June 12, 2026
Corrupted File — picoCTF Forensics Writeup by Shreya Tiwari
Challenge: Corrupted File | Category: Forensics | Platform: picoCTF | Difficulty: Easy
The challenge
We're given a single file with no extension and a simple premise — something about it is broken. The hint points us toward the file header bytes. Our job is to figure out what the file is supposed to be and fix it.
This is a classic forensics technique. In real-world incident response, analysts routinely encounter files that have been deliberately mangled by malware to evade detection, or accidentally corrupted during transfer. Knowing how to identify and repair file signatures is a genuine SOC skill.
What are magic bytes?
Every file format has a signature — a fixed sequence of bytes at the very beginning of the file that tells the operating system what type of file it is. These are called magic bytes or file headers. Your OS uses these, not just the file extension, to determine how to open a file.
For example, a JPEG always starts with FF D8 FF. A PNG starts with 89 50 4E 47. A PDF starts with 25 50 44 46. If these bytes are wrong or missing, the file appears corrupted even if everything else is intact.
My approach
I downloaded the file and immediately noticed it had no recognizable extension. First step in any forensics challenge — open it in a hex editor and look at the first few bytes raw.
Opening the file in a hex editor, the first three bytes read: 5C 78 FF
That's not a valid signature for any common file format. The FF at position 3 was suspicious though — JPEG headers start with FF. This felt like the first two bytes had been deliberately changed.
The hint confirmed it: check the file header, and the file is a JPEG.
A quick search for "JPEG magic bytes" confirmed the correct header should be FF D8 FF. So the first two bytes 5C 78 were wrong — they needed to be FF D8.
The fix
In the hex editor, I navigated to offset 0x00 (the very start of the file) and replaced 5C 78 with FF D8, leaving the FF at position 3 untouched since it was already correct.
Saved the file with a .jpg extension and opened it — the image rendered perfectly and the flag was visible in the image.
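The same identify-then-patch workflow as a script, added here as an example (not part of the original writeup). The signature table, the function names, and the sample bytes are my own constructions; the sample mirrors the challenge file, with 5C 78 in place of FF D8 in front of an otherwise normal JFIF segment.

```python
from typing import Optional

# Expected leading bytes (magic) for the formats mentioned in the writeup.
SIGNATURES = {
    "jpeg": bytes.fromhex("FFD8FF"),
    "png":  bytes.fromhex("89504E470D0A1A0A"),
    "pdf":  bytes.fromhex("25504446"),
}

def identify(data: bytes) -> Optional[str]:
    """Return the format whose magic bytes the data starts with (what `file` does), else None."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None

def header_diff(data: bytes, expected: str) -> list:
    """List (offset, found, wanted) for every header byte that differs from the expected magic."""
    magic = SIGNATURES[expected]
    return [
        (i, data[i] if i < len(data) else None, magic[i])
        for i in range(len(magic))
        if i >= len(data) or data[i] != magic[i]
    ]

def looks_like_jpeg_body(data: bytes) -> bool:
    """Corroborate the hint before patching: a JPEG's first segment is normally
    APP0 'JFIF' or APP1 'Exif', whose tag sits at offset 6 after FF D8 FF xx LL LL."""
    return data[6:10] in (b"JFIF", b"Exif")

def repair_header(data: bytes, expected: str) -> bytes:
    """Overwrite only the magic bytes and leave the rest of the file untouched,
    the same edit made at offset 0x00 in the hex editor."""
    magic = SIGNATURES[expected]
    return magic + data[len(magic):]

# Constructed sample: a JPEG whose first two bytes were replaced by 5C 78.
# Everything from offset 2 on is a normal JFIF APP0 segment (FF E0, length 0x10, "JFIF\0", ...).
CORRUPTED = (bytes.fromhex("5C78FF") + bytes.fromhex("E00010")
             + b"JFIF\x00" + bytes.fromhex("0101000001000100"))

if __name__ == "__main__":
    print("identified as:", identify(CORRUPTED))           # None: header is broken
    print("header diff:", header_diff(CORRUPTED, "jpeg"))  # offsets 0 and 1 differ
    if looks_like_jpeg_body(CORRUPTED):                    # structure agrees with the hint
        fixed = repair_header(CORRUPTED, "jpeg")
        print("after repair:", identify(fixed))            # jpeg
```

Checking the JFIF/Exif tag first matters on real evidence: a hint is not available in incident response, so the trailing structure is what justifies rewriting the header.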
Flag: picoCTF{...}
What this teaches us
File extension spoofing is a real attack vector. Malware authors routinely rename executables as .jpg or .pdf to trick users. Conversely, they also corrupt magic bytes to hide malicious files from signature-based scanners. Understanding file signatures is foundational to both malware analysis and digital forensics.
Tools like file on Linux, xxd, and binwalk all rely on magic bytes rather than extensions to identify file types — which is why security analysts trust them over what a file claims to be named.
Tools used
- Hex editor (HxD / GHex / xxd)
- Google (for JPEG magic bytes reference)
If you found this helpful, I write about cybersecurity, CTFs, and my learning journey — follow for more.