Magnet Weekly CTF — Week 3

Cargo Hold

The question asked “Which exit did the device user pass by that could have been taken for Cargo?”

OK, so it’s definitely there. Why aren’t my carving tools working?
MVIMG_20200307_130326.jpg
> grep --byte-offset -a -o ftyp MVIMG_20200307_130326.jpg
1427339:ftyp
dd if=MVIMG_20200307_130326.jpg bs=1427335 skip=1 of=326.mp4
ffmpeg -i 326.mp4 326_fixed.mp4

Question Ambiguity

I felt the question in this case was a little ambiguous because from the frame above the answer could be:

  • Sor-Gardemoen
  • Gardemoen Vest
  • Kulturpark
  • E16

Next Level

This was slightly manual, so I automated a bit of it:

for f in `ls MVIMG*`; 
do offset=$(grep --byte-offset -a -o ftyp $f | cut -d':' -f1 );
of=$(($offset-4)); base=$(basename $f);
dd if=$f bs=$of skip=1 of=/tmp/$base.mp4;
done

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store