Tuesday, July 13, 2010

smpCTF challenge #5 write-up - Forensic

smpCTF challenge #5 was a forensics one: we were given a file named forensic1-image and told to find the flag.

As usual, we start the analysis with the file command:
$ file forensic1-image
forensic1-image: rzip compressed data - version 2.1 (15185973 bytes)

We have an rzip file. Install the tool if needed, then decompress it (rzip refuses a file without the .rz suffix unless an output name is given, hence the rename):
$ sudo apt-get install rzip

$ mv forensic1-image{,.rz}

$ rzip -d forensic1-image.rz

Next comes an LHA archive; identify and extract it the same way:
$ file forensic1-image
forensic1-image: LHarc 1.x/ARX archive data [lh0]

$ sudo apt-get install lha

$ lha x forensic1-image
FS.tar  - Melted   :  oooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

Then, in turn, a tar archive, a bzip2 stream and a gzip stream to unpack (each tool expects its usual suffix, hence the renames):
$ tar xf FS.tar

$ file FS
FS: bzip2 compressed data, block size = 900k

$ mv FS{,.bz2}

$ bzip2 -d FS.bz2

$ file FS
FS: gzip compressed data, was "FS", from Unix,
  last modified: Wed Jun 30 03:42:18 2010, max compression

$ mv FS{,.gz}

$ gzip -d FS.gz

$ file FS
FS: Linux rev 1.0 ext2 filesystem data (large files)

The chain ends with an ext2 filesystem image. Mount it read-only on a loop device (so the evidence is not modified) and list its contents:
$ mkdir x

$ sudo mount -o ro,loop FS x

$ ls -laR x

./x:
total 15396
drwxr-xr-x 3 root root     4096 Jun 30 03:50 .
drwxrwxrwx 1 root root        0 Jul 10 02:30 ..
-rw-r--r-- 1 root root 15723366 Jun 30 03:50 forensic_image
drwx------ 2 root root    16384 Jun 30 03:42 lost+found

./x/lost+found:
total 20
drwx------ 2 root root 16384 Jun 30 03:42 .
drwxr-xr-x 3 root root  4096 Jun 30 03:50 ..

Apparently only one file. Copy it out and unmount; we can always come back to the image if this file turns out to be a dead end, since deleted files or data hidden outside the filesystem's metadata would not show up in ls:
$ cp x/forensic_image .

$ sudo umount x

What's next? file is no help this time, so look at the header with hexdump:
$ file forensic_image
forensic_image: data

$ hexdump -n 16 -C forensic_image
00000000  00 e9 55 43 4c ff 01 1a  00 00 00 01 2d 07 00 04  |..UCL.......-...|

UCL? That reminds me of the Defcon 2008 quals forensics 200 challenge: UCL is a portable lossless data compression library written in ANSI C by Markus F.X.J. Oberhumer, and those first 8 bytes (00 e9 "UCL" ff 01 1a) are the magic that its uclpack example tool writes at the start of its output, which file(1) does not know, hence "data". Install the library, build uclpack from the example sources shipped with the -dev package, and decompress the file:
$ sudo apt-get install libucl1 libucl-dev

$ cp /usr/share/doc/libucl-dev/examples/Makefile \
 /usr/share/doc/libucl-dev/examples/uclpack.c.gz \
 /usr/share/doc/libucl-dev/examples/portab.h .

$ make uclpack
gzip -d uclpack.c.gz
gcc -O2   -c -o uclpack.o uclpack.c
gcc -lucl  uclpack.o   -o uclpack
rm uclpack.c

$ mv forensic_image{,.ucl}

$ ./uclpack -d forensic_image{.ucl,}

UCL data compression library (v1.03, Jul 20 2004).
Copyright (C) 1996-2004 Markus Franz Xaver Johannes Oberhumer
http://www.oberhumer.com/opensource/ucl/

uclpack: block-size is 262144 bytes
uclpack: decompressed 15723366 into 31989760 bytes

We finally obtain a tar archive of joe's home directory:
$ file forensic_image
forensic_image: POSIX tar archive (GNU)

$ tar xf forensic_image
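The unwrapping above is the same step repeated with a different tool each time: read the magic bytes, pick the decompressor, look again. The following script is added here as an example and is not part of the original write-up or of any of the tools it uses. It automates that loop: it identifies each layer by its own magic (including uclpack's 8-byte header, which file(1) does not know), unpacks gzip, bzip2, xz and tar with the Python standard library, and shells out for rzip, lha and uclpack. It assumes rzip and lha are on the PATH and that uclpack was built in the current directory as above; it also assumes rzip accepts -o and -k for output name and keep-input (the write-up renames to .rz instead). It stops at an ext2 image (to be mounted read-only as above), a JPEG, or anything it does not recognize, and refuses tar members that would escape the output directory.

```python
import bz2, gzip, lzma, os, shutil, subprocess, tarfile

# (kind, offset, magic). file(1) knows all of these except uclpack's header, which it reports as "data".
MAGICS = [
    ("gzip",  0,    b"\x1f\x8b"),
    ("bzip2", 0,    b"BZh"),
    ("xz",    0,    b"\xfd7zXZ\x00"),
    ("rzip",  0,    b"RZIP"),
    ("ucl",   0,    b"\x00\xe9UCL\xff\x01\x1a"),   # uclpack magic, as in the hexdump above
    ("jpeg",  0,    b"\xff\xd8\xff"),
    ("lha",   2,    b"-lh"),                       # "-lh0-", "-lh5-", ...: method id sits at offset 2
    ("tar",   257,  b"ustar"),
    ("ext2",  1080, b"\x53\xef"),                  # superblock magic 0xEF53 (shared by ext2/3/4)
]
STOP = {"ext2", "jpeg", "unknown"}   # ext2: mount -o ro,loop it; jpeg: look at its metadata

def detect(path):
    """Classify PATH by magic bytes; returns a kind from MAGICS or 'unknown'."""
    with open(path, "rb") as f:
        head = f.read(1082)
    for kind, off, magic in MAGICS:
        if head[off:off + len(magic)] == magic:
            return kind
    return "unknown"

STREAM_OPENERS = {"gzip": gzip.open, "bzip2": bz2.open, "xz": lzma.open}

def peel_one(kind, src, dst):
    """Unwrap one layer of SRC into DST (a file, or a directory for tar/lha archives)."""
    if kind in STREAM_OPENERS:
        with STREAM_OPENERS[kind](src, "rb") as fin, open(dst, "wb") as fout:
            shutil.copyfileobj(fin, fout)
    elif kind == "tar":
        os.makedirs(dst, exist_ok=True)
        with tarfile.open(src) as tf:
            for m in tf.getmembers():   # a hostile archive could write outside DST ("tar slip")
                if m.name.startswith("/") or ".." in m.name.split("/"):
                    raise ValueError("refusing tar member %r" % m.name)
            tf.extractall(dst, **({"filter": "data"} if hasattr(tarfile, "data_filter") else {}))
    elif kind == "rzip":    # assumption: rzip accepts -o/-k; the write-up renames to .rz instead
        subprocess.run(["rzip", "-d", "-k", "-o", dst, src], check=True)
    elif kind == "lha":     # same invocation as the write-up, run inside DST
        os.makedirs(dst, exist_ok=True)
        subprocess.run(["lha", "x", os.path.abspath(src)], cwd=dst, check=True, stdout=subprocess.DEVNULL)
    elif kind == "ucl":     # assumption: uclpack was built in the current directory as shown above
        subprocess.run(["./uclpack", "-d", src, dst], check=True, stdout=subprocess.DEVNULL)
    else:
        raise ValueError("no unpacker for %s" % kind)

def peel(path, outdir):
    """Unwrap PATH layer by layer into OUTDIR; return [(kind, path), ...] ending at the innermost artefact."""
    os.makedirs(outdir, exist_ok=True)
    layers, cur = [], path
    while True:
        kind = detect(cur)
        layers.append((kind, cur))
        if kind in STOP:
            return layers
        nxt = os.path.join(outdir, "layer%d" % len(layers))
        peel_one(kind, cur, nxt)
        if os.path.isdir(nxt):
            entries = os.listdir(nxt)
            if len(entries) != 1:              # several members: hand the directory back to the analyst
                layers.append(("dir", nxt))
                return layers
            nxt = os.path.join(nxt, entries[0])
        cur = nxt

if __name__ == "__main__":
    import sys
    for kind, p in peel(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "peeled"):
        print("%-8s %s" % (kind, p))
```

Run as `python3 peel.py forensic1-image out/` to get one line per layer; the last line is the ext2 image, the JPEG or the first thing the script could not classify, which is where manual work starts again.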

$ ls -l joe
total 777
drwxrwxrwx 1 root root       0 May 23 20:04 Desktop
drwxrwxrwx 1 root root       0 May 24 00:20 Documents
drwxrwxrwx 1 root root       0 May 23 20:05 Downloads
-rwxrwxrwx 1 root root    1149 May 24 00:13 Joe Hacker.asc
-rwxrwxrwx 1 root root    1334 May 24 00:14 JoeHackerPrivate.gpg
drwxrwxrwx 1 root root       0 May 23 20:04 Music
drwxrwxrwx 1 root root       0 Jun 30 02:50 Pictures
drwxrwxrwx 1 root root       0 May 23 20:04 Public
drwxrwxrwx 1 root root       0 May 23 20:04 Templates
drwxrwxrwx 1 root root       0 May 23 20:04 Videos
-rwxrwxrwx 1 root root     167 May 23 19:57 examples.desktop
-rwxrwxrwx 1 root root    4681 May 24 00:18 gppg-stuff.txt
-rwxrwxrwx 1 root root 1580775 Jun 30 03:13 network_sniff.pcap
drwxrwxrwx 1 root root       0 May 24 00:19 scans

Many files; how do we find the interesting one? First, let's try a simple recursive, case-insensitive grep for the word flag:
$ grep -Hirn flag joe/
[...]
Binary file joe/network_sniff.pcap matches

Suspicious... let's look more closely:
$ hexdump -C joe/network_sniff.pcap | grep -C2 -i flag
00177820  80 06 46 7f c0 a8 0f 84  4a 34 8e 7a 04 47 00 50  |..F.....J4.z.G.P|
00177830  22 12 c2 4f 7f cd 66 83  50 18 fa f0 24 f8 00 00  |"..O..f.P...$...|
00177840  47 45 54 20 2f 66 6c 61  67 67 2e 6a 70 67 20 48  |GET /flagg.jpg H|
00177850  54 54 50 2f 31 2e 31 0d  0a 48 6f 73 74 3a 20 77  |TTP/1.1..Host: w|
00177860  77 77 2e 70 65 6e 66 65  73 74 2e 63 61 0d 0a 55  |ww.penfest.ca..U|
--
00177bc0  0d 0a 0d 0a ff d8 ff e0  00 10 4a 46 49 46 00 01  |..........JFIF..|
00177bd0  01 01 00 48 00 48 00 00  ff fe 00 34 54 68 69 73  |...H.H.....4This|
00177be0  20 69 73 20 79 6f 75 72  20 46 6c 61 67 3a 20 53  | is your Flag: S|
00177bf0  65 65 69 6e 67 20 69 73  20 6e 6f 74 20 61 6c 77  |eeing is not alw|
00177c00  61 79 73 20 62 65 6c 69  65 76 69 6e 67 21 ff db  |ays believing!..|

We got lucky, but that's no fun. Let's ignore the second grep hit (the response body, which already spells out the answer) and do it properly: open network_sniff.pcap in Wireshark, filter on http, and find, near the end of the capture, the transaction in which a client requests flagg.jpg from www.penfest.ca:


Select the HTTP response, pick the HTTP payload in the packet details (Wireshark recognizes it as a JPEG file) and use right-click / Export Selected Packet Bytes to save it to disk. Wireshark has already reassembled the TCP segments for us here; File > Export > Objects > HTTP would save the same file in one step.


flagg.jpg itself tells us we're almost done:


Indeed, there is a comment embedded in the JPEG (a COM segment, the ff fe 00 34 marker visible in the hexdump above, rather than EXIF metadata), which we can read with the exiv2 tool:
$ exiv2 -p c flagg.jpg
This is your Flag: Seeing is not always believing!

Or with jhead:
$ jhead flagg.jpg
File name    : flagg.jpg
File size    : 38053 bytes
File date    : 2010:07:10 05:03:25
Resolution   : 640 x 400
Comment      : This is your Flag: Seeing is not always believing!
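Grepping the raw pcap found the flag only because that string happened to fall inside a single packet; the JPEG itself spans many TCP segments, so carving it out needs the stream put back in order, which is what Wireshark did above. The following Python script is an added example, not part of the original write-up or of any tool mentioned on the page. It parses a classic pcap (Ethernet/IPv4/TCP only; no pcapng, no retransmission, overlap or sequence-wrap handling), reorders each flow by sequence number, splits HTTP/1.x responses on Content-Length (no chunked encoding), and walks the marker segments of every JPEG response body to return its COM comments in full, which file(1) truncates. The sample capture at the bottom is constructed in memory from the page's own JFIF header bytes and flag text, with hypothetical addresses, and its two segments are stored out of order on purpose.

```python
import struct

JPEG_SOI = b"\xff\xd8\xff"

def pcap_frames(data):
    """Yield (linktype, frame) from a classic pcap blob; pcapng is not handled."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack(end + "I", data[off + 8:off + 12])[0]   # incl_len of this record
        yield linktype, data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def tcp_segments(data):
    """Yield (flow, seq, payload) for IPv4/TCP over Ethernet (DLT_EN10MB = 1); other frames are skipped."""
    for linktype, frame in pcap_frames(data):
        if linktype != 1 or len(frame) < 54 or frame[12:14] != b"\x08\x00":
            continue
        ip = frame[14:]
        ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
        if ip[9] != 6:
            continue
        tcp = ip[ihl:total]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield (ip[12:16], sport, ip[16:20], dport), seq, payload

def reassemble(data):
    """Join each flow's payloads in sequence order (no retransmission, overlap or seq-wrap handling)."""
    flows = {}
    for flow, seq, payload in tcp_segments(data):
        flows.setdefault(flow, []).append((seq, payload))
    return {f: b"".join(p for _, p in sorted(segs)) for f, segs in flows.items()}

def http_bodies(stream):
    """Split a server-to-client stream into (status line, body) pairs using Content-Length (no chunking)."""
    out, pos = [], 0
    while (start := stream.find(b"HTTP/1.", pos)) >= 0 and (hdr_end := stream.find(b"\r\n\r\n", start)) >= 0:
        lines = stream[start:hdr_end].decode("latin-1").split("\r\n")
        clen = [int(l.split(":", 1)[1]) for l in lines if l.lower().startswith("content-length:")]
        body = stream[hdr_end + 4:hdr_end + 4 + clen[0]] if clen else stream[hdr_end + 4:]
        out.append((lines[0], body))
        pos = hdr_end + 4 + len(body)
    return out

def jpeg_comments(jpeg):
    """Walk the marker segments that precede SOS and return every COM (0xFFFE) payload in full."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (no SOI marker)")
    comments, pos = [], 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        length = struct.unpack("!H", jpeg[pos + 2:pos + 4])[0]          # length includes its own 2 bytes
        if jpeg[pos + 1] == 0xFE:
            comments.append(jpeg[pos + 4:pos + 2 + length].decode("latin-1"))
        pos += 2 + length
    return comments

def carve_jpegs(pcap):
    """Return [(status line, jpeg bytes, comments)] for every reassembled HTTP response whose body is a JPEG."""
    found = []
    for stream in reassemble(pcap).values():
        for status, body in http_bodies(stream):
            if body.startswith(JPEG_SOI):
                found.append((status, body, jpeg_comments(body)))
    return found

# Constructed sample: one HTTP response carrying a minimal JPEG (the APP0 bytes from the hexdump above plus
# a COM segment holding the flag text), split into two TCP segments written to the capture out of order.
def build_sample_pcap(comment=b"This is your Flag: Seeing is not always believing!"):
    jpeg = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00\x48\x00\x48\x00\x00"
            + b"\xff\xfe" + struct.pack("!H", len(comment) + 2) + comment + b"\xff\xd9")
    resp = b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\nContent-Length: %d\r\n\r\n" % len(jpeg) + jpeg
    cut, seq0 = len(resp) // 2, 1000

    def frame(seq, payload):   # hypothetical flow 10.0.0.1:80 -> 10.0.0.2:4660, checksums left at zero
        tcp = struct.pack("!HHIIBBHHH", 80, 4660, seq, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                         b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + tcp
        eth = b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00" + ip
        return struct.pack("<IIII", 0, 0, len(eth), len(eth)) + eth

    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # little-endian pcap, DLT_EN10MB
    return header + frame(seq0 + cut, resp[cut:]) + frame(seq0, resp[:cut])

if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for status, jpeg, comments in carve_jpegs(blob):
        print(status, len(jpeg), "bytes, comments:", comments)
```

Run with no arguments to see it work on the constructed capture, or with `python3 carve.py network_sniff.pcap` on a real one; the point of the out-of-order sample is that searching the raw file for an SOI..EOI span, as the grep above effectively did, returns nothing usable, while the reassembled flow yields the intact JPEG and its full comment.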

The challenge key itself was then found in the HTML source of the challenge page:
<!--Challenge Key: 74bf0f65-->

Update: @roman_soft from int3pids pointed out that file already shows the comment (truncated):
$ file flagg.jpg
flagg.jpg: JPEG image data, JFIF standard 1.01, comment: "This is your Flag: Seeing is no"

1 comment:

  1. Thanks for your posting.
    I didn't notice the flag of UCL.
