Forensic - UnforgottenBits
picoCTF 2023
Catégorie : Forensic
📜Scenario
🔎Solve
First we download a compressed file named disk.flag.img.gz
We decompress it with $ gzip -d disk.flag.img.gz
We got a beautiful disk image with 3 partition now
$ file disk.flag.img
disk.flag.img: DOS/MBR boot sector; partition 1 : ...; partition 2 : ...; partition 3 : ...
To solve this chall we gonna use Autopsy, but we can also mount the disk image to retrieve some of the useful information, see how at the end of the write up.
First, create a case and provide disk image file to analyses it
Once you have arrived at the project, you will see the tree structure of the disk which is composed as follows :
Once the tree structure has been built, you can see the contents of the elements you have at hand.
- In the gallery folder we got images -> Maybe we can use steganography on it to see if there's anything hidden in it
- The irclogs folder contain chat logs from the leagues of legends game -> Maybe some interesting information
- Maildir contain mail that the user receive -> Maybe some interesting information
- Maildir contain notes that the user may taken -> Weird word but maybe useful later
Let's go back to our image, firstly we can extract them but we don't have any password.
We find our happiness in the #avidreader13.log file
In this is a conversation between two characters, and as you can see we found vital informations. We found a passphrase to use for steghide akalibardzyratrundle and also an encryption key
salt=0f3fa17eeacd53a9 key=58593a7522257f2a95cce9a68886ff78546784ad7db4473dbd91aecd9eefd508 iv=7a12fd4dc1898efcd997a1b9496e7591
Now with the steghide password we try to find more informations on .bmp
steghide --extract -sf 1.bmp
Enter passphrase:
wrote extracted data to "les-mis.txt.enc".
$ steghide --extract -sf 2.bmp
Enter passphrase:
wrote extracted data to "dracula.txt.enc".
$ steghide --extract -sf 3.bmp
Enter passphrase:
wrote extracted data to "frankenstein.txt.enc".
But the password dosen't work for the last image
$ steghide --extract -sf 4.bmp
Enter passphrase:
steghide : could not extract any data with that passphrase !
No problem, let's just get on with deciphering the three data files we get
$ openssl enc -aes-256-cbc -d -in les-mis.txt.enc -out lesmis_decrypted -salt -iv 7a12fd4dc1898efcd997a1b9496e7591 -K 58593a7522257f2a95cce9a68886ff78546784ad7db4473dbd91aecd9eefd508
$ openssl enc -aes-256-cbc -d -in dracula.txt.enc -out dracula_decrypted -salt -iv 7a12fd4dc1898efcd997a1b9496e7591 -K 58593a7522257f2a95cce9a68886ff78546784ad7db4473dbd91aecd9eefd508
$ openssl enc -aes-256-cbc -d -in frankenstein.txt.enc -out frankenstein_decrypted -salt -iv 7a12fd4dc1898efcd997a1b9496e7591 -K 58593a7522257f2a95cce9a68886ff78546784ad7db4473dbd91aecd9eefd508
Unfortunately for us this three text are rabbit hole for sure, even though I enjoyed reading these extracts from classical literature...
Our next goal so, is to look for the passphrase we can use to extract information from 4.bmp.
To do this we will look in a file that we have not yet touched, the notes folder who contain 3 text files
$ cat 1.txt
chizazerite
$ cat 2.txt
guldulheen
$ cat 3.txt
I keep forgetting this, but it starts like: yasuoaatrox...
Moreover, if we look at the recent e-mails in the Maildir/new/ folder we find this one which seems interesting
subject: Deleting emails
to: Sten Walker <yone786@gmail.com>
from: Bob Bobberson <azerite17@gmail.com>
Yone,
This is just a reminder to delete all of our emails and scrub your trash can as well. We don't want our precious light falling into the wrong hands. You know the punishment for such 'crimes'.
To the Light and All it reveals,
- The Azerite Master
This mean that somewhere in the memory we have to find a compromising e-mail deleted... :D
So let's dig on the Deleted Files section, as everyone know, in a well composed email we can find the keyword subject. So we make a research of of files in the Deleted Files section with the keyword subject.
We find a mail named Unalloc_7058_391307264_1045430272
Okay so our mysterious Bob Bobberson also called The Azerite Master have given some advices to our target Sten Walker alias yone786
Especially a beautiful explanatory scheme who explain to the user that 4 random words in a row is a good password
From the above screenshot we can tell that four common random words put together will be a difficult password to guess. If you could recall we found an incomplete passphrase earlier...
$ cat 3.txt
I keep forgetting this, but it starts like: yasuoaatrox...
So I build a wordlist with this python script.
He is not perfect it works and I apply a filter with the startwith method to take less time
So we know that the password start by yasuoaatrox
import itertools
with open('lol_champ_list.txt', 'r') as file:
champions = file.read().splitlines()
for champ in champions:
champions[champions.index(champ)] = champ.replace(" ", "").lower()
print(champions)
associations = itertools.combinations(champions, 4)
with open('lol_champ_wordlist.txt', 'w') as file:
for association in associations:
words = ''.join(association)
if words.startswith("yasuoaatrox"):
file.write(words + '\n')
Now we just have to bruteforce the steghide password
For this I use stegcracker
$ stegcracker 158-7.bmp lol_champ_wordlist.txt
StegCracker 2.1.0 - (https://github.com/Paradoxis/StegCracker)
Copyright (c) 2023 - Luke Paris (Paradoxis)
StegCracker has been retired following the release of StegSeek, which
will blast through the rockyou.txt wordlist within 1.9 second as opposed
to StegCracker which takes ~5 hours.
StegSeek can be found at: https://github.com/RickdeJager/stegseek
Counting lines in wordlist..
Attacking file '158-7.bmp' with wordlist 'lol_champ_wordlist.txt'..
Successfully cracked file with password: yasuoaatroxashecassiopeia
Tried 2022 passwords
Your file has been written to: ledger.1.txt.enc
yasuoaatroxashecassiopeia
We got it !
But it is still encrypted 😭
And obviously the previous parameters do not work...
At this time I have no ideas where to look for these famous parameters to decode the ledger of our dear yone.
So I try to back to basic aaand open the disk image with VSCode...
We never know...
After somethings like 2 hours and more than 500 000 lines read I find somethings strange !
Look at this
01010010100.01001001000100.01001010000100.00101010010101.01000100100100.00100100000100.01000100000101.01000100001010.00000100000001.00001001010000.00000100010010.01000100010010.01001001001000.10001001000101.01001001010000.00001001000100.01001001010001.00000100000010.01000100010000.00001001001000.10000100010100.01000000010100.01001010000010.00101001010000.00001010101000.10000100100100.00101001000100.01000100010100.01001001010001.00000100010010.01000100010000.00001001000101.01000100010010.01000100010001.00000100001000.10001001000101.01001001001010.00000100010100.01000100000100.01000100010001.00000100000001.00000100001010.00000100010001.00001001000100.01000100000001.00000100001010.00000100001000.10000100000001.00000100010010.01001001001010.00000100000100.01000100010001.00000100001000.10001001010000.00001001010000.00000100000101.01001001000100.01000100010010.01000100010010.01001001000100.01000100010010.01000100000101.01001001000100.01001001001010.00000100010100.01000100010001.00000100000100.01000100000100.01000100000010.01000100010001.00001001000101.01000100010010.01000100000010.01001001010001.00001001001010.00001001001000.10000100000100.01001001000101.01001001000101.01000100010010.01001001010000.00000100010010.01001001001000.10001001000100.01000100010010.01000100010001.00000100000101.01000100010000.00001001001010.00001001000100.01000000010100.01001001010101.01001010100010.00100100100100.00100100010100.01000100000001.00000100010010.01000100001000.10000100001010.00000100010010.01001001010000.00000100001000.10000100010010.01001001010001.00001001001000.10000100010010.01001001001010.00001001000101.01000100000010.01001001001000.10000100001010.00001001000100.01000100001000.10000100010000.00001001010001.00000100000010.01000100010010.01001001010001.00000100000001.00001001010001.00001001010000.00001001000101.01000100000010.01000100000010.01000100010100.01001001010001.00000000010100.010
Its strange isn't it ?
But what the hell am I supposed to do with this? It doesn't help me !
At this moment of the chall we are supposed to remenber that at the beginning of the investigation we find a folder.
Do you remember ?
Yeah the .lynx folder that contain browsing-history file !
Inside we found a couple of visited website including the one we are interested in, https://www.wikiwand.com/en/Golden_ratio_base.
Among all these false leads...
www.google.com
https://www.google.com/search?q=number+encodings&source=hp&ei=WeC9Y77KJ_iwqtsP0sGu6A0&iflsig=AK50M_UAAAAAY73uaRxDkbHRUH8jn4OVhOgM8riUqvVI&ved=0ahUKEwj-2r_EgL78AhV4mGoFHdKgC90Q4dUDCAk&uact=5&oq=number+encodings&gs_lcp=Cgdnd3Mtd2l6EAMyBggAEBYQHjIFCAAQhgMyBQgAEIYDMgUIABCGAzIFCAAQhgM6DgguEIAEELEDEIMBENQCOgsIABCABBCxAxCDAToRCC4QgAQQsQMQgwEQxwEQ0QM6CAgAELEDEIMBOgsILhCABBCxAxCDAToFCAAQgAQ6CAgAEIAEELEDOggILhCABBDUAjoHCAAQgAQQCjoHCC4QgAQQClAAWI0VYPAXaABwAHgDgAHDA4gB-iKSAQkwLjMuNS40LjOYAQCgAQE&sclient=gws-wiz
https://en.wikipedia.org/wiki/Church_encoding
https://cs.lmu.edu/~ray/notes/numenc/
https://www.wikiwand.com/en/Golden_ratio_base
Indeed we can deduce that it is the right encoding thanks to the form of the data extracted above 01....10.11....10.00....11
Now how to exctract it ?
Read the docs as our dear yone ! x)
PHI = (1 + 5 ** 0.5) / 2 # Get the golden number
with open('golden_bin.txt', 'r') as file:
encoded_string = file.read()
splitted_string = encoded_string.split('.')
standard_form = []
for i in range(len(splitted_string)-1):
if i ==0:
standard_form.append(splitted_string[i]+'.'+splitted_string[i+1][:3])
else:
standard_form.append(splitted_string[i][3:]+'.'+splitted_string[i+1][:3])
secret_key = ''
for p in standard_form:
integer_part, fractional_part = p.split(".")
# Convert the integer part to decimal
decimal_value = 0
for i in range(len(integer_part)):
decimal_value += int(integer_part[i]) * (PHI ** (len(integer_part) - i - 1))
# Convert the fractional part to decimal
if len(fractional_part) > 0:
fractional_value = 0
for i in range(len(fractional_part)):
fractional_value += int(fractional_part[i]) * (2 ** -(i + 1))
decimal_value += fractional_value
secret_key += chr(round(decimal_value))
print(secret_key)
$ python3 decode_golden.py
salt=2350e88cbeaf16c9
key=a9f86b874bd927057a05408d274ee3a88a83ad972217b81fdc2bb8e8ca8736da
iv=908458e48fc8db1c5a46f18f0feb119f
Now we have everything we need to decode the ledger.1.txt.enc file !
$ openssl enc -aes-256-cbc -d -in ledger.1.txt.enc -out ledger_decrypted -salt -iv 908458e48fc8db1c5a46f18f0feb119f -K a9f86b874bd927057a05408d274ee3a88a83ad972217b81fdc2bb8e8ca8736da
$ cat ledger_decrypted
avidreader13 PAID
Les Mis, Dracula, Frankenstein, Swiss Family
Robinson, Don Quixote, A Tale of Two Cities
513u7h PAID
Don Quixote
masterOfSp1n PAID
Swiss Family Robinson, A Tale of Two Cities
AwolCoyote PAID
Les Mis, Dracula
picoCTF UNPAID
picoCTF{f473_53413d_b9299d1c}
Lets gooo !!
We got it !
Flag : picoCTF{f473_53413d_b9299d1c}
How to mount our disk image
Use the fdisk command as bellow
$ fdisk -l disk.flag.img
Disk disk.flag.img: 1 GiB, 1073741824 bytes, 2097152 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x6d2da2f5
Device Boot Start End Sectors Size Id Type
disk.flag.img1 * 2048 206847 204800 100M 83 Linux
disk.flag.img2 206848 731135 524288 256M 82 Linux swap / Solaris
disk.flag.img3 **731136** 2097151 1366016 667M 83 Linux
Multiply that number by 512 we get the offset value of the partition we are interested in : 374341632.
So, now we'll be using this command
$ sudo mount -t ext4 -o loop,offset=374341632 disk.flag.img /mnt/
Then check the /mtn/ and the /home/ directory to see if we correctly mounted the partition
