CAS Cybersecurity
Unswirl Image

Last updated 3 years ago

1. Introduction

Imagine you get an image like this which contains some text, but the image is digitally distorted and you have to find a way to make it readable. I've tried to solve a particular challenge of a CTF game, and the final flag was masked like this:

2. The Challenge

The challenge contained a file without a file extension. It's a pdf file and I'll add it here: Challenge File

3. Analysis

Opening that file in a text editor shows the signature of a pdf file:

A recheck with the tool TrIDNET confirms that the signature matches a pdf file:

The pdf file contains an image with a cartoon character and the text: I dare you find it!

For the further analysis I've used a free tool called Winking PDF Analyzer.

A quick view shows that the pdf file contains streams. My assumption was that there is something hidden in those streams, and I've tried to find a way to decode them.

On stackoverflow I did find a hint how to decode them:

The easiest way to decode a PDF file is to use a tool intended to do it, for example MuPDF can do this: „mutool clean -d <input pdf file> <output PDF file>“ will decompress (-d) all the compressed streams in a PDF file and write the output to a new PDF file.

mutool.exe clean -d enigma.pdf enigma_decoded.pdf

As we can see the filesize has changed from 161 KB to 2746 KB!

If I open the decoded pdf file again in Winking PDF Analyzer, I can see a reference to two images:

I'm using mutool again to extract the images of the pdf:

mutool.exe extract enigma_decoded.pdf

img-005.png is the cartoon, but now let's see what img-004.png is:

4. Retrieve the flag

Sadly I had no plan how to revert that image, but a friend of mine gave me a hint:

What computers can swirl, computers can unswirl!

In 2007 the police caught a pedophile who tried to mask his identity with a swirl face.

It is possible to revert the image with photoshop or an online image editing tool.

Now we can try to revert the image with photoshop by choosing the effect distort –> twirl:

Or using an online image editor, which is a much faster way:

The same can be done with the black image above and we can read the text:
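The hint in section 4 works because a twirl only rotates each pixel about the centre by an angle that depends on its distance from the centre, and a rotation does not change that distance; applying the same angle field with the opposite sign therefore sends every pixel back to where it came from. The following is an added Python example, not code from the write-up, that implements such a twirl and its inverse on a constructed test image (a black/white half-split) and measures how much of the original survives the round trip. The function names, the linear angle fall-off and the default strength are my assumptions; the fall-off used by any particular image editor may differ, so against a real swirled image the strength and radius have to be tuned until the text becomes readable, which is exactly the trial-and-error step shown with the twirl filter above.

```python
import math


def twirl(img, strength, radius=None, inverse=False):
    """Twirl (or, with inverse=True, un-twirl) a grayscale image given as a list of rows.

    Every pixel is rotated about the centre by an angle that is `strength` radians at the
    centre and falls off linearly to zero at `radius` (assumed fall-off, not any editor's).
    Because the angle depends only on the distance from the centre, and a rotation keeps
    that distance, the same angle field with the opposite sign undoes the effect.
    Nearest-neighbour sampling, so the round trip is exact up to pixel rounding."""
    h, w = len(img), len(img[0])
    cy, cx = (h - 1) / 2.0, (w - 1) / 2.0
    if radius is None:
        radius = min(cy, cx)
    sign = 1.0 if inverse else -1.0
    out = [[0] * w for _ in range(h)]
    for y in range(h):
        for x in range(w):
            dy, dx = y - cy, x - cx
            r = math.hypot(dx, dy)
            if r >= radius:                 # outside the effect disc: copy unchanged
                out[y][x] = img[y][x]
                continue
            theta = sign * strength * (1.0 - r / radius)
            # Inverse mapping: look up where this output pixel comes from in the source.
            c, s = math.cos(theta), math.sin(theta)
            sx = cx + dx * c - dy * s
            sy = cy + dx * s + dy * c
            ix = min(max(int(round(sx)), 0), w - 1)
            iy = min(max(int(round(sy)), 0), h - 1)
            out[y][x] = img[iy][ix]
    return out


def sample_image(size=64):
    """Constructed test image: black left half, white right half (a crisp vertical edge)."""
    return [[0 if x < size // 2 else 255 for x in range(size)] for _ in range(size)]


def mismatch_fraction(a, b):
    """Share of pixels that differ between two equally sized images."""
    total = sum(len(row) for row in a)
    diff = sum(1 for ra, rb in zip(a, b) for pa, pb in zip(ra, rb) if pa != pb)
    return diff / total


def untwirl_round_trip(strength=1.5, size=64):
    """Distort a known image, undo it, and report (pixels changed by the twirl,
    pixels still wrong after the un-twirl) as fractions of the image."""
    original = sample_image(size)
    distorted = twirl(original, strength)
    restored = twirl(distorted, strength, inverse=True)
    return mismatch_fraction(original, distorted), mismatch_fraction(original, restored)


if __name__ == "__main__":
    lost, residual = untwirl_round_trip()
    print("pixels changed by the twirl: %.1f%%" % (100 * lost))
    print("pixels still wrong after untwirl: %.1f%%" % (100 * residual))
```

The residual error after the round trip comes only from nearest-neighbour rounding along the edge; the bulk of the image is recovered, which is why a swirled flag stays legible once the angle is matched.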
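Going back to the stream decompression step in section 3: this added Python example (not code from the write-up or from MuPDF) shows what `mutool clean -d` does to the file. It builds a small PDF whose page content stream is Flate-compressed (constructed inline; it is not the challenge's enigma.pdf), inflates every FlateDecode stream, searches the inflated data for a string, and rewrites the streams in clear, which is why the decoded file grows the way the 161 KB to 2746 KB change shows. The function names are mine, and the parser deliberately handles only direct /Length values and the FlateDecode filter with no xref table; a real analysis uses mutool, which also copes with indirect lengths, other filters and broken cross-reference tables.

```python
import re
import zlib

# Constructed sample content, repeated so that Flate compression actually shrinks it.
# This is NOT the enigma.pdf from the write-up; it only reproduces the situation.
PAGE_CONTENT = b"BT /F1 24 Tf 72 700 Td (I dare you find it!) Tj ET\n" * 20

OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj(.*?)endobj", re.DOTALL)
# Direct /Length only; an indirect "/Length 5 0 R" falls back to scanning for endstream.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+0\s+R)")


def build_sample_pdf(content: bytes = PAGE_CONTENT) -> bytes:
    """Build a minimal PDF (no xref table) whose single content stream is FlateDecode-compressed."""
    compressed = zlib.compress(content)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(compressed)
        + compressed + b"\nendstream",
    ]
    pdf = b"%PDF-1.4\n"
    for num, body in enumerate(objs, start=1):
        pdf += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return pdf + b"trailer\n<< /Root 1 0 R >>\n%EOF\n"


def _split_stream(body: bytes):
    """Split an object body into (dictionary header, raw stream bytes); None if it has no stream."""
    start = body.find(b"stream")
    if start < 0:
        return None
    header = body[:start]
    pos = start + len(b"stream")
    if body.startswith(b"\r\n", pos):          # PDF allows CRLF or LF after the keyword
        pos += 2
    elif body.startswith(b"\n", pos):
        pos += 1
    m = LENGTH_RE.search(header)
    if m:
        raw = body[pos:pos + int(m.group(1))]
    else:
        raw = body[pos:body.rfind(b"endstream")].rstrip(b"\r\n")
    return header, raw


def inflate_streams(pdf: bytes):
    """Return (object number, stored length, inflated bytes or None) for every stream object.
    Only /FlateDecode is handled; other filters (e.g. DCTDecode images) are reported with None."""
    results = []
    for m in OBJ_RE.finditer(pdf):
        split = _split_stream(m.group(2))
        if split is None:
            continue
        header, raw = split
        decoded = None
        if b"/FlateDecode" in header:
            try:
                decoded = zlib.decompress(raw)
            except zlib.error:
                decoded = None          # corrupt, or not really Flate data
        results.append((int(m.group(1)), len(raw), decoded))
    return results


def decompress_pdf(pdf: bytes) -> bytes:
    """Rewrite every FlateDecode stream in clear, like `mutool clean -d` (without xref rebuilding)."""
    def rewrite(m):
        split = _split_stream(m.group(2))
        if split is None or b"/FlateDecode" not in split[0]:
            return m.group(0)
        header, raw = split
        try:
            decoded = zlib.decompress(raw)
        except zlib.error:
            return m.group(0)
        header = header.replace(b"/Filter /FlateDecode", b"")
        header = LENGTH_RE.sub(b"/Length %d" % len(decoded), header)
        return m.group(1) + b" 0 obj" + header + b"stream\n" + decoded + b"\nendstream\nendobj"
    return OBJ_RE.sub(rewrite, pdf)


def find_text_in_streams(pdf: bytes, needle: bytes):
    """Object numbers whose inflated stream contains `needle`: the 'is something hidden in a stream?' check."""
    return [num for num, _, data in inflate_streams(pdf) if data is not None and needle in data]


if __name__ == "__main__":
    sample = build_sample_pdf()
    clean = decompress_pdf(sample)
    print("compressed pdf: %d bytes, decompressed: %d bytes" % (len(sample), len(clean)))
    print("objects whose stream mentions the text:", find_text_in_streams(sample, b"I dare you"))
```

Running it prints the size growth and reports object 4 as the stream carrying the text; on the real challenge file the same idea surfaces the two image streams that `mutool extract` then writes out as img-004.png and img-005.png.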