Yop,
Here are 4 write-ups on the Forensics challenges of OpenToAll CTF 2015.
- Forensics 50 – Doggie
woof!
b927033257a4604c06e791619a4c0713.tar.bz2
This task was solved by Themaks.
What do we have?
$ file b927033257a4604c06e791619a4c0713.tar.bz2
b927033257a4604c06e791619a4c0713.tar.bz2: bzip2 compressed data, block size = 900k
$ 7z x b927033257a4604c06e791619a4c0713.tar.bz2
7-Zip [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18
p7zip Version 9.20 (locale=en_GB.UTF-8,Utf16=on,HugeFiles=on,4 CPUs)
Processing archive: b927033257a4604c06e791619a4c0713.tar.bz2
Extracting  b927033257a4604c06e791619a4c0713.tar
Everything is Ok
Size:       819200
Compressed: 795418
$ tar xvf b927033257a4604c06e791619a4c0713.tar
a038218191c05846099054a9f21ff22a.png
Actually the file is a JPEG, not a PNG image:
$ file a038218191c05846099054a9f21ff22a.png
a038218191c05846099054a9f21ff22a.png: JPEG image data, JFIF standard 1.01
$ cp a038218191c05846099054a9f21ff22a.png dog.jpg
Let's try the classical checks on this file:
$ trid dog.jpg
TrID/32 - File Identifier v2.11 - (C) 2003-11 By M.Pontello
Definitions found:  5449
Analyzing...
Collecting data from file: dog.jpg
 38.4% (.JPG) JFIF-EXIF JPEG Bitmap (5000/1/1)
 30.7% (.JPG) JFIF JPEG Bitmap (4003/3)
 23.0% (.JPG) JPEG Bitmap (3000/1)
  7.6% (.MP3) MP3 audio (1000/1)
Nothing…
$ binwalk dog.jpg
DECIMAL       HEXADECIMAL   DESCRIPTION
--------------------------------------------------------------------------------
201           0xC9          Unix path: /www.w3.org/1999/02/22-rdf-syntax-ns#'>
Nothing…
$ exiftool dog.jpg
ExifTool Version Number         : 8.60
File Name                       : dog.jpg
Directory                       : .
File Size                       : 790 kB
File Modification Date/Time     : 2015:03:10 11:15:47+01:00
File Permissions                : rw-r--r--
File Type                       : JPEG
MIME Type                       : image/jpeg
JFIF Version                    : 1.01
Resolution Unit                 : None
X Resolution                    : 1
Y Resolution                    : 1
XMP Toolkit                     : Image::ExifTool 9.76
Author                          : 00ffb.01039.011a9.013e3.013e8.00ffb.01590.015cb.8a461.8a612.8a6f3.8a8a0.b24ce.b2663.b2751.b2663.a2a23.a2a37.a272d.a2742.6d677.57092.57357.36515.5d538
Image Width                     : 1944
Image Height                    : 2904
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 1944x2904
OK… we got something in the Author field. What does this code mean?
00ffb.01039.011a9.013e3.013e8.00ffb.01590.015cb.8a461.8a612.8a6f3.8a8a0.b24ce.b2663.b2751.b2663.a2a23.a2a37.a272d.a2742.6d677.57092.57357.36515.5d538
This is a list of offsets into the image itself!
$ exiftool dog.jpg | grep -i author | awk '{print $3}' | tr '.' '\n' > code.txt
$ for i in `cat code.txt`;do xxd -s 0x$i -l 0x1 dog.jpg ;done
0000ffb: 6680 2233 df02 298c ef93 da8e c09e f1ed  f."3..).........
0001039: 6c99 cf6a 00fa b333 cc50 082c 3067 df8a  l..j...3.P.,0g..
00011a9: 6103 71f9 fcd6 6eba d9b2 f6ef dc2c c106  a.q...n......,..
00013e3: 67fe 318a 057b a195 bd47 4fde 51da 7bfe  g.1..{...GO.Q.{.
00013e8: 7ba1 95bd 474f de51 da7b fe95 5dd6 b979  {...GO.Q.{..]..y
0000ffb: 6680 2233 df02 298c ef93 da8e c09e f1ed  f."3..).........
0001590: 6360 cdd4 0290 4c0f 4a88 ad9d 374c 4297  c`....L.J...7LB.
00015cb: 6b63 40d0 ab90 c761 c9cf 7c08 f8ad f67a  kc@....a..|....z
008a461: 209d 552b 8a02 e9b7 a86a 9cee 238a a831   .U+.....j..#..1
008a612: 7340 53a4 28a0 39a7 4514 0a8a 39a7 4050  s@S.(.9.E...9.@P
008a6f3: 6ea8 7530 2258 983f b9ac 3ba2 5998 0d24  n.u0"X.?..;.Y..$
008a8a0: 6f86 51b6 b070 2073 5eab c5d5 d6f9 6528  o.Q..p s^.....e(
00b24ce: 773f eeac 51fd 4e01 d800 c763 f3cd 5af6  w?..Q.N....c..Z.
00b2663: 20ea 407c a6f4 e973 a64c c6df dbe6 afb8   .@|...s.L......
00b2751: 6909 1a89 2d8a ebda 1009 241f 91bd 4ab1  i...-.....$...J.
00b2663: 20ea 407c a6f4 e973 a64c c6df dbe6 afb8   .@|...s.L......
00a2a23: 6811 323e 2adb 47ff 00b0 945c 16d9 b240  h.2>*.G....\...@
00a2a37: 6159 9617 a9f4 91a9 8cab 6c63 dbd8 e6b2  aY........lc....
00a272d: 7354 5966 6240 3eb5 0204 031e d5b2 f917  sTYfb@>.........
00a2742: 20c7 e154 74bd 335e ea80 4008 d89c 98ed   ..Tt.3^..@.....
006d677: 686f 54ec 0f31 cfe3 5d30 4bda 452a 2e05  hoT..1..]0K.E*..
0057092: 6195 8eb5 642a eaa2 4103 0238 f98e 295d  a...d*..A..8..)]
0057357: 749d 470b 81b7 efbd 66d0 16e4 9ba5 9772  t.G.....f......r
0036515: 2101 cdbd c330 e6a0 dd35 bd03 4933 ab1d  !....0...5..I3..
005d538: 7d2c 66e9 2aa3 f315 89ff 00d7 7fbf 1d5f  },f.*.........._
$ for i in `cat code.txt`;do xxd -s 0x$i -l 0x1 dog.jpg | tail -c 2 | tr -d '\n';done
flag{fck snow i has hat!}
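The same extraction in Python, as an added example that is not part of the original write-up: it parses the dotted Author field into offsets, picks one byte per offset in list order (repeated offsets included) and refuses out-of-range offsets. It runs against a constructed stand-in for dog.jpg (an assumption: JPEG marker plus 0xff filler) into which the first byte of each xxd line above is written back at its offset.

```python
import re
from typing import List

# Author field as reported by exiftool on the challenge's dog.jpg (copied from the write-up).
AUTHOR = ("00ffb.01039.011a9.013e3.013e8.00ffb.01590.015cb.8a461.8a612.8a6f3.8a8a0."
          "b24ce.b2663.b2751.b2663.a2a23.a2a37.a272d.a2742.6d677.57092.57357.36515.5d538")


def parse_offsets(field: str) -> List[int]:
    """Split the dotted list into integer byte offsets; refuse anything that is not hex."""
    tokens = field.strip().split(".")
    if not tokens or not all(re.fullmatch(r"[0-9a-fA-F]+", t) for t in tokens):
        raise ValueError("Author field is not a dotted list of hex offsets")
    return [int(t, 16) for t in tokens]


def bytes_at_offsets(data: bytes, offsets: List[int]) -> bytes:
    """Pick one byte per offset, in list order. Offsets may repeat (0x00ffb and 0xb2663 do),
    which is how a character is reused; an offset past EOF is an error, not a silent skip."""
    out = bytearray()
    for off in offsets:
        if off >= len(data):
            raise IndexError(f"offset 0x{off:x} lies beyond the {len(data)}-byte file")
        out.append(data[off])
    return bytes(out)


def decode_author_field(field: str, data: bytes) -> str:
    """Full pipeline: Author field + file contents -> hidden string."""
    return bytes_at_offsets(data, parse_offsets(field)).decode("ascii")


def build_sample_image() -> bytes:
    """Constructed stand-in for dog.jpg (the real 790 kB file is not embedded): a JPEG SOI
    marker, 0xff filler, and the first byte of each xxd line of the write-up at its offset."""
    img = bytearray(b"\xff\xd8\xff\xe0" + b"\xff" * (0xB3000 - 4))
    first_bytes = bytes.fromhex("66 6c 61 67 7b 66 63 6b 20 73 6e 6f 77 20 69 20 68 61 73 20 68 61 74 21 7d")
    for off, b in zip(parse_offsets(AUTHOR), first_bytes):
        img[off] = b
    return bytes(img)


if __name__ == "__main__":
    print(decode_author_field(AUTHOR, build_sample_image()))
```

Against the real file, pass `open("dog.jpg", "rb").read()` as the data argument instead of the constructed image.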
- Forensics 75 – Lost_Flug
http://public.givemesecurity.info/cap.pcapng.zip
We need to deal with a ‘big’ pcapng file:
$ capinfos cap.pcapng
File name:           cap.pcapng
File type:           Wireshark - pcapng
File encapsulation:  Ethernet
Packet size limit:   file hdr: (not set)
Number of packets:   21189
File size:           4789328 bytes
Data size:           4078696 bytes
Capture duration:    83 seconds
Start time:          Thu Mar  5 22:45:25 2015
End time:            Thu Mar  5 22:46:48 2015
Data byte rate:      49378.55 bytes/sec
Data bit rate:       395028.41 bits/sec
Average packet size: 192.49 bytes
Average packet rate: 256.52 packets/sec
SHA1:                816dc6131eb580f676abc9ee9a7fbcc5b727ae0b
RIPEMD160:           b31c7154b8fdd44f9d541e5fdec5f1cff73b00c7
MD5:                 becdbb3f63e7125d0571e34d81ddb3f1
Strict time order:   True
I used tshark with its statistics options to try to figure out what could be interesting:
$ tshark -r cap.pcapng -q -z hosts
$ tshark -r cap.pcapng -q -z http,tree
$ tshark -r cap.pcapng -q -z ptype,tree
$ tshark -r cap.pcapng -q -z io,phs
$ tshark -r cap.pcapng -q -z conv,tcp
After many searches/checks/“greps” I got lucky and noticed an IRC connection:
$ tshark -r cap.pcapng -q -z conv,tcp | grep -v http
================================================================================
TCP Conversations
Filter:<No Filter>
                                           |       <-      | |       ->      | |     Total     |    Rel. Start   |   Duration   |
                                           | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |                 |              |
10.0.0.103:65068     <-> 10.0.0.113:8009          48     5575      48     5111      96    10686     2.469873000       77.4683
10.0.0.103:60196     <-> 104.131.124.226:ssh      42     8078      42     2820      84    10898     0.936100000       79.9640
10.0.0.103:60073     <-> 192.155.91.114:36162     17     2023      34     3689      51     5712     1.853268000       80.0362
10.0.0.103:50500     <-> 195.148.124.79:6665      18     8919      20     1525      38    10444    14.210748000       50.3558
10.0.0.103:50301     <-> 157.55.112.13:50004      16     1478      17     1194      33     2672     3.774533000       67.6499
157.55.133.142:50004 <-> 10.0.0.103:49717         17     1190      15     1386      32     2576     4.428519000       68.4545
...
Port 6665 is a usual IRC port.
$ strings cap.pcapng | grep -i irc
13c9ae USER logman * irc.freenode.com :logman
140d60 :rajaniemi.freenode.net 002 logman1337 :Your host is rajaniemi.freenode.net[195.148.124.79/6665], running version ircd-seven-1.1.3
140e45 :rajaniemi.freenode.net 004 logman1337 rajaniemi.freenode.net ircd-seven-1.1.3 DOQRSZaghilopswz CFILMPQSbcefgijklmnopqrstvz bkloveqjfI
14119b :rajaniemi.freenode.net 252 logman1337 24 :IRC Operators online
$ strings cap.pcapng | grep -i freenode
... after the MOTD ...
1439cb :rajaniemi.freenode.net 376 logman1337 :End of /MOTD command.
17f472 :rajaniemi.freenode.net 305 logman1337 :You are no longer marked as being away
329a2a :rajaniemi.freenode.net 353 logman1337 @ #XPvCxHRTCFKBBzyb :logman1337 @kee7a
329a79 :rajaniemi.freenode.net 366 logman1337 #XPvCxHRTCFKBBzyb :End of /NAMES list.
32af9a )oS":rajaniemi.freenode.net 352 logman1337 #XPvCxHRTCFKBBzyb ~logman 162.245.177.238 rajaniemi.freenode.net logman1337 H :0 logman
32b01e :rajaniemi.freenode.net 352 logman1337 #XPvCxHRTCFKBBzyb ~kee7a unaffiliated/kee7a kornbluth.freenode.net kee7a H@ :0 kee7a
32b09b :rajaniemi.freenode.net 315 logman1337 #XPvCxHRTCFKBBzyb :End of /WHO list.
Hmmm, we found an IRC connection to freenode, where someone called ‘logman1337’ joins the channel #XPvCxHRTCFKBBzyb…
So, jump on freenode and try to join this channel:
$ irssi --connect=rajaniemi.freenode.net --port=6665 --nick securimag
...
/j #XPvCxHRTCFKBBzyb
The flag was a connected user named flag{Us3EsS31}.
- Forensics 100 – Catz
I have some pictures of catz on my drive! I also had a sensitive file on there, but even after it was deleted, it was still there! I took some extra precautions to prevent prying eyes…
http://public.givemesecurity.info/d17c5ed999bc505ec80e64c714c6d965.tar.bz2
Let’s go rescue the cats!
$ file d17c5ed999bc505ec80e64c714c6d965.tar.bz2
d17c5ed999bc505ec80e64c714c6d965.tar.bz2: gzip compressed data, from Unix, last modified: Thu Mar  5 02:44:09 2015
$ 7z x d17c5ed999bc505ec80e64c714c6d965.tar.bz2
7-Zip [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18
p7zip Version 9.20 (locale=en_GB.UTF-8,Utf16=on,HugeFiles=on,4 CPUs)
Processing archive: d17c5ed999bc505ec80e64c714c6d965.tar.bz2
Extracting  d17c5ed999bc505ec80e64c714c6d965.tar
Everything is Ok
Size:       10496000
Compressed: 7546151
$ tar xvf d17c5ed999bc505ec80e64c714c6d965.tar
catz.img
$ file catz.img
catz.img: Linux rev 1.0 ext4 filesystem data, UUID=2d362e1b-69ae-4137-bdbb-4fde2775ac91 (extents) (huge files)
This 10M ext4 file system seems sane, so just try to mount it:
$ mkdir tmp ; mount catz.img tmp ; ls -larth tmp
total 7.3M
drwx------ 2 root root   12K Mar  5 02:01 lost+found
-rw-r--r-- 1 root root   64K Mar  5 02:02 cat.jpg
-rw-r--r-- 1 root root  173K Mar  5 02:02 cat2.jpg
-rw-r--r-- 1 root root   86K Mar  5 02:02 cat3.jpg
-rw-r--r-- 1 root root   53K Mar  5 02:02 cat4.jpg
-rw-r--r-- 1 root root  114K Mar  5 02:02 cat5.jpg
-rw-r--r-- 1 root root   72K Mar  5 02:03 cat6.jpg
-rw-r--r-- 1 root root   67K Mar  5 02:03 cat7.jpg
-rw-r--r-- 1 root root   49K Mar  5 02:03 cat8.jpg
-rw-r--r-- 1 root root  500K Mar  5 02:03 catdog.gif
-rw-r--r-- 1 root root  805K Mar  5 02:04 catgif.gif
-rw-r--r-- 1 root root  2.0M Mar  5 02:04 catsipsip.gif
-rw-r--r-- 1 root root   70K Mar  5 02:04 catreindeer.jpg
-rw-r--r-- 1 root root   36K Mar  5 02:04 catyum.gif
-rw-r--r-- 1 user users 1.1M Mar  5 02:05 catfunnyface.jpg
-rw-r--r-- 1 user users 2.0M Mar  5 02:08 catcuddle.gif
-rw-r--r-- 1 user users 203K Mar  5 02:10 catwindow.jpg
drwxr-xr-x 3 root root  1.0K Mar  5 02:10 .
drwxr-xr-x 3 user users 4.0K Mar  6 11:06 ..
OK, some cat pictures, but nothing interesting was found during the first checks:
$ exiftool cat*
... nothing ...
$ feh cat*
... nothing ...
$ binwalk *
Well, this is an ext4 FS and the description talks about a deleted file: maybe the flag was deleted.
$ extundelete --restore-all catz.img
WARNING: Extended attributes are not restored.
Loading filesystem metadata ... 2 groups loaded.
Loading journal descriptors ... 149 descriptors loaded.
Writing output to directory RECOVERED_FILES/
Searching for recoverable inodes in directory / ...
2 recoverable inodes found.
Looking through the directory structure for deleted files ...
Restored inode 18 to file RECOVERED_FILES/.cat.jpg
1 recoverable inodes still lost.
Restored inode 17 to file RECOVERED_FILES/file.17
Two files were restored. Sounds good.
$ ls -larth
total 24K
drwxr-xr-x 4 user users 4.0K Mar  6 11:10 ..
-rw-r--r-- 1 user users  12K Mar  6 11:10 file.17
-rw-r--r-- 1 user users   54 Mar  6 11:10 .cat.jpg
drwxr-xr-x 2 user users 4.0K Mar  6 11:10 .
$ file file.17 .cat.jpg
file.17:  Vim swap file, version 7.4
.cat.jpg: data
When I saw a vi swap file, I prepared my command-line tools to restore it… but:
$ xxd .cat.jpg
0000000: 6600 6c00 6100 6700 7b00 6600 7500 6700  f.l.a.g.{.f.u.g.
0000010: 6c00 7900 5f00 6300 6100 7400 7300 5f00  l.y._.c.a.t.s._.
0000020: 6e00 6500 6500 6400 5f00 6c00 7500 7600  n.e.e.d._.l.u.v.
0000030: 5f00 3200 7d0a                           _.2.}.
$ cat .cat.jpg
flag{fugly_cats_need_luv_2}
The flag is in .cat.jpg and also at the end of the swap file:
$ xxd file.17
0002fb0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
0002fc0: 0000 0000 0000 0000 0000 6620 6c20 6120  ..........f l a
0002fd0: 6720 7b20 6620 7520 6720 6c20 7920 5f20  g { f u g l y _
0002fe0: 6320 6120 7420 7320 5f20 6e20 6520 6520  c a t s _ n e e
0002ff0: 6420 5f20 6c20 7520 7620 5f20 3220 7d00  d _ l u v _ 2 }.
- Forensics 200 – Gone
It seems that my files are gone!
http://public.givemesecurity.info/gone.img.tar.bz2
Another task with a drive:
$ 7z x gone.img.tar.bz2
7-Zip [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18
p7zip Version 9.20 (locale=en_GB.UTF-8,Utf16=on,HugeFiles=on,4 CPUs)
Processing archive: gone.img.tar.bz2
Extracting  gone.img.tar
Everything is Ok
Size:       10496000
Compressed: 8310917
$ tar xvf gone.img.tar
1fdb86c25131bb3aa247bada29b29115.img
$ file 1fdb86c25131bb3aa247bada29b29115.img
1fdb86c25131bb3aa247bada29b29115.img: Linux rev 1.0 ext4 filesystem data, UUID=1385df22-b2ce-4b4f-858e-79ae1932ca1a (errors) (extents) (huge files)
We can successfully mount it, but the file system appears empty. So I’ll try to fix it.
First with testdisk…
$ testdisk 1fdb86c25131bb3aa247bada29b29115.img
... blabla ... failed ...
And then with the ‘standard’ fsck 🙂
$ cp 1fdb86c25131bb3aa247bada29b29115.img gone.img
$ fsck.ext4 -v gone.img
e2fsck 1.42.5 (29-Jul-2012)
ext2fs_open2: The ext2 superblock is corrupt
fsck.ext4: Superblock invalid, trying backup blocks...
gone.img was not cleanly unmounted, check forced.
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
Free blocks count wrong for group #0 (6789, counted=488).
Fix<y>? yes
Free blocks count wrong for group #1 (2006, counted=228).
Fix<y>? yes
Free blocks count wrong (8795, counted=716).
Fix<y>? yes
Free inodes count wrong for group #0 (1269, counted=1262).
Fix<y>? yes
Free inodes count wrong (2549, counted=2542).
Fix<y>? yes

gone.img: ***** FILE SYSTEM WAS MODIFIED *****

          18 inodes used (0.70%, out of 2560)
           2 non-contiguous files (11.1%)
           0 non-contiguous directories (0.0%)
             # of inodes with ind/dind/tind blocks: 0/0/0
             Extent depth histogram: 10
        9524 blocks used (93.01%, out of 10240)
           0 bad blocks
           0 large files

           7 regular files
           2 directories
           0 character device files
           0 block device files
           0 fifos
           0 links
           0 symbolic links (0 fast symbolic links)
           0 sockets
------------
           9 files
$ file gone.img
gone.img: Linux rev 1.0 ext4 filesystem data, UUID=1385df22-b2ce-4b4f-858e-79ae1932ca1a (extents) (huge files)
Looks better; now we can see files when we mount it:
$ mount gone.img tmp ; ls -larth tmp
total 8.0M
drwx------ 2 root root   12K Mar  5 02:47 lost+found
-rw-r--r-- 1 root root  3.5M Mar  5 03:36 file
-rw-r--r-- 1 root root    18 Mar  5 03:36 AE5
-rw-r--r-- 1 root root  2.1M Mar  5 03:37 rand
-rw-r--r-- 1 root root   96K Mar  5 03:37 fil.enc
-rw-r--r-- 1 root root  1.2M Mar  5 03:43 ran2
-rw-r--r-- 1 root root   23K Mar  5 03:45 ran3
-rw-r--r-- 1 root root  1.2M Mar  5 03:46 ran4
drwxr-xr-x 3 root root  1.0K Mar  5 03:46 .
drwxr-xr-x 3 user users 4.0K Mar  6 17:58 ..
We can point out two files on it:
$ file *
AE5:        ASCII text
file:       data
fil.enc:    data
lost+found: directory
ran2:       data
ran3:       data
ran4:       data
rand:       data
$ xxd fil.enc | head
0000000: 5361 6c74 6564 5f5f 9439 e6c5 4330 e12e  Salted__.9..C0..
0000010: b05c 5638 fff0 2496 9dac c546 aa1a 1dee  .\V8..$....F....
0000020: 4e89 7d16 d17c ccf9 162a 6a50 b923 e9bd  N.}..|...*jP.#..
$ xxd AE5
0000000: 345b 3731 4133 6a39 5b5c 3232 3f2f 2b75  4[71A3j9[\22?/+u
0000010: 300a                                     0.
The ‘AE5’ file contains a password-like string, and the file name itself is probably a hint about the cipher used to encrypt fil.enc… I guess.
Well, I isolated these files and created a “cipher” file containing all the -aes* options supported by the openssl tool.
$ ls -larth
total 112K
drwxr-xr-x 4 user users 4.0K Mar  6 18:02 ..
-rw-r--r-- 1 root root   96K Mar  6 18:02 fil.enc
-rw-r--r-- 1 root root    18 Mar  6 18:02 AE5
-rw-r--r-- 1 root root   368 Mar  6 18:02 cipher
drwxr-xr-x 2 root root  4.0K Mar  6 18:02 .
$ cat cipher
-aes-128-cbc
-aes-128-cfb
-aes-128-cfb1
-aes-128-cfb8
-aes-128-ctr
...
-aes128
-aes192
-aes256
Brute-force time:
$ for i in `cat cipher`;do openssl enc -d $i -in fil.enc -pass file:AE5 -out fil$i ; done
Checking the results:
$ file fil*
fil-aes128:      data
fil-aes-128-cbc: data
fil-aes-128-cfb: PNG image data, 855701748 x 4133316295, 218-bit
fil-aes-128-cfb1: data
fil-aes-128-cfb8: data
fil-aes-128-ctr: PNG image data, 1300 x 1076, 8-bit/color RGBA, non-interlaced
fil-aes-128-ecb: data
fil-aes-128-gcm: SysEx File - AudioVertrieb
fil-aes-128-ofb: PNG image data, 356303344 x 1815138770, 170-bit
fil-aes-128-xts: data
fil-aes192:      data
...
fil-aes-256-ofb: data
fil-aes-256-xts: data
fil.enc:         data
One of them looks interesting:
$ cp fil-aes-128-ctr fil-aes-128-ctr.png
$ feh fil-aes-128-ctr.png
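As an added example (not from the write-up or the challenge), here is how the pieces of the last step fit together: the `Salted__` container seen at the start of fil.enc, the first line of AE5 that `-pass file:AE5` turns into key and IV, and a header check stricter than the 8-byte PNG signature `file` matched, which is why only the CTR output deserves a look. The salt, the password bytes and the three sets of dimensions are taken from the output above; the ciphertext filler, the HEAD_* bytes after the dimensions and the MD5 default (OpenSSL 1.0.x behaviour) are assumptions.

```python
import hashlib
import struct
from typing import Optional, Tuple

PNG_SIG = b"\x89PNG\r\n\x1a\n"
IHDR_START = b"\x00\x00\x00\x0dIHDR"  # chunk length 13 + type: always bytes 8..15 of a PNG

# First 16 bytes of fil.enc as shown by xxd above, followed by constructed filler ciphertext.
SAMPLE_ENC = bytes.fromhex("53616c7465645f5f9439e6c54330e12e") + b"\xb0\x5c\x56\x38" * 4
# Content of AE5 as shown by xxd above (18 bytes, trailing newline included).
SAMPLE_PASS_FILE = b"4[71A3j9[\\22?/+u0\n"

def split_salted(blob: bytes) -> Tuple[bytes, bytes]:
    """`openssl enc` output layout: 8-byte "Salted__" magic, 8-byte random salt, ciphertext."""
    if len(blob) < 16 or blob[:8] != b"Salted__":
        raise ValueError("not an OpenSSL Salted__ container")
    return blob[8:16], blob[16:]

def password_from_pass_file(content: bytes) -> bytes:
    """`-pass file:AE5` uses the first line of the file, without its newline."""
    return content.split(b"\n", 1)[0]

def evp_bytes_to_key(password: bytes, salt: bytes, key_len: int, iv_len: int,
                     md=hashlib.md5) -> Tuple[bytes, bytes]:
    """OpenSSL's legacy EVP_BytesToKey (count=1): D1 = H(pw||salt), Di = H(D(i-1)||pw||salt),
    concatenated until key_len+iv_len bytes exist. OpenSSL 1.0.x (the write-up's era) hashed
    with MD5; 1.1.0+ defaults to SHA-256, so pass md=hashlib.sha256 for files produced there."""
    d, prev = b"", b""
    while len(d) < key_len + iv_len:
        prev = md(prev + password + salt).digest()
        d += prev
    return d[:key_len], d[key_len:key_len + iv_len]

def png_header_check(candidate: bytes) -> Optional[Tuple[int, int, int]]:
    """Accept a decryption candidate only if its whole PNG header is sane, not just the 8-byte
    signature `file` matched. With AES-128 the first keystream block is E_K(IV) in CTR, OFB and
    CFB-128 alike, so bytes 0..15 decrypt correctly under the wrong mode; the IHDR body does not."""
    if len(candidate) < 26 or candidate[:8] != PNG_SIG or candidate[8:16] != IHDR_START:
        return None
    width, height, depth, color = struct.unpack(">IIBB", candidate[16:26])
    if not (0 < width < 2**31 and 0 < height < 2**31):
        return None
    if depth not in (1, 2, 4, 8, 16) or color not in (0, 2, 3, 4, 6):
        return None
    return width, height, depth

# Candidate heads rebuilt from the `file` results above; bytes after the dimensions are constructed.
HEAD_CTR = PNG_SIG + IHDR_START + struct.pack(">IIBBBBB", 1300, 1076, 8, 6, 0, 0, 0)
HEAD_OFB = PNG_SIG + IHDR_START + struct.pack(">IIBBBBB", 356303344, 1815138770, 170, 3, 0, 0, 0)
HEAD_CFB = PNG_SIG + IHDR_START + struct.pack(">IIBBBBB", 855701748, 4133316295, 218, 0, 0, 0, 0)
```

Feeding each `fil-aes-*` output through `png_header_check` instead of `file` keeps only the CTR result; the derived key and IV are what `openssl enc -d -aes-128-ctr -pass file:AE5` used on its side.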