Thursday, September 30, 2010

CSAW CTF - Forensics Write-up

The forensics challenges given at CSAW CTF weren't exactly what I was expecting, but we still managed to solve most of them. Here are my write-ups for the 4 challenges.

The challenges were made by Efstratios Gavas (@xtrat), Director of cyber security labs at NYU Poly! Awesome :)

1: What is the street address?


We are given a file that resembles a JPEG picture but has a wrong header:
$ hexdump -C 1.jpg | head -n1
00000000  ff db ff e0 00 10 4a 46  49 46 00 01 01 01 00 48  |......JFIF.....H|
We can assume the file has been damaged, so we just replace the wrong b with the expected 8, so that the first two bytes read ff d8, the JPEG start-of-image marker:
$ hexdump -C 1-header-fixed.jpg | head -n1
00000000  ff d8 ff e0 00 10 4a 46  49 46 00 01 01 01 00 48  |......JFIF.....H|
Now we can see the picture. It is damaged, but we can still read "Alexandria Center" on the building windows. It doesn't take long to find the building on Wikipedia and Google Maps, and we finally have its address:
450 East 29th Street
New York, NY 10016, United States
(646) 223-3880

The most difficult part was then to find the correct format in which to send the address to the server... it took us a long time to realize we just had to send the first line written out in full (no E/E./St/St.):
$ send "450 East 29th Street"
KEY FOUND FOR What is the street address?.  100 POINTS AWARDED!

Note: send is a small bash function I wrote to make flag submission easier for our team; it basically wraps a curl request to submit.php:
send() {
  # -G sends the -d / --data-urlencode fields in the query string,
  # -s keeps curl quiet; <team> and <password> are placeholders.
  curl -Gs -d team=<team> -d password=<password> \
    --data-urlencode "key=$1" 'http://128.238.66.100/submit.php'
  echo
}



2: Hash me.


We are given a tar archive containing several files. One of them has the JPEG header, one the footer. We can assume the others are the remaining parts, so our mission is to put the parts in order and assemble them to get the full picture. From there, we'll try different file hashes: md5, sha1, etc. It turned out to be easy for Dad`, who quickly got it:
$ tar xf 2.tar ; cd 2

$ cat 465893 330404 208409 192959 283415 232579 \
  428750 466450 358848 203839 > 2-reconstructed.jpg

$ md5sum 2-reconstructed.jpg
fdcf752c21f20ddbf02ddcc2025d5c2c 2-reconstructed.jpg

$ send fdcf752c21f20ddbf02ddcc2025d5c2c
KEY FOUND FOR Even block size reconstruction.  200 POINTS AWARDED!
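The two forensic steps above (fixing a damaged SOI marker in challenge 1, reassembling even-sized blocks in challenge 2) as an added Python example that is not part of the original write-up or of the CTF material. It builds a constructed JPEG skeleton (a correct marker layout, not a decodable picture), damages and repairs its header the way the ff db / ff d8 fix did, cuts it into even blocks under made-up numeric names, picks out the header and footer fragments, then brute-forces the order of the middle fragments and keeps only the candidates whose marker chain still parses. Every name here (SAMPLE_JPEG, split_even, candidate_orders, md5_hex, ...) is mine. The marker chain only pins fragments that carry marker segments; table payloads and the entropy-coded data after SOS are opaque to it, so the surviving candidates still have to be decoded or simply opened in a viewer.

```python
import hashlib
import itertools
import struct

SOI, EOI, SOS = b"\xff\xd8", b"\xff\xd9", 0xDA
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))  # markers with no length field


def repair_soi(data: bytes) -> bytes:
    """Restore the start-of-image marker when only its second byte is damaged
    and the JFIF APP0 segment that must follow it is intact (ff ?? ff e0 .. 'JFIF')."""
    if data[:2] == SOI:
        return data
    if data[:1] == b"\xff" and data[2:4] == b"\xff\xe0" and data[6:10] == b"JFIF":
        return SOI + data[2:]
    raise ValueError("not the single-byte SOI damage this repair understands")


def walk_segments(data: bytes) -> list:
    """Return the marker of every segment up to and including SOS by following the
    length fields; a broken chain (e.g. mis-ordered fragments) raises ValueError."""
    if data[:2] != SOI:
        raise ValueError("missing SOI")
    markers, pos = [], 2
    while True:
        if pos + 2 > len(data) or data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        markers.append(marker)
        if marker == SOS:
            return markers
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment length")
        (length,) = struct.unpack_from(">H", data, pos + 2)
        pos += 2 + length


def validate_jpeg(data: bytes) -> bool:
    """Structural check only: SOI, an unbroken marker chain containing a frame
    header, and EOI at the very end. The scan data itself is not decoded."""
    try:
        markers = walk_segments(data)
    except ValueError:
        return False
    has_sof = any(0xC0 <= m <= 0xCF and m not in (0xC4, 0xC8, 0xCC) for m in markers)
    return has_sof and data.endswith(EOI)


def classify_fragments(frags: dict) -> tuple:
    """The fragment starting with SOI is the header, the one ending with EOI the
    footer; everything else is a middle piece in unknown order."""
    head = [n for n, b in frags.items() if b.startswith(SOI)]
    tail = [n for n, b in frags.items() if b.endswith(EOI)]
    if len(head) != 1 or len(tail) != 1:
        raise ValueError("expected exactly one header and one footer fragment")
    middle = sorted(n for n in frags if n not in head + tail)
    return head[0], middle, tail[0]


def reconstruct(frags: dict, order: list) -> bytes:
    return b"".join(frags[n] for n in order)


def candidate_orders(frags: dict) -> list:
    """Brute-force the middle fragments and keep every order whose marker chain
    parses. Only fragments that carry marker segments get pinned this way."""
    head, middle, tail = classify_fragments(frags)
    return [[head, *perm, tail] for perm in itertools.permutations(middle)
            if validate_jpeg(reconstruct(frags, [head, *perm, tail]))]


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed JPEG skeleton: correct marker layout, not a decodable picture.
SAMPLE_JPEG = (
    SOI
    + _segment(0xE0, b"JFIF\x00\x01\x01\x01\x00\x48\x00\x48\x00\x00")  # APP0, 16 bytes as in the challenge file
    + _segment(0xDB, b"\x00" + bytes(range(1, 65)))                 # DQT
    + _segment(0xC0, b"\x08\x00\x10\x00\x10\x01\x01\x11\x00")        # SOF0, 16x16 greyscale
    + _segment(0xC4, b"\x00" + bytes(16))                            # DHT, empty table
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")                    # SOS header
    + bytes(range(0, 0xF0, 7)) * 3                                   # fake scan data without 0xFF bytes
    + EOI
)


def split_even(data: bytes, block: int) -> tuple:
    """Stand-in for the challenge archive: even-sized pieces under made-up numeric
    names. Also returns the true order so the result can be checked."""
    pieces = [data[i:i + block] for i in range(0, len(data), block)]
    names = [f"{(i * 7919) % 10007:05d}" for i in range(len(pieces))]
    return dict(zip(names, pieces)), names


FRAGMENTS, TRUE_ORDER = split_even(SAMPLE_JPEG, 24)

if __name__ == "__main__":
    damaged = b"\xff\xdb" + SAMPLE_JPEG[2:]   # the ff db seen in challenge 1
    print("header repaired:", repair_soi(damaged) == SAMPLE_JPEG)
    survivors = candidate_orders(FRAGMENTS)
    print(len(survivors), "orders parse; true order kept:", TRUE_ORDER in survivors)
    print("md5:", md5_hex(reconstruct(FRAGMENTS, TRUE_ORDER)))
```

With ten blocks as in the challenge, the 8! orderings of the middle pieces are cheap to test, and the marker chain throws most of them out; the pieces that hold only table data or scan data remain interchangeable as far as this check is concerned, which is why the last step is still an image viewer (or a real decoder) on each survivor.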



3: What Am I Drinking?


We are given the following picture. It looks like he or she is drinking a Cafes Richard tea. But which one? We spent hours submitting every tea offered by Cafes Richard, in different formats, but without luck.

Steganography tools (stegdetect, stegbreak) didn't give any good result, but seeing that no team was getting the challenge, the CTF staff gave us a hint:
BREAKING NEWS:  EFSTRATIOS WAS HACKED AND THE CONTENTS OF HIS COMPUTER WERE
UPLOADED TO THE INTERNET.  STRAT ASSUMED THIS WOULD HAPPEN AND ENCRYPTED
ANYTHING RELEVANT TO CSAW.  HOWEVER, GOING THROUGH THE CONTENT, YOU MANAGE
TO FIND REMNANTS OF THE POPULAR STEGANOGRAPHY PROGRAM STEGHIDE.
Using steghide with the passphrase "cafes richard", we can extract the hidden data:
$ steghide extract -sf 3.jpg -p "cafes richard"
wrote extracted data to "embedded.txt".

$ cat embedded.txt
ec2aaddcd885b726ce022f6dda4cc10f  what-am-i-drinking.jpg

$ send ec2aaddcd885b726ce022f6dda4cc10f
KEY FOUND FOR What Am I Drinking? 300 POINTS AWARDED!


4: Rick Ashtley is inside me.


We are given a file named 4.tc, which is - according to its extension - a TrueCrypt container.

Using the title as a hint, we run a small brute-force against the container with a wordlist built from "Rick As(h)tley" - was the "h" intentional? - in mixed lower/upper case. No luck. Same with his famous song "Never gonna give you up" and a few related words we added to the wordlist.

Again, seeing that no team was getting the challenge, the CTF staff gave us hints:
IN ADDITION TO STEGHIDE, YOU ALSO FIND THE PHRASE "Use what you already know."
ALL OVER HIS COMPUTER.  YOU ASSUME THIS IS IN REGARD TO FORENSICS 4.
!IMPORTANT:  IF YOU ARE TRYING TO SOLVE PART 1 TO FORENSICS 4,
YOU SHOULD APPEND A SPACE TO THE END OF ALL KEYS YOU TRY.

After some tries, it turns out that the TrueCrypt volume can be opened with the previous key plus a trailing space (don't ask me how we were supposed to find that):
$ mkdir 4

$ sudo truecrypt -t -p "ec2aaddcd885b726ce022f6dda4cc10f " \
  -k "" --protect-hidden=no 4.tc 4/

$ ls -lh 4/
total 3.4M
-rwx------ 1 root root 3.4M Sep 19 19:10 rick.avi*
We get the famous music video by Rick Astley, with the first key appearing on screen in the middle of the video:
$ send "C955E7A54"
KEY FOUND FOR Open Truecrypt1 200 POINTS AWARDED!

Then I tried some forensics on the TrueCrypt volume, for instance by decrypting it and copying the decrypted block device out for further analysis instead of working on the mounted filesystem:
$ sudo truecrypt -t -p "ec2aaddcd885b726ce022f6dda4cc10f " \
  -k "" --protect-hidden=no 4.tc 4/

$ truecrypt -t -l
1: /tmp/4.tc /dev/mapper/truecrypt1 -

$ dd if=/dev/mapper/truecrypt1 of=4.tc.decrypted
9728+0 records in
9728+0 records out
4980736 bytes (5.0 MB) copied, 0.187657 s, 26.5 MB/s

$ file 4.tc.decrypted
4.tc.decrypted: x86 boot sector
A quick look with The Sleuth Kit or the file carving tool foremost doesn't reveal anything interesting. As expected with TrueCrypt, the free space is random data, so carving does not help.
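Looking at the decrypted image without mounting it, as an added example that is not part of the original post: a small FAT16 boot sector and root directory parser in Python. It assumes the volume was formatted as FAT (TrueCrypt's default for new volumes; the "x86 boot sector" reported by file is consistent with that but does not prove it) and runs over a constructed image produced by build_sample_image rather than over 4.tc.decrypted. All function names are mine. The point it makes is the one The Sleuth Kit makes on a real image: the root directory keeps deleted entries (first byte 0xE5) that the mounted filesystem hides, and a file's first cluster can be carved straight from the image.

```python
import struct

# Geometry of the constructed image (stand-in for a decrypted TrueCrypt volume).
BPS, SPC, RESERVED, NFATS, ROOT_ENTRIES, TOTAL_SECTORS, SPF = 512, 1, 1, 2, 16, 64, 1


def _dir_entry(name8: bytes, ext3: bytes, attr: int, first_cluster: int, size: int) -> bytes:
    entry = bytearray(32)
    entry[0:8], entry[8:11], entry[11] = name8.ljust(8), ext3.ljust(3), attr
    struct.pack_into("<H", entry, 26, first_cluster)   # first cluster (low word)
    struct.pack_into("<I", entry, 28, size)            # file size in bytes
    return bytes(entry)


def build_sample_image() -> bytes:
    """Constructed FAT16 image: BPB, one live file, one deleted file. The FATs are
    left empty, which is enough for the root-directory walk below."""
    img = bytearray(BPS * TOTAL_SECTORS)
    img[0:3] = b"\xeb\x3c\x90"                          # jump, as in a real boot sector
    img[3:11] = b"MSWIN4.1"
    struct.pack_into("<HBHBHHBHHHII", img, 11, BPS, SPC, RESERVED, NFATS, ROOT_ENTRIES,
                     TOTAL_SECTORS, 0xF8, SPF, 32, 2, 0, 0)
    img[54:62] = b"FAT16   "
    img[510:512] = b"\x55\xaa"
    root = (RESERVED + NFATS * SPF) * BPS
    data = root + ROOT_ENTRIES * 32
    img[root:root + 32] = _dir_entry(b"RICK", b"AVI", 0x20, 2, 40)
    img[root + 32:root + 64] = _dir_entry(b"\xe5ECRET", b"TXT", 0x20, 3, 33)  # deleted entry
    img[data:data + 40] = b"RIFF" + b"\x00" * 4 + b"AVI LIST" + b"\x00" * 24  # cluster 2
    img[data + BPS:data + BPS + 33] = b"0123456789abcdef0123456789abcdef\n"  # cluster 3
    return bytes(img)


def parse_bpb(img: bytes) -> dict:
    """Read the BIOS parameter block; refuses images without the 0x55AA signature."""
    if img[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot sector signature")
    bps, spc, reserved, nfats, root_entries, total16, _media, spf = struct.unpack_from("<HBHBHHBH", img, 11)
    total = total16 or struct.unpack_from("<I", img, 32)[0]
    root_offset = (reserved + nfats * spf) * bps
    return {"bytes_per_sector": bps, "sectors_per_cluster": spc, "root_entries": root_entries,
            "root_offset": root_offset, "data_offset": root_offset + root_entries * 32,
            "total_sectors": total, "fs_type": img[54:62].decode("ascii", "replace").strip()}


def list_root_dir(img: bytes) -> list:
    """Walk the root directory, keeping deleted entries that a mount would hide."""
    bpb = parse_bpb(img)
    entries = []
    for i in range(bpb["root_entries"]):
        raw = img[bpb["root_offset"] + i * 32:bpb["root_offset"] + (i + 1) * 32]
        if raw[0] == 0x00:
            break                                       # end of directory
        if raw[11] == 0x0F:
            continue                                    # long-file-name entry
        deleted = raw[0] == 0xE5
        name = (b"?" + raw[1:8] if deleted else raw[0:8]).decode("ascii", "replace").rstrip()
        ext = raw[8:11].decode("ascii", "replace").rstrip()
        entries.append({"name": f"{name}.{ext}" if ext else name, "deleted": deleted, "attr": raw[11],
                        "first_cluster": struct.unpack_from("<H", raw, 26)[0],
                        "size": struct.unpack_from("<I", raw, 28)[0]})
    return entries


def carve_first_cluster(img: bytes, entry: dict) -> bytes:
    """Return the file's bytes from its first cluster only (no FAT chain walk):
    enough to recover small files and to fingerprint the header of larger ones."""
    bpb = parse_bpb(img)
    cluster_bytes = bpb["bytes_per_sector"] * bpb["sectors_per_cluster"]
    start = bpb["data_offset"] + (entry["first_cluster"] - 2) * cluster_bytes
    return img[start:start + min(entry["size"], cluster_bytes)]


if __name__ == "__main__":
    image = build_sample_image()
    print(parse_bpb(image)["fs_type"])
    for e in list_root_dir(image):
        print(f"{'deleted' if e['deleted'] else 'live   '} {e['name']:<12} {e['size']:>6} bytes "
              f"-> {carve_first_cluster(image, e)[:8]!r}")
```

On a real decrypted image you would pass the bytes of 4.tc.decrypted to parse_bpb and list_root_dir; a volume that does not carry a FAT BPB (or whose free space is still TrueCrypt's random filler, as noted above) simply yields no usable entries rather than anything interesting.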

We didn't solve this one, but later learned that the file inside the container had to be used as a keyfile to open the hidden volume. Indeed:
$ sudo truecrypt -t -p "" -k rick.avi --protect-hidden=no 4.tc 4/

$ ls -lh 4/
total 512
-rwx------ 1 root root 33 Sep 19 19:43 you-have-suffered-enough.txt*

$ cat 4/you-have-suffered-enough.txt
0c7817b9142c9e4141e50bad95a1d33c
That's the key. Why not, but I'm not sure people often keep the keyfile of their precious hidden volume inside the outer volume :)

That's all for the forensics!
