endianness-v2

Published: April 3, 2024

Description

Here's a file that was recovered from a 32-bits system that organized the bytes a weird way. We're not even sure what type of file it is. Download it here and see what you can get out of it

CyberChef workflow

Download the provided file (hurt.c).

Open CyberChef (or use a local script) to perform the endianness swap.

wget https://artifacts.picoctf.net/c_titan/85/hurt.c

Solution

This builds on the basic endianness challenge by applying byte-order swapping to forensics. Instead of simple word conversion, you fix a corrupted image file by reversing the byte order within each 32-bit chunk.
  1. Step 1: Convert to hex
    Load the file into CyberChef and run To Hex to view the raw bytes.

    Hex (hexadecimal) representation is the standard way to view raw binary data. Each byte becomes two hex digits (00–FF), making it easy to spot patterns, magic bytes, and structure without needing to know the file format. Every forensics and reversing workflow starts with examining raw bytes.

    CyberChef is a web-based data transformation tool created by GCHQ (UK's intelligence agency). It uses a "recipe" metaphor where you chain operations - much like Unix pipes - to transform data. Operations include encoding/decoding, encryption, compression, file format parsing, and more. It's become indispensable in CTF competitions for quick data manipulation without writing code.

    The file extension .c is misleading - this is a technique called file masquerading, where a file is given an incorrect extension to hide its true type. The correct way to identify a file's type is to examine its magic bytes (the first few bytes that identify the format), not its extension. Commands like file on Linux and TrID on Windows do exactly this.

  2. Step 2: Swap endianness
    Apply Swap Endianness with word length 4 (little ↔ big). Now the magic bytes resemble a valid JPEG header.

    Endianness describes the byte order used to store multi-byte values. In big-endian format (used by network protocols, older Motorola/SPARC processors), the most significant byte comes first. In little-endian format (used by x86/x64, ARM in typical configurations), the least significant byte comes first.

    A 32-bit value like 0x12345678 is stored as 12 34 56 78 in big-endian and 78 56 34 12 in little-endian. This difference is invisible to programs running on the same architecture but becomes critical when transferring binary data between different systems - as this challenge simulates.

    The JPEG magic bytes are FF D8 FF at the start of every valid JPEG file. If the first bytes after swapping look like this pattern, you've confirmed the file format. File carvers and forensics tools use extensive databases of magic byte signatures (such as the one shipped with libmagic) to identify file types independent of their extensions.

    Endianness bugs are a real concern in systems programming, network code, and embedded systems. The htonl() / ntohl() family of C functions ("host-to-network" and "network-to-host" long) exists specifically to convert between host byte order and network byte order (big-endian) when writing socket code.

  3. Step 3: Render the image
    Run From Hex followed by Render Image (Raw) to display the image containing the flag text.

    CyberChef's Render Image (Raw) operation takes raw binary data and displays it as an image directly in the browser, using a data URI. This eliminates the need to save the file to disk and open it in a separate viewer - useful for quick verification during CTF work.

    The From Hex operation converts the hex string back to binary bytes. The full recipe (To Hex → Swap Endianness → From Hex → Render Image) demonstrates CyberChef's power: each operation in a recipe transforms the data and passes it to the next, exactly like Unix pipes.

    The flag being embedded as text in an image is a technique called visual steganography at the most basic level - the data is visible to the eye once the image is rendered, but hidden if you're only looking at the raw (corrupted) bytes. More advanced visual steganography hides data in the LSBs (least significant bits) of pixel values, making it invisible to the naked eye.

    This challenge teaches a valuable forensics workflow: when a file doesn't open or looks corrupted, check its magic bytes, compare to known formats, and consider byte-order issues. Many "corrupted" files in forensics challenges are actually valid files with their byte order swapped, bytes XORed with a constant, or other simple transformations applied.
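The "local script" alternative to the CyberChef recipe, as an added example that is not part of the original writeup: it reverses the bytes in each word, then checks the result against a short magic-byte table. It goes beyond the challenge by trying word lengths 1, 2, 4 and 8; the function names, the signature table and the 13-byte SAMPLE are constructed for illustration.

```python
import sys

# A few well-known magic-byte signatures (not exhaustive).
MAGIC = {
    b"\xff\xd8\xff": "JPEG",
    b"\x89PNG\r\n\x1a\n": "PNG",
    b"%PDF-": "PDF",
    b"PK\x03\x04": "ZIP",
}

# Constructed sample: a 13-byte JFIF header with each 4-byte word reversed.
SAMPLE = bytes.fromhex("e0ffd8ff 464a1000 01004649 01")

def identify(data):
    """Return the format whose signature starts `data`, or None."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return None

def swap_words(data, word_len=4):
    """Reverse the bytes inside every word_len-byte word.
    A trailing partial word is left unchanged (a choice of this example)."""
    full = len(data) - len(data) % word_len
    out = bytearray(data)
    for i in range(word_len):
        out[i:full:word_len] = data[word_len - 1 - i:full:word_len]
    return bytes(out)

def recover(data, word_lens=(1, 2, 4, 8)):
    """Return (word_len, format, fixed_bytes) for the first match, else None."""
    for n in word_lens:
        candidate = swap_words(data, n)
        name = identify(candidate)
        if name:
            return n, name, candidate
    return None

if __name__ == "__main__":
    # Usage: python3 swap.py hurt.c out.jpg   (no arguments: use SAMPLE)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    result = recover(data)
    if result is None:
        sys.exit("no known signature after swapping 1/2/4/8-byte words")
    print(f"word length {result[0]} -> {result[1]}")
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(result[2])
```

A word length of 1 leaves the data unchanged, so a file that already carries a valid signature is reported as such rather than being swapped.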

Flag

picoCTF{cert!f1Ed_iNd!4n_s0rrY_3nDian_76e...}

Swapping each 32-bit word back to big endian renders the image holding the flag.
