Flags may be hidden in the image and can only be revealed by dumping the hex and looking for a specific pattern. mystery: data CRC error in chunk pHYs (computed 38d82c82, expected 495224f0) After using a tool such as pngcheck, if there are critical chunks with incorrect sizes defined, then this tool will automatically go through each critical chunk and fix their sizes for you. Recover the flag. The latter includes a quick guide to its usage. AperiCTF 2019 - [OSINT] Hey DJ (175 points) Tip2: Use the -n flag on the strings command to search for strings that are at least n characters in length. If you are writing a custom image file format parser, import the Python Image Library (PIL) aka Pillow. Example 1:You are provided an image named ocean.jpg.Running the exiftool command reveals the following information. Your file will be uploaded and we'll show you file's defects with preview. Find all corrupted PNG files: find . ``` Each chunk starts with 4 bytes for the length of the chunk, 4 bytes for the type, then the chunk content itself (with the length declared earlier) and 4 bytes of a checksum. chunk sRGB at offset 0x00025, length 1 Hello, I am doing forensics CTF challenges and wanted to get some advice on how to investigate the images. Exiftool We start by inspecting the metadata with exiftool:. Also, the creator of the challenge give you a hint with the two last letters. Run pngcheck -vtp7f filename.png to view all info. New Steganographic Techniques for the OOXML File Format, 2011 details some ideas for data hiding techniques, but CTF challenge authors will always be coming up with new ones. Initial thought, title points to 'crc' so we must be looking at a corrupted png, and damn was it corrupted. PNG files can be dissected in Wireshark. Any challenge to examine and process a hidden piece of information out of static data files (as opposed to executable programs or remote servers) could be considered a Forensics challenge (unless it involves cryptography, in which case it probably belongs in the Crypto category). You could also interface Wireshark from your Python using Wirepy. PDF is an extremely complicated document file format, with enough tricks and hiding places to write about for years. Since the pixels per unit differ in just one byte, and the 0xaa for the X axis makes the value very large, it makes sense to place a zero instead. PNG files can be dissected in Wireshark. It would be wasteful to transmit actual sequences of 101010101, so the data is first encoded using one of a variety of methods. At first you may not have any leads, and need to explore the challenge file at a high-level for a clue toward what to look at next. Long story short, heres what we did next: PS: I know that some of you was wondering how wonderful our script wasso have a good headache after it ;-). You signed in with another tab or window. |`50 4E 47`| In ASCII, the letters PNG, allowing a person to identify the format easily if it is viewed in a text editor.| The next chunk in a PNG after the header is the IHDR chunk, which defines the composition of the image. Its advantage is its larger set of known filetypes that include a lot of proprietary and obscure formats seen in the real world. 3. containment-forever.sharkyctf.xyz, SharkyCTF 2020 - [Forensic] Romance Dawn (100pts) Click inside the file drop area to upload a file or drag & drop a file. Statement of the challenge Are you sure you want to create this branch? Lets start with the PNG header. You may need to download binwalk on your system. It's no longer available at its original URL, but you can find a copy here. The easy initial analysis step is to check an image file's metadata fields with exiftool. Palindrome must have leaked one of their passwords as the 4 corrupted bytes (Part 1 flag)! file mystery In a CTF, part of the game is to identify the file ourselves, using a heuristic approach. Please do not expect to find every flag using these methods. The ImageMagick toolset can be incorporated into scripts and enable you to quickly identify, resize, crop, modify, convert, and otherwise manipulate image files. If partial trials are present, this function will % remove them from the last meg4 file. Thanks for reading. When the run Window appears, type cmd and press the Enter button. Corrupted jpeg/jpg, gif, tiff, bmp, png or raw images are files that suddenly become unusable and can't be opened. There may be times when you are given a file that does not have an extension or the incorrect extension has been applied to add confusion and misdirection. The participant or team with the highest score wins the event. === So, we just need to override 0xAAAA with zeroes again. Hopefully with this document, you can at least get a good headstart. Therefore, we get the length of 0x10004 - 0x5B - 0x4 = 0xFFA5 which is good since the original value is 0xAAAAFFA5. A summary of the PNG compression algorithm in layman's terms including 7 tips for reducing the file size. You signed in with another tab or window. We can read `0xffa5 bytes`. Technically, it's text ("hello world!") We just have to set the first two bytes to zero which give us : For solving forensics CTF challenges, the three most useful abilities are probably: The first and second you can learn and practice outside of a CTF, but the third may only come from experience. CTF challenge authors have historically used altered Hue/Saturation/Luminance values or color channels to hide a secret message. It seems Luffy played with my picture and I'm not able to open it anymore. We received this PNG file, but were a bit concerned the transmission may have not quite been perfect. |-|-| This is vital if the image appears corrupt. chunk IDAT at offset 0x00057, length 65445, zlib: deflated, 32K window, fast compression, chunk IDAT at offset 0x10008, length 65524, chunk IDAT at offset 0x20008, length 65524, chunk IDAT at offset 0x30008, length 6304. Of course, if you just need to decode one QR code, any smartphone will do. The closest chunk type is IDAT, let's try to fix that first: Now let's take a look at the size. Based on the output, the 19th key value must be 0x3 and the 20th key must be 0xbe. You may also try zsteg. |`89` | Has the high bit set to detect transmission systems that do not support 8-bit data and to reduce the chance that a text file is mistakenly interpreted as a PNG, or vice versa.| magick identify is a tool from ImageMagick. Strings. Audacity is the premiere open-source audio file and waveform-viewing tool, and CTF challenge authors love to encode text into audio waveforms, which you can see using the spectogram view (although a specialized tool called Sonic Visualiser is better for this task in particular). This tool tries to recover a valid image even if only the pure data section (IDAT chunk) of the image is left. Better image quality in your Twitter tweets. I H D R. Now file recognizes successfully that the file is a PNG $ file Challenge Challenge: PNG image data, 1920 x 1289, 8-bit/color RGB, interlaced I still wasn't able to read it. PNG files, in particular, are popular in CTF challenges, probably for their lossless compression suitable for hiding non-visual data in the image. tags: CTF, picoCTF, Forensic, PNG To verify the correctness or attempt to repair corrupted PNGs you can use pngcheck Follow my twitter for latest update. Binwalk is a tool that allows you to search binary images for embedded files and executable code. |`89 50 4E 47`|`. pngcheck -v mystery_solved_v1.png 0x89 0x50 0x4E 0x47 0xD 0xA 0x1A 0xA instead of 0x89 0x50 0x4E 0x47 0x0A 0x1A 0x0A, the actual header of our challenges file. Cookie Notice Statement of the challenge Broadly speaking, there are two generations of Office file format: the OLE formats (file extensions like RTF, DOC, XLS, PPT), and the "Office Open XML" formats (file extensions that include DOCX, XLSX, PPTX). . No errors detected in mystery_solved_v1.png (9 chunks, 96.3% compression). The aforementioned dissector tools can indicate whether a macro is present, and probably extract it for you. chunk IDAT at offset 0x00057, length 65445 And that's for all occurrences, so there are (I'm guessing here) 3 possibilities for n occurrences. rendering intent = perceptual View all strings in the file with strings -n 7 -t x filename.png. The images will be stored at this GIT repository if youd like to download them and try the commands and tools for yourself. Once that is done, type sfc/scannow' in the command prompt window and press the 'Enter' button again. |`49 44 41 54`|`I D A T`| From the wikipedia [PNG format page](https://en.wikipedia.org/wiki/Portable_Network_Graphics#File_header), everything is explained. **| author: Maltemo For EXT3 and EXT4 filesystems, you can attempt to find deleted files with extundelete. Occasionally, a CTF forensics challenge consists of a full disk image, and the player needs to have a strategy for finding a needle (the flag) in this haystack of data. Patience is key. The file command shows that this is a PNG file and not a JPG. When you have a challenge with a corrupted `file`, you can start with file command : You can do this also on the image processing page. ! For a more local converter, try the xxd command. The premiere open-source framework for memory dump analysis is Volatility. Understand the technical background of online image compression tools and learn which image compressor you should use from now on. . Like image file formats, audio and video file trickery is a common theme in CTF forensics challenges not because hacking or data hiding ever happens this way in the real world, but just because audio and video is fun. P N G`| Most audio and video media formats use discrete (fixed-size) "chunks" so that they can be streamed; the LSBs of those chunks are a common place to smuggle some data without visibly affecting the file. [](https://proxy.duckduckgo.com/iu/?u=https%3A%2F%2Fmedia.tenor.com%2Fimages%2F4641449478493d8645990c3794ea7429%2Ftenor.gif&f=1&nofb=1) Made for fixed-function low-resource environments, they can be compressed, single-file, or read-only. Example 1:You are provided an image named computer.jpg.Run the following command to view the strings in the file. This is what is referred to as binary-to-text encoding, a popular trope in CTF challenges. We can use binwalk to search images for embedded files such as flags or files that may contain clues to the flag. Confused yet? So, we ran file on the challenge file: The file was, in fact, corrupted since it wasnt recognized as a PNG image. hexed.it helps a whole lot. One important security-related note about password-protected zip files is that they do not encrypt the filenames and original file sizes of the compressed files they contain, unlike password-protected RAR or 7z files. ASCII characters themselves occupy a certain range of bytes (0x00 through 0x7f, see man ascii), so if you are examining a file and find a string like 68 65 6c 6c 6f 20 77 6f 72 6c 64 21, it's important to notice the preponderance of 0x60's here: this is ASCII. Description ### Description ``` [TOC] in the context of a CTF photo forensics competition. Ange Albertini also keeps a wiki on GitHub of PDF file format tricks. Example 1:You are provided an image named computer.jpg.Run the following command to dump the file in hex format. A directory named _dog.jpg.extracted has been created with the file automatically unzipped. An open-source alternative has emerged called Kaitai. It may also lack the "black hat attacker" appeal that draws many players to participate in CTFs. Your first step should be to take a look with the mediainfo tool (or exiftool) and identify the content type and look at its metadata. Unlike most CTF forensics challenges, a real-world computer forensics task would hardly ever involve unraveling a scheme of cleverly encoded bytes, hidden data, mastroshka-like files-within-files, or other such brain-teaser puzzles. Volatility is a Python script for parsing memory dumps that were gathered with an external tool (or a VMware memory image gathered by pausing the VM). Subscribe to our weekly newsletter for the coolest infosec updates: https://weekly.infosecwriteups.com/, Cybersecurity Enthusiast | Cloud Security & Information Protection @ Boeing | Trying to pass on knowledge to others | www.thecyberblog.com. pngcheck -v mystery_solved_v1.png hexedit Not bad. picoCTF 2019 - [Forensic] c0rrupted (250 points) chunk IDAT at offset 0x10008, length 65524 Prouvez-lui le contraire en investiguant. Complicating matters, the packets of interest are usually in an ocean of unrelated traffic, so analysis triage and filtering the data is also a job for the player. Binwalk detects a zip file embedded within dog.jpg. pHYs CRC Chunk before rectifying : `49 52 24 F0` byte 2: X movement. For analyzing and manipulating video file formats, ffmpeg is recommended. Web pages For each test-set there is an html-page containing the PNG images. * For debugging and detect CRC problem, you can use : `pngcheck -v [filename]` [TOC] Corrupted jpeg/jpg, gif, tiff, bmp, png or raw images are files that suddenly become unusable and can't be opened. For more information, please see our The next chunks after the IHDR were alright until it ends with an unknown header name : No description, website, or topics provided. Below are a few more that you can research to help expand your knowledge. Audacity can also enable you to slow down, reverse, and do other manipulations that might reveal a hidden message if you suspect there is one (if you can hear garbled audio, interference, or static). Many file formats are well-described in the public documentation you can find with a web search, but having some familiarity with the file format specifications will also help, so we include links to those here. I H C R it should be . A PNG image has a lot of blocks, called chunks, which have the same structure: The most important one, which actually represents the image, is called IDAT. In the file, we found this instead : |`1A`| **A byte that stops display of the file under DOS when the command type has been usedthe end-of-file character. chunk pHYs at offset 0x00042, length 9: 2852132389x5669 pixels/meter "house.png", 2 0"house01.png" . In the case where you do need to understand a complicated VBA macro, or if the macro is obfuscated and has an unpacker routine, you don't need to own a license to Microsoft Office to debug this. Regardless, many players enjoy the variety and novelty in CTF forensics challenges. So let's change the name of the chunck 1. |Hexa Values|Ascii Translation| # L | IDAT | DATA | CHECKSUM ---> {L} {DATA, CHECKSUM, L} {DATA, CHECKSUM, L} {DATA, CHECKSUM} Stegsolve (JAR download link) is often used to apply various steganography techniques to image files in an attempt to detect and extract hidden data. And at the start of our file, we did have this : It would be impossible to prepare for every possible data format, but there are some that are especially popular in CTFs. [](https://i.imgur.com/baF6Iul.png) Ethscan is made to find data in a memory dump that looks like network packets, and then extract it into a pcap file for viewing in Wireshark. CTF Background Help Alex! chunk gAMA at offset 0x00032, length 4: 0.45455 It seems to have suffered EOL conversion. ERRORS DETECTED in mystery_solved_v1.png This SVG image compressor shrinks your SVG logos, illustrations or icons to the smallest file size and best quality possible. Files-within-files is a common trope in forensics CTF challenges, and also in embedded systems' firmware where primitive or flat filesystems are common. If you were prepared with tools for analyzing the following, you would be prepared for the majority of Forensics challenges: Some of the harder CTF challenges pride themselves on requiring players to analyze an especially obscure format for which no publicly available tools exist. PNG files can be dissected in Wireshark. File: mystery_solved_v1.png (202940 bytes) But to search for other encodings, see the documentation for the -e flag. Cannot retrieve contributors at this time, 00000000: 89 65 4e 34 0d 0a b0 aa 00 00 00 0d 43 22 44 52 .eN4..C"DR. 00000010: 00 00 06 6a 00 00 04 47 08 02 00 00 00 7c 8b ab jG..|.. 00000020: 78 00 00 00 01 73 52 47 42 00 ae ce 1c e9 00 00 x.sRGB. 00000030: 00 04 67 41 4d 41 00 00 b1 8f 0b fc 61 05 00 00 ..gAMAa 00000040: 00 09 70 48 59 73 aa 00 16 25 00 00 16 25 01 49 ..pHYs%%.I. There are 2 categories of posts, only the first is available, get access to the posts on the flag category to retrieve the flag. Plus it will highlight file transfers and show you any "suspicious" activity. There are many Base64 encoder/decoders online, or you can use the base64 command: ASCII-encoded hexadecimal is also identifiable by its charset (0-9, A-F). $ pngcheck mystery mystery CRC error in chunk pHYs (computed 38d82c82, expected 495224f0) This tells us the calculated CRC value from the data field, and the current CRC (expected). The file within the zip file is named hidden_text.txt. Description The third byte is "delta Y", with down (toward the user) being negative. Sox is another useful command-line tool for converting and manipulating audio files. You may need to convert a file from PCAPNG to PCAP using Wireshark or another compatible tool, in order to work with it in some other tools. There are several sites that provide online encoder-decoders for a variety of encodings. Here are some examples of working with binary data in Python. Learn more. Usually they end with a simple: "It generates smaller pictures, so it's got to be better.". I broke my solution down into 5 steps: Read the corrupted PNG into memory. Additional meta-information within files may be useful depending on the challenge. ); to list the color and transparency info . Creator: 2phi, SharkyCTF 2020 - [Forensic] Pain In The Ass (200pts) ..A. 00000070: f9 ed 40 a0 f3 6e 40 7b 90 23 8f 1e d7 20 8b 3e ..@..n@{.# .>. Typically, each CTF has its flag format such as HTB{flag}. facing with, check its type with type filename. CTF events / DarkCTF / Tasks / crcket / Writeup; crcket by blu3drag0nsec / ARESx. Learn why such statements are most of the time meaningless, understand the technical background, and find out which tool you should use as of today. If an image file has been abused for a CTF, its EXIF might identify the original image dimensions, camera type, embedded thumbnail image, comments and copyright strings, GPS location coordinates, etc. 1642 x 1095 image, 24-bit RGB, non-interlaced Written by Maltemo, member of team SinHack. In a CTF context, "Forensics" challenges can include file format analysis, steganography, memory dump analysis, or network packet capture analysis. ## Fixing the corruption problems We found this file. `00 00 FF A5` Now running command in terminal $ pngcheck mystery mystery invalid chunk length (too large) There are many other tools available that will help you with steganography challenges. ### Correcting the PNG header The strings command will print out strings that are at least 4 characters long from a file. We wrote the script and it took a lifetime. . qpdf is one tool that can be useful for exploring a PDF and transforming or extracting information from it. Can you try and fix it? The flag is **picoCTF{c0rrupt10n_1847995}** PNG files, in particular, are popular in CTF challenges, probably for their lossless compression suitable for hiding non-visual data in the image. * For more in depth knowledge about how works chunks in PNG, I strongly recommend you two read my other write-ups that explains a lot of things : The file was, in fact, corrupted since it wasn't recognized as a PNG image. Slice the PNG into individual chunks. D E T`| Why we see the red compression artifacts so well and what we can do about them. ctf #, Edited the script making it output the offset in the file where the. Wireshark, and its command-line version tshark, both support the concept of using "filters," which, if you master the syntax, can quickly reduce the scope of your analysis. Flags may be embedded anywhere in the file. Much appreciated. Xor the extracted image with the distorted image with . I'm not going to beat around the bush here; I need your help. Me and my team, Tower of Hanoi, have played the PlaidCTF 2015: while my teammates did reversing stuff, my friend john and I did this awesome forensic challenge. With the aforementioned assumption in our mind, we checked if any chunk had an unexpected checksum: pngcheck helped us doing this. You may need to install exiftool on your system. For these, try working with multimon-ng to decode them. You can decode an image of a QR code with less than 5 lines of Python. So I checked the lenght of the chunk by selecting the data chunk in bless. File is CORRUPTED. Now, we'll discuss more specific categories of forensics challenges, and the recommended tools for analyzing challenges in each category. Well cover 2 examples of the file command. Steganography, the practice of concealing some amount of secret data within an unrelated data as its vessel (a.k.a. I've then assumed it was a corrupted PNG and saw that the first bytes where wrong instead of . Be careful to **select only the data chunk and not the checksum (CRC)** with it ! chunk IDAT at offset 0x30008, length 6304 Viewing the image, we get the flag: picoCTF{c0rrupt10n_1847995}. The challenge intends to hide the flag. The width of Underscore_in_C is also 958 so we can try to use the bytes of Underscore_in_C as the keys. An analysis of the image compression pipeline of the social network Twitter. ERRORS DETECTED in mystery_solved_v1.png Since all three of \r\n, \r and \n are translated into \n, you cannot know what code it originally was. 2017PlaidCTF DefConCTF . ```sh Note: This is an introduction to a few useful commands and tools. There are plugins for extracting SQL databases, Chrome history, Firefox history and much more. In this article, we will focus on finding hidden data in images and introduce commands and tools that you can use to help you find the flag. Thank you javier. The output shows THIS IS A HIDDEN FLAG at the end of the file. 3. chunk pHYs at offset 0x00042, length 9: 2852132389x5669 pixels/meter - Jongware. File is CORRUPTED. This PNG image compressor shrinks your icons and sprites to the smallest file size and best quality possible. f5; png; gif; ctf The first chunk is IHDR and has the length of 0xD, so let's fix that as well. corrupt.png.fix: PNG image data, 500 x 408, 8-bit/color RGBA, non-interlaced pngcheck -v corrupt.png.fix File: corrupt.png.fix (469363 . There are several reasons why a photo file may have been damaged. As far as that is possible, all formats supported by the PNG standard are represented. Votre ami vous assure que sa compositrice prfre (amatrice) Twisore garde son identit secrte. At first, I analyzed the png file using binwalk command and was able to extract the base 64 string which converted as another file image (base64 to image/file conversion). Assuming you have already picked up some Python programming, you still may not know how to effectively work with binary data. This JPEG XL image compressor shrinks your images and photos to the smallest file size and best quality possible. |Hexa Values|Ascii Translation| Extract all the files within the image, we find what we needed. Just as "file carving" refers to the identification and extraction of files embedded within files, "packet carving" is a term sometimes used to describe the extraction of files from a packet capture. ::: ``` ** | ## Analyzing the file CTF writeups, Corrupted Disk. When you have a challenge with a corrupted file, you can start with file command : But most of the time, as the file is corrupted, you will obtain this answer : data. ### Correcting the IHDR chunk Run the following command to install exiftool. By default, it only checks headers of the file for better performance. TrID is a more sophisticated version of file. Description to use Codespaces. scalpel, now a part of SleuthKit (discussed further under Filesystems) is another tool for file-carving, formerly known as Foremost. You can use Libre Office: its interface will be familiar to anyone who has debugged a program; you can set breakpoints and create watch variables and capture values after they have been unpacked but before whatever payload behavior has executed. You may have to grep for a pattern, decode data, or look for anything that stands out and can be used to find the flag. If working with QR codes (2D barcodes), also check out the qrtools module for Python. Work fast with our official CLI. mystery Run the following command to install binwalk. Real-world computer forensics is largely about knowing where to find incriminating clues in logs, in memory, in filesystems/registries, and associated file and filesystem metadata. If you need to dig into PNG a little deeper, the pngtools package might be useful. Therefore, either the checksum is corrupted, or the data is. When you are on the file, search for known elements that give hints about the file type. PNG files, in particular, are popular in CTF challenges, probably for their lossless compression suitable for hiding non-visual data in the image. Let's see if that fixes the checksum: That fixed the problem, we remain with a "invalid chunk length (too large)" message. ### Correcting again the PNG header to make it readable ### Correcting the IDAT chunk I tried strings, binwalk, foremost, stedhide, etc commands but having a hard time figuring it out. Both formats are structured, compound file binary formats that enable Linked or Embedded content (Objects). Exiftool allows you to read and write meta information in files. Let's save again, run the pngcheck : You can do this anytime. zlib: deflated, 32K window, fast compression For debugging and detect CRC problem, you can use : pngcheck -v [filename] ``` All of these tools, however, are made to analyze non-corrupted and well-formatted files. File: mystery_solved_v1.png (202940 bytes) ___ :smile: Nice, we just get the same values at the end of the wrong length. We can simply try replacing the expected hex values with the computed CRC. To verify correcteness or attempt to repair corrupted PNGs you can use pngcheck. The second byte is the "delta X" value - that is, it measures horizontal mouse movement, with left being negative. |Hexa Values|Ascii Translation| CTF Image Steganography Checklist. --- This is a more realistic scenario, and one that analysts in the field perform every day. A flag may be embedded in a file and this command will allow a quick view of the strings within the file. picoCTF{w1z4rdry} Didier Stevens has written good introductory material about the format. The following background is provided for the CTF and I have highlighted some important pieces of information in the description provided. There are a lot of articles about online image compression tools in the net, most of them are very superficial. In this file, I found and IEND and multiple IDAT chunks name in the hexa values, so at this moment I already knew it was a corrupted PNG picture. The other data needed to display the image (IHDR chunk) is determined via heuristics. It was probably transmitted in text mode. Paste an image from your clipboard into this website. Squashfs is one popular implementation of an embedded device filesystem. I can't open this file. 1642 x 1095 image, 24-bit RGB, non-interlaced :) Vortex . On October 14th and 15th 2022 we participated in the Reply Cyber Security Challenge 2022. To display the structure of a PDF, you can either browse it with a text editor, or open it with a PDF-aware file-format editor like Origami. This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository. By rejecting non-essential cookies, Reddit may still use certain cookies to ensure the proper functionality of our platform. The big image compression tool comparison. This PNG is clearly corrupted, check what's wrong: This kind of error may occurs when an image (binary) was downloaded as ASCII text. You can go to its website (https://online.officerecovery.com/pixrecovery/), click Choose File button under Data Recovery to select the source corrupted PNG file, and click the Secure Upload and Repair button to upload and repair the PNG image. A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. You can do this anytime. Rating: 5.0 # crcket > Category: Forensics > Description: ``` DarkArmy's openers bagging as many runs as possible for our team. ::: A summary of the JPG compression algorithm in layman's terms including 7 tips for reducing the file size. [](https://i.imgur.com/Yufot5T.png) Another note about zip cracking is that if you have an unencrypted/uncompressed copy of any one of the files that is compressed in the encrypted zip, you can perform a "plaintext attack" and crack the zip, as detailed here, and explained in this paper. Some of the useful commands to know are strings to search for all plain-text strings in the file, grep to search for particular strings, bgrep to search for non-text data patterns, and hexdump. There are a handful of command-line tools for zip files that will be useful to know about. ```sh --- To verify correcteness or attempt to repair corrupted PNGs you can use pngcheck. |-|-| Let's see what we can tell about the file: file won't recognize it, but inspecting the header we can see strings which are common in PNG files. Drag your image file onto this website. Many hex-editors also offer the ability to copy bytes and paste them as a new file, so you don't need to study the offsets. Much joy. Most CTF challenges are contained in a zip, 7z, rar, tar or tgz file, but only in a forensics challenge will the archive container file be a part of the challenge itself. The challenges you encounter may not be as straight forward as the examples in this article.