Forensic tool. Software that can separate files into n-byte sections, analyze them, and output them.
Useful when files are hidden and inserted every n bytes.
フォレンジックツール.ファイルをnバイトごとにskipして解析することができます.ファイルをnバイトごとに区切って解析し,出力できるソフト.
nバイトごとに別のファイルが挿入されている場合に便利です.
You can search for file types by combining parameters.
パラメータを組み合わせてファイルの種類を探索できます,
git clone https://github.com/trimscash/skiphead ~
cd skiphead
cargo build -r
echo "export PATH=\$PATH:\$HOME/skiphead/target/release" >> ~/.zshrc
source ~/.zshrc
and use it. Replace .zshrc with the one you are using
Parse the header of the file skipped by n bytes and display the file type.
skiphead can search for file types by combining parameters.
Forensic app
Usage: skiphead [OPTIONS] <FILE>
Arguments:
<FILE>
Options:
-s <SKIP_NUMS>...
Number of skips. Must be greater than 0 [default: 1 2 3] [short aliases: n]
-l <PICK_LENGTH>...
Length to pick up from that location. Must be greater than 0 [default: 0]
-o <PICK_OFFSET>...
Offset to start picking within that range. Must be greater than or equal to 0 [default: 0]
-f <FILE_OFFSET>
Offset to start parsing the entire file [default: 0]
-c, --combinate
Combinate param mode. default mode is one on one
-x, --export-file
Whether to output the file [aliases: output, export, output-file]
-z, --only
Only non bin file
-p, --print
Print head of buffer
--output-directory <OUTPUT_DIRECTORY>
Output directory path [default: ./skiphead_out]
-h, --help
Print help
https://play.picoctf.org/practice/challenge/354
この問題を以下のwriteupを参考にしながらskipheadで解く.
Solve this problem with skiphead, referring to the following writeup.
https://digitaltravesia.jp/CTF/picoCTF2023/picoCTF_2023_Writeup.html
ファイルオフセット140 byteから4byteごとに2byte,別のファイルが挿入されている.
Every 4 bytes from file offset 140 bytes to 2 bytes, another file is inserted.
これをskipheadでやると以下のコマンドでできる.
This can be done with skiphead by the following command.
skiphead output.bmp -f 140 -n 4 -l 2
このようにZIPヘッダであることがわかる.さらに,--outputオプションをつけることで./skiphead_outにファイルを抽出することができる.
As you can see, it is a ZIP header. In addition, the --output option can be used to extract the file to . /skiphead_out.
skiphead output.bmp -f 140 -n 4 -l 2 --output
これを以下のコマンドで展開し,"{"で文字列を抽出するとフラグが得られる.
This is expanded with the following command, and the flag is obtained by extracting the string with "{".
7z e skip_4_pick_offset_0_pick_length_2_file_offset_140
picoCTF{w0rd_d4wg_y0u_f0und_5h3113ys_m4573rp13c3_a23dfbd4}
- Contributions are welcome!
- ほしい機能があればコントリビュータになってください!