Yop,

Here are 4 write-ups for the Forensics challenges of OpenToAll CTF 2015.

  • Forensics 50 – Doggie

woof!

b927033257a4604c06e791619a4c0713.tar.bz2

This task was solved by Themaks.

What do we have?

$ file b927033257a4604c06e791619a4c0713.tar.bz2
b927033257a4604c06e791619a4c0713.tar.bz2: bzip2 compressed data, block size = 900k

$ 7z x b927033257a4604c06e791619a4c0713.tar.bz2

7-Zip [64] 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18
p7zip Version 9.20 (locale=en_GB.UTF-8,Utf16=on,HugeFiles=on,4 CPUs)

Processing archive: b927033257a4604c06e791619a4c0713.tar.bz2

Extracting b927033257a4604c06e791619a4c0713.tar

Everything is Ok

Size: 819200
Compressed: 795418


$ tar xvf b927033257a4604c06e791619a4c0713.tar
a038218191c05846099054a9f21ff22a.png

Actually the file is a JPEG, not a PNG image:

$ file a038218191c05846099054a9f21ff22a.png
a038218191c05846099054a9f21ff22a.png: JPEG image data, JFIF standard 1.01

$ cp a038218191c05846099054a9f21ff22a.png dog.jpg

Let's try the classic checks on this file:

$ trid dog.jpg

TrID/32 - File Identifier v2.11 - (C) 2003-11 By M.Pontello
Definitions found: 5449
Analyzing...

Collecting data from file: dog.jpg
38.4% (.JPG) JFIF-EXIF JPEG Bitmap (5000/1/1)
30.7% (.JPG) JFIF JPEG Bitmap (4003/3)
23.0% (.JPG) JPEG Bitmap (3000/1)
7.6% (.MP3) MP3 audio (1000/1)

Nothing…

$ binwalk dog.jpg

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
201 0xC9 Unix path: /www.w3.org/1999/02/22-rdf-syntax-ns#'>

Nothing…

$ exiftool dog.jpg
ExifTool Version Number : 8.60
File Name : dog.jpg
Directory : .
File Size : 790 kB
File Modification Date/Time : 2015:03:10 11:15:47+01:00
File Permissions : rw-r--r--
File Type : JPEG
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
XMP Toolkit : Image::ExifTool 9.76
Author : 00ffb.01039.011a9.013e3.013e8.00ffb.01590.015cb.8a461.8a612.8a6f3.8a8a0.b24ce.b2663.b2751.b2663.a2a23.a2a37.a272d.a2742.6d677.57092.57357.36515.5d538
Image Width : 1944
Image Height : 2904
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 1944x2904

OK… we got something in the Author field. What does this code mean?

00ffb.01039.011a9.013e3.013e8.00ffb.01590.015cb.8a461.8a612.8a6f3.8a8a0.b24ce.b2663.b2751.b2663.a2a23.a2a37.a272d.a2742.6d677.57092.57357.36515.5d538

This is a list of offsets into the image itself!

$ exiftool dog.jpg | grep -i author | awk '{print $3}' | tr '.' '\n' > code.txt

$ for i in `cat code.txt`;do xxd -s 0x$i -l 0x1 dog.jpg ;done
0000ffb: 6680 2233 df02 298c ef93 da8e c09e f1ed f."3..).........
0001039: 6c99 cf6a 00fa b333 cc50 082c 3067 df8a l..j...3.P.,0g..
00011a9: 6103 71f9 fcd6 6eba d9b2 f6ef dc2c c106 a.q...n......,..
00013e3: 67fe 318a 057b a195 bd47 4fde 51da 7bfe g.1..{...GO.Q.{.
00013e8: 7ba1 95bd 474f de51 da7b fe95 5dd6 b979 {...GO.Q.{..]..y
0000ffb: 6680 2233 df02 298c ef93 da8e c09e f1ed f."3..).........
0001590: 6360 cdd4 0290 4c0f 4a88 ad9d 374c 4297 c`....L.J...7LB.
00015cb: 6b63 40d0 ab90 c761 c9cf 7c08 f8ad f67a kc@....a..|....z
008a461: 209d 552b 8a02 e9b7 a86a 9cee 238a a831 .U+.....j..#..1
008a612: 7340 53a4 28a0 39a7 4514 0a8a 39a7 4050 s@S.(.9.E...9.@P
008a6f3: 6ea8 7530 2258 983f b9ac 3ba2 5998 0d24 n.u0"X.?..;.Y..$
008a8a0: 6f86 51b6 b070 2073 5eab c5d5 d6f9 6528 o.Q..p s^.....e(
00b24ce: 773f eeac 51fd 4e01 d800 c763 f3cd 5af6 w?..Q.N....c..Z.
00b2663: 20ea 407c a6f4 e973 a64c c6df dbe6 afb8 .@|...s.L......
00b2751: 6909 1a89 2d8a ebda 1009 241f 91bd 4ab1 i...-.....$...J.
00b2663: 20ea 407c a6f4 e973 a64c c6df dbe6 afb8 .@|...s.L......
00a2a23: 6811 323e 2adb 47ff 00b0 945c 16d9 b240 h.2>*.G....\...@
00a2a37: 6159 9617 a9f4 91a9 8cab 6c63 dbd8 e6b2 aY........lc....
00a272d: 7354 5966 6240 3eb5 0204 031e d5b2 f917 sTYfb@>.........
00a2742: 20c7 e154 74bd 335e ea80 4008 d89c 98ed ..Tt.3^..@.....
006d677: 686f 54ec 0f31 cfe3 5d30 4bda 452a 2e05 hoT..1..]0K.E*..
0057092: 6195 8eb5 642a eaa2 4103 0238 f98e 295d a...d*..A..8..)]
0057357: 749d 470b 81b7 efbd 66d0 16e4 9ba5 9772 t.G.....f......r
0036515: 2101 cdbd c330 e6a0 dd35 bd03 4933 ab1d !....0...5..I3..
005d538: 7d2c 66e9 2aa3 f315 89ff 00d7 7fbf 1d5f },f.*.........._

$ for i in `cat code.txt`;do xxd -s 0x$i -l 0x1 dog.jpg | tail -c 2 | tr -d '\n';done
flag{fck snow i has hat!}


  • Forensics 75 – Lost_Flug

http://public.givemesecurity.info/cap.pcapng.zip

We need to deal with a ‘big’ pcapng file:

$ capinfos cap.pcapng

File name: cap.pcapng
File type: Wireshark - pcapng
File encapsulation: Ethernet
Packet size limit: file hdr: (not set)
Number of packets: 21189
File size: 4789328 bytes
Data size: 4078696 bytes
Capture duration: 83 seconds
Start time: Thu Mar 5 22:45:25 2015
End time: Thu Mar 5 22:46:48 2015
Data byte rate: 49378.55 bytes/sec
Data bit rate: 395028.41 bits/sec
Average packet size: 192.49 bytes
Average packet rate: 256.52 packets/sec
SHA1: 816dc6131eb580f676abc9ee9a7fbcc5b727ae0b
RIPEMD160: b31c7154b8fdd44f9d541e5fdec5f1cff73b00c7
MD5: becdbb3f63e7125d0571e34d81ddb3f1
Strict time order: True

I used tshark with its statistics options to try to figure out what could be interesting:

$ tshark -r cap.pcapng -q -z hosts

$ tshark -r cap.pcapng -q -z http,tree

$ tshark -r cap.pcapng -q -z ptype,tree

$ tshark -r cap.pcapng -q -z io,phs

$ tshark -r cap.pcapng -q -z conv,tcp

After many searches/checks/“grepping” I got lucky and noticed an IRC connection:

$ tshark -r cap.pcapng -q -z conv,tcp | grep -v http
================================================================================
TCP Conversations
Filter:<No Filter>
| <- | | -> | | Total | Rel. Start | Duration |
| Frames Bytes | | Frames Bytes | | Frames Bytes | | |
10.0.0.103:65068 <-> 10.0.0.113:8009 48 5575 48 5111 96 10686 2.469873000 77.4683
10.0.0.103:60196 <-> 104.131.124.226:ssh 42 8078 42 2820 84 10898 0.936100000 79.9640
10.0.0.103:60073 <-> 192.155.91.114:36162 17 2023 34 3689 51 5712 1.853268000 80.0362
10.0.0.103:50500 <-> 195.148.124.79:6665 18 8919 20 1525 38 10444 14.210748000 50.3558
10.0.0.103:50301 <-> 157.55.112.13:50004 16 1478 17 1194 33 2672 3.774533000 67.6499
157.55.133.142:50004 <-> 10.0.0.103:49717 17 1190 15 1386 32 2576 4.428519000 68.4545

...

Port 6665 is a usual IRC port.

$ strings cap.pcapng | grep -i irc

13c9ae USER logman * irc.freenode.com :logman
140d60 :rajaniemi.freenode.net 002 logman1337 :Your host is rajaniemi.freenode.net[195.148.124.79/6665], running version ircd-seven-1.1.3
140e45 :rajaniemi.freenode.net 004 logman1337 rajaniemi.freenode.net ircd-seven-1.1.3 DOQRSZaghilopswz CFILMPQSbcefgijklmnopqrstvz bkloveqjfI
14119b :rajaniemi.freenode.net 252 logman1337 24 :IRC Operators online
$ strings cap.pcapng | grep -i freenode

... after the MOTD ...

1439cb :rajaniemi.freenode.net 376 logman1337 :End of /MOTD command.
17f472 :rajaniemi.freenode.net 305 logman1337 :You are no longer marked as being away
329a2a :rajaniemi.freenode.net 353 logman1337 @ #XPvCxHRTCFKBBzyb :logman1337 @kee7a
329a79 :rajaniemi.freenode.net 366 logman1337 #XPvCxHRTCFKBBzyb :End of /NAMES list.
32af9a )oS":rajaniemi.freenode.net 352 logman1337 #XPvCxHRTCFKBBzyb ~logman 162.245.177.238 rajaniemi.freenode.net logman1337 H :0 logman
32b01e :rajaniemi.freenode.net 352 logman1337 #XPvCxHRTCFKBBzyb ~kee7a unaffiliated/kee7a kornbluth.freenode.net kee7a H@ :0 kee7a
32b09b :rajaniemi.freenode.net 315 logman1337 #XPvCxHRTCFKBBzyb :End of /WHO list.

Hmmm, we found an IRC connection on freenode, where someone called ‘logman1337’ joined the channel #XPvCxHRTCFKBBzyb…
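As an added example (not part of the original write-up), here is a small parser for the server replies pulled out above; the lines are embedded as a constructed sample with the `strings` file offsets removed, and it shows how the channel and its members fall out of the 353 (NAMES) and 352 (WHO) replies:

```python
# Constructed sample (not read from the pcap): the server replies the write-up
# pulled out with `strings`, with the leading file offsets removed.
IRC_LINES = [
    ":rajaniemi.freenode.net 002 logman1337 :Your host is rajaniemi.freenode.net"
    "[195.148.124.79/6665], running version ircd-seven-1.1.3",
    ":rajaniemi.freenode.net 353 logman1337 @ #XPvCxHRTCFKBBzyb :logman1337 @kee7a",
    ":rajaniemi.freenode.net 366 logman1337 #XPvCxHRTCFKBBzyb :End of /NAMES list.",
    ":rajaniemi.freenode.net 352 logman1337 #XPvCxHRTCFKBBzyb ~logman 162.245.177.238"
    " rajaniemi.freenode.net logman1337 H :0 logman",
    ":rajaniemi.freenode.net 352 logman1337 #XPvCxHRTCFKBBzyb ~kee7a unaffiliated/kee7a"
    " kornbluth.freenode.net kee7a H@ :0 kee7a",
]

def parse_irc(line):
    """Split one RFC 1459 message into (prefix, command, params); the trailing
    ':'-introduced parameter is kept whole, spaces included."""
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if sep:
        params.append(trailing)
    return prefix, params[0], params[1:]

def channel_members(lines):
    """Map channel -> nicks seen in 353 (NAMES) and 352 (WHO) replies, with the
    @/+ status prefixes stripped."""
    members = {}
    for line in lines:
        _, cmd, params = parse_irc(line)
        if cmd == "353" and len(params) >= 4:   # <me> <symbol> <channel> :<nicks>
            nicks = (n.lstrip("@+%&~") for n in params[3].split())
            members.setdefault(params[2], set()).update(nicks)
        elif cmd == "352" and len(params) >= 6:  # <me> <channel> <user> <host> <server> <nick> ...
            members.setdefault(params[1], set()).add(params[5])
    return members
```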

So, jump on freenode and try to join this channel:

$ irssi --connect=rajaniemi.freenode.net --port=6665 --nick securimag
...
/j #XPvCxHRTCFKBBzyb

The flag was a connected user named flag{Us3EsS31}.


  • Forensics 100 – Catz

I have some pictures of catz on my drive! I also had a sensitive file on there, but even after it was deleted, it was still there! I took some extra precautions to prevent prying eyes…
http://public.givemesecurity.info/d17c5ed999bc505ec80e64c714c6d965.tar.bz2

Let's go rescue the cats!

$ file d17c5ed999bc505ec80e64c714c6d965.tar.bz2
d17c5ed999bc505ec80e64c714c6d965.tar.bz2: gzip compressed data, from Unix, last modified: Thu Mar 5 02:44:09 2015

$ 7z x d17c5ed999bc505ec80e64c714c6d965.tar.bz2

7-Zip [64] 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18
p7zip Version 9.20 (locale=en_GB.UTF-8,Utf16=on,HugeFiles=on,4 CPUs)

Processing archive: d17c5ed999bc505ec80e64c714c6d965.tar.bz2

Extracting d17c5ed999bc505ec80e64c714c6d965.tar

Everything is Ok

Size: 10496000
Compressed: 7546151

$ tar xvf d17c5ed999bc505ec80e64c714c6d965.tar
catz.img


$ file catz.img
catz.img: Linux rev 1.0 ext4 filesystem data, UUID=2d362e1b-69ae-4137-bdbb-4fde2775ac91 (extents) (huge files)

This 10M ext4 file system seems sane, so let's just try to mount it:

$ mkdir tmp ; mount catz.img tmp ; ls -larth tmp
total 7.3M
drwx------ 2 root root 12K Mar 5 02:01 lost+found
-rw-r--r-- 1 root root 64K Mar 5 02:02 cat.jpg
-rw-r--r-- 1 root root 173K Mar 5 02:02 cat2.jpg
-rw-r--r-- 1 root root 86K Mar 5 02:02 cat3.jpg
-rw-r--r-- 1 root root 53K Mar 5 02:02 cat4.jpg
-rw-r--r-- 1 root root 114K Mar 5 02:02 cat5.jpg
-rw-r--r-- 1 root root 72K Mar 5 02:03 cat6.jpg
-rw-r--r-- 1 root root 67K Mar 5 02:03 cat7.jpg
-rw-r--r-- 1 root root 49K Mar 5 02:03 cat8.jpg
-rw-r--r-- 1 root root 500K Mar 5 02:03 catdog.gif
-rw-r--r-- 1 root root 805K Mar 5 02:04 catgif.gif
-rw-r--r-- 1 root root 2.0M Mar 5 02:04 catsipsip.gif
-rw-r--r-- 1 root root 70K Mar 5 02:04 catreindeer.jpg
-rw-r--r-- 1 root root 36K Mar 5 02:04 catyum.gif
-rw-r--r-- 1 user users 1.1M Mar 5 02:05 catfunnyface.jpg
-rw-r--r-- 1 user users 2.0M Mar 5 02:08 catcuddle.gif
-rw-r--r-- 1 user users 203K Mar 5 02:10 catwindow.jpg
drwxr-xr-x 3 root root 1.0K Mar 5 02:10 .
drwxr-xr-x 3 user users 4.0K Mar 6 11:06 ..

OK, some cat pictures, but nothing interesting was found during the first checks:

$ exiftool cat*
...
nothing
...

$ feh cat*
...
nothing
...

$ binwalk *

Well, this is an ext4 FS and, since the description mentions it, maybe the flag was deleted.

$ extundelete --restore-all catz.img
WARNING: Extended attributes are not restored.
Loading filesystem metadata ... 2 groups loaded.
Loading journal descriptors ... 149 descriptors loaded.
Writing output to directory RECOVERED_FILES/
Searching for recoverable inodes in directory / ...
2 recoverable inodes found.
Looking through the directory structure for deleted files ...
Restored inode 18 to file RECOVERED_FILES/.cat.jpg
1 recoverable inodes still lost.
Restored inode 17 to file RECOVERED_FILES/file.17

Two files were restored. Sounds good.

$ ls -larth
total 24K
drwxr-xr-x 4 user users 4.0K Mar 6 11:10 ..
-rw-r--r-- 1 user users 12K Mar 6 11:10 file.17
-rw-r--r-- 1 user users 54 Mar 6 11:10 .cat.jpg
drwxr-xr-x 2 user users 4.0K Mar 6 11:10 .

$ file file.17 .cat.jpg
file.17: Vim swap file, version 7.4
.cat.jpg: data

When I saw a Vim swap file, I prepared my tools to restore it… but:

$ xxd .cat.jpg
0000000: 6600 6c00 6100 6700 7b00 6600 7500 6700 f.l.a.g.{.f.u.g.
0000010: 6c00 7900 5f00 6300 6100 7400 7300 5f00 l.y._.c.a.t.s._.
0000020: 6e00 6500 6500 6400 5f00 6c00 7500 7600 n.e.e.d._.l.u.v.
0000030: 5f00 3200 7d0a _.2.}.

$ cat .cat.jpg
flag{fugly_cats_need_luv_2}

The flag is in .cat.jpg and also at the end of the swap file:

$ xxd file.17
0002fb0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0002fc0: 0000 0000 0000 0000 0000 6620 6c20 6120 ..........f l a
0002fd0: 6720 7b20 6620 7520 6720 6c20 7920 5f20 g { f u g l y _
0002fe0: 6320 6120 7420 7320 5f20 6e20 6520 6520 c a t s _ n e e
0002ff0: 6420 5f20 6c20 7520 7620 5f20 3220 7d00 d _ l u v _ 2 }.
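Both copies of the flag are ASCII with one separator byte after every character (NUL in .cat.jpg, a space in the swap file), which is why `cat` shows it but `strings` with default settings does not. As an added example (not the write-up's own code), here is a recovery routine for that pattern, run over the two dumps above, embedded as constructed samples:

```python
import re

# Constructed from the write-up's two xxd dumps (not the original files): the
# 54-byte .cat.jpg recovered by extundelete, and the last 80 bytes of file.17,
# the Vim swap file.
CAT_JPG = bytes.fromhex(
    "66006c00610067007b00660075006700"
    "6c0079005f0063006100740073005f00"
    "6e006500650064005f006c0075007600"
    "5f0032007d0a")
SWAP_TAIL = bytes(26) + bytes.fromhex(
    "66206c206120"
    "67207b206620752067206c2079205f20"
    "63206120742073205f206e2065206520"
    "64205f206c20752076205f2032207d00")

def recover_wide_strings(data, min_pairs=6):
    """Return printable ASCII runs in which every character is followed by one
    separator byte (NUL or space), with the separators dropped. min_pairs plays
    the role of the minimum length in `strings`. A trailing character without a
    separator (the '}' before '\\n' in .cat.jpg) is still kept."""
    run = re.compile(rb"(?:[\x20-\x7e][\x00\x20]){%d,}[\x20-\x7e]?" % min_pairs)
    return [m.group()[::2].decode("ascii") for m in run.finditer(data)]
```

GNU `strings -e l` (16-bit little-endian) would find the NUL-interleaved copy on its own; the space-interleaved copy in the swap file needs the looser separator set used here.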


  • Forensics 200 – Gone

It seems that my files are gone!
http://public.givemesecurity.info/gone.img.tar.bz2

Another task with a drive:

$ 7z x gone.img.tar.bz2

7-Zip [64] 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18
p7zip Version 9.20 (locale=en_GB.UTF-8,Utf16=on,HugeFiles=on,4 CPUs)

Processing archive: gone.img.tar.bz2

Extracting gone.img.tar

Everything is Ok

Size: 10496000
Compressed: 8310917

$ tar xvf gone.img.tar
1fdb86c25131bb3aa247bada29b29115.img

$ file 1fdb86c25131bb3aa247bada29b29115.img
1fdb86c25131bb3aa247bada29b29115.img: Linux rev 1.0 ext4 filesystem data, UUID=1385df22-b2ce-4b4f-858e-79ae1932ca1a (errors) (extents) (huge files)

We can successfully mount it, but the file system appears empty. So I'll try to fix it.

Firstly with testdisk…

$ testdisk 1fdb86c25131bb3aa247bada29b29115.img
... blabla ...
failed
...

And secondly with the ‘standard’ fsck 🙂

$ cp 1fdb86c25131bb3aa247bada29b29115.img gone.img
$ fsck.ext4 -v gone.img
e2fsck 1.42.5 (29-Jul-2012)
ext2fs_open2: The ext2 superblock is corrupt
fsck.ext4: Superblock invalid, trying backup blocks...
gone.img was not cleanly unmounted, check forced.
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
Free blocks count wrong for group #0 (6789, counted=488).
Fix<y>? yes
Free blocks count wrong for group #1 (2006, counted=228).
Fix<y>? yes
Free blocks count wrong (8795, counted=716).
Fix<y>? yes
Free inodes count wrong for group #0 (1269, counted=1262).
Fix<y>? yes
Free inodes count wrong (2549, counted=2542).
Fix<y>? yes

gone.img: ***** FILE SYSTEM WAS MODIFIED *****

18 inodes used (0.70%, out of 2560)
2 non-contiguous files (11.1%)
0 non-contiguous directories (0.0%)
# of inodes with ind/dind/tind blocks: 0/0/0
Extent depth histogram: 10
9524 blocks used (93.01%, out of 10240)
0 bad blocks
0 large files

7 regular files
2 directories
0 character device files
0 block device files
0 fifos
0 links
0 symbolic links (0 fast symbolic links)
0 sockets
------------
9 files

$ file gone.img
gone.img: Linux rev 1.0 ext4 filesystem data, UUID=1385df22-b2ce-4b4f-858e-79ae1932ca1a (extents) (huge files)

Looks better; now we can see files when we mount it:

$ mount gone.img tmp ; ls -larth tmp
total 8.0M
drwx------ 2 root root 12K Mar 5 02:47 lost+found
-rw-r--r-- 1 root root 3.5M Mar 5 03:36 file
-rw-r--r-- 1 root root 18 Mar 5 03:36 AE5
-rw-r--r-- 1 root root 2.1M Mar 5 03:37 rand
-rw-r--r-- 1 root root 96K Mar 5 03:37 fil.enc
-rw-r--r-- 1 root root 1.2M Mar 5 03:43 ran2
-rw-r--r-- 1 root root 23K Mar 5 03:45 ran3
-rw-r--r-- 1 root root 1.2M Mar 5 03:46 ran4
drwxr-xr-x 3 root root 1.0K Mar 5 03:46 .
drwxr-xr-x 3 user users 4.0K Mar 6 17:58 ..

Two files on it stand out:

$ file *
AE5: ASCII text
file: data
fil.enc: data
lost+found: directory
ran2: data
ran3: data
ran4: data
rand: data

$ xxd fil.enc | head
0000000: 5361 6c74 6564 5f5f 9439 e6c5 4330 e12e Salted__.9..C0..
0000010: b05c 5638 fff0 2496 9dac c546 aa1a 1dee .\V8..$....F....
0000020: 4e89 7d16 d17c ccf9 162a 6a50 b923 e9bd N.}..|...*jP.#..

$ xxd AE5
0000000: 345b 3731 4133 6a39 5b5c 3232 3f2f 2b75 4[71A3j9[\22?/+u
0000010: 300a                                    0.

The ‘AE5’ file contains a password-like string, and the file name itself is probably a hint about the cipher used to encrypt fil.enc… I guess.

Well, I isolated these files and created a “cipher” file containing all the -aes* options supported by the openssl tool.

$ ls -larth
total 112K
drwxr-xr-x 4 user users 4.0K Mar 6 18:02 ..
-rw-r--r-- 1 root root 96K Mar 6 18:02 fil.enc
-rw-r--r-- 1 root root 18 Mar 6 18:02 AE5
-rw-r--r-- 1 root root 368 Mar 6 18:02 cipher
drwxr-xr-x 2 root root 4.0K Mar 6 18:02 .

$ cat cipher
-aes-128-cbc
-aes-128-cfb
-aes-128-cfb1
-aes-128-cfb8
-aes-128-ctr
...
-aes128
-aes192
-aes256

Brute-force time:

$ for i in `cat cipher`;do openssl enc -d $i -in fil.enc -pass file:AE5 -out fil$i ; done

Checking the results:

$ file fil*
fil-aes128: data
fil-aes-128-cbc: data
fil-aes-128-cfb: PNG image data, 855701748 x 4133316295, 218-bit
fil-aes-128-cfb1: data
fil-aes-128-cfb8: data
fil-aes-128-ctr: PNG image data, 1300 x 1076, 8-bit/color RGBA, non-interlaced
fil-aes-128-ecb: data
fil-aes-128-gcm: SysEx File - AudioVertrieb
fil-aes-128-ofb: PNG image data, 356303344 x 1815138770, 170-bit
fil-aes-128-xts: data
fil-aes192: data
...
fil-aes-256-ofb: data
fil-aes-256-xts: data
fil.enc: data

One of them looks interesting:

$ cp fil-aes-128-ctr fil-aes-128-ctr.png
$ feh fil-aes-128-ctr.png
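As an added example (not the write-up's own code), here is the surrounding logic of that brute force in Python: parsing the `Salted__` container shown in the xxd dump, deriving key and IV the way `openssl enc -pass` did at the time (EVP_BytesToKey with MD5), and a PNG check that rejects the two false positives. The AES step itself is left to openssl as in the write-up. It also explains why `file` flagged three PNG candidates: CFB, OFB and CTR all decrypt the first 16-byte block as C0 xor E_K(IV), so a wrong mode still yields a valid signature and "IHDR" and only the dimensions in the second block give it away. The first 48 bytes of fil.enc and the AE5 password line are constructed from the dumps above.

```python
import hashlib
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Constructed from the write-up's xxd dumps: the first 48 bytes of fil.enc and the
# AE5 password (openssl's `-pass file:` takes the first line, newline dropped).
FIL_ENC_HEAD = bytes.fromhex(
    "53616c7465645f5f9439e6c54330e12eb05c5638fff024969dacc546aa1a1dee"
    "4e897d16d17cccf9162a6a50b923e9bd")
AE5_PASSWORD = b"4[71A3j9[\\22?/+u0"

def split_salted(blob):
    """Split `openssl enc -salt` output into (8-byte salt, ciphertext)."""
    if len(blob) < 16 or blob[:8] != b"Salted__":
        raise ValueError("not an OpenSSL Salted__ container")
    return blob[8:16], blob[16:]

def evp_bytes_to_key(password, salt, key_len=16, iv_len=16, digest="md5"):
    """OpenSSL EVP_BytesToKey, count=1: D_i = H(D_{i-1} || password || salt),
    concatenated until key_len + iv_len bytes exist. `enc` used MD5 here until
    OpenSSL 1.1.0 switched the default to SHA-256."""
    material, prev = b"", b""
    while len(material) < key_len + iv_len:
        prev = hashlib.new(digest, prev + password + salt).digest()
        material += prev
    return material[:key_len], material[key_len:key_len + iv_len]

def png_header_plausible(data, max_dim=20000):
    """Accept a candidate plaintext only if signature, IHDR fields and IHDR CRC
    all check out. The first 16 bytes alone prove nothing: CFB, OFB and CTR all
    decrypt block 0 as C0 xor E_K(IV), so a wrong mode still reproduces them."""
    if len(data) < 33 or data[:8] != PNG_SIG:
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    w, h, depth, color, comp, filt, inter = struct.unpack(">IIBBBBB", data[16:29])
    crc = struct.unpack(">I", data[29:33])[0]
    return (length == 13 and ctype == b"IHDR"
            and 0 < w <= max_dim and 0 < h <= max_dim
            and depth in (1, 2, 4, 8, 16) and color in (0, 2, 3, 4, 6)
            and comp == 0 and filt == 0 and inter in (0, 1)
            and crc == zlib.crc32(data[12:29]) & 0xFFFFFFFF)

def make_png_header(w, h, depth=8, color=6):
    """Build a valid signature + IHDR chunk (sample data for the check above)."""
    ihdr = struct.pack(">IIBBBBB", w, h, depth, color, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + ihdr) & 0xFFFFFFFF
    return PNG_SIG + struct.pack(">I", 13) + b"IHDR" + ihdr + struct.pack(">I", crc)
```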


reddit_for200
