CTF_Writeups

Childhood Photo

2026/KICTF/Forensics/Childhood-Photo/Writeup.md

When I first looked at the challenge, there was only one file:

gepj.lanif

The filename immediately felt suspicious. If you reverse it, it becomes final.jpeg. That was the first hint that something wasn’t normal.

Initial Inspection

I checked what kind of file it actually was:

file gepj.lanif
xxd -l 16 gepj.lanif

Surprisingly:

That’s strange because:

Seeing an end marker at the beginning strongly suggests the file is byte-reversed.

Header Inspection

Since the file appeared to be fully reversed, I reversed it byte-by-byte:

perl -0777 -ne 'print scalar reverse $_' gepj.lanif > final.jpeg
file final.jpeg

Now the file was recognized as a valid JPEG image.

This is the image

That confirmed the suspicion — the challenge intentionally reversed the entire file to break the signature.

In CTF challenges, if something works perfectly, it usually means there’s more hidden underneath.

So I searched for multiple JPEG end markers:

grep -oba $'\xff\xd9' final.jpeg
wc -c final.jpeg

Normally, a JPEG should have only one FFD9 marker at the very end.

But here, there was an earlier occurrence before the file actually ended.

That means:

I extracted everything after the first FFD9 marker:

dd if=final.jpeg of=trailing.bin bs=1 skip=138898 status=none
file trailing.bin

Carved File Type

It turned out to be another JPEG.

So I renamed it:

mv trailing.bin childhood.jpg

Opening childhood.jpg revealed the real content of the challenge.

Hidden Image

And there it was — the flag written directly on the image.

KJCTF{r3v3r53d_jp3g_h34d3r_fix3d}

This challenge used two simple but clever tricks:

No heavy steganography. No encryption. Just understanding file structure and thinking logically.

Sometimes the cleanest tricks are the most satisfying to solve.