Lost Flag
1 minute to read
We have a ZIP file called flag.zip that contains a JPEG image and also a .DS_Store file, which is a temporary file for macOS machines:
$ file flag.zip
flag.zip: Zip archive data, at least v2.0 to extract, compression method=store
$ unzip -v flag.zip
Archive: flag.zip
Length Method Size Cmpr Date Time CRC-32 Name
-------- ------ ------- ---- ---------- ----- -------- ----
0 Stored 0 0% 07-03-2022 05:49 00000000 flag/
86710 Defl:N 86391 0% 07-03-2022 05:29 a0cfb753 flag/flag.jpg
719 Defl:N 419 42% 07-03-2022 05:29 58f33cf2 __MACOSX/flag/._flag.jpg
6148 Defl:N 283 95% 07-03-2022 05:48 c093d238 flag/.DS_Store
120 Defl:N 53 56% 07-03-2022 05:48 38c0880b __MACOSX/flag/._.DS_Store
-------- ------- --- -------
93697 87146 7% 5 files
$ unzip flag.zip
Archive: flag.zip
creating: flag/
inflating: flag/flag.jpg
inflating: __MACOSX/flag/._flag.jpg
inflating: flag/.DS_Store
inflating: __MACOSX/flag/._.DS_Store
These temporary files contain useful information about directories and filenames. We can extract the information simply using cat:
$ cat flag/.DS_Store
.jpgIloflag.jpgIlocblob�������!ictf{mac_is_better_than_templeos}Ilocblob��������
@� @ @ @
DSDB ` @ @ @
Or we can use a tool called Python-dsstore:
$ python3 main.py flag/.DS_Store
Count: 2
flag.jpg
ictf{mac_is_better_than_templeos}