Task description

In this task, we need to unpack a flag that has been archived/encoded multiple times.

NOTE

shell archive text – A shell archive is similar to a tar file, but is only used to pack source code and other text files. This is a convenient way to combine all the source files of a project into a single file that can be sent by email. (Source)

./Flag.sh: 119: uudecode: not found: This is the main error. The script tried to run the uudecode command (probably on line 119 of its code), but the system could not find it.

NOTE

uudecode – command used to decode files that have been previously encoded with uuencode, which in turn is used to encode binary data such as images, documents, or executable files into a format that can be safely transmitted over text communication channels.

Data encoded in this way has a recognizable appearance:

UUencoded file example

Let’s take a look inside Flag.pdf.sh:

Here is a bash script and a pattern that points to uuencoded data. Next, you can proceed in two ways:

Method I

Copy this pattern to a separate file and run:

uudecode encoded.txt

Method II

When ./Flag.sh was run, a file named flag was created with the extension:

In both cases, we get an ar archive. This format uses the extension .a or .ar (More here), so let’s rename it for convenience:

mv flag flag.a

For unpacking (Source):

ar -xv flag.a

NOTE

cpio can be interpreted as copy in, copy out. It is a basic archive format, like tar. It has the .cpio format. Unpack it like this (Source):

cpio -iv < flag.cpio
  • < flag.cpio – by default, cpio reads archive data from standard input when the -i (extract) flag is used.

    The command cpio -iv flag.cpio is interpreted by cpio not as “unpack the archive from the file flag.cpio”, but probably as “unpack files named flag.cpio from standard input”. Since nothing is fed to standard input, the command simply waits for data.

    Therefore, you need to redirect the contents of the flag.cpio file to the standard input of the cpio -iv command.

Also, if you open flag.cpio in a text editor, you will notice something interesting:

In the line BZh91AY&SY:

  • BZh: These are magic bytes that clearly indicate that the file is compressed using the bzip2 algorithm.
  • 9: The number after BZh indicates the block size used for compression (900 KB).

This suggests that a bz2 archive may be present in the following layers.
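The same magic-byte check extended to the other formats in this write-up, as an added example that is not part of the original write-up. The signature table, the function names and the sample data are constructed for illustration, and the lzma entry is only a heuristic because that format has no true magic number.

```python
import bz2, gzip, lzma

# Leading bytes of the formats met in this write-up (table assembled for this example).
MAGIC = [
    (b"begin ", "uuencode"),
    (b"!<arch>\n", "ar"),
    (b"\xc7\x71", "cpio (binary, little-endian)"),
    (b"070701", "cpio (newc)"),
    (b"BZh", "bzip2"),
    (b"\x1f\x8b", "gzip"),
    (b"LZIP", "lzip"),
    (b"\x04\x22\x4d\x18", "lz4"),
    (b"\x89LZO\x00\r\n\x1a\n", "lzop"),
    (b"\xfd7zXZ\x00", "xz"),
    (b"\x5d\x00\x00", "lzma"),  # heuristic: .lzma has no true magic number
]

def identify(data: bytes) -> str:
    """Name the format whose signature starts `data`, or 'unknown'."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"

def bzip2_block_kb(data: bytes):
    """Block size in KB from a bzip2 header such as b'BZh91AY&SY', else None."""
    if data.startswith(b"BZh") and len(data) > 3 and chr(data[3]) in "123456789":
        return int(chr(data[3])) * 100
    return None

def peel(data: bytes):
    """Strip the layers the standard library can decode; return (layer names, payload)."""
    decoders = {"bzip2": bz2.decompress, "gzip": gzip.decompress,
                "xz": lzma.decompress, "lzma": lzma.decompress}
    layers = []
    while (kind := identify(data)) in decoders:
        layers.append(kind)
        data = decoders[kind](data)
    return layers, data

# Constructed sample: a placeholder flag as hex text, wrapped in bzip2 and then gzip.
HEX = b"FLAG{constructed}".hex().encode()
SAMPLE = gzip.compress(bz2.compress(HEX, 9))

if __name__ == "__main__":
    layers, payload = peel(SAMPLE)
    print(layers, bytes.fromhex(payload.decode()))
```

Formats outside the standard library (ar, cpio, lzip, lz4, lzop) are only identified here; they still need the command-line tools used in the rest of the write-up.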

And here is the bz2 archive.

bunzip2 flag.bz2

NOTE

The lzip file format is designed for data exchange and long-term archiving, taking into account both data integrity and the availability of decoders. (Source)

The archive has the extension .lz.

Next layer (LZ4 Source):

LZMA command

lzop is very similar to gzip (Source)

The author of the task clearly loves the lzip format, which he used to archive the flag twice.

Finally, ASCII text. Let’s see:

Or you can decode the hex-code directly in the terminal (Source):

cat flag | xxd -r -p && echo ''

picoCTF{f1len@m3_m@n1pul@t10n_f0r_0b2cur17y_3c79c5ba}