Rating: 4.5

# Red Joker Write-Up

### Presented to you by [Team 0x194](https://0x194.com/writeup/Metasploit%20Community%20CTF%202020/Red_Joker/).

For attribution, we would appreciate if you also include a link to our [original write-up](https://0x194.com/writeup/Metasploit%20Community%20CTF%202020/Red_Joker/)

-----

This challenge can be found on port 9007.

Visit the website on port 9007, you can download a corrupted zip file red_joker.zip.

Since the archive file is corrupted, we cannot open it and unzip normally. Now, let's examine it with a hex editor. Open it and search for the bytes 50 4B 03 04 (in hex), which is the signature for a zip file entry. It is highlighted in red in the following screenshot.

OK! Now we've found the file entry for joker_red.png. If we look at the header of this entry, we can see that both the compressed file size and the original file size are 1E 02 01 00 (highlighted in blue), which indicates that the file is merely _stored_ in the zip, uncompressed.

Now we've located the file entry (thus where data area starts from), and the size of the data area,what's left is very straightforward.

python
>>> hex(0x000015FD + 0x0001021E - 1)
'0x1181a'


We calculate the byte offsets of the data area containing the bytes of the image, and extract it. The offset is from 00 00 15 FD to 00 01 18 1A.

Here is our flag! Let's calculate its checksum and submit it!

console
\$ md5sum red_joker.png


### Some Useful Resource

- Buchholz, Florian. "The structure of a PKZip file." [users.cs.jmu.edu/buchhofp/forensics/formats/pkzip.html](https://users.cs.jmu.edu/buchhofp/forensics/formats/pkzip.html)

Original writeup (https://0x194.com/writeup/Metasploit%20Community%20CTF%202020/Red_Joker/).
kartibokDec. 8, 2020, 10:07 a.m.

Nice write up and one that I will keep in my notes. I initially used foremost and it extracted the image.
K

yechsDec. 9, 2020, 2:54 p.m.

@kartibok Thank you! I didn't know about foremost before, thanks for sharing!