Thứ Tư, 30 tháng 9, 2020

[picoCTF] Forensics picoGym challenge

 Hello buddy! Today I will introduce some new stuffs. 

I'm in self-training for CTF competition. And according to the need of my team, I decide to explore Forensics area. I hope this decision will make it work and I can absorb more and more knowledge for pentesting.

So, I will kick off with picoCTF, this place is better for every beginner . Let's start!

like1000: 250pts


Follow the hint, this chall requires player to write a script , make it work to solve the problem. Download the .tar file and extract it 



Alright! It contains another archived file named "999.tar" and txt file. After doing some research, I realize the issue : You must extract all the .tar file (may be 999 times) and find which file (all file named "filler.txt") contains flag.

For sure this must be solved by script (or if you have time , you can manually extract this 999 times 💀). I decide to write a small script by Python 3. After looking through tarfile module and think a way to find flag after extracting, I completely done (script).

Here is the result 



the flag was contained in flag.png

shark on wire 2: 300pts



This chall is the next of Sharkonwire series. Let's download the pcap file and open with wireshark


I start with this filter so I can analyze which packet or frame with flag or related to it .


Follow the UDP stream, after some minutes, I realize that packet with "start" string and another with "end"  


Between them, about 15-20 packets from ip 10.0.0.66 are sent out, so I do this filter


All destination ports are the same : 22 . I focus on source port which a little bit different. Ignore first number on each port, we actually have a range of ASCII letter. I write a small python script to get all number we need and decode them. 



Webnet0:350pts


Another challenge related to Wireshark . Just download the key and pcap file

Another hint is about TLS protocol

Transport Layer Security, or TLS, is a widely adopted security protocol designed to facilitate privacy and data security for communications over the Internet. A primary use case of TLS is encrypting the communication between web applications and servers, such as web browsers loading a website. TLS can also be used to encrypt other communications such as email, messaging, and voice over IP (VoIP). In this article we will focus on the role of TLS in web application security
This is RSA key . After 15 minutes searching about how to decrypt the TLS protocol with RSA key, I figured out this stuff , and it's all I need to configure the wireshark and claim the points





c0rrupt :250 points


Firsly, we should download the file 


As we can see, the file has not extension. So, we must find the type of this file . 

Let's look through the header 


After searching, I realize that this may be the wrong header comparing to PNG header



 So, I decide to edit this to PNG header. Do this !


Take half an hour reading about PNG header , I guess I must change some chunk to the right value, compare to this image:



PNG check tool report as I thought. 



fix IHDR chunk : 43 22 44 52 → 49 58 44 52
fix IDAT chunk :  AB 44 45 44  49 44 41 54


fix pHYs CRC : 49 52 24 F0  
→ 38D82C82

After fixing 




Rename the file as add .png extension to it and open up 



Bingo!

WebNet1:450 points




Smilar to WebNet0, the chall gives us .pcap file and RSA key file. So, I repeat all steps manually and will not focus in details . Just import the RSA file key , configure IP addr , port and WireShark decrypt it automatically. 

After analyzing all TLS packets, I found out this



Combine both and we have flag :D 

We need to go deeper : 20 Points



A challeng from Root me at medium level . Let's dig into it !


The challenge give us a picture with jpg extesion 


So, I guess we must analyze as "deeper" as possible . The challeng's descripton is :"Russian Dolls"- means that doll inside doll (Matryoska doll) - so I think maybe another picture(s) inside this challenge's picture... Let's check this. 

Firstly, as usual, strings command 



JFIF-Exif-JFIF-Exif-JFIF, too much . Send to https://29a.ch/photo-forensics/  


After 4 or 5 minutes skimming the surface, I ensure that is nothing intersting . So, I decide to go on with Binwalk 


Seems a bit stranger here, I bet this result is different from other "normal" jpg file. Check it out! This is normal result .


I think I'm in the right direction and I need to find the way to extract these hidden file from this picture. Keep searching ...

Useful information


 Another CTF challenge with the same idea 


But when I try these commands above , It's not work . 

Fortunately, when I stuck, I found this useful stuff which guides a way to extract file(s) from file using Binwalk :




We made it ! Let's open it one by one and get the flag !



I figure out this tool (Binwalk) may be the most essential tool in forensics . Hope to try this tool with another interesting challege



Job Interview


After download and unzip, I figure out this challenge's file has .e01 extension, strange to me. Let's learn about this 

                             The Structure of E01 file

An EnCase image file is encoded with disk image storage and compression standards used in the E01 format. These E01 files are affixed with the .e01 extension and are used by the EnCase application. The data stored in the E01 file can then be accessed by mounting the E01 disk image file using EnCase or other compatible applications implemented with support for the E01 disk image format. The forensic and technical content of an E01 file can be used in judiciary proceedings as evidence that may be used in criminal cases among other legal cases.
This pretty doc gave me everything useful about this format type. Some others interesting information






Another chall relate to .e01 file

We should download ewf-tools to work with this type of file. 


Follow the guide, I 
create a directory and use it as mountpoint, in order to mount the EWF container:


As you can seen, after mounting, we found the ewf1 file!


Extract this file with tar command, I find out a file named 
bcache24.bmc (not familiar to me)


That's complexity!
However, I found a way to work with it.



What a mess! But everything is on the right direction -we must keep searching the flag ..

On Windows




Bingo!

Continue..

Happy Hacking!




Không có nhận xét nào:

Đăng nhận xét

Phổ Biến

Follow by Email