
Posts Tagged ‘forensics’

CSAW CTF 2016 Watchword 250 Forensics

September 18, 2016

Here is the challenge description,

Canned epic hidden snek flavored cookies have shy gorilla.

password = password

and a link to this video

It's an MP4 video. Checking its metadata blob revealed a base64 encoded string,

[image: meta]

[image: b64]

So the challenge has something to do with steghide. Check the challenge description as well: it mentions the passphrase (password = password). Steghide uses a passphrase to embed data in a cover file, and it supports only JPEG, BMP, WAV and AU covers. We have an MP4 file, which steghide does not support, yet steghide is clearly part of the challenge.

[Failed attempt]

You may skip reading this part.

The frame movement was a little weird, so I thought I would export all the frames as JPEG files and then run steghide on them. I used this method to export the frames, with the recording ratio set to 1 (with this setting VLC extracts every frame). Once the video stopped, VLC had generated around 275 frames. You can download the frames from here. With a set of JPEG images in place, let's try steghide with the passphrase "password".

[image: script_brute]

It did not work as expected; the output was "steghide: could not extract any data with that passphrase!" :/ :/. Now what? Let's go back to the video and check for signs of hidden files with a hex editor. And what have we got?

[image: png_hex]

Now let's extract the PNG image out of it. I had to do it by writing a script, as there were dependency issues installing binwalk. You could alternatively use foremost.

After running the script, we got a PNG image file,

[image: png_magic]

Wow! Looks awesome... but steghide still won't support a PNG image. Then why was steghide given as a clue in the challenge file? Let's dig deeper. I repeated almost all the steps from the beginning and couldn't find any lead here. Histogram analysis, LSB and other standard steganography techniques failed as well. It was a little difficult to guess a pattern just by looking at the pixel values.

An hour or so later the first hint was released, and then it was pretty straightforward. The hint was to use stepic, and here is the detailed explanation.

$ stepic --decode --image-in=PNG_Magic.png --out=new_image.jpg

Using stepic we got another image, and this time it is a JPEG file (new_image.jpg). Finally, the clue given inside the challenge file makes sense,

[image: new_image]

Let’s pull out the hidden text file from the obtained image,

[image: steg]

So here it is,

W^7?+dsk&3VRB_4W^-?2X=QYIEFgDfAYpQ4AZBT9VQg%9AZBu9Wh@|fWgua4Wgup0ZeeU}c_3kTVQXa}eE

This doesn't look like a base64 encoded string. Check the format: base64 uses only '+' and '/' as special characters, but here we have several others (^, |, _, ?, } etc.). I was unable to crack this last part, so I left it to my teammates. In the meantime another hint was released [It's not base64, but it uses the Python 3 base64 module]. Later, a couple of my teammates (dnivra, gokul_krishna) quickly identified the encoding: it was the Base85 (b85) encoding provided by the base64 module.

[image: flag]

So the flag is: flag{We are fsociety, we are finally free, we are finally awake!} Yaaayyyy!!!! 250 on the board!!! 😀 \m/

So summing up,

  1. Extract the PNG image from the MP4 video,
  2. Use stepic to uncover a JPEG file,
  3. Use steghide to extract a Base85 (b85) encoded string,
  4. Decode it to get the flag.
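The two steps of this writeup that need no external tool, carving the PNG out of the MP4 by walking its chunk table and telling a Base85 blob from base64 before decoding it, as an added Python example (not the author's script). The host bytes and the tiny PNG are constructed for the demo; the encoded string is the one steghide produced above.

```python
import base64
import string
import struct
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"

def carve_png(blob):
    """Return the first PNG in blob, signature through IEND, by walking chunks."""
    start = blob.find(PNG_SIG)
    if start < 0:
        return None
    pos = start + len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        pos += 8 + length + 4          # chunk header + data + CRC
        if ctype == b"IEND":
            return blob[start:pos] if pos <= len(blob) else None
    return None                        # no complete PNG found

def _chunk(ctype, data):
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def make_tiny_png():
    """Constructed 1x1 8-bit grayscale PNG, used only as sample input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

# RFC 4648 base64 alphabet vs the alphabet of Python's base64.b85decode
B64_CHARS = set(string.ascii_letters + string.digits + "+/=")
B85_CHARS = set(string.ascii_letters + string.digits + "!#$%&()*+-;<=>?@^_`{|}~")

def guess_encoding(s):
    chars = set(s)
    if chars <= B64_CHARS:
        return "base64"
    # Adobe Ascii85 (base64.a85decode) only uses '!'..'u', so '|' and '}' rule it out
    return "base85" if chars <= B85_CHARS else "unknown"

def decode_blob(s):
    decoders = {"base64": base64.b64decode, "base85": base64.b85decode}
    enc = guess_encoding(s)
    if enc not in decoders:
        raise ValueError("not base64 or base85: " + s)
    return decoders[enc](s)

# Constructed host bytes: the PNG sits between junk, as it did inside the MP4
HOST = b"\x00" * 16 + b"mdat" + make_tiny_png() + b"\xff" * 8
STEGHIDE_OUTPUT = "W^7?+dsk&3VRB_4W^-?2X=QYIEFgDfAYpQ4AZBT9VQg%9AZBu9Wh@|fWgua4Wgup0ZeeU}c_3kTVQXa}eE"
```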

CSAW CTF 2014 Forensics 200 why not sftp writeup

September 22, 2014

[image: question_why_not_sftp]

There were many interesting protocols in the given pcap file, such as TLS, ICMP and FTP. I thought the challenge would be to decrypt the SSL traffic, but not after noticing the FTP traffic. I applied the "ftp" filter and could then see the traffic between the two IP addresses 172.16.4.235 and 172.16.4.236. Going through the packet summary you can see 172.16.4.235 requesting a zip file near the end. I have already written an article on this blog about reconstructing files transferred over FTP; you can read it here. Apply the "ftp-data" filter to get the transferred file.

[image: whynotsftp]

You can even see the zip file header and a file called flag.png at the beginning. When I extracted the zip file I got a PNG image containing the flag.

[image: flag]

Installing Volatility in Ubuntu

May 22, 2014

Volatility is a memory forensics framework for analysing RAM dumps from Windows, Linux and Mac systems. To analyse an operating system's memory with Volatility you need a profile for that operating system. Windows profiles ship with Volatility by default; for a Linux or Mac memory dump you have to build the profile yourself. The most important thing to note is that the profile must match the dumped system: you cannot use a profile built on an Ubuntu system with kernel 3.13 to analyse a dump taken from an Ubuntu system with kernel 3.10. In this article I will show you how to install Volatility on your machine, and in the next post I will show how to create Linux profiles for analysing Linux memory dumps. Note that I am using Ubuntu 12.04 amd64. Install the packages in the order given below, and make sure that no errors appear while installing the dependencies and libraries.

[Update] You can also refer to Volatility's GitHub for the latest information about dependencies.

Step 1: Installing dependencies

h1dd3ntru7h@bi0s:~$ sudo apt-get install subversion pcregrep libpcre++-dev python-dev -y

Step 2: Installing PyCrypto

You can either use pip to install the library, or download the source from here and install it.

h1dd3ntru7h@bi0s:~/Apps$ tar -zxvf pycrypto-2.6.1.tar.gz

h1dd3ntru7h@bi0s:~/Apps/pycrypto-2.6.1$ python setup.py build

h1dd3ntru7h@bi0s:~/Apps/pycrypto-2.6.1$ sudo python setup.py build install

Step 3: Installing diStorm3

diStorm3 is a disassembler library for x86/AMD64. You can download the source from here.

h1dd3ntru7h@bi0s:~/Apps$ unzip distorm3.zip

h1dd3ntru7h@bi0s:~/Apps$ cd distorm3/

h1dd3ntru7h@bi0s:~/Apps/distorm3$ python setup.py build

h1dd3ntru7h@bi0s:~/Apps/distorm3$ sudo python setup.py build install

Step 4: Installing Yara

Volatility supports many plugins that help identify malware in memory dumps, and many of the malware-related plugins use the Yara library. You can download the most recent version available, but for this demo I am using an older version of Yara.

h1dd3ntru7h@bi0s:~/Apps$ wget http://yara-project.googlecode.com/files/yara-1.4.tar.gz

h1dd3ntru7h@bi0s:~/Apps$ tar -zxvf yara-1.4.tar.gz

h1dd3ntru7h@bi0s:~/Apps$ cd yara-1.4/
h1dd3ntru7h@bi0s:~/Apps/yara-1.4$ sudo ./configure

h1dd3ntru7h@bi0s:~/Apps/yara-1.4$ sudo make

h1dd3ntru7h@bi0s:~/Apps/yara-1.4$ sudo make install

Step 5: Installing Yara Python

Please follow the instructions in Step 4 before installing yara-python. You can download the yara-python 1.4a source from here. Note that if you downloaded a different version of Yara in Step 4, you must download a compatible version of yara-python.

h1dd3ntru7h@bi0s:~/Apps$ tar -zxvf yara-python-1.4a.tar.gz

h1dd3ntru7h@bi0s:~/Apps$ cd yara-python-1.4a/

h1dd3ntru7h@bi0s:~/Apps/yara-python-1.4a$ python setup.py build

h1dd3ntru7h@bi0s:~/Apps/yara-python-1.4a$ sudo python setup.py build install

h1dd3ntru7h@bi0s:~/Apps/yara-python-1.4a$ echo "/usr/local/lib" | sudo tee -a /etc/ld.so.conf
h1dd3ntru7h@bi0s:~/Apps/yara-python-1.4a$ sudo ldconfig

We are done installing the dependencies; now we will install the Volatility framework itself. Download the source from here; you can keep it wherever you want. After downloading, extract it to a directory.

h1dd3ntru7h@bi0s:~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.3.1$ python setup.py build

h1dd3ntru7h@bi0s:~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.3.1$ sudo python setup.py build install

That completes the installation. If everything went right, you should get output similar to this:

h1dd3ntru7h@bi0s:~/Desktop/F0r3ns1c5/Memory_Forensics/New/volatility-2.3.1$ python vol.py -h
Volatility Foundation Volatility Framework 2.3.1
Usage: Volatility - A memory forensics analysis platform.

Options:
  -h, --help            list all available options and their default values.
                        Default values may be set in the configuration file
                        (/etc/volatilityrc)
  --conf-file=/home/h1dd3ntru7h/.volatilityrc
[stripped]
