- Use web developer tools or Burp to capture the source of the index page (Ctrl-A, Ctrl-C).
- Paste that HTML into a new buffer in FileInsight.
- Trim away everything but the suspicious bitstream.
- Select the bitstream (Ctrl-A) and use the Decode tools in the left pane to convert Hex to ASCII (no key).
- Switch the view from Text to Hex to see the file clearly, including the PNG header bytes.
```
89 50 4E 47 0D ... ... .PNG.
```

```
PS C:\malware> sigcheck64 -h .\poof-haha.png
Sigcheck v2.55 - File version and signature viewer
Copyright (C) 2004-2017 Mark Russinovich
Sysinternals - www.sysinternals.com
C:\malware\poof-haha.png:
Verified: Unsigned
File date: 9:05 PM 3/21/2018
Publisher: n/a
Company: n/a
Description: n/a
Product: n/a
Prod version: n/a
File version: n/a
MachineType: n/a
MD5: 242CEEE0E37CA4215A579FC66B700082
SHA1: 52C8765687547EFE46C62CF41DD31894E39DF7B7
PESHA1: 52C8765687547EFE46C62CF41DD31894E39DF7B7
PE256: 8061672BD343518FB8C2CFB0D8ABCE2D774CFB051DDE0EBAB08C029D8F201D24
SHA256: 8061672BD343518FB8C2CFB0D8ABCE2D774CFB051DDE0EBAB08C029D8F201D24
IMP: n/a
```
This should all work fine with Burp's Decoder, but Java was lagging in the workshop, so we switched over to FileInsight. Reasonably clever hackers and cryptopals survivors should be able to script this out quickly in Python, etc.
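Scripted version of the same steps, added here as an example and not part of the workshop material: it finds long hex runs in captured HTML, decodes them, keeps the one that starts with the PNG signature, walks the chunk table, and prints the hashes in the upper-case form sigcheck shows. The HTML and the 1x1 PNG inside it are constructed stand-ins for the real index page and `poof-haha.png`.

```python
import hashlib
import re
import struct
import zlib

PNG_MAGIC = bytes.fromhex("89504E470D0A1A0A")   # the ".PNG...." header bytes
HEX_RUN = re.compile(r"(?:[0-9A-Fa-f]{2}){16,}")  # 32+ hex chars, even length

def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC over type+data."""
    return (struct.pack(">I", len(data)) + ctype + data
            + struct.pack(">I", zlib.crc32(ctype + data)))

def tiny_png() -> bytes:
    """Constructed 1x1 RGB PNG standing in for the file carved in the workshop."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    return PNG_MAGIC + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

# Constructed stand-in for the captured index page: ordinary markup plus one
# long hex string, the "suspicious bitstream".
SAMPLE_HTML = ('<html><body><p>welcome</p>\n<div id="blob">'
               + tiny_png().hex().upper() + "</div>\n</body></html>\n")

def carve_png(html: str):
    """Return the first hex run that decodes to a PNG (checked by magic bytes), else None."""
    for match in HEX_RUN.finditer(html):
        blob = bytes.fromhex(match.group(0))
        if blob.startswith(PNG_MAGIC):
            return blob
    return None

def png_chunks(data: bytes) -> list:
    """Walk the chunk table after the 8-byte signature and list chunk types in order."""
    types, pos = [], 8
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        types.append(data[pos + 4:pos + 8].decode("ascii"))
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
    return types

def file_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 as upper-case hex, the same form sigcheck -h prints."""
    return {n: getattr(hashlib, n)(data).hexdigest().upper() for n in ("md5", "sha1", "sha256")}

if __name__ == "__main__":
    png = carve_png(SAMPLE_HTML)
    print("chunks:", png_chunks(png))
    for name, digest in file_hashes(png).items():
        print(f"{name.upper()}: {digest}")
```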