Forensics - XIPPER

Something is wrong with this file. Can you open it before the winter season?


In this challenge we are given a file called xipper.PNG. Running file on it shows that it is actually a ZIP archive, so we rename it to xipper.zip. However, attempting to unzip it fails with the following error:

$ unzip xipper.zip 
Archive:  xipper.zip
file #1:  bad zipfile offset (local header sig):  0

Opening the file in a hex editor, we see that the first four bytes are wrong. A ZIP local file header starts with the signature 50 4B 03 04 (PK\x03\x04), but this one has 50 4B 04 03. Swapping the last two bytes restores the signature, and unzip now gets past the header check.
However, we then get a new error:

$ unzip xipper.zip
Archive:  xipper.zip
flag.txt:  mismatching "local" filename (flag.txtmP-n-0^P<�+b�),
         continuing with "central" filename version
  inflating: flag.txt                 bad CRC 19742d59  (should be d151cc46)

The extracted file has a bad CRC and a corrupted filename (unzip fell back to the name stored in the central directory, which is why it still produced flag.txt). Investigating further with zipdetails:

$ zipdetails xipper.zip

...
001A Filename Length       0014
001C Extra Length          0000
001E Filename              'flag.txtmP�n�0 <��b�'
...

The filename length field is set to 0x0014 (20) instead of 8, so the 12 bytes following "flag.txt" are read as part of the filename. Those 12 bytes are actually the start of the compressed data, which means the decompressor begins 12 bytes into the deflate stream; that is what produces both the garbage in the name and the CRC mismatch. The field is a 2-byte little-endian value at offset 0x001A, so changing 14 00 to 08 00 (the length of flag.txt) fixes it.
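The two repairs above (the swapped signature bytes and the inflated filename-length field) can be done mechanically by trusting the central directory over the local file header. The following is an added example, not part of the original writeup or the challenge files: it builds its own small ZIP, corrupts it the same way the challenge file was corrupted, and repairs it. The payload text, the file name flag.txt and the 0x14 bogus length are constructed to mirror the challenge; only the first archive member is handled.

```python
"""Added example: repair a ZIP whose first local file header has a byte-swapped
signature and an inflated filename-length field, using the central directory
as the source of truth (the two corruptions found in the xipper challenge)."""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"    # correct local file header signature, 50 4B 03 04
SWAPPED_SIG = b"PK\x04\x03"  # what the challenge file had, 50 4B 04 03
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"

# Fixed offsets inside the local file header (PKWARE APPNOTE, section 4.3.7)
LH_NAME_LEN = 26   # 0x1A, 2 bytes little-endian
LH_NAME = 30       # 0x1E, filename starts here


def make_corrupt_zip(name: str, payload: bytes, bogus_name_len: int) -> bytes:
    """Constructed sample: build a valid ZIP with zipfile, then damage it the
    way the challenge file was damaged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    data[2:4] = b"\x04\x03"                                    # swap 03 04 -> 04 03
    struct.pack_into("<H", data, LH_NAME_LEN, bogus_name_len)  # too-long name field
    return bytes(data)


def local_header_name(data: bytes) -> bytes:
    """Filename as a naive parser reads it: trusting the local length field."""
    name_len = struct.unpack_from("<H", data, LH_NAME_LEN)[0]
    return bytes(data[LH_NAME:LH_NAME + name_len])


def repair(data: bytes) -> bytes:
    """Fix the signature and reconcile the local filename length with the
    central directory entry. Only the first entry is handled."""
    data = bytearray(data)

    # 1. Signature: a byte-swapped PK\x04\x03 is restored; anything else is rejected.
    if data[:4] == SWAPPED_SIG:
        data[:4] = LOCAL_SIG
    if data[:4] != LOCAL_SIG:
        raise ValueError("not a ZIP local file header")

    # 2. Locate the central directory via the end-of-central-directory record
    #    (its offset lives 16 bytes into the EOCD record).
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    cd_off = struct.unpack_from("<I", data, eocd + 16)[0]
    if data[cd_off:cd_off + 4] != CENTRAL_SIG:
        raise ValueError("central directory not where EOCD says it is")

    # 3. The central entry carries the authoritative name length (+28), the
    #    offset of the local header it describes (+42) and the name (+46).
    cd_name_len = struct.unpack_from("<H", data, cd_off + 28)[0]
    lh_off = struct.unpack_from("<I", data, cd_off + 42)[0]
    true_name = bytes(data[cd_off + 46:cd_off + 46 + cd_name_len])

    # 4. If the local header claims a longer name, the surplus bytes are really
    #    the start of the compressed stream; shrinking the field moves the data
    #    pointer back, which is what also fixes the "bad CRC".
    if data[lh_off + LH_NAME:lh_off + LH_NAME + cd_name_len] != true_name:
        raise ValueError("local and central names disagree beyond the length field")
    lh_name_len = struct.unpack_from("<H", data, lh_off + LH_NAME_LEN)[0]
    if lh_name_len != cd_name_len:
        struct.pack_into("<H", data, lh_off + LH_NAME_LEN, cd_name_len)
    return bytes(data)


def extract_first(data: bytes) -> bytes:
    """Extract the first member; zipfile verifies the CRC-32 while reading."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read(zf.namelist()[0])


def extracts_cleanly(data: bytes) -> bool:
    """True if the first member extracts with a valid header and CRC."""
    try:
        extract_first(data)
        return True
    except zipfile.BadZipFile:
        return False


# Constructed payload, long enough that a 20-byte "name" swallows 12 bytes of it.
SAMPLE_TEXT = b"Sample text standing in for the hidden poem.\n" * 3
SAMPLE = make_corrupt_zip("flag.txt", SAMPLE_TEXT, 0x14)

if __name__ == "__main__":
    print("local name before repair:", local_header_name(SAMPLE))
    print("extracts before repair:", extracts_cleanly(SAMPLE))
    fixed = repair(SAMPLE)
    print("local name after repair:", local_header_name(fixed))
    print(extract_first(fixed).decode())
```

Python's zipfile is stricter than unzip here: it refuses the corrupt sample outright (bad magic, then a local/central name mismatch) rather than continuing with the central-directory name, so a clean extract after repair also confirms the CRC now matches.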

After that, the ZIP extracts cleanly. The content of flag.txt is:

The woods are lovely, dark and deep / But I have promises to keep / And miles to go before I sleep.
— Robert Frost, “Stopping By Woods on a Snowy Evening"	     	 
      	 		    	    	   	      	  	     	 
	    	 	    	     	 	      	     	      	 
  	 	     	  	      	   		  	      	     
       	  	  	       		      		  	  	     
      	  	      	     	      	       	   		     	    
 	      	  	      	      	      	       	   	  	       
     	   	 	     	    	    	  	     	     	 
	  	       	     	   	    	    		  	   
    		 	       	      	     

Below the poem there are many lines consisting only of spaces and tabs. At first this looked like Whitespace code, but decoding it failed. Further searching led to SNOW, a steganography tool that hides messages in the trailing whitespace at the ends of ASCII text lines.

Download SNOW and run it on flag.txt with the -C flag, which uncompresses the extracted data (SNOW compresses the message when concealing it):

$ ./snow/snow -C flag.txt 
CyberGonCTF{Z1pp3R_4nD_573G5n0W}