Tragic Magic
Tragic Magic is a forensics challenge involving a corrupted image file. We are provided with a file named flag.png and a hint suggesting that the file transfer protocol might have messed up the binary data.
Information Gathering
We start by trying to identify the file type using the file command:
$ file flag.png
flag.png: data
The file command simply says "data", which means it doesn't recognize the file signature (magic bytes).
Analysis
Let's inspect the first few bytes of the file using xxd:
$ xxd -l 16 flag.png
00000000: 5550 4e47 4141 1a0a 0000 000d 4948 4452 UPNGAA......IHDR
We can clearly see the strings PNG and IHDR in the ASCII representation. PNG is part of the standard file signature, and IHDR is the mandatory first chunk of any valid PNG file. This confirms beyond any doubt that the file is intended to be a PNG image.
However, the "Magic Bytes" (the 8-byte file signature) at the very beginning are incorrect.
Valid PNG signature:
89 50 4E 47 0D 0A 1A 0A (.PNG....)
Our file signature:
55 50 4E 47 41 41 1A 0A (UPNGAA..)
The signature has been partially corrupted:
- 89 became 55 ('U')
- 0D 0A (Windows newline) became 41 41 ('AA')
This matches the hint about an "optimal ASCII protocol" mangling the binary data.
Solution
We need to repair the file header so image viewers can recognize it.
- Open flag.png in a hex editor.
- Locate the first 8 bytes.
- Replace them with the standard PNG signature: 89 50 4E 47 0D 0A 1A 0A.
- Save the file.
Alternatively, we can use printf to overwrite the header via the command line:
printf "\x89\x50\x4E\x47\x0D\x0A\x1A\x0A" | dd of=flag.png bs=1 count=8 conv=notrunc
After fixing the header, the file is recognized correctly:
$ file flag.png
flag.png: PNG image data, 1024 x 512, 8-bit/color RGBA, non-interlaced
Opening the restored image reveals the flag written in the pixels:
{flag: corrupted_png_header}
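The header comparison and repair above can also be scripted. The following is an added example, not part of the original write-up; it goes one step further than the manual fix by walking the PNG chunks and verifying each CRC-32, which shows whether the transfer damaged only the signature or also the chunk data. The function names are hypothetical and the 1x1 sample image is constructed in the script, so it runs without the challenge file.

```python
import struct
import zlib

PNG_SIG = bytes.fromhex("89504e470d0a1a0a")  # 89 50 4E 47 0D 0A 1A 0A

def diff_signature(data):
    """Return (offset, found, expected) for each signature byte that differs."""
    return [(i, f, w) for i, (f, w) in enumerate(zip(data[:8], PNG_SIG)) if f != w]

def repair_signature(data):
    """Return a copy with the first 8 bytes replaced by the PNG signature."""
    return PNG_SIG + data[8:]

def check_chunks(data):
    """Walk the chunks after the signature; return [(type, crc_ok)] up to IEND."""
    results, pos = [], 8
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length
        if end + 4 > len(data):
            results.append((ctype, False))  # truncated file or damaged length field
            break
        stored = struct.unpack(">I", data[end:end + 4])[0]
        results.append((ctype, zlib.crc32(data[pos + 4:end]) == stored))  # CRC covers type + data
        pos = end + 4
        if ctype == b"IEND":
            break
    return results

def make_chunk(ctype, body):
    # Chunk layout: 4-byte big-endian length, 4-byte type, data, CRC-32 of type + data
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def sample_png():
    """Constructed 1x1 RGBA PNG (sample data, not the challenge file)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)
    idat = zlib.compress(b"\x00" + b"\xff\x00\x00\xff")  # filter byte + one red pixel
    return PNG_SIG + make_chunk(b"IHDR", ihdr) + make_chunk(b"IDAT", idat) + make_chunk(b"IEND", b"")

if __name__ == "__main__":
    damaged = bytes.fromhex("55504e4741411a0a") + sample_png()[8:]  # header bytes from the xxd output
    for off, found, want in diff_signature(damaged):
        print(f"offset {off}: found {found:02x}, expected {want:02x}")
    for ctype, ok in check_chunks(repair_signature(damaged)):
        print(ctype.decode("ascii", "replace"), "CRC ok" if ok else "CRC MISMATCH")
```

A CRC mismatch after the signature is repaired means bytes inside the chunks were altered as well, so overwriting the first 8 bytes alone would not restore the image.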