Perfect Picture

Writeup for Perfect Picture (Web) - Imaginary (2023) 💜

PreviousLogin NextRoks

Last updated 4 months ago

Perfect Picture

Writeup for Perfect Picture (Web) - Imaginary (2023) 💜

Description

Someone seems awful particular about where their pixels go...

Source code is provided, so let's review it before we check .

Recon

There's 75 LOC in app.py so let's breakdown the important parts.

The storage location of uploaded images and allowed extensions are configured.

app.config['UPLOAD_FOLDER'] = '/dev/shm/uploads/'
app.config['ALLOWED_EXTENSIONS'] = {'png'}

When we upload a file, it splits on a . and looks at the rightmost split (extension). If the lowercase string matches the allowed extension (png) then the filename is allowed.

return '.' in filename and filename.rsplit('.', 1)[1].lower() in app.config['ALLOWED_EXTENSIONS']

Next, a random image name is generated.

img_name = f'{str(random.randint(10000, 99999))}.png'

A check function is called which will first read the flag into a variable.

with open('flag.txt', 'r') as f:
	flag = f.read()

The dimensions of the image must be 690 x 420 (w x h) and specific pixels need match the expected colours.

with Image.open(app.config['UPLOAD_FOLDER'] + uploaded_image) as image:
	w, h = image.size
	if w != 690 or h != 420:
		return 0
	if image.getpixel((412, 309)) != (52, 146, 235, 123):
		return 0
	if image.getpixel((12, 209)) != (42, 16, 125, 231):
		return 0
	if image.getpixel((264, 143)) != (122, 136, 25, 213):
		return 0

Next, exiftool confirms that the metadata is as expected.

if metadata["PNG:Description"] != "jctf{not_the_flag}":
	return 0
if metadata["PNG:Title"] != "kool_pic":
	return 0
if metadata["PNG:Author"] != "anon":
	return 0

If all the checks pass, the flag will be returned!

Solution

OK, so based on our analysis we need to create an image with the following properties:

Dimension (w x h) of 690 x 420
Pixel (412, 309) is (52, 146, 235, 123)
Pixel (12, 209) is (42, 16, 125, 231)
Pixel (264, 143) is (122, 136, 25, 213)
Image description is jctf{not_the_flag}
Image title is kool_pic
Image author is anon

I'm lazy, so asked ChatGPT to make a python script (note: exif packages failed for me, as they were strict on keys so used subprocess with exiftool instead).

from PIL import Image, ImageDraw
import subprocess

# Define the image dimensions
width = 690
height = 420

# Create a blank image with a white background
image = Image.new("RGBA", (width, height), (255, 255, 255, 255))
draw = ImageDraw.Draw(image)

# Set the specified pixel values
pixels = {
    (412, 309): (52, 146, 235, 123),
    (12, 209): (42, 16, 125, 231),
    (264, 143): (122, 136, 25, 213)
}

for (x, y), color in pixels.items():
    draw.point((x, y), fill=color)

# Save the image without metadata
image.save("generated_image.png")

# Close the image
image.close()

# Add image description, title, and author as metadata using exiftool
description = "jctf{not_the_flag}"
title = "kool_pic"
author = "anon"

subprocess.run([
    "exiftool",
    "-Description=" + description,
    "-Author=" + author,
    "-Title=" + title,
    "generated_image.png"
])

We upload the generated image and receive the flag in return.

Flag: ictf{7ruly_th3_n3x7_p1c4ss0_753433}