Exploitation

The file command reports the image as 512 x 256, which shows that it is cut in half.

┌──(m0nk3y@kali)-[~/DH/broken-png]
└─$ file image.png
image.png: PNG image data, 512 x 256, 8-bit/color RGBA, non-interlaced

With hexeditor I’ll change the height from 0x100 to 0x200, which sets the image height to 512.

┌──(m0nk3y@kali)-[~/DH/broken-png]
└─$ cmp -l image.png.bak image.png
   23   1   2

After the bit modification, we can check that the file height has been successfully changed to 512px and the image is no longer corrupt.

┌──(m0nk3y@kali)-[~/DH/broken-png]
└─$ pngcheck image.png
OK: image.png (512x512, 32-bit RGB+alpha, non-interlaced, 98.7%).
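The manual edit above can be generalized: when the height field in IHDR is wrong but the chunk's stored CRC-32 was computed over the original header, the true height is the one value that makes the CRC match. The following is an added example, not part of the original write-up; the function names and the constructed sample header are assumptions, and it only works if the stored IHDR CRC still reflects the real dimensions.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def make_ihdr(width, height, crc_height=None):
    """Build signature + IHDR chunk; the CRC may be computed for another height."""
    def body(h):
        # 8-bit depth, colour type 6 (RGBA), no interlace, as in the file output
        return b"IHDR" + struct.pack(">IIBBBBB", width, h, 8, 6, 0, 0, 0)
    crc = zlib.crc32(body(height if crc_height is None else crc_height))
    return PNG_SIG + struct.pack(">I", 13) + body(height) + struct.pack(">I", crc)

def parse_ihdr(data):
    """Return (width, height, stored_crc, crc_ok) for the leading IHDR chunk."""
    if data[:8] != PNG_SIG or data[12:16] != b"IHDR":
        raise ValueError("not a PNG with a leading IHDR chunk")
    if struct.unpack(">I", data[8:12])[0] != 13 or len(data) < 33:
        raise ValueError("truncated or malformed IHDR")
    width, height = struct.unpack(">II", data[16:24])
    stored = struct.unpack(">I", data[29:33])[0]
    # The CRC covers the chunk type and data: file offsets 12..28
    return width, height, stored, zlib.crc32(data[12:29]) == stored

def recover_height(data, max_height=4096):
    """Return the height whose IHDR CRC equals the stored CRC, or None."""
    width, height, stored, ok = parse_ihdr(data)
    if ok:
        return height
    for h in range(1, max_height + 1):
        candidate = data[12:20] + struct.pack(">I", h) + data[24:29]
        if zlib.crc32(candidate) == stored:
            return h
    return None

def patch_height(data, height):
    """Return a copy with the big-endian height field (offsets 20-23) rewritten."""
    return data[:20] + struct.pack(">I", height) + data[24:]

# Constructed sample: header claims 512x256, CRC was computed for 512x512.
SAMPLE = make_ihdr(512, 256, crc_height=512)

if __name__ == "__main__":
    fixed = patch_height(SAMPLE, recover_height(SAMPLE))
    print(parse_ihdr(SAMPLE), "->", parse_ihdr(fixed))
```

On the constructed sample the only byte that differs after patching is the one cmp -l reports at position 23 (1-based), going from 1 to 2.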

Post Exploitation

After successful exploitation, I’m able to view the flag.