It's been a long time since I last played CTF. I'm back again.
Question:
Hint: Forensics2 - Ext4 or btrfs …… err I forgot
File: f200
Tools:
FiletypeID, NetworkMiner, mount command, online sha512 hash generator, arj, arc
Solution:
Let's get the hidden data. Shall we?
To start with forensics challenges, always look at the file type.
It's a tcpdump file. Wireshark or NetworkMiner? Your choice; I chose NetworkMiner for this.
After the hints were given I did this, and it's clear it's a filesystem. So I sorted the extracted files by size and downloaded the files named:
aaa , daa , f9 , eaa , cad , baa , caa , bac , cac , bab , cab , cae .
A quick look at the file types showed that all the files I mentioned and extracted were archives, compressed with different algorithms:
aaa - 7zip compressed archive
bab - ARJ compressed archive
caa - Tar compressed archive
daa - Rzip compressed archive
eaa - Zoo compressed archive
Every decompression leads to a different filesystem. But which one are we interested in?
LOOK AT THE HINT [btrfs or ext4]: yes, it's btrfs, and it's the one compressed inside bab as an ARJ archive.
apt-get install arj (to install on Linux)
Extraction gets stuck at 74%, which I don't know the reason for, but it extracts something at least. Let's dig in and see if we got the flag.
The file f2 is extracted; let's quickly run the file command and check which filesystem it is. The rest you can try and find out the filesystems yourself.
A perfect match for the hint, isn't it?
Now let's mount it using the mount command:
mount -t btrfs f2 /mnt
Now comes the tough part: finding the folder containing the flag. I ran a tree command, though it wasn't much use as there were 249 directories and 1109 files.
I used my old friend cat, and stupid as the approach is, it found something.
cat */*/*/*/*/*
The output gave me some hope:
EXtcommentf-l-a-g{lossles:;@B� %tEXtdate:create2015-09-23T05:20:42-07:00_�B� %tEXtdate:modify2015-09-23T05:20:42-07:00~ g�� IEND�B`� 0d8f7]� �`FG:/�IAd�PNG
So one of the files has a PNG in it. After a bit of searching I found the file to be abcde.
The file command shows that it's an ARC archive.
Location of file : /media/root/44482191-c394-4864-9dc6-1d7d8b49c5d2/vaQ1Dg/7JLc3R/ktCBdI/az7zY6/OdzAzw/abcde
Command: arc x abcde
3 files as output: 0ca45, 0d8f7, 07bb9
of which 07bb9 looked promising.
Wait?? What?? That's not the flag??
I ran strings on the file. If you look above, we saw the metadata from cat, didn't we? That was supposed to be for file 0ca45, but what is it for 07bb9?
Seriously?? Yes.. and surprisingly it's not flag{sha512(lossless_data_compres)}.
The flag is supposedly flag{sha512(07bb9 file)}, hence find the sha512 checksum of file 07bb9 and submit it as flag{checksum}.
Flag : flag{b70b003b1aa96c5b44e4cbb564196e43531d9cbdd5c27cca36e85ff89bf71a8109725b64834ae6232ce3110bf4a4f75a27dd7050aba9f4362ed729b333c0a5ed}
And you get:
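As an added worked example (my own code, not from the original post or the challenge), here is a small Python script that does the identification and hashing steps above programmatically: it recognises the archive and filesystem formats met in this challenge by their magic bytes (btrfs keeps its superblock magic at offset 0x10040, ext4 at 0x438, ARC has only a weak 0x1A marker), pulls tEXt chunks out of a PNG like the one cat revealed, and builds the flag{sha512(...)} string. The sample PNG is constructed inline; the signature table is my assumption of the relevant formats, not something the post supplies.

```python
import hashlib
import struct
import zlib
# Magic-byte signatures for the formats met in this challenge: (name, offset, bytes).
SIGNATURES = [
    ("7zip archive", 0, b"7z\xbc\xaf\x27\x1c"),
    ("ARJ archive", 0, b"\x60\xea"),
    ("Rzip archive", 0, b"RZIP"),
    ("Zoo archive", 0, b"ZOO "),
    ("PNG image", 0, b"\x89PNG\r\n\x1a\n"),
    ("Tar archive", 257, b"ustar"),
    ("ext2/3/4 filesystem", 0x438, b"\x53\xef"),   # s_magic 0xEF53, little-endian
    ("btrfs filesystem", 0x10040, b"_BHRfS_M"),    # superblock at 64 KiB, magic at +0x40
]

def identify(data: bytes) -> str:
    """Return a format name for a byte blob, like `file` would, for the formats above."""
    for name, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    # ARC has no real magic: a 0x1A marker followed by a compression-method byte (1-9).
    if len(data) >= 2 and data[0] == 0x1A and 1 <= data[1] <= 9:
        return "ARC archive (heuristic)"
    return "unknown"

def png_text_chunks(data: bytes) -> dict:
    """Walk the PNG chunk list and return keyword -> text for every tEXt chunk."""
    texts, pos = {}, 8                          # skip the 8-byte PNG signature
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if ctype == b"tEXt" and b"\x00" in body:
            key, _, val = body.partition(b"\x00")
            texts[key.decode("latin-1")] = val.decode("latin-1")
        if ctype == b"IEND":
            break
        pos += 12 + length                      # 4 length + 4 type + data + 4 CRC
    return texts

def flag_for(data: bytes) -> str:
    """The challenge's flag format: flag{sha512 hex digest of the file contents}."""
    return "flag{" + hashlib.sha512(data).hexdigest() + "}"

def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk with a correct CRC (helper for the constructed sample)."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

# Constructed sample: a minimal PNG carrying a tEXt comment like the one seen in the cat output.
SAMPLE_PNG = (b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + _chunk(b"tEXt", b"comment\x00f-l-a-g{lossless_data_compres}") + _chunk(b"IEND", b""))
```

Run identify() over each file NetworkMiner extracts to skip the decoy archives quickly, and flag_for() on the extracted 07bb9 to avoid pasting binary data into an online hash generator.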
Please enter valid comments. Suggestions are most welcome, and I would be interested in correcting my mistakes.