BSidesSF 2021 CTF: Tapesplice

Tapeslice

158 points

Does this tape look like it’s been cut to you?

(author: symmetric)

tapesplice.tar

Solution

Attached file seems to be a tar archive.

luc@slon:~/Pobrane$ tar xvf tapesplice.tar 
thankyou_noflag.png

thankyou noflag

Despite the fact that binwalk can’t find anything I’ve decided to double check with hexedit.

hexedit

“Normal” png file ends with IEND followed by 4 bytes. It looks like there’s something more in the tar. Let’s try to extract it with “vulgar” dd.

luc@slon:~/Pobrane$ dd ibs=1 obs=1 skip=129135 if=tapesplice.tar of=surprise
3985+0 przeczytanych rekordów
3985+0 zapisanych rekordów
skopiowane 3985 bajtów (4,0 kB, 3,9 KiB), 0,00816783 s, 488 kB/s
luc@slon:~/Pobrane$ file surprise 
surprise: bzip2 compressed data, block size = 900k

Ok, we’re home ;-)

luc@slon:~/Pobrane$ bunzip2 surprise
bunzip2: Can't guess original name for surprise -- using surprise.out

bunzip2: surprise: trailing garbage after EOF ignored
luc@slon:~/Pobrane$ cat surprise.out
CTF{everything_has_space_for_hidden_data}

Flag

CTF{everything_has_space_for_hidden_data}

Privacy Policy
luc © 2021