Tags: tar zip forensics
*([Original write-up](https://security.meta.stackexchange.com/a/3084/95381) by [@rawsec](https://twitter.com/rawsec/))*
## UnbreakMyStart (forensics, 337)
We get a `.tar.xz` file. Or so it seems...
```console
$ tar -xvf unbreak_my_start.tar.xz
tar: This does not look like a tar archive
xz: (stdin): File format not recognized
tar: Child returned status 1
tar: Error is not recoverable: exiting now
```
Thanks, `tar`, so helpful. Let's look inside:
```console
$ xxd unbreak_my_start.tar.xz
00000000: 504b 0304 1400 0800 0800 04e6 d6b4 4602  PK............F.
00000010: 0021 0116 0000 0074 2fe5 a3e0 07ff 007d  .!.....t/......}
00000020: 5d00 331b 0847 5472 2320 a8d7 45d4 9ae8  ].3..GTr# ..E...
00000030: 3a57 139f 493f c634 8905 8c4f 0bc6 3b67  :W..I?.4...O..;g
00000040: 7028 1a35 f195 abb0 2e26 666d 8c92 da43  p(.5.....&fm...C
00000050: 11e1 10ac 4496 e2ed 36cf 9c99 afe6 5a8e  ....D...6.....Z.
00000060: 311e cb99 f4be 6dca 943c 4410 8873 428a  1.....m..<D..sB.
00000070: 7c17 f47a d17d 7808 b7e4 22b8 ec19 9275  |..z.}x..."....u
00000080: 5073 0c34 5f9e 14ac 1986 d378 7b79 9f87  Ps.4_......x{y..
00000090: 0623 7369 4372 19da 6e33 0217 7f8d 0000  .#siCr..n3......
000000a0: 0000 001c 0f1d febd b436 8c00 0199 0180  .........6......
000000b0: 1000 00ad af23 35b1 c467 fb02 0000 0000  .....#5..g......
000000c0: 0459 5a                                  .YZ
```
It starts with `PK\x03\x04`, which is the ZIP local file header signature!
**Pro tip:** Be smarter than me and don't try to brute-force the ZIP file entry offsets for ages. See that footer? `0x59 0x5A` (`YZ`) is actually the `.xz` format's stream footer magic. So this appears to be a valid XZ file, just with a ZIP header glued on in place of the XZ magic.
Now, since we don't have the time and energy to read the spec, let's just make our own dummy `.xz`, use its header to replace the ZIP header and hope for the best. The first 6 bytes of any `.xz` file are the fixed magic `FD 37 7A 58 5A 00`, so those are the bytes we borrow, and everything after the 9-byte ZIP stub is kept as-is:
```console
$ tar -cJf foo.tar.xz -T /dev/null                       # empty dummy archive; we only want its xz magic
$ head -c 6 foo.tar.xz > patched.tar.xz                  # the 6-byte xz stream magic
$ tail -c +10 unbreak_my_start.tar.xz >> patched.tar.xz  # everything after the 9-byte ZIP stub
$ tar -xvf patched.tar.xz
flag.txt
$ cat flag.txt
hackover18{U_f0und_th3_B3st_V3rs10n}
```
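The same header surgery, as an added Python example that is not part of the original write-up, but with one thing the shell one-liner lacks: a check. An `.xz` stream header is 6 magic bytes, 2 stream-flag bytes and a little-endian CRC32 over those two flag bytes, so a patched file can be validated before anything is decompressed, and the "guess 9 bytes" step can be replaced by a scan over prefix lengths. The sample stream, the payload and the 9-byte `PK` stub length are constructed here to mimic the challenge file; `find_prefix_len` and the other function names are this example's own.

```python
import binascii
import lzma
import struct

# Real format constants.
XZ_MAGIC = b"\xfd7zXZ\x00"       # .xz stream header magic, 6 bytes
XZ_FOOTER_MAGIC = b"YZ"          # last two bytes of every .xz stream
ZIP_LOCAL_MAGIC = b"PK\x03\x04"  # ZIP local file header signature
BOGUS_PREFIX_LEN = 9             # assumption: the 6-byte magic was swapped for a 9-byte ZIP stub


def identify(data: bytes):
    """Say what the head and the tail of a blob claim to be."""
    if data.startswith(ZIP_LOCAL_MAGIC):
        head = "zip"
    elif data.startswith(XZ_MAGIC):
        head = "xz"
    else:
        head = "unknown"
    tail = "xz" if data.endswith(XZ_FOOTER_MAGIC) else "unknown"
    return head, tail


def stream_header_ok(data: bytes) -> bool:
    """Validate an .xz stream header: magic, stream flags (first byte must be 0),
    and the little-endian CRC32 that xz stores over the two flag bytes."""
    if len(data) < 12 or data[:6] != XZ_MAGIC:
        return False
    flags = data[6:8]
    (stored_crc,) = struct.unpack("<I", data[8:12])
    return flags[0] == 0 and binascii.crc32(flags) == stored_crc


def restore_xz_header(data: bytes, bogus_len: int = BOGUS_PREFIX_LEN) -> bytes:
    """Drop the bogus prefix and put the real magic back (the head/tail trick above)."""
    fixed = XZ_MAGIC + data[bogus_len:]
    if not stream_header_ok(fixed):
        raise ValueError("stream header CRC does not validate; wrong prefix length?")
    return fixed


def find_prefix_len(data: bytes, max_len: int = 64):
    """Generalisation of the guess: scan prefix lengths until the stream header
    validates and the stream really decompresses. Returns (length, fixed) or None."""
    for n in range(max_len):
        candidate = XZ_MAGIC + data[n:]
        if not stream_header_ok(candidate):
            continue
        try:
            lzma.decompress(candidate, format=lzma.FORMAT_XZ)
        except (lzma.LZMAError, EOFError):
            continue
        return n, candidate
    return None


def recover(data: bytes) -> bytes:
    """Repair the header and decompress the payload."""
    return lzma.decompress(restore_xz_header(data), format=lzma.FORMAT_XZ)


def make_sample(payload: bytes = b"flag{constructed_sample}\n"):
    """Constructed test data: a real .xz stream plus a copy whose 6-byte magic
    was replaced by a 9-byte ZIP-looking stub, the way the challenge file was."""
    good = lzma.compress(payload, format=lzma.FORMAT_XZ, check=lzma.CHECK_CRC64)
    broken = b"PK\x03\x04\x14\x00\x08\x00\x08" + good[6:]
    return good, broken


if __name__ == "__main__":
    good, broken = make_sample()
    print("head/tail:", identify(broken))
    print("prefix length found:", find_prefix_len(broken)[0])
    print("recovered:", recover(broken))
```

The CRC32 in the stream header is the cheap oracle here: if the prefix length is wrong, `stream_header_ok` fails immediately instead of producing a file that `tar` rejects with an unhelpful message, and the scan in `find_prefix_len` only spends a decompression attempt on candidates that pass it.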