Challenge Description#
- Name: tGIF
- Category: misc
- Points: 50
- Challenge Description:
TGIF, but I think I’m either rendering my file wrongly or the dimensions are just off.
File Analysis#
The challenge began with a file named tgif that did not have a recognizable file type. Running the file command gave the following output:
└─$ file tgif
tgif: data
The file utility could not identify the file type. This hinted that the file might have corrupted or missing magic headers.
Hexadecimal Analysis#
To investigate further, I opened the file in hexedit and examined the first few bytes. Here is part of the header:
00000000 47 04 46 38 39 61 90 01 C8 00 F7 00 00 00 00 00 G.F89a..........
00000010 25 1E 25 3A 31 34 3D 43 62 46 3E 48 48 35 32 4E %.%:14=CbF>HH52N
00000020 4D 65 4F 3A 34 56 4F 61 57 45 46 5A 3F 38 5E 46 MeO:4VOaWEFZ?8^F
The header did not match any known magic number for standard file types. However, parts of it (47 04 46 38 39 61) resembled the magic header for GIF files, which should be GIF89a. GIF Bits and Bytes guide
Correcting the Magic Header#
I replaced the incorrect bytes (47 04) with 47 49 (G and I) to create the proper magic header GIF89a. This allowed the file to be recognized as a GIF image.
└─$ file tgif
tgif: GIF image data, version 89a
GIF Integrity Check#
After fixing the header, I opened the GIF. It was partially corrupted—the image displayed, but it was incomplete. This suggested that some other fields in the header, such as width or height, were incorrect.
Modifying the Height#
To fix the GIF, I adjusted the height value in the header. I used the online tool RedKetchup GIF Resizer to modify the height and correct the file.
Flag#
After correcting the height, the GIF displayed correctly, revealing the full image showing the flag
r00t{d38252762d3d4fd229faae637fd13f4c}