IceCTF 2018: Forensics write-ups
Post
Cancel

# IceCTF 2018: Forensics write-ups

## Forensics 1. Modern Picasso

Challenge description: Here’s a rendition of some modern digital abstract art. Is it more than art though?

We get the following GIF to work with:

Picasso.gif

And we immediately notice that there are black signs that seem to contain the flag. So our mission is

1. To decompose the GIF into different frames
2. To overlay the frames in order to get an image

The first part was easy, as just googling ‘gif to png converter’ showed a lot of websites that did it. I got 66 different images which now had to be merged. In order to do so, I decided to use Photoshop CC.

First of all, we add all images as different layers and then rasterize them in order to be able to merge them into one single image.

Steps followed

And then we get the final image, from which we can deduce the flag:

Result from merging

 IceCTF{wow_fast}

## Forensics 2. Hardshells

Challenge description: After a recent hack, a laptop was seized and subsequently analyzed. The victim of the hack? An innocent mexican restaurant. During the investigation they found this suspicous file. Can you find any evidence that the owner of this laptop is the culprit?

1 2 diego@MacBook-Air:~/downloads/IceCTF$file hardshells.zip hardshells.zip: Zip archive data, at least v1.0 to extract  So it’s a zip! As it is password protected we can use fcrackzip to crack it open. After a few minutes we get that the password is tacos. Once extracted, we navigate to the new directory and find a new file, called d. 1 2 diego@MacBook-Air:~/downloads/IceCTF$ file hardshells/d hardshells/d: Minix filesystem, V1, 30 char names, 20 zones 

Minix is a linux file system, so I mount it into my linux VM to see what it contains with the following command:

1 mount /home/parallels/Downloads/d /mnt 

Then, after navigating to the /mnt directory I find yet another file, called dat. However, the file command gave me no clue, as the output was just data. That’s when I decided to look at the file with a hexadecimal editor, Hex Fiend.

We can see the first few bytes are 89 50 55 47 0D 0A 1A 0A, which reminded me of a PNG header (the header of PNGs is 89 50 4E 47 0D 0A 1A 0A). So we just need to change the third byte, 55, to be 4E. Again, we check the new modified file with the file command:

1 dat: PNG image data, 1920 x 1080, 8-bit/color RGBA, non-interlaced 

Looks like we found something!! Let’s rename the file to dat.png.

Dat.png

On the bottom left side we can see the flag:

 IceCTF{look_away_i_am_hacking}

## Forensics 3. Lost in the Forest

Challenge description: You’ve rooted a notable hacker’s system and you’re sure that he has hidden something juicy on there. Can you find his secret?

So this time we have a file system. Upon inspecting it I come across an image named clue in the home directory, but I don’t find anything interest on it. Then, I notice another odd file called hzpxbsklqvboyou. Its contents are encrypted:

1 8NHY25mYthGfs5ndwx2Zk1lcaFGc4pWdVZFQoJmT8NHY25mYthGfs5ndwx2Zk1lcaFGc4pWdVZFQoJmT8NHY25mYthGfs5ndwx2Zk1lcaFGc4pWdVZFQoJmT8NHY25mYthGfs5ndwx2Zk1lcaFGc4pWdVZFQoJmT8NHY25mYthGfs5ndwx2Zk1lcaFGc4pWdVZFQoJmT 

So looks like I’ll have to keep searching… There is a .bash_history!

Files found

I’m going to inspect the contents of the .bash_history. There were many lines, but only two insteresting ones:

1 2 3 wget https://gist.githubusercontent.com/Glitch-is/bc49ee73e5413f3081e5bcf5c1537e78/raw/c1f735f7eb36a20cb46b9841916d73017b5e46a3/eRkjLlksZp cd Downloads ./tool.py ../secret > ../hzpxbsklqvboyou 

Looks like the supposed hacker downloaded a script and then used it to encode some sort of secret and renamed it to the file I found earlier. Let’s reverse it!

First of all, I get the file to check the contents:

1 2 3 4 5 6 7 8 9 10 11 #!/usr/bin/python3 import sys import base64 def encode(filename): with open(filename, "r") as f: s = f.readline().strip() return base64.b64encode((''.join([chr(ord(s[x])+([5,-1,3,-3,2,15,-6,3,9,1,-3,-5,3,-15] * 3)[x]) for x in range(len(s))])).encode('utf-8')).decode('utf-8')[::-1]*5 if __name__ == "__main__": print(encode(sys.argv[1]) 

I’ll have to write a function to decode the hzpxbsklqvboyou file and then hopefully get the flag. Simple.

1 2 3 4 5 6 7 8 def decode(filename): with open(filename, "r") as f: file = base64.b64decode(f.read()[:40][::-1].encode('utf-8')).decode('utf-8') li = [] for x in range(len(file)): u = chr(ord(file[x]) - ([5,-1,3,-3,2,15,-6,3,9,1,-3,-5,3,-15] * 3)[x]) li.append(u) return ''.join(li) 

Then, running the script to decode the file we get our flag!

1 2 diego@MacBook-Air:~/downloads/IceCTF/fs/home/hkr\$ python Pictures/tool.py hzpxbsklqvboyou IceCTF{good_ol_history_lesson}