
Break In CTF Miscellaneous qn 7


Download the challenge file from here

Looking at the question, my first thought was to clear out the junk bytes and then extract the files. It took me a very long time to solve this challenge, even though I knew my approach was partially correct. The story goes like this: the first time I tried to pull out the archived files, bzip2 stopped with an error saying that some sections were damaged, along with suggestions on how to recover from it.

h1dd3ntru7h@bi0s:~/Desktop/ctf/felicity/QN7$ bzip2 -d memory.bz2

bzip2: Data integrity error when decompressing.
    Input file = memory.bz2, output file = memory

It is possible that the compressed file(s) have become corrupted.
You can use the -tvv option to test integrity of such files.

You can use the `bzip2recover' program to attempt to recover
data from undamaged sections of corrupted files.

bzip2: Deleting output file memory, if it exists.

When I ran bzip2recover, it split the file at the block boundaries it found: three blocks, of which only the two complete ones were written out as fragments.

h1dd3ntru7h@bi0s:~/Desktop/ctf/felicity/QN7$ bzip2recover memory.bz2
bzip2recover 1.0.6: extracts blocks from damaged .bz2 files.
bzip2recover: searching for block boundaries ...
   block 1 runs from 80 to 49183
   block 2 runs from 49232 to 4445784
   block 3 runs from 4445833 to 4447040 (incomplete)
bzip2recover: splitting into blocks
   writing block 1 to `rec00001memory.bz2' ...
   writing block 2 to `rec00002memory.bz2' ...
bzip2recover: finished
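It is worth seeing what bzip2recover is doing in that output. bzip2 blocks are not byte aligned: every block begins with a 48-bit marker (0x314159265359) and the stream ends with another one (0x177245385090), so the tool scans the file one bit at a time for those markers, reports the bit offsets it finds, and then writes each complete block out as its own single-block .bz2 stream (stream header, block marker, the block's bits, end marker and the block's own CRC). The offsets above read exactly that way: block 1 starts at bit 80 because the 4-byte stream header (32 bits) and the 48-bit block marker come before it, and block 2 starts 48 bits after the end of block 1. The Python below is an added example written for this page, not code from the writeup or from bzip2 itself; it reimplements that scan and block extraction in miniature on a constructed two-block sample stream, and then on a copy of it with the tail cut off to mimic the damaged challenge file.

```python
import bz2
import hashlib

# 48-bit markers from the bzip2 stream format. They are written bit-packed, so a
# block boundary can fall anywhere inside a byte; that is why bzip2recover reports
# bit offsets and has to scan bit by bit.
BLOCK_MAGIC = 0x314159265359   # start of every block (BCD digits of pi)
EOS_MAGIC = 0x177245385090     # end of stream (BCD digits of sqrt(pi))
MASK48 = (1 << 48) - 1


def find_block_boundaries(data):
    """Return [(start_bit, end_bit, complete)] for each block of a .bz2 byte string.

    Conventions match bzip2recover's output: start_bit is the first bit after the
    block's 48-bit marker, end_bit the last bit before the next marker. A block
    with no marker after it (truncated file) is reported with complete=False.
    """
    blocks = []
    window = 0          # rolling 48-bit window over the bits read so far
    bits_read = 0
    current_start = None
    for byte in data:
        for shift in range(7, -1, -1):
            window = ((window << 1) | ((byte >> shift) & 1)) & MASK48
            bits_read += 1
            if window != BLOCK_MAGIC and window != EOS_MAGIC:
                continue
            # The marker just completed; it occupies bits [bits_read-48, bits_read).
            if current_start is not None:
                blocks.append((current_start, bits_read - 49, True))
                current_start = None
            if window == BLOCK_MAGIC:
                current_start = bits_read
    if current_start is not None:
        blocks.append((current_start, bits_read - 1, False))
    return blocks


def extract_block(data, start_bit, end_bit):
    """Rebuild one complete block as a stand-alone .bz2 stream, as bzip2recover does.

    Output = original 4-byte stream header, block marker, the block's own bits,
    end-of-stream marker, then the block CRC (the first 32 bits after the block
    marker) reused as the combined stream CRC, which is exact for a one-block stream.
    """
    total_bits = len(data) * 8
    big = int.from_bytes(data, "big")
    length = end_bit - start_bit + 1
    content = (big >> (total_bits - end_bit - 1)) & ((1 << length) - 1)
    block_crc = content >> (length - 32)
    out = int.from_bytes(data[:4], "big")      # b"BZh" + block-size digit
    out = (out << 48) | BLOCK_MAGIC
    out = (out << length) | content
    out = (out << 48) | EOS_MAGIC
    out = (out << 32) | block_crc
    nbits = 32 + 48 + length + 48 + 32
    pad = (-nbits) % 8                         # zero-pad to a byte boundary
    return (out << pad).to_bytes((nbits + pad) // 8, "big")


def recover(data):
    """bzip2recover in miniature: one stand-alone .bz2 per complete block; an
    incomplete trailing block is skipped, exactly as the tool does."""
    return [extract_block(data, s, e)
            for s, e, complete in find_block_boundaries(data) if complete]


if __name__ == "__main__":
    # Constructed sample: 160000 incompressible bytes compressed with 100k blocks,
    # so the stream holds two blocks. This is not data from the challenge.
    sample = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(5000))
    stream = bz2.compress(sample, compresslevel=1)
    for i, (s, e, ok) in enumerate(find_block_boundaries(stream), 1):
        print("block %d runs from %d to %d%s" % (i, s, e, "" if ok else " (incomplete)"))
    # Chop the tail off, as with the damaged challenge file: the last block becomes
    # incomplete and is dropped, but the earlier one still decompresses on its own.
    damaged = stream[:-40]
    pieces = recover(damaged)
    recovered = b"".join(bz2.decompress(p) for p in pieces)
    print("%d of %d blocks recovered, %d bytes, prefix of original: %s"
          % (len(pieces), len(find_block_boundaries(damaged)), len(recovered),
             sample.startswith(recovered)))
```

The per-block CRC is the reason a recovered fragment can still fail: rec00001 above carried a block whose bits were damaged somewhere between the two markers, so the scan finds a plausible boundary but the decoder (and the CRC check) rejects the contents, which is what the "huff+mtf file ends unexpectedly" message that follows means.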

Then I tried extracting the fragments. Unfortunately rec00001 had errors, while rec00002 did not appear to be faulty and yielded a tar file. At first I did not really care about the second fragment; I kept trying to re-split rec00001 and reconstruct the file. I ran integrity checks on it, which produced the same error again.

h1dd3ntru7h@bi0s:~/Desktop/ctf/felicity/QN7$ bzip2 -tvv rec00001memory.bz2
  rec00001memory.bz2:
    [1: huff+mtf file ends unexpectedly
You can use the `bzip2recover' program to attempt to recover
data from undamaged sections of corrupted files.

But I still had hope that I could get at least some useful information out of the second fragment (rec00002). Decompressing that bzip2 file gave me a tar file, and extracting the tar gave me another tar.bz2 file. I repeated this five times and the output was always the same. I got discouraged, and I did not know how to phrase the problem for Google. In the end I went straight to an admin on IRC and asked for help, describing everything I had done so far. He told me to care only about the second fragment and that I was on the right track. So I manually decompressed the bzip2 file and extracted the tar file about 15 more times, and the pattern held: decompressing the bzip2 file gave a tar file, untarring it gave another bzip2 file, and the file name stayed the same every time. So I wrote a script that repeats this until it reaches a state where the bzip2 and tar steps produce something different. Follow these steps before running the simple script.

1. Put the rec00002memory.bz2 file in a separate folder.

2. Go into that folder and run bzip2 -d rec00002memory.bz2

3. You will get a tar file. Extract it with tar xvf rec00002memory

4. That gives you a file called pack.tar.bz2. Save the snippet below in the folder containing pack.tar.bz2 and run it.


import os

# Keep unpacking pack.tar.bz2 -> pack.tar -> pack.tar.bz2 until one of the two
# steps fails, which happens when the tar finally contains something else.
while True:
    if os.system('bzip2 -d pack.tar.bz2') != 0:
        break
    if os.system('tar -xvf pack.tar') != 0:
        break
    os.system('rm pack.tar')

When you run this, it unpacks layer after layer of bz2 and tar files. It takes about three seconds, and then it starts printing error messages; ignore them (or close the terminal) and look at the directory contents. You will see part.zip. Wow! Looks cool! I tried unzipping it, and it prompted for a password. Using the hint on the website (password length is 6 + Sin__), I was able to crack it with the fcrackzip tool. I don't remember the key that unlocked it. Finally, the flag is: 50777990200c4f6d5d3bd3525e29cf77. Happily got 200 pts ;).
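The script above works by file name and shells out for every layer, so it only knows it is done when a command fails. A version that keeps everything in memory, identifies each layer by its magic bytes instead of its name, and stops as soon as the content is something other than a bz2/gzip stream or a single-file tar is below. It is an added example for this page, not code from the writeup; the archive it peels is a constructed fixture built the way the challenge chain is described (a tar containing pack.tar.bz2, then bzip2, repeated, with part.zip at the bottom), and the flag.txt content inside that zip is a placeholder. It goes slightly beyond the challenge by also accepting gzip layers.

```python
import bz2
import gzip
import io
import tarfile
import zipfile


def sniff(data):
    """Identify a blob by its magic bytes: 'bz2', 'gzip', 'zip', 'tar' or 'unknown'."""
    if data[:3] == b"BZh":
        return "bz2"
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[257:262] == b"ustar":            # POSIX/GNU tar header magic at offset 257
        return "tar"
    return "unknown"


def peel(data, max_layers=10000):
    """Strip compression and single-member tar layers until something else appears.

    Returns (payload, kind, layers_removed, last_member_name). A tar with more than
    one regular file stops the loop rather than guessing which member to follow.
    """
    layers = 0
    name = None
    while layers < max_layers:
        kind = sniff(data)
        if kind == "bz2":
            data = bz2.decompress(data)
        elif kind == "gzip":
            data = gzip.decompress(data)
        elif kind == "tar":
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tf:
                members = [m for m in tf.getmembers() if m.isfile()]
                if len(members) != 1:
                    return data, kind, layers, name
                name = members[0].name
                data = tf.extractfile(members[0]).read()
        else:
            return data, kind, layers, name
        layers += 1
    raise RuntimeError("gave up after %d layers" % max_layers)


def build_nested(payload, payload_name, depth):
    """Constructed fixture: wrap payload as tar(member) then bz2, depth times, which
    reproduces the challenge's pack.tar.bz2 -> pack.tar -> pack.tar.bz2 chain."""
    data, name = payload, payload_name
    for _ in range(depth):
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w:") as tf:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
        data, name = bz2.compress(buf.getvalue()), "pack.tar.bz2"
    return data


def make_sample_zip():
    """Constructed placeholder for the challenge's part.zip (not the real one)."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("flag.txt", "placeholder, not the real flag")
    return zbuf.getvalue()


if __name__ == "__main__":
    nested = build_nested(make_sample_zip(), "part.zip", 25)
    payload, kind, layers, name = peel(nested)
    print("stopped after %d layers at a %s named %s (%d bytes)"
          % (layers, kind, name, len(payload)))
```

To use it on the real fragment, read pack.tar.bz2 into bytes, call peel, and write the payload out under the name it returns; the zip is then ready for fcrackzip exactly as in the writeup.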
