Archive

Posts Tagged ‘mma ctf 2015 forensics writeup’

MMA CTF 2015 Forensics stream writeup

September 7, 2015 1 comment

MMA_CTF_Scoreboard

I played a CTF after a very long gap. We secured 33rd (team bi0s) position out of 650+ teams in the contest by knocking down 17 challenges.

Download the challenge file from here

The challenge involves the following tasks,

  1. Extract the x-mms-framed binary ( streaming data ) from the given traffic captured file.
  2. Recover the media stream from the x-mms-framed binary.

As per the Microsoft documentation [1] [2],

The file is actually used to stream real time data between client (can be Windows Media Player or VLC etc) and server (Microsoft Media Servers). The receiver of the streaming data is the client and the sender is  server. Unlike HTTP this version of HTTP protocol maintains the state. The protocol attempts to facilitate scenarios where the multimedia file is being transferred and rendered simultaneously. One important thing to notice is, it doesn’t provide a mechanism for a client to discover the URL to the server.

After reading more on the Microsoft documentation I understood we can recover the media streams. So I focused on searching a program which can host this reconstructed file from Wireshark as server and a client which can communicate with the server and decode the media stream as a ASF video file. We used these programs which can do the task. Once after uploading we opened the GetASFStreamer ( client) which decoded and saved the video file where we had the flag. As a note, please use these programs in Windows XP. I did not get the ASF video file saved, when I followed the same steps (mentioned above) in a Windows 7 machine.

stream_capture

stream

So the flag is,

mma_Ctf

References:

[1] https://msdn.microsoft.com/en-us/library/cc251059.aspx

[2] https://msdn.microsoft.com/en-us/library/cc251177.aspx

Advertisements

MMA CTF 2015 Splitted writeup Forensics

September 7, 2015 5 comments

Download the challenge file from here

The challenge involved, a little bit of thinking to solve in a simple way, if you are unsure about the zip file structure. A zip file was split into 8 different parts and it was sent to the host 192.168.3.10. The task is, reconstruct the fragments of the zip file, arrange it in order adhering to the zip file structure. Once you do it you will get a valid Adobe Photoshop file ( .psd). Then extract the image to view the flag. This works only if you reconstruct the zip file in the order mentioned in the zip file structure. Since it is just a 30 points challenge, I didn’t spend much time in thinking about solving in a proper way. Here is the idea (#lame 😀 :P) I came up with,

  1. Reconstruct the fragments from the Wireshark. If you are doing it by hand make sure to strip the HTTP headers in the beginning. The best way is to Export the HTTP objects. Find my reconstructed fragments from here
  2. Identify the header and footer of a zip file. Zip file header always starts with the magic number 50 4B 03 04 14 00… (HEX), PK…….(ASCII). Now the footer, it looks something like this,footer_zip
  3. You have identified the header and footer. So the number of remaining fragments from the pcap file is 6 (excluding the header and footer) out of 8. So there are 6! (spelled as six factorial) ways to arrange these fragments to get a valid zip file. We just wrote a script using Python to do complete this task (I owe my sincere thanks 😛 to b3h3m0th for helping me with this script).
#!/usr/bin/env python

import itertools
import zipfile
import os

body_n = [1, 3, 4, 6, 7, 8]
header = "2_header.raw"
footer = "5_footer.raw"

def generate_file(sequence, i):
    final_file = "final_" + str(i) + ".zip"
    open(final_file, "w").close()
    final = open(final_file, "a")

    header_data = open(header, "r").read()
    footer_data = open(footer, "r").read()

    final.write(header_data)
    for item in sequence:
        d = open(item, "r").read()
        final.write(d)
    final.write(footer_data)
    final.close()

    try:
        content = zipfile.ZipFile(final_file)
        content.extractall()
        print "\n\n\n\n [*] permutation", i, "SUCCESS !!! "
        print "\n [i] Successful Sequence:\n\n"
        print header
        for item in sequence:
            print item
        print footer

    except:
        os.remove(final_file)

def main():
    perms = []
    body_list = [str(i) + ".raw" for i in body_n]
    permsobj = itertools.permutations(body_list)
    while True:
        try:
            perms += [permsobj.next()]
        except StopIteration:
            break

    i=1
    for item in perms:
        generate_file(item, i)
        i = i+1

if __name__ == "__main__":
    main()

When you run this script you will get the sequence (2_header.raw, 6.raw, 7.raw, 3.raw.. etc) as well as the valid zip file.

permutationUnzip the valid zip file which is reconstructed using this script. The file name would be final_443.zip. When you unzip you will get a psd file. We used a psd file parser to get the layered images. After running the parser on the psd file we got the flag.

psd_parse

One of the image had our flag,

レイヤー

[EDIT] Another way to reconstruct the ZIP file

Here is a elegant way to solve the challenge. I came to know about this method from the comments.

capture

Filter the http packets. When you click on a GET request packet you can see the “Range” field( in the HTTP section). Now carefully look the range of values(Range field) in all the packets, you will notice a sequence, With that we can reconstruct the zip file.

Packet No: 14  Range : 2345-2813

Packet No: 24  Range : 0 – 468

Packet No: 34  Range : 1407 – 1875

Packet No: 44  Range : 2814 – 3282

Packet No: 54  Range : 3283 – 3744

Packet No: 64  Range : 469 – 937

Packet No: 74  Range : 938 – 1406

Packet No: 84  Range : 1876 – 2344

Now order these packets in increasing order and then write it to a file. So the order should be: Packet number : 24, 64, 74, 34, 84, 14, 44, 54. Or export the data streams in these order, rearrange it to get the valid zip file.

This Week In 4n6

Your weekly roundup of Digital Forensics and Incident Response news

RAM Slack - Random Thoughts from a Computer Forensic Examiner

Random Thoughts from a Computer Forensic Examiner

InCTF

behind the scenes

DFIR Journal

Trials and Tribulations of a DFIR life

I dont know zilch !

For the noobs out there like me

X-Ways Forensics Practitioner's Guide

The Guide to X-Ways Forensics!

Forensic Focus - Articles

Digital forensics articles and research papers

my abbreviations......

gain,learn and share knowledge!!!!

digirati82

Windows Logging Service (WLS), DFIR, etc.

Belkasoft Forensic: The Digital Evidence Blog

Searching for, analyzing and recovering digital evidence

Gail Tredwell. Amma. Truth. Lies. Scandals. Fraud. And. Reality

Three things cannot be long hidden: the sun, the moon, and the truth.

Integriography: A Journal of Broken Locks, Ethics, and Computer Forensics

Musings about UAVs, search & rescue, computer forensics, cyber security, and the state of play in all .....

Life is beautiful

when the mind is full with love, you see beauty in every thing

Techno Krat

.... Dare To Try .......