# Red Joker Write-Up
### Presented to you by [Team 0x194](https://0x194.com/writeup/Metasploit%20Community%20CTF%202020/Red_Joker/).
Copyright © 2020 Team 0x194. Some Rights Reserved.
This work is licensed under a [Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)
For attribution, we would appreciate if you also include a link to our [original write-up](https://0x194.com/writeup/Metasploit%20Community%20CTF%202020/Red_Joker/)
This challenge can be found on port 9007.
Visit the website on port 9007, you can download a corrupted zip file `red_joker.zip`.
Since the archive file is corrupted, we cannot open it and unzip normally. Now, let's examine it with a hex editor. Open it and search for the bytes `50 4B 03 04` (in hex), which is the signature for a zip file entry. It is highlighted in red in the following screenshot.
OK! Now we've found the file entry for `joker_red.png`. If we look at the header of this entry, we can see that both the compressed file size and the original file size are `1E 02 01 00` (highlighted in blue), which indicates that the file is merely _stored_ in the zip, uncompressed.
Now we've located the file entry (thus where data area starts from), and the size of the data area,what's left is very straightforward.
>>> hex(0x000015FD + 0x0001021E - 1)
We calculate the byte offsets of the data area containing the bytes of the image, and extract it. The offset is from `00 00 15 FD` to `00 01 18 1A`.
Here is our flag! Let's calculate its checksum and submit it!
$ md5sum red_joker.png
### Some Useful Resource
- Buchholz, Florian. "The structure of a PKZip file." [users.cs.jmu.edu/buchhofp/forensics/formats/pkzip.html](https://users.cs.jmu.edu/buchhofp/forensics/formats/pkzip.html)
Nice write up and one that I will keep in my notes. I initially used foremost and it extracted the image.
@kartibok Thank you! I didn't know about foremost before, thanks for sharing!