- Files can always be changed in a secret way. Can you find the flag?.
- Author: susie
- Tags : picoCTF2021 , Forensics
- Source: cat.jpg
We found this file. Recover the flag.
approch
-
There is no file extension.so we don't actually know what type of file it is.
-
Let's open this with a online-hex-editor like hex-works to check the intended file type.
-
The first two characters are
BMwhich indicates a BMP file.
-
Let's change the file extension to
.bmpand since it still doesn't open
-
I decided to use OnlineImageMagick to open it.
-
I'm sure there's probably some way of changing the file header to open it properly but that's alright. It displays:
-
Something interesting to note is the size of the BMP file. It's about 2MB in size for such a tiny image? That doesn't seem right. This site explains what everything in the BMP header is.
-
Height for a BMP file is at offset 0016h. I changed offset 0017h from 0x01 to 0x03.