Tags: forensics recovery 

This is CTF Gandalf, presenting a new writeup of Hackover CTF 2018's `UnbreakMyStart` challenge.

In this challenge, we're presented with a file called `unbreak_my_start.tar.xz`.

Trying to extract the file fails with `unxz: unbreak_my_start.tar.xz: File format not recognized`. Maybe it is not an xz file at all?

`file` recognizes it, or rather fails to, reporting only `data`. It's only 195 bytes large, so we'll take a look at it as a hexdump:
```
00000000 50 4b 03 04 14 00 08 00 08 00 04 e6 d6 b4 46 02 |PK............F.|
00000010 00 21 01 16 00 00 00 74 2f e5 a3 e0 07 ff 00 7d |.!.....t/......}|
00000020 5d 00 33 1b 08 47 54 72 23 20 a8 d7 45 d4 9a e8 |].3..GTr# ..E...|
00000030 3a 57 13 9f 49 3f c6 34 89 05 8c 4f 0b c6 3b 67 |:W..I?.4...O..;g|
00000040 70 28 1a 35 f1 95 ab b0 2e 26 66 6d 8c 92 da 43 |p(.5.....&fm...C|
00000050 11 e1 10 ac 44 96 e2 ed 36 cf 9c 99 af e6 5a 8e |....D...6.....Z.|
00000060 31 1e cb 99 f4 be 6d ca 94 3c 44 10 88 73 42 8a |1.....m..<D..sB.|
00000070 7c 17 f4 7a d1 7d 78 08 b7 e4 22 b8 ec 19 92 75 ||..z.}x..."....u|
00000080 50 73 0c 34 5f 9e 14 ac 19 86 d3 78 7b 79 9f 87 |Ps.4_......x{y..|
00000090 06 23 73 69 43 72 19 da 6e 33 02 17 7f 8d 00 00 |.#siCr..n3......|
000000a0 00 00 00 1c 0f 1d fe bd b4 36 8c 00 01 99 01 80 |.........6......|
000000b0 10 00 00 ad af 23 35 b1 c4 67 fb 02 00 00 00 00 |.....#5..g......|
000000c0 04 59 5a |.YZ|
```

Let's compare it to a normal .tar.xz of a small file; mine contains a single uppercase 'A':
```
00000000 fd 37 7a 58 5a 00 00 04 e6 d6 b4 46 02 00 21 01 |.7zXZ......F..!.|
00000010 16 00 00 00 74 2f e5 a3 e0 27 ff 00 6f 5d 00 3a |....t/...'..o].:|
00000020 19 4a ce 1b b0 fb 0a cc 4b 4b ab 9f 33 83 e6 02 |.J......KK..3...|
00000030 e8 c7 e3 f5 50 6b c7 64 e3 cb 2b 3a 1f 14 fa 05 |....Pk.d..+:....|
00000040 d5 d9 30 1c 5d 6c 3d ab 80 b3 e6 4f 0b 2e 1a b9 |..0.]l=....O....|
00000050 87 7f 04 13 dc 13 c5 b7 a3 bd 0a 50 f7 9e 06 c5 |...........P....|
00000060 c6 4c db 83 27 e5 f1 d6 87 35 36 24 5b bf ad b7 |.L..'....56$[...|
00000070 ad ac 34 fc fc 32 6c 2f 77 0c ec 4f e8 0f 30 eb |..4..2l/w..O..0.|
00000080 b3 e3 2c 0e 56 21 cb 38 f6 4e a5 01 53 00 00 00 |..,.V!.8.N..S...|
00000090 73 fb 79 24 a1 ce 4a 6d 00 01 8b 01 80 50 00 00 |s.y$..Jm.....P..|
000000a0 fd 81 a7 0b b1 c4 67 fb 02 00 00 00 00 04 59 5a |......g.......YZ|
```

A little knowledge of the XZ format, and those two dumps side by side, verifies that this is in fact at least part of an XZ file: it ends with the bytes `04 59 5a` (the second stream-flags byte followed by the footer magic `YZ`), exactly like the normal file, and from offset `0x0a` on (`04 e6 d6 b4 46 02 00 21 01 ...`) the bytes line up with the normal file from offset `0x07`. What is broken is the XZ stream header: the magic `fd 37 7a 58 5a 00` is missing, and the file instead begins with `50 4b 03 04`, the signature of a ZIP local file header.

To repair this file, we use a small Ruby script we came up with:
```ruby
# Open the broken archive for reading and a new file for writing, both in binary mode.
File.open "unbreak_my_start.tar.xz", "r:ASCII-8BIT" do |data|
  File.open "new.tar.xz", "w:ASCII-8BIT" do |n|
    # Skip the first 14 bytes: the bogus "PK" prefix plus the surviving header
    # bytes that we re-emit below.
    data.seek 14
    # Write a known-good XZ stream header: magic, stream flags 00 04 (CRC64 check)
    # and the first three bytes of the flags' CRC32; the fourth CRC byte (46) is
    # still intact at offset 14 of the broken file.
    n.write "\xfd\x37\x7a\x58\x5a\x00\x00\x04\xe6\xd6\xb4"
    # Everything from offset 14 on is copied through unchanged.
    n.write data.read
  end
end
```

This script opens both the broken file we started with and a new output file. It then seeks past the broken header and writes our own header in front of the rest; for that we took the header bytes of the normal file used for the initial comparison (the magic, the stream flags and the first three bytes of the flags' CRC32; the fourth CRC byte is still intact at offset 14 of the broken file).
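As an added example (not part of the original writeup), here is the same repair generalized a little in Ruby: the stream footer survived intact, and it carries the stream flags plus a CRC32 we can verify, so the exact 12-byte stream header is known; the script then finds the longest surviving tail of that header near the start of the file and splices the full header in front of whatever follows it. The challenge bytes are transcribed from the hexdump above; the function and constant names are my own.

```ruby
require 'zlib'

XZ_HEADER_MAGIC = [0xFD, 0x37, 0x7A, 0x58, 0x5A, 0x00].pack('C*')

# The 195-byte challenge file, transcribed from the hexdump above (constructed input).
BROKEN = [%w[
  504b030414000800080004e6d6b44602 00210116000000742fe5a3e007ff007d
  5d00331b084754722320a8d745d49ae8 3a57139f493fc63489058c4f0bc63b67
  70281a35f195abb02e26666d8c92da43 11e110ac4496e2ed36cf9c99afe65a8e
  311ecb99f4be6dca943c44108873428a 7c17f47ad17d7808b7e422b8ec199275
  50730c345f9e14ac1986d3787b799f87 06237369437219da6e3302177f8d0000
  0000001c0f1dfebdb4368c0001990180 100000adaf2335b1c467fb0200000000
  04595a
].join].pack('H*')

# Stream footer (last 12 bytes): CRC32 | backward size | stream flags | "YZ".
# The CRC32 covers backward size and stream flags; returns nil if either check fails.
def parse_xz_footer(data)
  footer = data.byteslice(-12, 12)
  return nil unless footer && footer.byteslice(10, 2) == 'YZ'
  return nil unless footer.byteslice(0, 4).unpack1('V') == Zlib.crc32(footer.byteslice(4, 6))
  { backward_size: (footer.byteslice(4, 4).unpack1('V') + 1) * 4,
    stream_flags: footer.byteslice(8, 2) }
end

# Stream header (first 12 bytes): magic | stream flags | CRC32(stream flags), little-endian.
def build_xz_header(stream_flags)
  XZ_HEADER_MAGIC + stream_flags + [Zlib.crc32(stream_flags)].pack('V')
end

# The intact footer tells us the stream flags, so the exact header bytes are known.
# Find the longest tail of that header surviving near the start of the file and
# splice the full header in front of what follows it; an intact header is a no-op.
def repair_xz_prefix(broken, search_window: 64)
  footer = parse_xz_footer(broken) or raise 'footer damaged too: cannot recover stream flags'
  expected = build_xz_header(footer[:stream_flags])
  window = broken.byteslice(0, search_window)
  (0..expected.bytesize - 2).each do |k|          # require a tail of at least 2 bytes
    tail = expected.byteslice(k, expected.bytesize)
    pos = window.index(tail)
    return expected + broken.byteslice(pos + tail.bytesize, broken.bytesize) if pos
  end
  raise 'no remnant of the stream header found'
end

File.binwrite('new.tar.xz', repair_xz_prefix(BROKEN)) if $PROGRAM_NAME == __FILE__
```

For the challenge file this produces byte for byte what the script above writes; it additionally refuses to guess when the footer CRC does not verify.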

Now we end up with a `new.tar.xz` file, which we can successfully extract!

```
> bsdtar xvf new.tar.xz
x flag.txt
```

And there's our flag.

```
> cat flag.txt
hackover18{U_f0und_th3_B3st_V3rs10n}
```

That's it. Hope you enjoyed reading this writeup.

__CTF Gandalf__