BSides CHS Artifact

A walkthrough of Artifact from BSCHS 2017.

November 13, 2017 - 2 minute read -
bschs misc

The artifact challenge from the EVERSEC CTF was one that we spent a lot of spare time on but couldn’t quite figure it out.

Download the challenge here.

After downloading it, you can see that the file command can’t identify it as anything in particular. I opened it up and noted that the file header said “ROM” but wasn’t sure how to actually play the ROM, so I moved on.

[EVERSEC]λ file bWFyaTA
bWFyaTA: data

My go-to after getting a file like this is to use binwalk on it.

[EVERSEC]λ binwalk bWFyaTA 

22758   0x58E6      MySQL MISAM compressed data file Version 7

After seeing this, I thought it would be a challenge where we had to import a MySQL data file, reconstruct the header, and export the valid info. I was dead-set on this after seeing the previous binwalk output.

I found this Stack Overflow post and used the solution to extract the MySQL file.

[EVERSEC]λ binwalk --dd='.*' bWFyaTA

[_bWFyaTA.extracted]λ file 58E6 
58E6: MySQL MyISAM index file Version 7, 32896 key parts, 32896 unique key parts, 128 keys, 217020518514230271 records, -65022 deleted records

At this point, I spent an egregious amount of time trying to get this file into a MySQL database to no avail. It is after all just the index file and not the actual data for the database, so it only contains the headers.

At this point, I hadn’t made any progress when a teammate suggested that we should start looking for ways to play this ROM file. He got as far as downloaded an NES emulator but was still unable to play the file.

The solution? Change the header (“ROM”) to “NES”.

Yep. That’s the entire challenge. Change the header and play the ROM. In hindsight, it’s insane we missed this, but in the heat of the competition we were greatly overthinking some things.

To play the ROM, I installed fceux with sudo pacman -Syu fceux. The result of playing the ROM is pictured below.

Artifact Flag