This week CyberTalents hosted a Digital Forensics CTF with a dozen challenges related to steganography, memory dumps, pcap capture files, audio files, etc. Lots of fun but also lots of banging my head against a wall 🙂
Habibamod is sending a secret signal, tune your receiver.
We are given a pcap file that you can download below if you want to try this out yourself:
I open it up in Wireshark and, not having much information on what I’m looking for, I check out the protocols involved. This is a small traffic capture file of only 22 packets, and what we are seeing is someone accessing a web server on port 8080. One of the things we can do when trying to understand what’s going on in a pcap file is to “render” the packets by choosing Follow TCP Stream, either with the keyboard shortcut or by right-clicking and choosing the Follow / TCP Stream option as seen below:
As a result, another window opens up showing us the content of the TCP stream.
What we see here is that a user has posted information to the local host on port 8080 and the web server has replied with a server error.
Note: This is a small traffic capture file so there is only 1 TCP stream (id = 0). In larger capture files there can be multiple TCP/UDP/HTTP/etc. streams, and you can step through them simply by incrementing the stream number in the bottom right-hand corner of the stream window (see above).
There really isn’t much to see here, so let’s focus on the data that was posted by the user. It’s composed of “data”, a series of periods and exclamation points, and “encoder”, which is probably base64-encoded given the two equals (=) signs padding the end of the string. The data part looks like it could be Morse code or binary, since there are only 2 different types of characters. I want to check out that base64-looking text too.
This seems to be a part of the code that was used to encode the data. We clearly see that ‘0’ was replaced by ‘.’ and ‘1’ by ‘!’, so this is probably binary data. I opt to copy the data string into a file called data.txt so I can manipulate it more easily. Next, I apply the reverse find/replace to decode the binary data:
Now that we have the binary text, we have lots of ways to convert it to ASCII, such as pasting it into CyberChef or using Python or Perl. Let’s use Perl for once:
And there’s our flag!
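As an added example (not from the original write-up), here is the same decoding done in Python: it checks the base64 padding, recovers the ‘.’/‘!’ to ‘0’/‘1’ mapping from the decoded encoder snippet, and turns the bits back into text. The two POST fields are constructed stand-ins for the challenge’s real values.

```python
import base64
import re

# Constructed stand-ins for the two POSTed fields (not the challenge's values):
# "encoder" is base64 of a one-line replace chain, "data" is the ASCII bits of
# "CTF" run through that chain (0 -> '.', 1 -> '!').
SAMPLE_ENCODER_B64 = base64.b64encode(
    b"data.replace('0', '.').replace('1', '!')").decode()
SAMPLE_DATA = ".!....!!.!.!.!...!...!!."


def base64_padding(s: str) -> int:
    """Return the number of trailing '=' pads if s is well-formed base64,
    else -1. Two pads mean the plaintext length was 1 mod 3."""
    if len(s) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
        return -1
    return len(s) - len(s.rstrip("="))


def mapping_from_encoder(encoder_b64: str) -> dict:
    """Decode the encoder snippet and invert every replace('bit', 'symbol')
    it performs, giving symbol -> bit so the data field can be reversed."""
    code = base64.b64decode(encoder_b64).decode()
    pairs = re.findall(r"replace\('(.)',\s*'(.)'\)", code)
    if not pairs:
        raise ValueError("no replace() calls found in encoder snippet")
    return {symbol: bit for bit, symbol in pairs}


def decode_data(data: str, symbol_to_bit: dict) -> str:
    """Map each symbol back to its bit and pack 8 bits at a time into ASCII."""
    data = "".join(data.split())  # tolerate copy/paste line breaks
    unknown = set(data) - set(symbol_to_bit)
    if unknown:
        raise ValueError(f"symbols not covered by the encoder: {unknown}")
    bits = "".join(symbol_to_bit[c] for c in data)
    if len(bits) % 8:
        raise ValueError(f"{len(bits)} bits is not a whole number of bytes")
    return bytes(int(bits[i:i + 8], 2)
                 for i in range(0, len(bits), 8)).decode("ascii")


if __name__ == "__main__":
    print("padding chars:", base64_padding(SAMPLE_ENCODER_B64))
    mapping = mapping_from_encoder(SAMPLE_ENCODER_B64)
    print("mapping:", mapping)
    print("decoded:", decode_data(SAMPLE_DATA, mapping))
```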
A cyber criminal is hiding information in the file below. Can you capture the flag? Hint: It's longer than you think and not in rockyou but fuzzers lists could be useful.
We are given a file that you can download below if you want to try this out yourself:
I had to zip the file to upload it here but initially it wasn’t zipped, so please unzip it before analyzing it.
Let’s do some quick recon on the file we are given. It’s only 949 bytes long so it’s a small file to begin with.
OK, so we’re obviously in the presence of a hexdump and, looking at the header, it looks like a PKZIP archive that contains the file secret.txt. Let’s convert this back to binary and extract the file! I mean, it’s called secret.txt, it MUST hide some exciting information, right?!
So how am I going to do this? Well, there’s this very useful tool when it comes to hex manipulation called xxd. If you simply run xxd binary_name, it will print out a hexdump for you. And the fun thing is that xxd also allows the reverse operation, recreating a binary from its hexdump. All that’s needed is the -r flag. Let’s try it:
Yup, looks like we’ve recreated a zip archive alright! Let’s unzip it and get our much deserved flag!
Oh dear! This zip archive is password protected! How are we going to crack this? There are a few tools out there, such as john, to achieve this. In this case I will use John the Ripper. With john, it is necessary to first create the hash using the zip2john utility and then run john on that hash file.
OK, my hash file is ready, I’m all set to run john on the hash. But I need to choose a wordlist. The hint says that I shouldn’t use rockyou but rather a fuzzing wordlist. So after some trial and error, I finally find the wordlist that comes up with the password:
And there’s our password, “hacker_crackdown” (shudder).
Interestingly enough, it took less than a second to find the password although this password was on line 36,774 out of 141,713!
Can we finally unzip the secret file and read the flag? Let’s see!
There it is. Yes, files are sneaky indeed!
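An added Python example, not part of the original write-up, that does what xxd -r did and then reads the ZIP local file header: bit 0 of the general-purpose flags marks the entry as encrypted, so a quick look at the header would have told us up front that unzip was going to ask for a password. The hexdump is a constructed header for secret.txt, not the challenge file.

```python
import struct

# Constructed xxd-style hexdump (not the challenge file): one ZIP local file
# header for "secret.txt" with flag bit 0 (encrypted) and bit 3 set.
SAMPLE_HEXDUMP = """\
00000000: 504b 0304 1400 0900 0800 0000 2100 0000  PK..........!...
00000010: 0000 0000 0000 0000 0000 0a00 0000 7365  ..............se
00000020: 6372 6574 2e74 7874                      cret.txt
"""

ZIP_LOCAL_SIG = b"PK\x03\x04"


def unhexdump(dump: str) -> bytes:
    """Reverse an xxd hexdump the way `xxd -r` does: drop the offset column,
    stop at the double space that starts the ASCII column, join the hex."""
    out = bytearray()
    for line in dump.splitlines():
        if ":" not in line:
            continue
        hex_part = line.split(":", 1)[1].strip().split("  ", 1)[0]
        out += bytes.fromhex(hex_part.replace(" ", ""))
    return bytes(out)


def zip_local_header(blob: bytes) -> dict:
    """Parse the first local file header. Bit 0 of the general-purpose flags
    is the 'entry is encrypted' bit, so it tells you a password is needed
    before you even run unzip."""
    if len(blob) < 30 or blob[:4] != ZIP_LOCAL_SIG:
        raise ValueError("not a PKZIP local file header")
    (_sig, version, flags, method, _time, _date, _crc, _csize, _usize,
     name_len, extra_len) = struct.unpack("<4sHHHHHIIIHH", blob[:30])
    name = blob[30:30 + name_len].decode("cp437")
    return {
        "name": name,
        "encrypted": bool(flags & 0x0001),
        "method": method,             # 8 = deflate, 0 = stored
        "min_version": version / 10,  # 2.0 for this sample
        "data_start": 30 + name_len + extra_len,
    }


if __name__ == "__main__":
    blob = unhexdump(SAMPLE_HEXDUMP)
    print(len(blob), "bytes recovered;", zip_local_header(blob))
```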
Just get the flag.
Ok! 🙂 I guess this challenge didn’t need to give out more hints. We are given the following file that you can download below if you want to try this out yourself:
I start my recon as always with file, and finding out that it could be a PNG, I run pngcheck as well, which warns me that there is an error in the file footer. I check out the last 256 bytes of the file using xxd, and sure enough there are binary strings after the IEND chunk, which should close all PNG files.
The image displays correctly though, so this goes to show that it is fairly easy to hide data in an image! Let’s decode these binary strings now like we did above.
Success! The flag had been hiding in data that had been added after the PNG IEND chunk.
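As an added example (not the author’s code), a Python chunk walker that does the check pngcheck did: it verifies each chunk’s CRC, stops at IEND and returns whatever trails it, then decodes a trailing binary string the way we did above. The image is a constructed 1x1 PNG with a binary string appended, standing in for the challenge file.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Assemble one chunk: 4-byte length, type, data, CRC over type+data."""
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body)))

def build_sample_png(trailer: bytes) -> bytes:
    """Constructed 1x1 RGB PNG with `trailer` appended after IEND; it stands
    in for the challenge image, which is not reproduced here."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one RGB pixel
    return (PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat)
            + png_chunk(b"IEND", b"") + trailer)

def data_after_iend(png: bytes) -> bytes:
    """Walk the chunks like pngcheck and return whatever follows IEND
    (b"" for a clean file). Raises on a bad signature, CRC or truncation."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    pos = 8
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 12 + length
        if end > len(png):
            raise ValueError(f"truncated {ctype!r} chunk")
        body = png[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", png[end - 4:end])
        if zlib.crc32(ctype + body) != crc:
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")
        pos = end
        if ctype == b"IEND":
            return png[pos:]
    raise ValueError("no IEND chunk found")

def bits_to_text(bits: str) -> str:
    """Turn a run of '0'/'1' characters (whitespace ignored) into ASCII."""
    bits = "".join(bits.split())
    return bytes(int(bits[i:i + 8], 2)
                 for i in range(0, len(bits), 8)).decode("ascii")

if __name__ == "__main__":
    png = build_sample_png(b"01101000 01101001")  # constructed trailer: "hi"
    tail = data_after_iend(png)
    print(len(tail), "trailing bytes ->", bits_to_text(tail.decode()))
```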
Little Boy Story
The little boy has a wonderful story to tell. Can you figure out what it is?
We are given the following file that you can download below if you want to try this out yourself:
On this file, I find nothing at all when I run stegsolve. But then in my checklist comes zsteg, and I’m back in business:
That’s where our flag was hiding: in the least significant bits of our image! Hiding data in the least significant bits is an interesting steganography technique because the changes to the image are almost imperceptible to the human eye. Check out this article if you want to learn more.
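An added Python example, not from the original post, of plain LSB steganography on raw pixel bytes: embed a message one bit per byte, extract it back, and confirm that no byte moved by more than 1, which is why the picture looks unchanged. This is the simplest of the bit and channel orders zsteg tries; the carrier bytes are constructed, not taken from the challenge image.

```python
# Constructed carrier: 600 raw byte values standing in for 200 RGB pixels of
# the challenge image, which is not reproduced here.
SAMPLE_PIXELS = bytes((i * 37 + 11) % 256 for i in range(600))


def embed_lsb(carrier: bytes, message: bytes) -> bytes:
    """Write the message bits, MSB first, into the least significant bit of
    successive carrier bytes. A 16-bit length prefix tells the extractor where
    to stop. Each byte changes by at most 1, hence the invisible result."""
    payload = len(message).to_bytes(2, "big") + message
    bits = "".join(f"{b:08b}" for b in payload)
    if len(bits) > len(carrier):
        raise ValueError("carrier too small: need %d bytes" % len(bits))
    out = bytearray(carrier)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | int(bit)
    return bytes(out)


def extract_lsb(stego: bytes) -> bytes:
    """Read one bit per byte (MSB first) and rebuild the payload, honouring
    the length prefix; this is the plainest of the orderings zsteg tries."""
    def read(start_byte: int, nbytes: int) -> bytes:
        if start_byte + nbytes * 8 > len(stego):
            raise ValueError("length prefix points past the end of the data")
        bits = "".join(str(stego[start_byte + i] & 1) for i in range(nbytes * 8))
        return bytes(int(bits[j:j + 8], 2) for j in range(0, len(bits), 8))
    length = int.from_bytes(read(0, 2), "big")
    return read(16, length)


def max_channel_change(original: bytes, modified: bytes) -> int:
    """Largest per-byte difference between carrier and stego; 1 for pure LSB."""
    return max(abs(a - b) for a, b in zip(original, modified))


if __name__ == "__main__":
    stego = embed_lsb(SAMPLE_PIXELS, b"flag{lsb_demo}")
    print(extract_lsb(stego), "max change:",
          max_channel_change(SAMPLE_PIXELS, stego))
```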
All in all I was only able to solve 4 of the 12 challenges so I’m eager to read write-ups about the other 8! Many thanks to the CyberTalents team for putting this event together.
If I could have solved these in a smarter or more efficient way, please let me know in the comments below. It will help me and others who will read this page. Cheers!