Wednesday, September 30, 2020

[picoCTF] Forensics picoGym challenge

Hello buddy! Today I will introduce some new stuff.

I'm self-training for CTF competitions, and according to the needs of my team, I decided to explore the Forensics area. I hope this decision works out and that I can absorb more and more knowledge for pentesting.

So, I will kick off with picoCTF; it is a good place for every beginner. Let's start!

like1000: 250pts


Following the hint, this chall requires the player to write a script to solve the problem. Download the .tar file and extract it.



Alright! It contains another archive named "999.tar" and a txt file. After doing some research, I realize the issue: you must extract all the nested .tar files (maybe 999 times) and find which file contains the flag (every level holds a file named "filler.txt").

For sure this must be solved with a script (or, if you have time, you can manually extract it 999 times 💀). I decided to write a small script in Python 3. After looking through the tarfile module and thinking of a way to find the flag after extracting, I was done (script).

Here is the result:



The flag was contained in flag.png.
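The same idea as the script above, as an added example rather than the post's own code: unpack the tar-in-tar nest entirely in memory with the tarfile module and stop at the first member that is neither another archive nor filler.txt. The fixture built by build_nested_tar() is a constructed miniature of the like1000 layout (N.tar contains (N-1).tar and filler.txt, and 1.tar also contains flag.png) so the code runs offline; the flag bytes and file contents are made up.

```python
"""Added example (not the post's script): walk a nested tar chain in memory."""
import io
import tarfile


def _add_member(tar: tarfile.TarFile, name: str, data: bytes) -> None:
    """Append an in-memory regular file to an open tar."""
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))


def build_nested_tar(depth: int, flag: bytes = b"constructed{flag}") -> bytes:
    """Constructed fixture: depth.tar -> (depth-1).tar -> ... -> 1.tar.
    Every level carries filler.txt; only 1.tar also carries flag.png
    (labelled bytes here, a real PNG in the challenge)."""
    inner = b""
    for level in range(1, depth + 1):
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w") as tar:
            _add_member(tar, "filler.txt", b"this file is filler\n")
            if level == 1:
                _add_member(tar, "flag.png", flag)
            else:
                _add_member(tar, f"{level - 1}.tar", inner)
        inner = buf.getvalue()
    return inner


def unpack_to_flag(archive: bytes, max_depth: int = 1000):
    """Descend one archive per iteration, never touching the disk.
    Returns (depth, name, bytes) of the first member that is neither a
    nested .tar nor filler.txt."""
    data = archive
    for depth in range(1, max_depth + 1):
        with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
            members = {m.name: tar.extractfile(m).read() for m in tar if m.isfile()}
        nested = [n for n in members if n.endswith(".tar")]
        others = [n for n in members if n not in nested and n != "filler.txt"]
        if others:
            return depth, others[0], members[others[0]]
        if not nested:
            raise ValueError(f"dead end at depth {depth}: {sorted(members)}")
        data = members[nested[0]]
    raise ValueError(f"still nested after {max_depth} levels")


if __name__ == "__main__":
    depth, name, payload = unpack_to_flag(build_nested_tar(20))
    print(f"depth={depth} name={name} payload={payload!r}")
```

Keeping every level in memory avoids writing 1000 directories of filler to disk; for the real 1000.tar you would pass the file's bytes straight into unpack_to_flag() and write only the returned flag.png out.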

shark on wire 2: 300pts



This chall is the next in the shark on wire series. Let's download the pcap file and open it with Wireshark.


I start with this filter so I can analyze which packets or frames contain the flag or are related to it.


Following the UDP stream, after some minutes I notice a packet with the string "start" and another with "end".


Between them, about 15-20 packets from IP 10.0.0.66 are sent out, so I apply this filter:


All destination ports are the same: 22. I focus on the source ports, which differ slightly. Ignoring the first digit of each port, we actually have a range of ASCII codes. I wrote a small Python script to get all the numbers we need and decode them.
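The filter-and-decode step in code, as an added example that is not the post's script: a minimal classic-pcap reader (Ethernet/IPv4/UDP only) that keeps packets from 10.0.0.66 to port 22 seen between the "start" and "end" payloads and turns each source port into a character by dropping its leading digit (5112 → 112 → 'p'). The capture is constructed in memory by build_pcap(); the flag text, hosts and noise packets are made up, not the challenge's.

```python
"""Added example (not the post's script): decode data hidden in UDP source ports."""
import struct


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def _ip_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _udp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet II / IPv4 / UDP frame. UDP checksum 0 means absent (legal over IPv4)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     _ip_bytes(src), _ip_bytes(dst))
    ip = ip[:10] + struct.pack("!H", _ip_checksum(ip)) + ip[12:]
    eth = bytes(6) + bytes(6) + b"\x08\x00"        # zero MACs, EtherType IPv4
    return eth + ip + udp


def build_pcap(packets) -> bytes:
    """Little-endian classic pcap, linktype 1 (Ethernet), one frame per tuple."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, (src, dst, sport, dport, payload) in enumerate(packets):
        frame = _udp_frame(src, dst, sport, dport, payload)
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_udp(pcap: bytes):
    """Yield (src_ip, dst_ip, sport, dport, payload) for every IPv4/UDP packet."""
    magic = pcap[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        end = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) is handled here")
    off = 24
    while off + 16 <= len(pcap):
        _, _, caplen, _ = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        if ip[9] != 17:
            continue                                # not UDP
        udp = ip[ihl:]
        sport, dport, ulen = struct.unpack("!HHH", udp[:6])
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        yield src, dst, sport, dport, udp[8:ulen]


def decode_ports(pcap: bytes, src_ip: str = "10.0.0.66", dst_port: int = 22) -> str:
    """Between the "start" and "end" payloads, map each matching packet's
    source port to a character by dropping its leading digit (port % 1000)."""
    recording, chars = False, []
    for src, _dst, sport, dport, payload in iter_udp(pcap):
        body = payload.strip()
        if body == b"start":
            recording = True
            continue
        if body == b"end":
            break
        if recording and src == src_ip and dport == dst_port:
            chars.append(chr(sport % 1000))
    return "".join(chars)


# Constructed capture: noise, the start marker, one packet per flag character
# (source port = 5000 + ord(c)), a decoy to another port, the end marker, noise.
SAMPLE_FLAG = "constructed{d3m0}"
SAMPLE_PACKETS = (
    [("10.0.0.5", "10.0.0.1", 5090, 22, b"noise")]
    + [("10.0.0.1", "10.0.0.66", 40000, 5000, b"start")]
    + [("10.0.0.66", "10.0.0.1", 5000 + ord(c), 22, b"\x00") for c in SAMPLE_FLAG]
    + [("10.0.0.66", "10.0.0.1", 5065, 23, b"decoy")]
    + [("10.0.0.1", "10.0.0.66", 40000, 5000, b"end")]
    + [("10.0.0.7", "10.0.0.1", 5097, 22, b"noise")]
)
SAMPLE_PCAP = build_pcap(SAMPLE_PACKETS)

if __name__ == "__main__":
    print(decode_ports(SAMPLE_PCAP))
```

Bounding the decode by the "start"/"end" markers matters: other hosts in the capture also talk to port 22, and without the window their ports would pollute the string.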



WebNet0: 350pts


Another challenge related to Wireshark. Just download the key and pcap file.

Another hint is about the TLS protocol:

Transport Layer Security, or TLS, is a widely adopted security protocol designed to facilitate privacy and data security for communications over the Internet. A primary use case of TLS is encrypting the communication between web applications and servers, such as web browsers loading a website. TLS can also be used to encrypt other communications such as email, messaging, and voice over IP (VoIP). In this article we will focus on the role of TLS in web application security
The key file is an RSA private key. After 15 minutes of searching for how to decrypt TLS traffic with an RSA key, I figured it out, and it's all I need to configure Wireshark and claim the points.
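The reason this works (for WebNet0 and WebNet1 alike) is that the capture uses an RSA key-exchange cipher suite: the client encrypts the pre-master secret to the server's RSA public key inside ClientKeyExchange, so the private key you add to Wireshark's RSA keys list (under Protocols → TLS in older releases, Edit → Preferences → RSA Keys in Wireshark 3.x) recovers it. With an (EC)DHE suite the same key decrypts nothing and you would need a key log file instead. Once the pre-master secret is known, Wireshark runs the RFC 5246 derivation to get the record keys; the following is an added example of that derivation, not the post's or Wireshark's code, with constructed randoms and pre-master secret rather than values from the challenge capture.

```python
"""Added example (not from the post or Wireshark): TLS 1.2 key derivation from
an RSA-decrypted pre-master secret (RFC 5246 sections 5, 6.3 and 8.1)."""
import hashlib
import hmac


def p_hash(secret: bytes, seed: bytes, length: int, digest=hashlib.sha256) -> bytes:
    """P_<hash>: A(0)=seed, A(i)=HMAC(secret, A(i-1)); output HMAC(secret, A(i)+seed)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF for SHA-256 based suites: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret",
    ClientHello.random + ServerHello.random), truncated to 48 bytes."""
    return tls12_prf(pre_master, b"master secret", client_random + server_random, 48)


def derive_keys(pre_master: bytes, client_random: bytes, server_random: bytes,
                mac_len: int, key_len: int, iv_len: int) -> dict:
    """Expand the key block (note the swapped random order for "key expansion")
    and split it into the six record-layer secrets."""
    ms = master_secret(pre_master, client_random, server_random)
    block = tls12_prf(ms, b"key expansion", server_random + client_random,
                      2 * (mac_len + key_len + iv_len))
    names = ["client_write_MAC_key", "server_write_MAC_key",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {"master_secret": ms}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


# Constructed inputs. For RSA key exchange the decrypted pre-master secret is
# 48 bytes: the client's offered version followed by 46 random bytes.
PRE_MASTER = b"\x03\x03" + bytes(range(46))
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))

if __name__ == "__main__":
    # Sizes for TLS_RSA_WITH_AES_128_CBC_SHA: 20-byte HMAC-SHA1 key, 16-byte AES key, 16-byte IV.
    for name, value in derive_keys(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM, 20, 16, 16).items():
        print(f"{name:22s} {value.hex()}")
```

The two randoms come straight from the ClientHello and ServerHello in the capture, which is why the pcap plus the private key is enough: nothing else in the handshake is secret.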





c0rrupt: 250 points


Firstly, we should download the file.


As we can see, the file has no extension. So, we must find the type of this file.

Let's look through the header:


After searching, I realize that this may be a damaged header compared to the PNG header:



So, I decide to edit this into the PNG header. Do this!


After half an hour reading about the PNG format, I guess I must change some chunks to the right values, comparing against this image:



The PNG check tool reports what I thought:



fix IHDR chunk: 43 22 44 52 → 49 48 44 52
fix IDAT chunk: AB 44 45 44 → 49 44 41 54

fix pHYs CRC: 49 52 24 F0 → 38 D8 2C 82

After fixing:




Rename the file, adding the .png extension, and open it up:
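The same checks and fixes done programmatically, as an added example rather than the hex edits from the post: walk the chunk list, report what a checker would report, and repair the two damage patterns seen in this challenge. A damaged chunk type with an intact CRC (the IHDR and IDAT cases) is recoverable without guessing, because the CRC covers the type bytes plus the data, so the one standard type whose CRC matches is the original; a sane chunk with a damaged CRC (the pHYs case) just gets its CRC recomputed. The 1x1 test image and the corruption applied to it are constructed here, not the challenge file.

```python
"""Added example (not the post's hex edits): check and repair PNG chunk damage."""
import struct
import sys
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
KNOWN_TYPES = [b"IHDR", b"PLTE", b"IDAT", b"IEND", b"pHYs", b"tEXt", b"zTXt", b"iTXt",
               b"sRGB", b"gAMA", b"cHRM", b"iCCP", b"tRNS", b"bKGD", b"sBIT", b"tIME"]


def chunk(ctype: bytes, data: bytes) -> bytes:
    """length | type | data | CRC32 over type + data."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def build_png() -> bytes:
    """Constructed 1x1 RGB image with a pHYs chunk (2835 px/m, i.e. 72 dpi)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # width, height, 8-bit, colour type 2 (RGB)
    idat = zlib.compress(b"\x00" + b"\xff\x00\x00")       # filter 0 + one red pixel
    phys = struct.pack(">IIB", 2835, 2835, 1)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"pHYs", phys) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def walk_chunks(data: bytes):
    """Yield (offset, length, type, body, stored_crc). A damaged length field
    would desynchronise this walk; that has to be fixed by hand first."""
    off = 8
    while off + 12 <= len(data):
        length, = struct.unpack(">I", data[off:off + 4])
        if off + 12 + length > len(data):
            break
        ctype = data[off + 4:off + 8]
        body = data[off + 8:off + 8 + length]
        crc, = struct.unpack(">I", data[off + 8 + length:off + 12 + length])
        yield off, length, ctype, body, crc
        off += 12 + length


def check_png(data: bytes) -> list:
    """Human-readable findings, one per problem."""
    issues = []
    if data[:8] != PNG_SIG:
        issues.append(f"signature {data[:8].hex(' ')} != {PNG_SIG.hex(' ')}")
    for off, _, ctype, body, crc in walk_chunks(data):
        actual = zlib.crc32(ctype + body)
        if ctype not in KNOWN_TYPES:
            issues.append(f"0x{off:X}: unknown chunk type {ctype.hex(' ')}")
        if actual != crc:
            issues.append(f"0x{off:X}: {ctype!r} CRC stored {crc:08X}, computed {actual:08X}")
    return issues


def repair_png(data: bytes) -> bytes:
    out = bytearray(data)
    out[:8] = PNG_SIG
    for off, length, ctype, body, crc in walk_chunks(data):
        if zlib.crc32(ctype + body) == crc:
            continue
        matches = [t for t in KNOWN_TYPES if zlib.crc32(t + body) == crc]
        if len(matches) == 1:
            out[off + 4:off + 8] = matches[0]        # type bytes damaged, CRC trustworthy
        elif ctype in KNOWN_TYPES:
            out[off + 8 + length:off + 12 + length] = struct.pack(">I", zlib.crc32(ctype + body))
        # else: both type and CRC damaged, leave it for manual inspection
    return bytes(out)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_png()
    for line in check_png(blob) or ["no issues"]:
        print(line)
```

Run it against the challenge file to get the same list the PNG check tool gave, then write repair_png()'s output to a .png and open it.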



Bingo!

WebNet1: 450 points




Similar to WebNet0, the chall gives us a .pcap file and an RSA key file. So, I repeat all the steps and will not go into details. Just import the RSA key file, configure the IP address and port, and Wireshark decrypts it automatically.

After analyzing all the TLS packets, I found this:



Combine both and we have the flag :D

We need to go deeper: 20 points



A challenge from Root Me at medium level. Let's dig into it!


The challenge gives us a picture with a .jpg extension.


So, I guess we must analyze as "deep" as possible. The challenge's description is "Russian Dolls", meaning a doll inside a doll (Matryoshka doll), so I think there may be other picture(s) inside this challenge's picture... Let's check this.

Firstly, as usual, the strings command:



JFIF-Exif-JFIF-Exif-JFIF, too many. Send it to https://29a.ch/photo-forensics/


After 4 or 5 minutes skimming the surface, I am sure there is nothing interesting there. So, I decide to go on with binwalk:


Seems a bit strange here; I bet this result is different from other "normal" jpg files. Check it out! This is the normal result:


I think I'm heading in the right direction and I need to find a way to extract these hidden files from this picture. Keep searching...

Useful information


Another CTF challenge with the same idea:


But when I try the commands above, they don't work.

Fortunately, when I was stuck, I found this useful resource, which shows a way to extract file(s) from a file using binwalk:




We made it! Let's open them one by one and get the flag!



I figure this tool (binwalk) may be the most essential tool in forensics. I hope to try it on another interesting challenge.
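What the binwalk extraction above does for this file, written out as an added example (not the post's commands and not binwalk's code): find every JPEG start-of-image marker in the blob and carve from each one to the end of the file. Carving to end of file rather than to the first FF D9 is deliberate: a JPEG decoder stops at the end-of-image marker in the scan data and ignores whatever follows, whereas an Exif APP1 segment contains a thumbnail with its own FF D9 that would cut the carve short (the repeated JFIF/Exif strings above are exactly that pattern). The nested sample is constructed inline from JPEG stubs; the challenge image is not reproduced.

```python
"""Added example (not from the post or binwalk): carve appended JPEGs out of a file."""
import sys
from pathlib import Path

SOI = b"\xff\xd8\xff"
EOI = b"\xff\xd9"


def find_jpeg_offsets(blob: bytes) -> list:
    """Offsets of FF D8 FF followed by an APP0 (JFIF) or APP1 (Exif) marker."""
    offs, i = [], blob.find(SOI)
    while i != -1:
        if blob[i + 3:i + 4] in (b"\xe0", b"\xe1"):
            offs.append(i)
        i = blob.find(SOI, i + 1)
    return offs


def carve_jpegs(blob: bytes) -> list:
    """[(offset, bytes)] for each embedded JPEG, each running to end of file.
    Nested files therefore each contain the ones appended after them, which
    is what a signature extractor produces as well."""
    return [(off, blob[off:]) for off in find_jpeg_offsets(blob)]


def write_carves(blob: bytes, outdir: Path) -> list:
    """Write each carve as <offset>.jpg into outdir and return the paths."""
    outdir.mkdir(parents=True, exist_ok=True)
    written = []
    for off, data in carve_jpegs(blob):
        path = outdir / f"{off:08X}.jpg"
        path.write_bytes(data)
        written.append(path)
    return written


def _stub_jpeg(body: bytes, app: bytes = b"\xe0") -> bytes:
    """Constructed stand-in for a JPEG: SOI, a 16-byte APP segment, body, EOI."""
    seg = b"\xff" + app + b"\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xd8" + seg + body + EOI


# Constructed "Russian doll": three images appended back to back.
SAMPLE = _stub_jpeg(b"outer scan data") + _stub_jpeg(b"middle", b"\xe1") + _stub_jpeg(b"inner")

if __name__ == "__main__":
    target = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE
    for off, data in carve_jpegs(target):
        print(f"JPEG at 0x{off:X}, {len(data)} bytes to end of file")
```

Point it at the challenge image and open each written file; the innermost carve is the one with nothing appended after it.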



Job Interview


After downloading and unzipping, I figure out this challenge's file has the .e01 extension, which is strange to me. Let's learn about it.

The Structure of an E01 file

An EnCase image file is encoded with disk image storage and compression standards used in the E01 format. These E01 files are affixed with the .e01 extension and are used by the EnCase application. The data stored in the E01 file can then be accessed by mounting the E01 disk image file using EnCase or other compatible applications implemented with support for the E01 disk image format. The forensic and technical content of an E01 file can be used in judiciary proceedings as evidence that may be used in criminal cases among other legal cases.
This nice doc gave me everything useful about this format. Some other interesting information:






Another chall related to .e01 files:

We should download ewf-tools to work with this type of file. 


Following the guide, I create a directory and use it as a mountpoint, in order to mount the EWF container:


As you can see, after mounting, we find the ewf1 file!


Extracting this file with the tar command, I find a file named bcache24.bmc (not familiar to me).


That's complex! However, I found a way to work with it.



What a mess! But everything is heading in the right direction; we must keep searching for the flag...

On Windows:




Bingo!

To be continued...

Happy Hacking!



