program is named ‘kill -9’

As per usual procedures, I tried to use exiftool and binwalk to check for hidden files and metadata in this file to no avail. I even tried to use the strings command and found nothing. However, viewing the source of the challenge webpage and scrolling further down will give you this comment:

<!--archive.zip-->

So I downloaded the .zip file and issued the unzip command.

The resulting directory contains an .mp4 file named beathim.mp4 worth 13MB, a text file named checksum, and a __MACOSX directory which means that this file was archived using a Mac /:)

Displaying the contents of the checksum file will give you this output:

$ cat checksum
MD5 (beathim.mp4) = e5c8df90d44bdf866f0e427c47bbdd32

hmm. okay. Let’s see if the beathim.mp4 file we got has the same checksum:

Of course it does…not match! It would be super easy otherwise haha!

I tried playing/viewing the .mp4 file but it shows nothing but the following error:

Running exiftool will display the following output:

Which means that there is something wrong with the file itself. Let’s take a look.

Opening the file using Bless will validate our guess:

If you look at the data starting at offset 00, you’ll see that the file shows the following ASCII values:

That’s not what mp4 signatures should look like…

Well, of course I instinctively passed the ASCII string FLAG Ble01FD,6+AH which was converted to flag_is{Ble01FD6ah}. Which was obviously wrong /:)

As I said in the caption above, that’s not what .mp4 signatures should look like. A quick search would help you understand and identify a normal .mp4 signature format. A normal .mp4 file primarily consists of the following:

A signature at offset 04 using one of the following pre-defined signatures:

“ftyp”, “mdat”, “moov”, “pnot”, “udta”, “uuid”, “moof”, “free”, “skip”, “jP2 ”, “wide”, “load”, “ctab”, “imap”, “matt”, “kmat”, “clip”, “crgn”, “sync”, “chap”, “tmcd”, “scpt”, “ssrc”, “PICT”

And a sub-type at offset 08 which must be one of the following values:

“avc1”, “iso2”, “isom”, “mmp4”, “mp41”, “mp42”, “mp71”, “msnv”, “ndas”, “ndsc”, “ndsh”, “ndsm”, “ndsp”, “ndss”, “ndxc”, “ndxh”, “ndxm”, “ndxp”, “ndxs”

For an .mp4 file, we should typically be looking for an ftypmp42 signature-subtype combination.

As you can see in the screenshot above, neither the signature nor the sub-type is present on the file. Time to delete the unnecessary values, then. Deleting the values from FLAG to END will leave us with the following:

Following the specifications, let’s add the signature and subtype and append 00 00 00 01 at the end like so:

However, we need to put the block size before the signature and subtype so for now, let’s put 00 00 00 1C (size: 28) as the block size:

If you look at offset 10, it looks like a truncated mp42isom. One thing to note about offset 10 is that it shows the compatible brands that can play the .mp4 file. (e.g. mp42 [ISO 14496–1 vers. 2], isom [ISO 14496–1 Base Media], mmp4 [3G Mobile MP4], qt [QuickTime Movie], etc.)

Let’s try to put mmp4mp42isom at offset 10 like this:

Save it, and hope for the best.
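The header layout from the steps above, as an added example that is not code from the original write-up: it builds the 28-byte ftyp box and checks a file's first box the way a parser would. The brand values follow the ExifTool output shown further down; the function names, the CORRUPT and REPAIRED sample bytes, and the trailing free box are constructed for illustration.

```python
import struct

# Brand codes taken from the write-up's sub-type list (subset).
KNOWN_BRANDS = {b"avc1", b"iso2", b"isom", b"mmp4", b"mp41", b"mp42"}

def build_ftyp(major, minor_version, compatible):
    """Layout: size | 'ftyp' | major brand | minor version | compatible brands."""
    body = major + struct.pack(">I", minor_version) + b"".join(compatible)
    # The 4-byte big-endian size counts the whole box, including itself.
    return struct.pack(">I", 8 + len(body)) + b"ftyp" + body

def check_header(data):
    """Return (ok, detail) for the first box of an MP4 byte string."""
    if len(data) < 16:
        return False, "shorter than a minimal ftyp box"
    size, box_type = struct.unpack(">I4s", data[:8])
    if box_type != b"ftyp":
        return False, "offset 04 holds %r, expected b'ftyp'" % box_type
    # Brands are 4 bytes each, so the box must end on a 4-byte boundary.
    if size < 16 or size > len(data) or (size - 16) % 4:
        return False, "implausible box size %d" % size
    major = data[8:12]
    if major not in KNOWN_BRANDS:
        return False, "unknown major brand %r" % major
    minor = struct.unpack(">I", data[12:16])[0]
    compat = [data[i:i + 4] for i in range(16, size, 4)]
    return True, {"size": size, "major": major, "minor": minor,
                  "compatible": compat}

# Constructed sample inputs (assumptions, not bytes copied from the
# challenge file): the ASCII string quoted in the write-up plus padding,
# and a repaired header followed by an empty 'free' box.
CORRUPT = b"FLAG Ble01FD,6+AH" + b"\x00" * 16
REPAIRED = (build_ftyp(b"mmp4", 1, [b"mmp4", b"mp42", b"isom"])
            + b"\x00\x00\x00\x08free")

if __name__ == "__main__":
    print(REPAIRED[:28].hex(" "))  # starts 00 00 00 1c 66 74 79 70
    for name, blob in (("corrupt", CORRUPT), ("repaired", REPAIRED)):
        print(name, check_header(blob))
```
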

If all goes well, you will now be able to see the corresponding metadata of the file using exiftool:

# I'll just paste the output here since it won't fit in a screenshot
ExifTool Version Number : 10.60
File Name : beathim.mp4
Directory : .
File Size : 13 MB
File Modification Date/Time : 2017:09:21 13:17:52+08:00
File Access Date/Time : 2017:09:21 13:17:52+08:00
File Inode Change Date/Time : 2017:09:21 13:17:52+08:00
File Permissions : rw-r--r--
File Type : MP4
File Type Extension : mp4
MIME Type : video/mp4
Major Brand : MPEG-4/3GPP Mobile Profile (.MP4/3GP) (for NTT)
Minor Version : 0.0.1
Compatible Brands : mmp4, mp42, isom
Movie Header Version : 0
Create Date : 2017:07:22 23:47:10
Modify Date : 2017:07:22 23:47:19
Time Scale : 30000
Duration : 21.12 s
Preferred Rate : 1
Preferred Volume : 100.00%
Preview Time : 0 s
Preview Duration : 0 s
Poster Time : 0 s
Selection Time : 0 s
Selection Duration : 0 s
Current Time : 0 s
Next Track ID : 3
Track Header Version : 0
Track Create Date : 2017:07:22 23:47:10
Track Modify Date : 2017:07:22 23:47:19
Track ID : 1
Track Duration : 21.12 s
Track Layer : 0
Track Volume : 100.00%
Balance : 0
Audio Format : mp4a
Audio Channels : 2
Audio Bits Per Sample : 16
Audio Sample Rate : 48000
Matrix Structure : 1 0 0 0 1 0 0 0 1
Image Width : 1280
Image Height : 720
Media Header Version : 0
Media Create Date : 2017:07:22 23:47:10
Media Modify Date : 2017:07:22 23:47:19
Media Time Scale : 30000
Media Duration : 21.12 s
Media Language Code : und
Handler Type : Video Track
Handler Description : Core Media Video
Graphics Mode : srcCopy
Op Color : 0 0 0
Compressor ID : avc1
Source Image Width : 1280
Source Image Height : 720
X Resolution : 72
Y Resolution : 72
Bit Depth : 24
Color Representation : nclx 1 1 1
Video Field Order : Progressive; 0
Pixel Aspect Ratio : 1:1
Video Frame Rate : 29.97
Unknown Thumbnail : (Binary data 126819 bytes, use -b option to extract)
Description : This video is about My Movie
Title : My Movie
Movie Data Size : 13431075
Movie Data Offset : 136231
Avg Bitrate : 5.09 Mbps
Image Size : 1280x720
Megapixels : 0.922
Rotation : 0

Play the mp4 file, and you will see a Gravity Falls clip.

I hope the flag is out here somewhere…

After watching for a few seconds, I present to you — the flag!

So there you have it, the flag for BinForCry 100 is flag_is{w3_l0v3_gr4vity_F4lls}

So how about the checksum? My final beathim.mp4 file’s checksum is: 4798d14acadc861c9bce1eaac02a23a2 which is way off from the provided checksum: e5c8df90d44bdf866f0e427c47bbdd32. Tough luck, haha!

That’s it for the BinForCry 100 challenge. I hope I helped you learn something new, reader!

As always, thank you for reading!
