Tags: scripting
Rating: 5.0
## Big Bird – Scripting
[Original Writeup is easier to read imo :)](https://lawfulwaffle.com/2020/06/13/nahamcon-ctf-writeups/#big-bird)
This challenge was my favorite for two reasons: I finished it just before the CTF ended, and it was the only scripting challenge I completed (darn you, _Really Powerful Gnomes_!) The challenge linked you to a Twitter page that had posts in this format:
![bigbird-twitter-posts](https://lawfulwaffle.com/wp-content/uploads/2020/06/bigbird-twitter.png)
The simplest way to start was to get all of those tweets in order. Luckily, there’s a dead-simple command line utility called [GetOldTweets3](https://github.com/Mottl/GetOldTweets3) for scraping Twitter pages
The first command got all the tweets into a CSV. The second one ordered the tweets by first number and only kept the last number.
> ` $ GetOldTweets3 --username "BigBird01558595" --since 2020-05-30 `
> ` $ cut -d',' -f 7 output_got.csv | tr -d '"' | tr -d '#' | sort -n -t' ' -k2 | cut -d' ' -f 3 > ordered.txt `
I think the hardest part for me was figuring out what the numbers meant.
![](https://lawfulwaffle.com/wp-content/uploads/2020/06/ordered-head.png)
- 137 was too high to be ASCII, so I initially ruled it out. Then I realized that decimal numbers 80, 78, and 71 were the letters PNG. AHA! It’s an image file!
- I was able to confirm this by checking that 137 is 89 in hex. All PNG files start with 0x89, the letters PNG (0x80 0x78 0x71), and [four more bytes](http://www.libpng.org/pub/png/spec/1.2/PNG-Structure.html). The following python snippet turned the decimal numbers into one long string of bytes represented in hex.
```
#!/usr/bin/python3
s = []
with open("decimals.txt") as f:
for line in f:
l = line.strip()
s.append(hex(int(l)))
raw_bytes=""
for num in s:
byte = num.split('x')[1]
if len(byte) == 1:
raw_bytes += "0" + byte
else:
raw_bytes += byte
print(raw_bytes)
```
- I output that raw hexdump to a text file and ran `xxd -r -p` on it to revert the hex characters to actual bytes. This gave me an actual image! Throwing that into a QR code reader gave me the flag: `flag{big_bird_tweets_big_tweets}`