CSAW CTF - 50 - Kill - Forensics

Information#

Version#

By Version Comment
noraj 1.0 Creation

CTF#

  • Name : CSAW CTF Qualification Round 2016
  • Website : https://ctf.csaw.io/
  • Type : Online
  • Format : Jeopardy
  • CTF Time : link

Description#

Is kill can fix? Sign the autopsy file?

kill.pcapng

Solution#

  • If you look at the presumed PcapNg file you can see it is certainly broken because you can't open it with Whireshark and the file command shows it as raw data.
┌─[root@parrot]─[~/CTF/CSAW/2016/Qualification/50-kill-forensics]
└──╼ #file kill.pcapng
kill.pcapng: data
  • It's certainly more than just a wrong header signature so we'll use the pcapcfix tool to fix this.
  • As there is no more header we have to use --pcapng option because default behaviour of the tool is to repair as a simple pcap file.
┌─[root@parrot]─[~/CTF/CSAW/2016/Qualification/50-kill-forensics]
└──╼ #/root/CTF/tools/pcapfix-1.1.0/pcapfix --pcapng kill.pcapng
pcapfix 1.1.0 (c) 2012-2014 Robert Krause

[*] Reading from file: kill.pcapng
[*] Writing to file: fixed_kill.pcapng
[*] File size: 2288848 bytes.
[*] Unknown file type. Assuming PCAPNG format.
[-] Unknown block type!: 0xaaddddaa ==> SKIPPING.
[-] Block size mismatch (0x1a2b3c4d != 0x0000008c) ==> CORRECTED.
[-] Found 128 bytes of unknown data ==> SKIPPING.
[-] No Section Block header found ==> CREATING.
[*] Progress:  20.02 %
[*] Progress:  40.01 %
[*] Progress:  60.04 %
[*] Progress:  80.05 %
[+] SUCCESS: 4 Corruption(s) fixed!
  • Now look at the file, it seems better!
┌─[root@parrot]─[~/CTF/CSAW/2016/Qualification/50-kill-forensics]
└──╼ #file fixed_kill.pcapng
fixed_kill.pcapng: pcap-ng capture file - version 1.0
  • Now open the Pcap-Ng file with wireshark.
  • This is mainly a SFTP exchange so it may be interesting to look at downloaded filess with this filter: Filter ftp.request.command == STOR.
  • Filter show us 7 downloaded files at frame 53, 130, 693, 760, 813, 2325 and 2480. 5 jpg files (image) and 2 mp4 files (video).
  • So let's extract images first. For that we need the jpg header file signature. It can be found here on Wikipedia.
JPEG RAW `FF D8 FF DB`
JFIF begin with `FF D8 FF E0`
EXIF `FF D8 FF E1`
  • The one interesting for us is JFIF.
  • Press CTRL + F, select Hex value as Display filter.
  • Note that it's not necessary as the begining of the stream is not far after the STOR request command.
  • We won't need to extract mp4 file, flag is in one of the images.
  • Now there is two way to do it: the smart way and the dumb way.
  • Dumb way: see the flag in the ASCII representation of the frame 696 (girls.jpg). Ok it works, but if the flag have be not so badly hidden you won't have seen it, for example if it was display on the image.
  • Smart way: Let's extract images.
  • Now that we know where are the files stream, we can extract files as mention:
    • Right click on the first frame of the stream.
    • Click on Follow TCP Stream.
    • Select Raw representation.
    • Save it on your disk.
  • Do the same with next images.
  • We can note that all images are seeable execpt girls.jpg. So what? A broken file again? Not really, if you want to see the file header in order to fix it, you discover that the flag was just injected in the file header.
  • Let's see the raw hex dump of the image:
┌─[root@parrot]─[~/CTF/CSAW/2016/Qualification/50-kill-forensics]
└──╼ #xxd -l83 extract_girls.jpg
00000000: ffd8 ffe0 bae0 4a46 4946 0001 0101 0001  ......JFIF......
00000010: 0001 0000 fffe 003d 666c 6167 7b72 6f73  .......=flag{ros
00000020: 6573 5f72 5f62 6c75 655f 7669 6f6c 6574  es_r_blue_violet
00000030: 735f 725f 7233 645f 6d61 7962 335f 6861  s_r_r3d_mayb3_ha
00000040: 7261 6d62 6165 5f69 735f 6e6f 745f 6b69  rambae_is_not_ki
00000050: 6c6c 7d                                  ll}

Thanks to Shankar Raman.

Share