Description
Download the file and find the flag. Analyze the non-standard binary.
Setup
Download the file.
wget <url>/b1g_macchmod +x b1g_macSolution
Walk me through it- Step 1Identify the file typeRun file, xxd, and strings on the downloaded file. It may be a non-standard format, a multi-architecture binary, or have embedded data. binwalk can detect embedded file systems or archives.bash
file b1g_macbashxxd b1g_mac | head -10bashstrings b1g_mac | head -40bashbinwalk b1g_macLearn more
The
filecommand reads the magic bytes at the beginning of a file to identify its type.binwalkscans the entire file for embedded signatures of known file types - useful for finding hidden archives, images, or executables concatenated onto another file. - Step 2Extract embedded content if presentIf binwalk finds embedded files, extract them with binwalk -e. Then examine each extracted file for the flag.bash
binwalk -e b1g_macbashls _b1g_mac.extracted/bashstrings _b1g_mac.extracted/* | grep picoCTFLearn more
Files can be concatenated in many ways: a JPEG with a ZIP appended at the end, a PNG with extra data after the IEND chunk, or an ELF binary with a tar archive in its data section. binwalk handles all of these by scanning for magic bytes throughout the file.
- Step 3Run and/or decompileIf it is an executable, run it and note the output. If it requires deeper analysis, load it in Ghidra. The flag may be printed at runtime or hardcoded as a string.bash
./b1g_macbashghidra b1g_mac &Learn more
Mach-O is Apple's executable format (used on macOS and iOS). If the file is a Mach-O binary, you can analyze it on Linux using tools like
jtool2or in Ghidra which supports Mach-O format. The challenge name 'B1g_Mac' hints at a macOS connection.
Flag
picoCTF{...}
Use file, strings, and binwalk to identify the format and extract embedded data or run the binary to find the flag.