07CTF

git gud bro – Digital Forensics Challenge Writeup | 07CTF

Oneliner:

This challenge is about git forensics. The classic task is to recover a deleted file; here you have to recover the lost binary contents of a PNG file.

Understanding:

  1. Unzip git_gud_bro.zip and you get a handout directory.
  2. The directory contains only a .git directory, the one created when a repository is initialized locally for version control.

Steps:

  1. First, I recommend going through some basic but important setup. Create a directory named recovered.
  2. Copy .git into that directory: cp -r .git recovered/
  3. Go to that directory: cd recovered
  4. Now the main part, before solving the git forensics: check whether HEAD is in good condition. There are many ways to identify this, but I prefer cross-referencing with git reflog, which shows each commit along with the HEAD it pointed to. In this challenge HEAD is fine, so we proceed.
  5. Try to grab the last deleted content: git checkout . ; git fsck --lost-found
  6. You will see a file named flag.
  7. Analyzing the file gives you nothing!
  8. So the problem leads us to another classic challenge: grabbing an older version of the content. That is, the owner later modified the file so that it became corrupt and then deleted it. We have already solved the second part (recovering the deleted file); this time we have to go back in time to when the file was still correct.
  9. To list all commits made so far: git log --oneline
  10. At the bottom you will see a commit with the message "This is my flag." That is when the flag was created.
  11. To see what a commit is about: git show <commitID>
  12. To get the content of a commit (i.e. a previously saved version of the file): git show <blobID> > sus.bin, which saves it as sus.bin
  13. There are 558 commits, so analyzing them all by hand is deadly and not feasible. I wrote a simple script that first builds the file from each version, then checks for a valid file signature and rejects the version if there is none.
  14. I found a PNG file, but it is incomplete: it has no trailing IEND chunk, so the PNG won't open, and if you force it you see only the top part loading and the rest missing.
  15. That made me think: the author deleted the previous content and added only the next part, so each commit is only the next piece of the puzzle. We need to concatenate, right?
  16. git log --reverse --pretty=format:"%H" -- flag | xargs -I$ git show $:flag 2>/dev/null > complete.png   This concatenates every version of flag in commit order into a final file named complete.png.
  17. But the file is still not complete; it only half loads, meaning the image data is missing or isn't decoded at all. So check for IEND: xxd complete.png | grep -i iend
  18. You will find that there are two IEND chunks. The earlier one tells the decoder that the file has ended, so it doesn't load the extra bytes and we lose the last part of the image. To solve this, here is the script:
import sys

# Usage: python3 solve.py <input.png> <output.png>
if len(sys.argv) != 3:
    print(f"usage: {sys.argv[0]} <input.png> <output.png>", file=sys.stderr)
    sys.exit(1)

input_file = sys.argv[1]
output_file = sys.argv[2]

with open(input_file, "rb") as f:
    data = f.read()

# An IEND chunk has a zero length field followed by its type, so this finds the
# first (premature) one; the 12 bytes are length(4) + "IEND"(4) + CRC(4).
iend_index = data.find(b'\x00\x00\x00\x00IEND')
if iend_index == -1:
    raise ValueError("IEND chunk not found")

iend_chunk = data[iend_index:iend_index+12]

# Cut the premature IEND out and append it, so the decoder reads every chunk
# before it reaches the end marker.
before_iend = data[:iend_index]
after_iend = data[iend_index+12:]
new_data = before_iend + after_iend + iend_chunk

with open(output_file, "wb") as f:
    f.write(new_data)

print(f"Saved : {output_file}")

Run the command: python3 solve.py complete.png solve.png

Finally, check solve.png and you have your flag. Thanks~~
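As an added example (not the author's script and not part of the original writeup), here is the whole recovery pipeline of steps 13 to 18 in one self-contained Python module: a PNG chunk parser that checks each chunk's CRC, the signature check used to reject non-PNG blobs, concatenation of the versions in commit order, and relocation of the premature IEND chunk. It runs offline: the 1x1 PNG, the blob names and the commit history are constructed stand-ins, and git is never invoked, so it can be pointed at real blobs by swapping in the bytes from git show.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def make_chunk(ctype, body):
    """One PNG chunk: 4-byte big-endian length, type, data, CRC32 over type + data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_sample_png():
    """Constructed 1x1 8-bit RGB PNG (one red pixel) standing in for the flag image."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # width, height, depth, colour type 2 = RGB
    raw = b"\x00\xff\x00\x00"                             # filter byte 0 + one RGB pixel
    return (PNG_SIG + make_chunk(b"IHDR", ihdr)
            + make_chunk(b"IDAT", zlib.compress(raw)) + make_chunk(b"IEND", b""))

GOOD = build_sample_png()
IEND_CHUNK = make_chunk(b"IEND", b"")
_CUT1 = 8 + 12 + 13          # end of the signature + IHDR chunk
_CUT2 = _CUT1 + 12           # a few bytes into the IDAT chunk's data

# Constructed stand-in for `git show <hash>:flag` at each commit, oldest first: the
# image was committed piece by piece and a premature IEND chunk slipped in.
HISTORY = [GOOD[:_CUT1], IEND_CHUNK, GOOD[_CUT1:_CUT2], GOOD[_CUT2:]]

# Constructed stand-in for the dangling blobs git fsck lists; only one starts a PNG.
CANDIDATE_BLOBS = {
    "blob-a": b"PK\x03\x04" + b"\x00" * 8,   # looks like a zip header, rejected
    "blob-b": GOOD[:_CUT1],                   # carries the PNG signature
    "blob-c": IEND_CHUNK,                     # a lone IEND chunk, rejected
}

def find_png_heads(blobs):
    """Step 13: keep only the blobs whose first bytes are the PNG signature."""
    return sorted(name for name, data in blobs.items() if data.startswith(PNG_SIG))

def parse_chunks(data):
    """Walk the chunks after the signature; return (type, body, crc_ok) for each."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, chunks = 8, []
    while pos + 8 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc_bytes) < 4:      # truncated file
            chunks.append((ctype, body, False))
            break
        expected = zlib.crc32(ctype + body) & 0xFFFFFFFF
        chunks.append((ctype, body, struct.unpack(">I", crc_bytes)[0] == expected))
        pos += 12 + length
    return chunks

def chunk_types(data):
    """Chunk types a decoder actually reads: it stops at the first IEND."""
    types = []
    for ctype, _body, _ok in parse_chunks(data):
        types.append(ctype.decode("ascii"))
        if ctype == b"IEND":
            break
    return types

def decodes_fully(data):
    """True if intact IHDR and IDAT chunks precede the first IEND and the pixel
    stream inflates to the expected size (8-bit RGB, as in the sample)."""
    header, idat = None, b""
    for ctype, body, ok in parse_chunks(data):
        if not ok:
            return False
        if ctype == b"IEND":
            break
        if ctype == b"IHDR":
            header = body
        elif ctype == b"IDAT":
            idat += body
    else:
        return False                                      # no IEND at all
    if header is None or not idat:
        return False
    width, height = struct.unpack(">II", header[:8])
    try:
        return len(zlib.decompress(idat)) == height * (1 + 3 * width)
    except zlib.error:
        return False

def relocate_first_iend(data):
    """Step 18, the logic of the page's solve.py: cut out the first IEND chunk and append it."""
    idx = data.find(b"\x00\x00\x00\x00IEND")
    if idx == -1:
        raise ValueError("IEND chunk not found")
    chunk = data[idx:idx + 12]                            # length(4) + type(4) + CRC(4)
    return data[:idx] + data[idx + 12:] + chunk

def solve(history):
    """Steps 16 to 18 end to end: join the versions in commit order (what the
    xargs loop does, without git), then move the premature IEND to the end."""
    return relocate_first_iend(b"".join(history))

if __name__ == "__main__":
    joined = b"".join(HISTORY)
    print("PNG heads among candidates:", find_png_heads(CANDIDATE_BLOBS))
    print("before fix:", chunk_types(joined), "decodes:", decodes_fully(joined))
    fixed = solve(HISTORY)
    print("after fix: ", chunk_types(fixed), "decodes:", decodes_fully(fixed))
```

Running it prints the chunk list before the fix as IHDR followed directly by IEND (the "half loaded" state, where the decoder never reaches IDAT) and after the fix as IHDR, IDAT, IEND. The CRC check in parse_chunks is the part worth keeping for real cases: if a chunk's CRC fails after concatenation, a fragment is missing or out of order, which the signature check alone cannot tell you.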
