# Red Joker Write-Up
### Presented to you by [Team 0x194](https://0x194.com/writeup/Metasploit%20Community%20CTF%202020/Red_Joker/).
Copyright © 2020 Team 0x194. Some Rights Reserved.
This work is licensed under a [Creative Commons Attribution-ShareAlike 4.0 International License](http://creativecommons.org/licenses/by-sa/4.0/)
For attribution, we would appreciate it if you also included a link to our [original write-up](https://0x194.com/writeup/Metasploit%20Community%20CTF%202020/Red_Joker/).
-----
This challenge can be found on port 9007.
Visit the website on port 9007 to download a corrupted zip file, `red_joker.zip`.
Since the archive file is corrupted, we cannot open it and unzip it normally. Now, let's examine it with a hex editor. Open it and search for the bytes `50 4B 03 04` (in hex), which is the signature for a zip file entry. It is highlighted in red in the following screenshot.
![Screenshot](https://0x194.com/img/write-ups/Metasploit%20Community%20CTF%202020/Red%20Joker/zip_hex.png)
OK! Now we've found the file entry for `joker_red.png`. If we look at the header of this entry, we can see that both the compressed file size and the original file size are `1E 02 01 00` (highlighted in blue; the field is little-endian, so the value is `0x0001021E`), which indicates that the file is merely _stored_ in the zip, uncompressed.
Now that we've located the file entry (and thus where the data area starts) and the size of the data area, what's left is very straightforward.
```python
>>> hex(0x000015FD + 0x0001021E - 1)
'0x1181a'
```
We calculate the byte offsets of the data area containing the bytes of the image, and extract it. The data area runs from offset `00 00 15 FD` to `00 01 18 1A`.
Here is our flag! Let's calculate its checksum and submit it!
```console
$ md5sum red_joker.png
ded8965ad103400300b7180b42f55e28 red_joker.png
```
![Red Joker](https://0x194.com/img/write-ups/Metasploit%20Community%20CTF%202020/Red%20Joker/red_joker.png)
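The manual steps above generalise to a small carver: find each local file header, read the little-endian sizes and the name/extra-field lengths, and slice out the data of stored entries. This is an added example, not part of the original write-up; the sample archive built by `make_corrupted_zip` is constructed for the demonstration, and the CRC-32 check is an extra verification the write-up does not perform.

```python
import io
import struct
import zipfile
import zlib

LFH_SIG = b"PK\x03\x04"      # 50 4B 03 04, local file header signature
LFH_FMT = "<4sHHHHHIIIHH"    # fixed 30-byte header; all integers little-endian


def carve_stored_entries(blob):
    """Scan for local file headers; return {name: (first, last, data, crc_ok)}."""
    found = {}
    pos = blob.find(LFH_SIG)
    while pos != -1 and pos + 30 <= len(blob):
        (_sig, _ver, flags, method, _time, _date, crc, csize, usize,
         name_len, extra_len) = struct.unpack(LFH_FMT, blob[pos:pos + 30])
        name = blob[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
        first = pos + 30 + name_len + extra_len   # data follows name and extra field
        last = first + csize - 1                  # inclusive, as in the write-up
        nxt = pos + 4
        # Header sizes are only trustworthy for stored entries without a
        # data descriptor (flag bit 3) that fit inside the file.
        if method == 0 and csize == usize and not flags & 0x08 and last < len(blob):
            data = blob[first:last + 1]
            found[name] = (first, last, data, zlib.crc32(data) == crc)
            nxt = last + 1                        # skip payload to avoid false hits
        pos = blob.find(LFH_SIG, nxt)
    return found


def make_corrupted_zip():
    """Constructed sample: one stored entry, central directory and end record wiped."""
    payload = b"\x89PNG\r\n\x1a\n" + bytes(range(256)) * 4   # stand-in, not a real image
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("joker_red.png", payload)
    raw = bytearray(buf.getvalue())
    cd = raw.find(b"PK\x01\x02")                 # central directory header signature
    raw[cd:] = bytes(len(raw) - cd)
    return bytes(raw), payload


if __name__ == "__main__":
    raw, payload = make_corrupted_zip()
    for name, (first, last, data, ok) in carve_stored_entries(raw).items():
        print(f"{name}: 0x{first:08X}-0x{last:08X}, {len(data)} bytes, crc_ok={ok}")
```

A `crc_ok` of `False` means the carved range does not match the CRC-32 recorded in the header, so the offsets or the data itself are damaged.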
### Some Useful Resources
- Buchholz, Florian. "The structure of a PKZip file." [users.cs.jmu.edu/buchhofp/forensics/formats/pkzip.html](https://users.cs.jmu.edu/buchhofp/forensics/formats/pkzip.html)
Nice write up and one that I will keep in my notes. I initially used foremost and it extracted the image.
K
@kartibok Thank you! I didn't know about foremost before, thanks for sharing!