FIC 2018 – Random forensics challenges write-up

CERT-DVT Forensics, Writeups

1 Introduction

Several security challenges have taken place during the FIC 2018 event.
Thanks to all organizers, authors and sponsors related to there challenges.
Here are some several write-ups of night and second day CTFs, mostly forensic.

2 Forensic – 50

We get a pcap file : Extract.pcapng.
I fire up wireshark, and due to the name of file, I launch foremost on it too.

File: Extract.pcapng
Start: Tue Jan 23 21:28:18 2018
Length: 1 MB (1900172 bytes)
Num Name (bs=512) Size File Offset Comment

0: 00003505.png 48 KB 1795007 (736 x 658)
Finish: Tue Jan 23 21:28:19 2018

png:= 1

The flag is on this png file :

So I close wireshark…

3 bashjail – 100

This one was not solved by me, but I love the technique to display the flag 😉

We were faced to a bash jail challenge type.
Here is the output :

$ ssh jail1@ -p 2222
jail1@'s password: 
Essayez de lire le fichier flag.txt :D

Et voici un partie du code dans lequel vous etes :

while :
 echo "Votre payload :"
 read input
 if sanitize "$input"
 echo -e '\033[0;31mHop, hop, hop ! Certains caractères sont interdits\033[0m'
 output=`/bin/sh -c "$input"`
Votre payload :

A couple of week ago, the CCC Junior CTF has proposed a similar challenge:

We use the octal representation technique to spawn a bash shell :

Votre payload :
bash-4.4# ls
bash-4.4# id
bash-4.4# pwd

But unfortunately, we haven’t the echo return of our commands. We began to think about sending a reverse shell, when one of team find this quick solution :

bash-4.4# export PS1=$(cat flag.txt)

Pretty efficient, and as bonus :

ENSIBS{b45H_0utPu7_4re_fUn!!}export PS1=$(whoami)
rootshutdown -h now

4 forensic – 150

We got an hiberfil.sys for this one, with a comment like “I wrote the password in file but forget to save it”.

Volatility works with hiberfil but for performance issue, it’s better to copy it with imagecopy module :

# vol -f hiberfil.sys --profile=Win7SP0x64 imagecopy -O hiberfil.raw

After that we begin to look it with classical modules like pstree, filescan, clipboard, etc.
The first hit was found with screenshot module :

# vol -f hiberfil.raw --profile=Win7SP0x64 screenshot

Where we see this :

The user wrote down in notepad, but the title of notepad shows than he/she didn’t save it.
After few other tests, we found this module I’ve never used before:

# vol --info | grep editbox
Volatility Foundation Volatility Framework 2.6
editbox - Displays information about Edit controls. (Listbox experimental.)
# vol -f hiberfil.raw --profile=Win7SP0x64 editbox
Volatility Foundation Volatility Framework 2.6
Wnd Context : 1\WinSta0\Default
Process ID : 1288
ImageFileName : notepad.exe
IsWow64 : No
atom_class : 6.0.7600.16385!Edit
value-of WndExtra : 0x212800
nChars : 56
selStart : 56
selEnd : 56
isPwdControl : False
undoPos : 52
undoLen : 2
address-of undoBuf: 0x219bc0
undoBuf : Mà
/!\ Password for


5 Forensic – 250

We’ve got a file USB_Partition.img, with description like “We extracted this usb key from a bad guy, but we encountered space issues during the extraction “.

$ file USB_Partition.img 
USB_Partition.img: DOS/MBR boot sector, code offset 0x58+2, OEM-ID "mkfs.fat", Media descriptor 0xf8, sectors/track 62, heads 125, hidden sectors 2048, sectors 102400 (volumes > 32 MB) , FAT (32 bit), sectors/FAT 788, serial number 0x8a252437, label: " "

Because of description, I firstly run testdisk on it and find, then undelete, a file memo.kdbx.

It’s a Keepass password database, and we need a password or key file to open it.

There were a lot of "noises" in this USB extract :
$ mkdir mnt
$ sudo mount USB_Partition.img mnt
$ cd mnt
$ ls -larht

drwxr-xr-x 2 root root 512 Mar 21 2017 Cliches
drwxr-xr-x 2 root root 13K Mar 21 2017 flags
drwxr-xr-x 4 root root 1.0K Mar 21 2017 CrackMapExec-master
drwxr-xr-x 5 root root 2.5K Mar 21 2017 peepdf-master
-rwxr-xr-x 1 root root 5.9M Mar 21 2017 Guide_securite_industrielle_Version_finale.pdf
-rwxr-xr-x 1 root root 264K Mar 21 2017 ANSSI-CSPN-CER-I-02_Criteres_pour_evaluation_en_vue_d_une_CSPN_v1-1.pdf
-rwxr-xr-x 1 root root 1.4M Mar 21 2017 anssi-cspn-2016_10.pdf
-rwxr-xr-x 1 root root 760K Mar 22 2017 Template_Document.docx

_ The directory “flags” content a lot countries flags pictures 😉
_ peepdf tools sources are in it too, and pdfextract tools highlight than one pdf appear weird
_ There is also another tool named CrackMapExec, but I don’t look deeper on it

However, I suspect the file Template_Document.docx to be interesting because of date/time modification. Indeed, all files has the same timestamp except this one :

For all files :

Modify: 2017-03-21 23:28:12.000000000 +0100
Change: 2017-03-21 23:28:12.000000000 +0100

For Template_Document.docx :

Modify: 2017-03-22 00:02:28.000000000 +0100
Change: 2017-03-22 00:03:49.000000000 +0100

It seems the author modified this file at the end to be compliant with the rest of challenge, or something… maybe to put a password on it?

After unzipping the docx, a file named “help.png” appears in ‘word’ folder instead of ‘media’. It was a qrcode.

# zbarimg help.png 
scanned 1 barcode symbols from 1 images in 0.02 seconds

It’s also the password for the keepass database file recovered at the beginning.

6 Forensic – ???

I don’t know the number of points rewarded by this one.
This challenge takes place during the second day of FIC event.
We’ve got a PNG file, with the simple description “All is in RAM”.

# file Acissi_2k18.png 
Acissi_2k18.png: PNG image data, 340 x 50, 8-bit/color RGBA, non-interlaced
# du -h Acissi_2k18.png 
303M Acissi_2k18.png
# binwalk Acissi_2k18.png

0 0x0 PNG image, 340 x 50, 8-bit/color RGBA, non-interlaced
152 0x98 Zlib compressed data, best compression, uncompressed size >= 68121
21710 0x54CE Zip archive data, at least v2.0 to extract, compressed size: 316783029, uncompressed size: 1090610472, name: "locky.raw"
316804833 0x12E20EE1 End of Zip archive

Ok there is a zip file after the png.

# dd if=Acissi_2k18.png bs=21710 skip=1
14591+1 records in
14591+1 records out
316783145 bytes (317 MB) copied, 5.90328 s, 53.7 MB/s
# 7z x

7-Zip [64] 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18
p7zip Version 9.20 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,2 CPUs)

Processing archive:

Extracting locky.raw

Everything is Ok

Size: 1090610472
Compressed: 316783145
# file locky.raw 
locky.raw: ELF 64-bit LSB core file x86-64, version 1 (SYSV)
# strings locky.raw | grep BOOT_IMAGE
 a07e8 file=/cdrom/preseed/custom.seed boot=casper initrd=/casper/initrd.gz quiet splash -- BOOT_IMAGE=/casper/vmlinuz 
1ec3a98 Command line: file=/cdrom/preseed/custom.seed boot=casper initrd=/casper/initrd.gz quiet splash -- BOOT_IMAGE=/casper/vmlinuz 

It appears to be a linux memory dump and after googling ‘/casper/vmlinuz’, it seems to be a live iso boot of Ubuntu distribution.
After few tests with another member of the team, he eventually finds that the good profile is available on github project page of volatility :

# -f locky.raw --profile=Linuxubuntu14x64 linux_banner
Volatility Foundation Volatility Framework 2.6
Linux version 3.16.0-28-generic (buildd@batsu) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #38-Ubuntu SMP Sat Dec 13 16:13:28 UTC 2014 (Ubuntu 3.16.0-28.38~14.04.1-generic 3.16.7-ckt1)

Work fine, let’s play.
There are a lot of “noises” in this dump, like bash history for example :

# -f locky.raw --profile=Linuxubuntu14x64 linux_bash | wc -l
Volatility Foundation Volatility Framework 2.6

But at the end we find something suspicious

 3660 bash 2017-01-12 08:58:01 UTC+0000 ./init_
 3660 bash 2017-01-12 08:58:05 UTC+0000 sudo ./init_
 3660 bash 2017-01-12 08:58:26 UTC+0000 sudo su
 3660 bash 2017-01-12 08:58:55 UTC+0000 sudo chmod 777 init_ 
 3660 bash 2017-01-12 08:58:58 UTC+0000 ./init_
# -f locky.raw --profile=Linuxubuntu14x64 linux_getcwd | grep init_
Volatility Foundation Volatility Framework 2.6
init_ 3704 /home/cyborg/Downloads

Let’s try to recover this file:

# -f locky.raw --profile=Linuxubuntu14x64 linux_find_file -f /home/cyborg/Downloads/init_ -D .
Volatility Foundation Volatility Framework 2.6
ERROR : volatility.debug : The requested file doesn't exist

It fails but extracting the process works better.

# -f locky.raw --profile=Linuxubuntu14x64 linux_pstree
....gnome-terminal 3651 1000 
.....gnome-pty-helpe 3659 1000 
.....bash 3660 1000 
......init_ 3704 1000 
# -f locky.raw --profile=Linuxubuntu14x64 linux_procdump -D . -p 3704
Volatility Foundation Volatility Framework 2.6
Offset Name Pid Address Output File
------------------ -------------------- --------------- ------------------ -----------
0xffff880005783d20 init_ 3704 0x0000000008048000 ./init_.3704.0x8048000
# file init_.3704.0x8048000 
init_.3704.0x8048000: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/, stripped

After a quick look on it, we find this string generation :

| 0x0804848e c7442408000. mov dword [esp+0x8], 0x0
| 0x08048496 c7442404000. mov dword [esp+0x4], 0x0
| 0x0804849e c744240f2a4. mov dword [esp+0xf], 0x616c462a
| 0x080484a6 c74424135f6. mov dword [esp+0x13], 0x633d675f
| 0x080484ae c7442417644. mov dword [esp+0x17], 0x24314064
| 0x080484b6 c744241b695. mov dword [esp+0x1b], 0x35725f69
| 0x080484be c744241f5e6. mov dword [esp+0x1f], 0x6735685e
| 0x080484c6 c7442423646. mov dword [esp+0x23], 0x6e766d64
| 0x080484ce c7442427363. mov dword [esp+0x27], 0x2a353a36
| 0x080484d6 c644242b00 mov byte [esp+0x2b], 0x0

This stands for: *Fla_g=cd@1$i_r5^h5gdmvn6:5*

But cd@1$i_r5^h5gdmvn6:5 doesn’t valid the challenge!
Nothing on description talks about a possible flag format.
I spend an hour on it.
The binary isn’t very complicated, but doesn’t appear to do something on this string. I think I missed something in dump, but nothing relevant…
Eventually I submit the complete string with “*” and “Fla_g=”, and that it.
GG me to lost one hour on 3:30 hours CTF long.


Yvan Genuer