Recently I participated in an entry level CTF and solved few forensics challenges in it.
Somepang (Forensics 50 points)
A pcap file was given : <link to file>
Upon opening the file in Wireshark, you could see that it has ICMP packets. And the interesting fact is that two bytes are unique in each echo-reply packets but repeats several times within the same.
I wrote a python script to extract last two bytes from the pcap.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python2.7 | |
| from pcapfile import savefile | |
| import base64 | |
| testcap = open('somepang.pcap', 'r') | |
| capfile = savefile.load_savefile(testcap, verbose=True) | |
| msg = "" | |
| for i in xrange(0, len(capfile.packets)-1, 2): | |
| msg += str(capfile.packets[i])[-2:] | |
| data = base64.decodestring(msg) | |
| f = open('somepang-flag.jpg', 'w') | |
| f.write(data) | |
| f.close() | |
| testcap.close() | |
| print "[+] Result in: somepang-flag.jpg" |
Flag: RC3-2016-PANG-ME-LIKE-ONE-OF-YOUR-FRENCH-GORILLAZ
My Lil Droid (Forensics 100 Points)
This is one among the easiest task in the forensics section. A Youtube.apk files was given.
I used strings and searched with RC3 and then with 2016. I was able to find base64 encoded strings which looks like a flag (RC3-2016-SOMESTRING)
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| (ctftools) ➜ youtube [0] strings youtube.apk|grep "RC3-" | |
| (ctftools) ➜ youtube [1] strings youtube.apk|grep "2016" | |
| 2016-06-22T14:35:33-07:00 | |
| 2016-06-22T14:35:33-07:00a | |
| 2016-06-22T14:34:18-07:00 | |
| 2016-06-22T14:34:18-07:00 | |
| build.tool=Blaze, release blaze-2016.04.14-4 (mainline @119748905) | |
| build.time=Tue May 31 15\:02\:21 2016 (1464732141) | |
| UkMz-2016-R09URU0yMQ== | |
| (ctftools) ➜ youtube [0] echo -ne "UkMzR09URU0yMQ==" | base64 -d | |
| RC3GOTEM21 |
Flag: RC3-2016-GOTEM21
Graphic Design (Forensics 200)
A blender object file was given. Upon loading the object file in blender application, a 3D model was dinosaur was opened. I was able to see various layers and disabled all of them except the layer named def_not_the_flag_Text.002
Flag: RC3-2016-St3GG3rz
Breaking News (Forensics 300)
A zipfile was given and it contained 20 zip files. Usually, zip file end with a signature PK followed by bunch of 0x00s. But while inspecting the tail of certain zip (4, 9, 10, 12, 15) files, I could see base64 encoded strings.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/env python2 | |
| import binascii | |
| import base64 | |
| flag="" | |
| for i in range(0, 20): | |
| f = open('Chapter' + str(i) + '.zip', 'r') | |
| content = f.read() | |
| hex_text = binascii.hexlify(content) | |
| if int(hex_text[-2:], 16) != 0: | |
| flag_hex = (hex_text[-16:].rstrip('=')).decode('hex') | |
| flag += base64.b64decode(flag_hex + '=' * (-len(flag_hex) % 4)).strip('\n') | |
| f.close() | |
| print flag |
Flag: RC3-2016-DUKYFBLS
DTrump (Forensics 400 )
File: dtrump.img.zip was given and it contains a ISO 9660 CD-ROM filesystem data ‘CDROM’.
I mounted the ISO into my machine.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ➜ rc3 [0] sudo mount -t iso9660 -o loop,rw dtrump.img /mnt/disk | |
| mount: /dev/loop0 is write-protected, mounting read-only | |
| ➜ rc3 [0] cd /mnt/disk/ | |
| ➜ disk [0] ls | |
| Desktop Documents Downloads examples.desktop Music Pictures Public rr_moved secretfiles Templates Videos | |
| ➜ disk [0] cd secretfiles | |
| ➜ secretfiles [0] ls master [5fe6ff3] deleted untracked | |
| document.txt README.md Workbook1.xlsx.gpg | |
| ➜ secretfiles [0] cat document.txt master [5fe6ff3] deleted untracked | |
| passowrd123 | |
| ➜ secretfiles [0] git status master [5fe6ff3] deleted untracked | |
| On branch master | |
| Your branch is up-to-date with 'origin/master'. | |
| Changes not staged for commit: | |
| (use "git add/rm <file>…" to update what will be committed) | |
| (use "git checkout — <file>…" to discard changes in working directory) | |
| deleted: private.key | |
| Untracked files: | |
| (use "git add <file>…" to include in what will be committed) | |
| README.md | |
| Workbook1.xlsx.gpg | |
| document.txt | |
| no changes added to commit (use "git add" and/or "git commit -a") | |
| ➜ secretfiles [0] git checkout private.key master [5fe6ff3] deleted untracked | |
| fatal: Unable to create '/mnt/disk/secretfiles/.git/index.lock': Read-only file system | |
| ➜ secretfiles [128] |
I was able to find a folder called secretfiles, which is a git repository. As the ISO is always mounted as read-only, I was not able to checkout the deleted private.key file. There is an excel file called Workbook1.xlsx.gpg which is encrypted using this private key. Hence I copied the secretfiles directory into my filesystem where I can read/write. I used the private key to decrypt the XLSX file.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ➜ secretfiles [0] git checkout private.key | |
| ➜ secretfiles [0] ls master [5fe6ff3] untracked | |
| document.txt private.key README.md Workbook1.xlsx.gpg | |
| ➜ secretfiles [0] gpg –import private.key master [5fe6ff3] untracked | |
| gpg: key 8FFDF6D6: secret key imported | |
| gpg: key 8FFDF6D6: public key "ThugG (lolz) <nope@gmail.com>" imported | |
| gpg: Total number processed: 1 | |
| gpg: imported: 1 (RSA: 1) | |
| gpg: secret keys read: 1 | |
| gpg: secret keys imported: 1 | |
| ➜ secretfiles [2] gpg –output Workbook1.xlsx -d Workbook1.xlsx.gpg master [5fe6ff3] untracked | |
| gpg: encrypted with 1024-bit RSA key, ID E22CB12D, created 2016-11-18 | |
| "ThugG (lolz) <nope@gmail.com>" | |
| ➜ secretfiles [0] kde-open Workbook1.xlsx |
The LibreOffice opened up with a password prompt and I provided password123 which was determined by examining the document.txt file. The flag was present in the sheet 2.
Flag: RC3-2016-SNEAKY21
FOR-BIN-SEC 