by Javantea

Aug 12, 2018

HeadOn is an easy forensics challenge.


file blob
blob: Zip archive data, made by v?[0x31e], extract using at least v2.0, last modified Sun Dec 12 05:18:44 2010, uncompressed size 10299, method=deflate



unzip -l blob
Archive: blob
Length Date Time Name
--------- ---------- ----- ----
10299 08-04-2018 11:25 flag.pdf
--------- -------
10299 1 file



unzip -v blob
Archive: blob
Length Method Size Cmpr Date Time CRC-32 Name
-------- ------ ------- ---- ---------- ----- -------- ----
10299 Defl:N 9575 7% 08-04-2018 11:25 bfeb2149 flag.pdf
-------- ------- --- -------
10299 9575 7% 1 file

unzip blob
Archive: blob


I tried pulling the deflated data out by hand using Unproprietary, but no such luck. Then I looked at the file in a hex editor. It looks kinda like this:


00000000 00 00 00 00 14 00 00 00 08 00 34 5b 04 4d 49 21 |..........4[.MI!|
00000010 eb bf 67 25 00 00 3b 28 00 00 08 00 1c 00 66 6c |..g%..;(......fl|
00000020 61 67 2e 70 64 66 55 54 09 00 03 a3 ef 65 5b b0 |ag.pdfUT.....e[.|
00000030 ef 65 5b 75 78 0b 00 01 04 00 00 00 00 04 00 00 |.e[ux...........|
00000040 00 00 85 5a 75 58 54 5b d7 bf 0a 06 83 34 32 34 |...ZuXT[.....424|
00000050 43 37 33 4c 30 8c 20 20 29 9d 82 94 e4 10 02 43 |C73L0. )......C|
00000060 23 8d 84 80 80 a4 8a 74 4b 48 23 dd dd 21 2d 9d |#......tKH#..!-.|
00000070 c2 48 49 89 f4 07 de fb c6 f7 de f7 7b be f3 3c |.HI.........{..<|
00000080 fb 9c bd 62 af b5 f6 5a bf bd cf 1f 7b b3 aa 48 |...b...Z....{..H|


I noticed that the normal PK\x03\x04 header was missing, so I looked at Info-ZIP's documents and found that the first thing would be to try adding the first 4 bytes. That turned out to be the solution.


unzip ../bloba.
Archive: ../bloba.
inflating: flag.pdf
okular flag.pdf
pdftotext flag.pdf
cat flag.txt
Flag{SDG7qJ734rIw6f3f90832r}


The flag is visible in the PDF.
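
The same repair done programmatically, as an added example that is not part of the original writeup: unzip -l still worked on blob because the central directory at the end of the archive was intact, so the sketch below uses it to find each local header, checks that the fields after the zeroed signature agree with it, and only then writes PK\x03\x04 back. The function names and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"  # local file header signature

def repair_local_signatures(data):
    """Return (repaired bytes, names fixed); raise ValueError on a mismatch."""
    buf = bytearray(data)
    fixed = []
    # Opening parses only the end-of-central-directory record and the
    # central directory, so it succeeds even with damaged local headers.
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = zf.infolist()
    for info in entries:
        off = info.header_offset
        if buf[off:off + 4] == LOCAL_SIG:
            continue
        # 26 bytes after the signature: version, flags, method, time, date,
        # CRC-32, compressed size, uncompressed size, name and extra lengths.
        (_ver, flags, method, _t, _d, crc, csize, usize, nlen,
         _xlen) = struct.unpack_from("<HHHHHIIIHH", buf, off + 4)
        name = bytes(buf[off + 30:off + 30 + nlen])
        enc = "utf-8" if flags & 0x800 else "cp437"
        ok = (method == info.compress_type
              and name.decode(enc, "replace") == info.orig_filename)
        if not flags & 0x08:  # CRC and sizes live in the header itself
            ok = ok and (crc, csize, usize) == (
                info.CRC, info.compress_size, info.file_size)
        if not ok:
            raise ValueError(f"header at {off} disagrees with central directory")
        buf[off:off + 4] = LOCAL_SIG
        fixed.append(info.filename)
    return bytes(buf), fixed

def make_damaged_sample():
    """Constructed input: a one-file zip whose first four bytes are zeroed."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("flag.pdf", b"%PDF-1.4 constructed sample\n" * 20)
    raw = bytearray(out.getvalue())
    raw[0:4] = b"\x00\x00\x00\x00"
    return bytes(raw)

if __name__ == "__main__":
    repaired, names = repair_local_signatures(make_damaged_sample())
    with zipfile.ZipFile(io.BytesIO(repaired)) as zf:
        # testzip() returns None when every member's CRC checks out
        print(names, zf.testzip())
```

Cross-checking against the central directory before patching means a header that was damaged beyond the signature is reported instead of being silently "fixed".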