# HeadOn from OpenCTF 2018 *by Javantea* *Aug 12, 2018* HeadOn is an easy forensics challenge. [HeadOn-ac8890852965d787f7591bc10add61bb01efb5eb](https://www.altsci.com/concepts/images/HeadOn-ac8890852965d787f7591bc10add61bb01efb5eb) contained [blob](https://www.altsci.com/concepts/images/blob) which is a zip file. ``` file blob blob: Zip archive data, made by v?[0x31e], extract using at least v2.0, last modified Sun Dec 12 05:18:44 2010, uncompressed size 10299, method=deflate ``` ``` unzip -l blob Archive: blob Length Date Time Name --------- ---------- ----- ---- 10299 08-04-2018 11:25 flag.pdf --------- ------- 10299 1 file ``` ``` unzip -v blob Archive: blob Length Method Size Cmpr Date Time CRC-32 Name -------- ------ ------- ---- ---------- ----- -------- ---- 10299 Defl:N 9575 7% 08-04-2018 11:25 bfeb2149 flag.pdf -------- ------- --- ------- 10299 9575 7% 1 file unzip blob Archive: blob file #1: bad zipfile offset (local header sig): 0 ``` I tried pulling the deflated data out by hand using Unproprietary, but no such luck. Then I looked at the file in a hex editor. It looks kinda like this: ``` hexdump -C blob |head 00000000 00 00 00 00 14 00 00 00 08 00 34 5b 04 4d 49 21 |..........4[.MI!| 00000010 eb bf 67 25 00 00 3b 28 00 00 08 00 1c 00 66 6c |..g%..;(......fl| 00000020 61 67 2e 70 64 66 55 54 09 00 03 a3 ef 65 5b b0 |ag.pdfUT.....e[.| 00000030 ef 65 5b 75 78 0b 00 01 04 00 00 00 00 04 00 00 |.e[ux...........| 00000040 00 00 85 5a 75 58 54 5b d7 bf 0a 06 83 34 32 34 |...ZuXT[.....424| 00000050 43 37 33 4c 30 8c 20 20 29 9d 82 94 e4 10 02 43 |C73L0. )......C| 00000060 23 8d 84 80 80 a4 8a 74 4b 48 23 dd dd 21 2d 9d |#......tKH#..!-.| 00000070 c2 48 49 89 f4 07 de fb c6 f7 de f7 7b be f3 3c |.HI.........{..<| 00000080 fb 9c bd 62 af b5 f6 5a bf bd cf 1f 7b b3 aa 48 |...b...Z....{..H| 00000090 4a f3 f2 f3 21 00 ac ad 99 ad 75 ad 15 ad 29 00 |J...!.....u...).| ``` I noticed that the normal PK\x03\x04 header was missing, so I looked at infozip's documents and found that the first thing would be to try adding the first 4 bytes. That turned out to be the solution. [Documentation](https://users.cs.jmu.edu/buchhofp/forensics/formats/pkzip.html) ``` unzip ../bloba. Archive: ../bloba. inflating: flag.pdf okular flag.pdf pdftotext flag.pdf cat flag.txt Flag{SDG7qJ734rIw6f3f90832r} ``` The flag is visible in [the pdf](https://www.altsci.com/concepts/images/flag.pdf).