Tunn3l V1s10n Solution

This is the solution for picoCTF's Tunn3l V1s10n challenge forensics problem.

This problem was taken from the picoCTF 2021 and the solution will be discussed below. So proceed with caution.

Here we are able to download a file called tunn3l_v1s10n.

Let's investigate the file first by running

file tunn3l_v1s10n
stat tunn3l_v1s10n

Nothing specifically interesting yet.

So next we look at the metadata by running

exiftool -listf tunn3l_v1s10n

ExifTool Version Number         : 12.67
File Name                       : tunn3l_v1s10n
Directory                       : .
File Size                       : 2.9 MB
File Modification Date/Time     : 2024:04:07 04:30:51-07:00
File Access Date/Time           : 2024:04:07 04:32:34-07:00
File Inode Change Date/Time     : 2024:04:07 04:32:34-07:00
File Permissions                : -rw-r--r--
File Type                       : BMP
File Type Extension             : bmp
MIME Type                       : image/bmp
BMP Version                     : Unknown (53434)
Image Width                     : 1134
Image Height                    : 306
Planes                          : 1
Bit Depth                       : 24
Compression                     : None
Image Length                    : 2893400
Pixels Per Meter X              : 5669
Pixels Per Meter Y              : 5669
Num Colors                      : Use BitDepth
Num Important Colors            : All
Red Mask                        : 0x27171a23
Green Mask                      : 0x20291b1e
Blue Mask                       : 0x1e212a1d
Alpha Mask                      : 0x311a1d26
Color Space                     : Unknown (,5%()
Rendering Intent                : Unknown (826103054)
Image Size                      : 1134x306
Megapixels                      : 0.347

Here we discover that it is a bmp image. Let's try opening it.

open tunn3l_v1s10n

No image comes out. But there is an error stating that BMPImage has unsupported header size

Maybe it is a wrong file format so let's try coverting it to a different format.

convert -quality 100 tunn3l_v1s10n copy.bmp
convert -quality 100 tunn3l_v1s10n copy.jpg
convert -quality 100 tunn3l_v1s10n copy.png

Although the error has disappeared and now able to view the image there is still no flag.

Looking at the hint Weird that it won't display right..., we see that the image has something weird in it. So let's experiment using Gimp (photo editor). Experimented with color balance etc (because of the weird colors) but still nothing.

Looking at the information we have derived we know that image dimension (wxh) is 1134x306= 337,306 however the total size of file 2,893,454 which is much larger.

Probably we can modify with the image dimension as there might be some image data not being shown.

Let's open the file

hexeditor tunn3lv1s10n

Now we refer to BMP documentation to figure out how to modify the dimension of image.

From the documentation we found in BITMAPINFOHEADER that image width and height can be edited at hex offset 12 and 16.

So going to our hexeditor we find the hex values of width at offset 12 to be 6E 04 and height at offset 16 to be 32 01 .

Let's try modifying height to be the same as width 6E 04 and saving the file as tunn3l_v1s10n_modified

Now let's convert the tunn3l_v1s10n_modified

convert -quality 100 tunn3l_v1s10n_modified copy_modfied.bmp

However this results in an error. It seems we exceeded the image data with the height hex value.

Now let's just try incrementing change height to 32 02 then rerun the commands above.

convert -quality 100 tunn3l_v1s10n_modified copy_modfied.bmp

Certainly showed a little bit more of the image.

Now let's try 32 03 for the height.

Now the image has shown the portion which has the flag.

Flag: picoCTF{qu1t3_a_v13w_2020}

Until next time. Keep learning.

Stay stoked and code. :)

---

I hope you can voluntarily Buy Me A Coffee if you found this article useful and give additional support for me to continue sharing more content for the community. :)

Thank you very much. :)