General
File
Begin with identifying the type of file. At times we may need to know what kind of file we are dealing with. Use the file command to identify your file.
Syntax: file [options] filename
Options: `-b` (brief): Omit the filename in the output.
`-i` (mime): Output MIME type strings.
`-f` (files from file): Read filenames from a specified file.
`-L` (dereference): Follow symbolic links.
`-s` (special files): Read block or character special files.
There are cases where we may be given a file with a certain extension (e.g. jpg); to check its authenticity you may use the file command. Any inconsistency between the extension and the type the command reports means a corrupt file. This can also be noticed when you are unable to open the file. In such cases the file signature must be fixed. We will see this in a later example.
Strings
Analyzing the file type alone will not give us any leads to go further. We can make use of the strings command to print the human-readable characters hidden within a file (mostly binary files).
Now, why do we use this?
The strings command quickly extracts embedded data, flags or sometimes indicators of compromise, i.e. URLs, IP addresses or file paths to go forward with.
Syntax: strings [option] file
Options: -a or --all (Scan the entire file, not just the initialized and loaded sections.)
-n <number> (Minimum length of strings to display; the default is 4.)
-t <radix> (Print the offset before each string; the radix can be o, x or d.)
-e <encoding> (Select the character encoding.)
Exiftool
To get details about the metadata we can use exiftool. It helps in understanding the data in hand. Sometimes we get flags just by using this command.
Syntax: exiftool [OPTIONS] FILE
Options: -r (Recursively process directories.)
-overwrite_original (Overwrite original file with edited metadata.)
-o (Write output to the specified file.)
-d (Set the date format for output.)
-gps:all (Extract all GPS information.)
Binwalk
Another alternative to exiftool for analyzing the data is binwalk.
It can extract data embedded within files such as firmware images, executables and disk images.
Syntax: binwalk [OPTIONS] FILE(S)
Installation: sudo apt-get install binwalk
Options: -B (Only scan for file signatures.)
-e (Automatically extract files from the input.)
-M or --matryoshka (Recursively scan extracted files.)
-y (Search for known executable code within files.)
-l (List all available extraction signatures.)
-D (Disassemble extracted code.)
xxd
This command is used when we need the file's contents in hexadecimal format. It shows the binary content in a more readable form. It can be used to analyse file signatures even if file extensions have been changed or removed. It can also be used for data recovery by simply fixing the file header.
Syntax: xxd [OPTIONS] FILE(S)
Installation: sudo apt install xxd
Options: -r (Reverse a hexdump.)
-p (Create a plain hexdump without the ASCII representation.)
-c (Specify the number of columns in the output.)
WALKTHROUGH 1
We shall see an easy example.
Let us start by identifying the file using the file command. This gives us the file details, such as that it is a jpg image file. We continue executing commands as in our general list, looking for any suspicious-looking strings. On executing exiftool we observe something uncanny.
We can see that the License here consists of both uppercase and lowercase characters. This could be encoded in Base64. Now, what is Base64? It is binary data encoded as printable ASCII text. It usually has an = at the end (not in this case; the = is just a padding character), which is one way you can identify that it is Base64.
Now just copy the License: cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9
And paste it into any Base64 decoder available online.
You should get your flag: picoCTF{the_m3tadata_1s_modified}
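As an added example that is not part of the original page, the two checks this guide relies on written in Python: comparing a file's leading bytes with its extension (what file and xxd reveal about a renamed or corrupt file) and decoding a Base64-looking metadata value such as the License field above, tolerating missing = padding. The signature table and the sample file bytes are constructed here.

```python
import base64
import binascii
import re
from typing import Optional

# Constructed signature table: leading bytes -> extension (offset-0 magic only).
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF89a": "gif",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
}

def identify(data: bytes) -> Optional[str]:
    """Mimic `file`: match the first bytes against the known signatures."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None

def signature_matches_extension(filename: str, data: bytes) -> bool:
    """False when the bytes disagree with the extension: a renamed or corrupt file."""
    ext = filename.rsplit(".", 1)[-1].lower()
    ext = "jpg" if ext == "jpeg" else ext
    return identify(data) == ext

_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

def decode_if_base64(value: str) -> Optional[str]:
    """Decode a metadata value that looks like Base64 (mixed case, digits, +, /),
    adding any missing '=' padding. Returns None if it is not Base64 or not text."""
    value = value.strip()
    if len(value) < 8 or not _B64_RE.match(value):
        return None
    padded = value + "=" * (-len(value) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None

if __name__ == "__main__":
    # Constructed sample: named .jpg but carrying a PNG header, as xxd would show.
    fake_jpg = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    print(identify(fake_jpg), signature_matches_extension("cat.jpg", fake_jpg))
    # The License value from the walkthrough above.
    print(decode_if_base64("cGljb0NURnt0aGVfbTN0YWRhdGFfMXNfbW9kaWZpZWR9"))
```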