The artifact challenge from the EVERSEC CTF was one that we spent a lot of spare time on but couldn’t quite figure out.
After downloading it, you can see that the file command can’t identify it as anything in particular. I opened it up and noted that the file header said “ROM” but wasn’t sure how to actually play the ROM, so I moved on.
[EVERSEC]λ file bWFyaTA
bWFyaTA: data
My go-to after getting a file like this is to use binwalk on it.
[EVERSEC]λ binwalk bWFyaTA
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------
22758         0x58E6          MySQL MISAM compressed data file Version 7
After seeing this, I thought it would be a challenge where we had to import a MySQL data file, reconstruct the header, and export the valid info. I was dead-set on this after seeing the previous
I found this Stack Overflow post and used the solution to extract the MySQL file.
[EVERSEC]λ binwalk --dd='.*' bWFyaTA
[_bWFyaTA.extracted]λ file 58E6
58E6: MySQL MyISAM index file Version 7, 32896 key parts, 32896 unique key parts, 128 keys, 217020518514230271 records, -65022 deleted records
At this point, I spent an egregious amount of time trying to get this file into a MySQL database to no avail. It is after all just the index file and not the actual data for the database, so it only contains the headers.
At this point, I hadn’t made any progress when a teammate suggested that we should start looking for ways to play this ROM file. He got as far as downloading an NES emulator but was still unable to play the file.
The solution? Change the header (“ROM”) to “NES”.
Yep. That’s the entire challenge. Change the header and play the ROM. In hindsight, it’s insane we missed this, but in the heat of the competition we were greatly overthinking some things.
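A header check that looks past the three magic letters, as an added example (not code from the original write-up): it validates the rest of the iNES header against the file size and only then rewrites the magic to "NES". It assumes the challenge file kept a standard iNES header apart from those letters (0x1A in the fourth byte, bank counts in bytes 4 and 5), which the post does not state; the function names and the sample image are constructed for illustration.

```python
import struct

INES_MAGIC = b"NES\x1a"      # real iNES magic: "NES" followed by 0x1A
PRG_BANK = 16 * 1024         # PRG ROM size unit (header byte 4)
CHR_BANK = 8 * 1024          # CHR ROM size unit (header byte 5)
TRAINER = 512                # optional trainer, flagged by bit 2 of byte 6


def ines_layout_matches(data: bytes) -> bool:
    """True if bytes 3..6 describe an iNES image that fits inside the file,
    ignoring the three magic letters (which the challenge had altered)."""
    if len(data) < 16 or data[3] != 0x1A:
        return False
    prg_banks, chr_banks, flags6 = struct.unpack_from("BBB", data, 4)
    expected = 16 + prg_banks * PRG_BANK + chr_banks * CHR_BANK
    if flags6 & 0x04:
        expected += TRAINER
    # >= rather than ==: some dumps carry trailing bytes after the ROM data.
    return prg_banks > 0 and len(data) >= expected


def repair_magic(data: bytes) -> bytes:
    """Return a copy with the magic set to "NES" when the rest of the header
    is consistent with iNES; otherwise return the data unchanged."""
    if data[:4] == INES_MAGIC or not ines_layout_matches(data):
        return data
    return INES_MAGIC + data[4:]


def make_sample(magic: bytes = b"ROM") -> bytes:
    """Constructed test image: 2 PRG banks, 1 CHR bank, no trainer."""
    header = magic + b"\x1a" + bytes([2, 1, 0]) + bytes(9)
    return header + bytes(2 * PRG_BANK + 1 * CHR_BANK)


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else make_sample()
    fixed = repair_magic(blob)
    print("magic before:", blob[:4], "after:", fixed[:4])
    if path and fixed != blob:
        open(path + ".nes", "wb").write(fixed)
```

Run with a file path, it writes the repaired copy next to the original with a .nes suffix; run without arguments, it uses the constructed sample.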
To play the ROM, I installed fceux with sudo pacman -Syu fceux. The result of playing the ROM is pictured below.