Blast from the past picoCTF 2024 Solution

Published: April 3, 2024

Description

The judge for these pictures is a real fan of antiques. Can you age this photo to the specifications? Set the timestamps on this picture to 1970:01:01 00:00:00.001+00:00 with as much precision as possible for each timestamp. In this example, +00:00 is a timezone adjustment. Any timezone is acceptable as long as the time is equivalent. As an example, this timestamp is acceptable as well: 1969:12:31 19:00:00.001-05:00. For timestamps without a timezone adjustment, put them in GMT time (+00:00). The checker program provides the timestamp needed for each.

EXIF editing

Download original.jpg, rename it to original_modified.jpg, and keep a backup.

Install exiftool and a hex editor (Bless works well on Linux).

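```bash
# Keep original.jpg as the untouched backup and edit a copy
wget https://artifacts.picoctf.net/c_mimas/91/original.jpg -O original.jpg && \
cp original.jpg original_modified.jpg && \
exiftool -AllDates='1970:01:01 00:00:00.001' original_modified.jpg
```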
  1. Step 1: Set EXIF sub-second fields
    Use exiftool to set SubSecCreateDate, SubSecDateTimeOriginal, and SubSecModifyDate to 1970:01:01 00:00:00.001. The checker verifies each field independently.
    ```bash
    exiftool -SubSecCreateDate='1970:01:01 00:00:00.001' \
      -SubSecDateTimeOriginal='1970:01:01 00:00:00.001' \
      -SubSecModifyDate='1970:01:01 00:00:00.001' original_modified.jpg
    ```
    Learn more

    EXIF (Exchangeable Image File Format) embeds metadata inside JPEG, TIFF, and other image formats. Every camera and smartphone writes dozens of fields (shutter speed, GPS, camera model, multiple timestamps) into the file before the pixel data.

    Timestamps live in several fields: DateTimeOriginal (when the shutter fired), CreateDate (file creation), and ModifyDate (last edit). The -AllDates flag covers these standard EXIF fields in one shot, but it skips Samsung-proprietary blocks like Image_UTC_Data, which is why hex editing is needed in the next step.

    In digital forensics, timestamps are crucial evidence. Investigators compare EXIF timestamps against file-system timestamps (mtime, atime, ctime) and network logs to build timelines. Knowing how to manipulate (and detect manipulation of) these fields is a core skill on both sides.

  2. Step 2: Patch Samsung:TimeStamp
    Open the JPEG in Bless. Search for the ASCII string Image_UTC_Data; the 13-digit number that follows it (e.g. 1700513181420) is the millisecond timestamp. Replace the digits with 0000000000001 (epoch + 1 ms), keeping the byte length identical.
    Learn more

    Many Android manufacturers embed proprietary metadata blocks in JPEG files that sit outside the standard EXIF IFD structure. Samsung's Image_UTC_Data block stores a Unix timestamp in milliseconds as a plain decimal ASCII string embedded in the file's bytes.

    To find the field in a hex editor, search for the ASCII string Image_UTC_Data. The 13-digit decimal number immediately after the label is the millisecond timestamp. Overwrite just those digits in place so the file size stays identical; otherwise the JPEG offsets shift and the structure breaks.

    The target value 0000000000001 is 1 millisecond past Unix epoch (1970-01-01 00:00:00.001 UTC), matching the EXIF fields you set in the previous step. Tools like grep -b (byte-offset grep) or Python's bytes.find() can locate the pattern programmatically if you prefer scripting to a GUI hex editor.

  3. Step 3: Submit and verify
    Redirect the modified file into the uploader port, then connect to the checker. Once every timestamp reads 1970:01:01 00:00:00.001, the checker prints the flag.
    ```bash
    nc -w 2 mimas.picoctf.net 57925 < original_modified.jpg \
      && nc -d mimas.picoctf.net 50499
    ```
    Learn more

    netcat (nc) is the Swiss army knife of networking. The < redirection feeds the file's raw bytes directly into the TCP stream, which is how binary upload services typically work over a raw socket.

    -w 2 sets a 2-second idle timeout so netcat doesn't hang after the server stops sending data. -d tells netcat not to read from stdin (no keyboard input expected), which prevents the second connection from waiting on terminal input that will never come.

    Using two separate netcat connections (one to upload, one to check) is a common CTF pattern where submission and verification run on different ports. The same raw socket pattern shows up in real assessments when probing custom protocols or pushing files to embedded devices.
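Step 2 can also be scripted, as the text suggests with Python's byte searching. The following is an added example, not code from the original writeup: it locates the 13-digit value after Image_UTC_Data, decodes it, and overwrites it in place without changing the file length. The sample bytes are constructed and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

LABEL = b"Image_UTC_Data"
# Label followed by exactly 13 ASCII digits (millisecond Unix timestamp)
FIELD = re.compile(re.escape(LABEL) + rb"(\d{13})(?!\d)")

# Constructed sample bytes standing in for a JPEG with a trailing
# Image_UTC_Data block; this is NOT the challenge file.
SAMPLE = (b"\xff\xd8\xff\xe1fake-exif\xff\xd9" + b"\x00\x00\x01\x0a"
          + LABEL + b"1700513181420" + b"\x00tail")


def find_utc_fields(data):
    """Return [(offset_of_digits, ms_value)] for every labelled field."""
    return [(m.start(1), int(m.group(1))) for m in FIELD.finditer(data)]


def ms_to_utc(ms):
    """Decode a millisecond Unix timestamp using integer arithmetic."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return (epoch + timedelta(milliseconds=ms)).isoformat(timespec="milliseconds")


def patch_utc_fields(data, ms):
    """Overwrite each field with ms, zero-padded to 13 digits, same length."""
    if not 0 <= ms < 10**13:
        raise ValueError("value does not fit in 13 decimal digits")
    hits = find_utc_fields(data)
    if not hits:
        raise ValueError("no Image_UTC_Data field with a 13-digit value found")
    out = bytearray(data)
    new = b"%013d" % ms
    for off, _ in hits:
        out[off:off + 13] = new      # equal-length slice: no offsets shift
    if len(out) != len(data):
        raise RuntimeError("file length changed; refusing to return output")
    return bytes(out)


if __name__ == "__main__":
    for off, ms in find_utc_fields(SAMPLE):
        print(f"before: offset {off}: {ms} -> {ms_to_utc(ms)}")
    patched = patch_utc_fields(SAMPLE, 1)
    for off, ms in find_utc_fields(patched):
        print(f"after:  offset {off}: {ms} -> {ms_to_utc(ms)}")
```

To use it on the real file, read original_modified.jpg in binary mode, pass the bytes to patch_utc_fields(data, 1), and write the result back. The same find_utc_fields output is useful in forensic review for comparing the embedded value against the EXIF dates.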

Flag

picoCTF{71m3_7r4v311ng_p1c7ur3_12e0...}

Once every timestamp reads 1970:01:01 00:00:00.001, the checker returns the flag above.
