G.O.A.T. 🐐
Description
I just found this weird gif-like file:
wget https://www.crysys.hu/downloads/misc/movie.apng
Here, take a look for yourself.
- Author: veloxer
Solution
This is indeed a weird-looking file. I haven't seen this extension before, and I cannot open it with anything, so I started googling. The creator didn't troll us with the extension, as it is an Animated PNG, hence apng. The format of these files is much the same as PNG, except that they contain additional fcTL and fdAT chunks. fcTL chunks are responsible for animating the frames, while fdAT chunks hold the data, similarly to IDAT chunks. Looking at the available information online, I found a tool called TweakPNG. It's quite an ancient one, but with wine we can run it even on Linux, and it lets us inspect the chunks of our file.
Scanning through the chunks, one frame in particular stood out, since it had many fdAT chunks after each other, while the rest of the file followed a nice structure: one fcTL chunk followed by an fdAT chunk. Looking into how to disassemble the APNG into separate PNGs, I've found the tool called apngdis.
Using that tool I split up the original file into many still png images:
apngdis movie.apng
Using another tool called pngcheck, and a bit of python, we can find the file that has those extra chunks:
from pwn import *
import re

# Run pngcheck on every extracted frame and print its chunk count.
for i in range(1, 429):
    filename = f'frames/apngframe{i:03d}.png'
    with process(["pngcheck", "-vf", filename], level="CRITICAL") as p:
        output = p.recvall().decode()
    # pngcheck's verbose summary line reports "<N> chunks"
    match = re.search(r'(\d+) chunks', output)
    chunk_count = match.group(1) if match else '?'
    print(f'{filename}: {chunk_count} chunks')
Indeed, there is a file with a much higher chunk count than the others.
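The same anomaly can be spotted without splitting the file, by walking the APNG chunk list and counting the data chunks that follow each fcTL. This is an added example, not part of the original writeup; the function names are hypothetical and the sample bytes are constructed with placeholder payloads.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def make_chunk(ctype, data=b""):
    """Serialize one chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data)
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def iter_chunks(blob):
    """Yield (type, data, crc_ok) for each chunk in a PNG/APNG byte string."""
    if blob[:8] != PNG_SIG:
        raise ValueError("missing PNG signature")
    pos = 8
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        end = pos + 12 + length
        if end > len(blob):
            raise ValueError(f"truncated chunk at offset {pos}")
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", blob[end - 4:end])
        yield ctype.decode("latin-1"), data, crc == zlib.crc32(ctype + data)
        if ctype == b"IEND":
            break
        pos = end

def data_chunks_per_frame(blob):
    """For each fcTL, count the IDAT/fdAT chunks that follow it."""
    counts = []
    for ctype, _, _ in iter_chunks(blob):
        if ctype == "fcTL":
            counts.append(0)
        elif ctype in ("IDAT", "fdAT") and counts:
            counts[-1] += 1
    return counts

def outlier_frames(counts):
    """Indexes of frames with more data chunks than the median frame."""
    median = sorted(counts)[len(counts) // 2]
    return [i for i, n in enumerate(counts) if n > median]

# Constructed sample: placeholder payloads, not a decodable image.
layout = ["IHDR", "acTL", "fcTL", "IDAT", "fcTL", "fdAT",
          "fcTL", "fdAT", "fdAT", "fdAT", "fdAT", "fcTL", "fdAT", "IEND"]
SAMPLE = PNG_SIG + b"".join(make_chunk(t.encode(), b"\x00" * 4) for t in layout)

if __name__ == "__main__":
    print(data_chunks_per_frame(SAMPLE), outlier_frames(data_chunks_per_frame(SAMPLE)))
```

To run it against a real file, pass `open("movie.apng", "rb").read()` instead of `SAMPLE`; frame indexes are zero-based in fcTL order.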
Inspecting that file using zsteg, we can see that there is a jpeg hidden inside our png file, which we can extract using:
zsteg 129.png -E b1,b,lsb,xy > hidden.jpg
From here, we can advance further. Checking basic stuff on this JPEG, namely using strings and binwalk, we can see that it contains a password, as well as a hidden zip file inside of it. We can extract it using dd once again:
dd if=hidden.jpg of=hidden.zip bs=1 skip=5454
After unzipping, we get an mp3 file. Playing it, we can hear a weird crackling noise. Checking it out in Audacity, we can see a hidden message:
cd22{HIDDEN}