Blast from the past

Published: April 3, 2024

Description

The judge for these pictures is a real fan of antiques. Can you age this photo to the specifications? Set the timestamps on this picture to 1970:01:01 00:00:00.001+00:00 with as much precision as possible for each timestamp. In this example, +00:00 is a timezone adjustment. Any timezone is acceptable as long as the time is equivalent. As an example, this timestamp is acceptable as well: 1969:12:31 19:00:00.001-05:00. For timestamps without a timezone adjustment, put them in GMT time (+00:00). The checker program provides the timestamp needed for each.

EXIF editing

Download original.jpg, rename it to original_modified.jpg, and keep a backup.

Install exiftool and a hex editor (Bless works well on Linux).

wget https://artifacts.picoctf.net/c_mimas/91/original.jpg -O original_modified.jpg && \
exiftool -AllDates='1970:01:01 00:00:00.001' original_modified.jpg

Solution

  1. Step 1: Set EXIF sub-second fields
    Use exiftool to set SubSecCreateDate, SubSecDateTimeOriginal, and SubSecModifyDate to 1970:01:01 00:00:00.001. The checker verifies each field independently.
    exiftool -SubSecCreateDate='1970:01:01 00:00:00.001' \
      -SubSecDateTimeOriginal='1970:01:01 00:00:00.001' \
      -SubSecModifyDate='1970:01:01 00:00:00.001' original_modified.jpg

    EXIF (Exchangeable Image File Format) is a standard that embeds metadata inside JPEG, TIFF, and other image formats. Every digital camera and smartphone writes dozens of fields - shutter speed, GPS coordinates, camera model, and multiple timestamp fields - directly into the image file before any pixel data.

    Timestamps in EXIF are stored in several distinct fields: DateTimeOriginal (when the shutter fired), CreateDate (when the file was created), and ModifyDate (last edit). Samsung and other manufacturers add proprietary vendor blocks with their own timestamp fields, making complete timestamp manipulation non-trivial.

    exiftool is the de-facto standard for reading and writing EXIF data. -AllDates is a shortcut tag that writes DateTimeOriginal, CreateDate, and ModifyDate in one command, but sub-second and vendor-specific fields (like Samsung's Image_UTC_Data) require explicit targeting. Unix epoch 0 (1970:01:01 00:00:00) plus 1 millisecond is a common forensics timestamp target because it represents the very beginning of Unix time.

    In digital forensics, timestamps are crucial evidence. Investigators compare EXIF timestamps against file-system timestamps (mtime, atime, ctime) and network logs to establish timelines. Knowing how to manipulate - and detect manipulation of - these fields is a core skill in both offensive and defensive forensic analysis.

  2. Step 2: Patch Samsung:TimeStamp
    Samsung embeds Image_UTC_Data########### near the end of the file. Open the JPEG in Bless, locate Image_UTC_Data1700513181420, and replace the digits with 0000000000001 (epoch +1 ms).

    Many Android manufacturers embed proprietary metadata blocks in JPEG files that sit outside the standard EXIF IFD (Image File Directory) structure. Samsung's Image_UTC_Data block stores a Unix timestamp in milliseconds as a plain decimal ASCII string embedded in the file's binary data.

    Because this field is non-standard, tools like exiftool may not write it by default. A hex editor like Bless (Linux) or HxD (Windows) lets you open the raw bytes of the file, search for the known ASCII prefix Image_UTC_Data, and overwrite just the digit string in-place - keeping the overall file size identical, which avoids corrupting the JPEG structure.

    The target value 0000000000001 represents 1 millisecond past Unix epoch (January 1, 1970, 00:00:00.001 UTC), matching the other EXIF timestamp fields. When patching binary data, always ensure replacement strings have the exact same byte length as the original to avoid shifting subsequent data and breaking the file format.

    This technique - finding and patching known byte patterns in binary files - is widely used in reverse engineering, game modding, and firmware analysis. Tools like grep -b (byte-offset grep) or Python's bytes.find() can locate the pattern programmatically instead of using a GUI hex editor.

  3. Step 3: Submit and verify
    Pipe the modified file to the uploader, then run the checker to confirm every timestamp matches.
    nc -w 2 mimas.picoctf.net 57925 < original_modified.jpg \
      && nc -d mimas.picoctf.net 50499

    netcat (nc) is a versatile networking utility often called the "Swiss army knife of networking." The < redirection feeds the file's raw bytes directly into the TCP stream, which is exactly how binary file upload services typically work over raw sockets.

    The -w 2 flag sets a 2-second idle timeout, preventing netcat from hanging after the server stops sending data. For binary uploads, the server reads all incoming bytes until the connection closes (EOF), so feeding the file in with input redirection is an idiomatic way to send it.

    Using two separate netcat connections - one to upload, one to check - mirrors a common CTF pattern where submission and verification are on different ports. In real-world security assessments, similar raw socket techniques are used to test custom protocols, upload files to embedded devices, or probe services that don't speak HTTP.
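
Step 2's hex-editor patch can also be done programmatically with bytes.find(), as that step mentions. The script below is an added example, not part of the original writeup: it locates every Image_UTC_Data marker, decodes the millisecond value, and overwrites the digits in place at the same width. SAMPLE is a constructed byte string standing in for the JPEG, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

PREFIX = b"Image_UTC_Data"  # ASCII marker named in the writeup
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def find_utc_data(blob: bytes) -> list:
    """Return (offset_of_digits, digit_bytes) for every marker in the file."""
    hits, pos = [], blob.find(PREFIX)
    while pos != -1:
        start = pos + len(PREFIX)
        m = re.match(rb"\d+", blob[start:start + 32])
        if m:  # a marker with no digits after it is ignored
            hits.append((start, m.group()))
        pos = blob.find(PREFIX, start)
    return hits


def as_utc(digits: bytes) -> str:
    """Decode the decimal millisecond count without float rounding."""
    when = EPOCH + timedelta(milliseconds=int(digits))
    return when.isoformat(timespec="milliseconds")


def patch_utc_data(blob: bytes, epoch_ms: int) -> bytes:
    """Overwrite each digit run in place, zero-padded to the original width."""
    hits = find_utc_data(blob)
    if not hits or epoch_ms < 0:
        raise ValueError("no marker found, or negative timestamp")
    out = bytearray(blob)
    for start, digits in hits:
        new = str(epoch_ms).encode().rjust(len(digits), b"0")
        if len(new) != len(digits):  # would shift every byte after the field
            raise ValueError("replacement is wider than the original field")
        out[start:start + len(digits)] = new
    return bytes(out)


# Constructed stand-in for a JPEG with a Samsung trailer (not the challenge file).
SAMPLE = (b"\xff\xd8" + b"\x00" * 16 + b"\xff\xd9"
          + b"....Image_UTC_Data1700513181420\x00\x00tail")

if __name__ == "__main__":
    for off, digits in find_utc_data(SAMPLE):
        print(f"before: offset {off}: {digits.decode()} = {as_utc(digits)}")
    patched = patch_utc_data(SAMPLE, 1)
    for off, digits in find_utc_data(patched):
        print(f"after:  offset {off}: {digits.decode()} = {as_utc(digits)}")
    print("size unchanged:", len(patched) == len(SAMPLE))
```

The same find_utc_data() and as_utc() pair is useful on the analysis side: a vendor timestamp that disagrees with the EXIF date fields, or that decodes to the epoch, is a sign the metadata has been edited.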

Flag

picoCTF{71m3_7r4v311ng_p1c7ur3_12e0...}

Once every timestamp reads 1970:01:01 00:00:00.001, the checker returns the flag above.
