Monday, 1 February 2016

Hackim 2016 Forensics-200

Its been long playing CTF. Am back again.

Question :

Hint : Forensics2 - Ext4 or btrfs …… err I forgot

File : f200

Tools :
FiletypeID , network miner , mount command , online sha512 hash generator. arj ,arc

Solution :

Lets get the hidden data. Shall we ?

To start with forensics challenges, always look at the file type.

A tcpdump file. Well wireshark or network miner ? your choice..i choose network miner for this.

After the hints were given,I did this. hence its clear its a filesystem. so i sorted out based on size and downloaded file named :
aaa , daa , f9 , eaa , cad , baa , caa , bac , cac , bab , cab , cae .

now after quickly looking at the filetype all the files i mentioned which i extracted where archived using different compression algorithms like :

aaa - 7zip compressed archive
bab - ARJ compressed archive
caa - Tar compressed archive
daa - Rzip compressed archive
eaa - Zoo compressed archive

every decompression leads to a different filesystem. But what are we interested in ?

LOOK AT THE HINT [btrfs or ext4] , yes its btrfs which is compressed in bab by ARJ compressed archive.

apt-get install arj (to install in linux)

though it gets stuck at 74% which i dont know why. but extracts something atleast. Lets dig if we got flag.

file f2 is extracted lets quickly do a file command and check what is the filesystem. The rest you can try and find out the filesystems.

Perfect match for the hint. Isn't it ?

Well now lets mount this using the mount command :

mount -t btrfs f2 /mnt

Now is the tough part of finding the folder containing the flag. I did a tree command though it wasnt useful much as there were 249 directories and 1109 files.

I used my old friend cat .. something stupidly found though .

cat */*/*/*/*/*

output gave me some hope :
EXtcommentf-l-a-g{lossles:;@B� %tEXtdate:create2015-09-23T05:20:42-07:00_�B� %tEXtdate:modify2015-09-23T05:20:42-07:00~ g�� IEND�B`� 0d8f7]� �`FG:/�IAd�PNG

so one of the file has a png in it. 

After bit searching found the file to be abcde
file command shows that its a arc file.

Location of file : /media/root/44482191-c394-4864-9dc6-1d7d8b49c5d2/vaQ1Dg/7JLc3R/ktCBdI/az7zY6/OdzAzw/abcde

command : arc x abcde 
3 files as output 0ca45 , 0d8f7 , 07bb9

of which 07bb9 looked promising .

wait ?? what ?? thats not the flag ??

I did a strings on the file , if you can see above we saw metadata from cat . dint we ? and tat was supposed to be for file 0ca45 , but whats it for 07bb9 ?

Seriously ?? yes .. and surprisingly its not flag{sha512(lossless_data_compres)}
and the flag is supposedly to be flag{sha512(07bb9 file)} , hence find the sha 512 checksum of file 07bb9 and submit it as flag{checksum}

Flag : flag{b70b003b1aa96c5b44e4cbb564196e43531d9cbdd5c27cca36e85ff89bf71a8109725b64834ae6232ce3110bf4a4f75a27dd7050aba9f4362ed729b333c0a5ed}

and you get :

No comments:

Post a Comment

enter valid comments.Suggestions are most welcome and would be interested in correcting my mistakes.