Ujjawal Saini

PicoCTF 2022 Forensics walkthrough – Part 2

Sat, 08 Oct 2022 13:59:49 +0000

In this article, we will attempt to solve picoCTF 2022 Forensics challenges 4 to 9.

Let's get started!

Challenge 4 – Packets Primer

The description says to download the linked packet capture file and analyse it. Let's start by opening up our terminal and download the file.

curl -LO "https://artifacts.picoctf.net/c/200/network-dump.flag.pcap"

Let's now use Wireshark to open our downloaded packet capture. Wireshark is a free and open-source packet analyser. To open it, I simply typed wireshark followed by our file name. wireshark network-dump.flag.pcap

While I was scrolling through the packets, in packet No. 4 I found the flag

Hexdump:

0000   08 00 27 93 ce 73 08 00 27 af 39 9f 08 00 45 00   ..'..s..'.9...E.
0010   00 70 50 c2 40 00 40 06 d1 b3 0a 00 02 0f 0a 00   .pP.@.@.........
0020   02 04 be 6e 23 28 27 ec d4 b7 bd 26 99 bc 80 18   ...n#('....&....
0030   01 f6 18 75 00 00 01 01 08 0a 8d cf e9 65 68 f0   ...u.........eh.
0040   f1 c3 70 20 69 20 63 20 6f 20 43 20 54 20 46 20   ..p i c o C T F 
0050   7b 20 70 20 34 20 63 20 6b 20 33 20 37 20 5f 20   { p 4 c k 3 7 _ 
0060   35 20 68 20 34 20 72 20 6b 20 5f 20 62 20 39 20   5 h 4 r k _ b 9 
0070   64 20 35 20 33 20 37 20 36 20 35 20 7d 0a         d 5 3 7 6 5 }.

Flag: picoCTF{p4ck37_5h4rk_b9d53765}

Challenge 5 – Redaction gone wrong

Let's start this challenge by downloading the linked PDF file. curl -LO "https://artifacts.picoctf.net/c/264/Financial_Report_for_ABC_Labs.pdf"

When opened the PDF:

The hint says: “How can you be sure of the redaction?”

I opened the file in LibreOffice Draw, and I was able to move the black boxes, which revealed the flag. If you are on Windows, you can also use MS Word.

Flag: picoCTF{C4n_Y0u_S33_m3_fully}

Challenge 6 – Sleuthkit Intro

Let's start by downloading the disk image. curl -LO "https://artifacts.picoctf.net/c/114/disk.img.gz"

Since it is gzip compressed data I used binwalk to extract it which created a folder _disk.img.gz.extracted. You can also use gunzip: binwalk -e disk.img.gz

Using mmls on disk.img to find the size of Linux partition, as instructed in the challenge description: mmls disk.img The Linux partition size is: 0000202752

Now let's connect to the access checker program using netcat. nc saturn.picoctf.net 52279

After I entered the Linux partition size, it gave me the flag.

Flag: picoCTF{mm15_f7w!}

Challenge 7 – Sleuthkit Apprentice

First, we downloaded the file curl -LO "https://artifacts.picoctf.net/c/331/disk.flag.img.gz"

Extracted the file gzip -d disk.flag.img.gz

To make things a little easier, I opened Thunar File Manager by simply typing thunar in my current working directory and then right-clicked on the disk.flag.img file and clicked on “Disk Image Mounter” to mount it.

Under devices, I see these two new partitions mounted:

After meandering for a while, in 130 MB Volume, I found a folder named root which I was unable to open cd: Permission denied: “root/”. So I escalated my privilege and then tried to run cd as root.

Inside it, I found a folder named my_folder which had a file named flag.uni.txt inside. I ran cat on the file and found the flag.

Flag: picoCTF{by73_5urf3r_adac6cb4}

Alternative: You can also use Autopsy to analyse the image.

Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.

Challenge 8 – Eavesdrop

The hint says:

Let's start by downloading the linked packet capture. curl -LO "https://artifacts.picoctf.net/c/359/capture.flag.pcap"

And open it in wireshark

After going through a bunch of packets, I found something interesting

Then I right-clicked on the packet and clicked on follow TCP Stream

After I followed the TCP stream, I am able to see the conversation between them. Here we found something interesting, openssl des3 -d -salt -in file.des3 -out file.txt -k supersecretpassword123 A command to decrypt a file named file.des3 which was transmitted over port 9002

I then cleared our current filter and applied tcp.port == 9002 filter and found an interesting “Salted” packet, which is likely the file they were talking about in their conversation.

I then right-clicked on the packet and clicked on Follow Stream

Changed the Show data as: to Raw and clicked on Save as and saved the file as file.des3 in our current directory.

Then I ran file command on the file that we just exported: file file file.des3 And it turned out to be openssl enc'd data with salted password

Let's run the command we found earlier on this file, which already has the password in it after k tag which is “supersecretpassword123”. It gave us a warning, but it also successfully created a new file.txt file, let's now cat the file to see the content within it. And we found the flag.

Flag: picoCTF{nc_73115_411_dd54ab67}

Challenge 9 – Operation Oni

Let's start this challenge by downloading the linked disk image file. curl -LO "https://artifacts.picoctf.net/c/374/disk.img.gz"

The challenge in the above image also gives us a command to connect to the remote machine. ssh -i key_file -p 55949 ctf-player@saturn.picoctf.net

As it is a gzip file, let's extract it. gunzip disk.img.gz After extracting it, we got the disk.img file.

To analyse this image, again I would recommend using Autopsy, but in this article we're going to use binwalk. binwalk -e disk.img

After cd-ing into _disk.img.extracted we found two folders.

After running find in the current directory, I found some interesting results find . | grep "ssh"

Let's try to cat the first private key in our result cat ./ext-root-0/root/.ssh/id_ed25519

So, now we have a ssh private key. Let's try to use it to connect to our remote machine.

By simply replacing the key_file to key path we found, I ran the given command, but encountered an error. ssh -i ./ext-root-0/root/.ssh/id_ed25519 -p 55949 ctf-player@saturn.picoctf.net

The error says: Permissions 0644 for './ext-root-0/root/.ssh/id_ed25519' are too open.

Let's try to modify its permission and re-run the command. I ran ls -l ./ext-root-0/root/.ssh/id_ed25519 to check the permission of our key, and it turned out that it was world readable, so then I ran chmod 600 ./ext-root-0/root/.ssh/id_ed25519 to change its permission.

After this, I re-ran the command and connected successfully to the remote machine

I ran the ls and found a file named flag.txt, I cat-ed it, and found the key.

Flag: picoCTF{k3y_5l3u7h_af277f77}

~ spignelon | Ujjawal Saini

PicoCTF 2022 Forensics walkthrough - Part 1

Fri, 30 Sep 2022 08:02:14 +0000

In this article, we will attempt to solve picoCTF 2022 Forensics challenges 1 to 3.

This post assumes you are familiar with what CTF is, if not then feel free to check out this introduction to CTF video by LiveOverFlow:

So, let's get started.

Challenge 1 – Enhance

As we can see in the description that we are provided with a download link of an image file and no hints.

Let's start by firing up our terminal and grabbing the image using curl and open it.

curl -LO "https://artifacts.picoctf.net/c/137/drawing.flag.svg"

When opened:

It looks like there's nothing here. Let's try something else. Let's try to cat this image file.

cat drawing.flag.svg

Output:

Upon looking closely at the end of the output, we see that before every, there's a little fragment of the flag. Let us now concatenate this and remove the spaces from between: Flag: picoCTF{3nh4nc3d_24374675}

Challenge 2 – File types

Let's begin this challenge by downloading the linked PDF file. curl -LO "https://artifacts.picoctf.net/c/324/Flag.pdf"

When I tried to open the linked Flag.pdf, I faced an error:

When I clicked on hint it said:

It is possible for this file to not be a PDF, let us now check it using the “file” command in our Linux terminal. file command is used to determine file type.

file Flag.pdf

Running this command revealed that this is not a PDF file, but it's a “shell archive text”. Let us now try to rename it to .sh extension, give it executable permission and then try to execute it. mv Flag.pdf Flag.sh chmod +x Flag.sh ./Flag.sh

It threw an error uudecode: command not found After doing a quick internet search I found Arch Linux's manual for uudecode and under package information found the package name: “extra/sharutils”

Let us now install it: sudo pacman -S sharutils

Now after I re-executed the Flag.sh did ls, I found a new file named flag in my directory.

After again running file command on our new flag, it is revealed that it is current ar archive.

To extract it I then used binwalk: binwalk -e

Which then created a folder named _flag.extracted which then contained a file named 64 which turned out to be gzip compressed data

Again, we can use binwalk to extract this file. Upon doing so, we got a folder _64.extracted which contained two files flag and flag.gz, both compressed data, one lzip and the other one gzip.

I tried extracting the flag lzip file using binwalk -e flag, but it didn't work. So I tried extracting it using lzip command, and the output file flag.out turned out to be LZ4 compressed data lzip -k -d flag

Then I extracted the lz4 data and then ran file command on the output file2.out, and it turned out to be LZMA compressed data lz4 -d flag.out flag2.out

Then the to extract the lzma file I executed lzma -d -k flag2.out But it gave me an error: lzma: flag2.out: No such file or directory So I renamed the flag2.out to flag2.lzma and ran the command again: lzma -d -k flag2.lzma Which successfully executed and created a new file named flag2 which then turned out to be lzop compressed data upon running file command.

To extract the lzop file, I then installed the lzop package using sudo pacman -S lzop. After changing the name of the file flag2 to flag2.lzop I ran: lzop -d -k flag2.lzop -o flag3 Which then created the file named flag3 which turned out to be lzip compressed data and then again, to extract it I ran: lzip -k -d flag3 Which created flag3.out, XZ compressed data

Then after renaming flag3.out to flag4.xz, I extracted flag4.xz using the xz command, which created flag4 which turned out to be an ASCII text. mv flag3.out flag4.xz xz -d -k flag4.xz

After running cat on flag4 which is an ASCII file, I got: 7069636f4354467b66316c656e406d335f6d406e3170756c407431306e5f 6630725f3062326375723137795f37396230316332367d0a

So to decode it from hex I went over to CyberChef which gave me the flag:

picoCTF{f1len@m3_m@n1pul@t10n_f0r_0b2cur17y_79b01c26}

Challenge 3 – Lookey here

Let's begin this challenge by downloading the linked anthem.flag.txt file.

This time it is what it says, a text file.

After viewing it in using less I realised it's a very long text file, so I ran wc to count the lines: wc -l anthem.flag.txt Output: 2146 anthem.flag.txt

So I ran grep to search through it if it contains our flag or not. grep pico anthem.flag.txt

And we've found the flag: picoCTF{gr3p_15_@w3s0m3_58f5c024}

~ spignelon | Ujjawal Saini

Termbin - Netcat-based command line pastebin.

Fri, 30 Sep 2022 08:01:45 +0000

Today we will learn how we can share the output of a command from our terminal using nothing but netcat.

What is pastebin?

A pastebin or text storage site is a type of online content-hosting service where users can store plain text (e.g. source code snippets for code review via Internet Relay Chat (IRC)) Source: Wikipedia

How to use termbin?

Using termbin is really simple. As you head over to https://termbin.com/ you will see:

Usage

echo just testing! | nc termbin.com 9999 cat ~/some_file.txt | nc termbin.com 9999 ls -la | nc termbin.com 9999

So the format is: command | nc termbin.com 9999

When “command” executes, “|” will redirect its output to “termbin.com” on port “9999” via “nc” (netcat).

Installing netcat

Most linux distributions come with netcat preinstalled, for in case you're using Termux or a linux distribution which doesn't come with netcat preinstalled then you can install it using yourm package manager. On Debian/Ubuntu: sudo apt-get install netcat On Fedora sudo dnf install nc On Arch Linux: sudo pacman -S gnu-netcat

Demonstration

Let's try to create a termbin of manpage of netcat. man nc | nc termbin.com 9999 Output: https://termbin.com/sln3

Alias

For more ease, you can also create an alias of the command and simply pipe the output to it. echo 'alias tb="nc termbin.com 9999"' >> .bashrc Then to use it, simply type: command | tb

Now you can share the above URL with anyone you like, post it on a forum asking for help with an error, or sharing your code with your colleagues.

~ spignelon | Ujjawal Saini

Uploading files from terminal on file hosting service, and unlimited cloud storage

Fri, 30 Sep 2022 08:00:41 +0000

In this post I will show you how you can upload files anonymously directly from your terminal, and can have unlimited cloud storage all for free.

BayFiles is a website and file hosting service created by two of the founders of The Pirate Bay. BayFiles works by letting users upload files to its servers and share them online. Users are provided with a link to access their files, which can be shared with anyone on the internet so that they can download the files associated with the particular link. A unique aspect of this file hosting service is that it does not provide a search function for its users or any sort of file directory that could be used to navigate its online file base. BayFiles can be used and accessed by people without requiring them to sign up for it. Source: Wikipedia Another similar popular service is anonfiles.

Searching for the API

As you can see when you open the anonfiles.com, there is an option of API at the bottom of the page. https://anonfiles.com/docs/api

Understanding the API

The request example under upload in the aforementioned link is: curl -F "file=@test.txt" https://api.anonfiles.com/upload So as we can see in the above command they're using curl. curl is a tool for transferring data from or to a server. We also need to replace test.txt with the name of the file we want to upload.

Installing curl

You can use package manager on the distro of your choice to install curl. For Ubuntu/Debian based distros: sudo apt-get install curl For Arch Linux: sudo pacman -S curl

Many linux distros comes with curl preinstalled. To check the version of curl installed on your system type: curl -V

Uploading files

For demonstration I am going to upload a file named “26bugc.jpg” You would also need to change the current directory to the directory where the file you want to upload is stored. The file I am uploading is stored in my home directory.

Replacing the test.txt with the file name: curl -F "file=@26bugc.jpg" https://api.anonfiles.com/upload Output: {"status":true,"data":{"file":{"url":{"full":"https://anonfiles.com/f7LaKftby3/26bugc_jpg","short":"https://anonfiles.com/f7LaKftby3"},"metadata":{"id":"f7LaKftby3","name":"26bugc.jpg","size":{"bytes":97116,"readable":"97.12 KB"}}}}}

The full and short URL above are the link to our uploaded file. Full: https://anonfiles.com/f7LaKftby3/26bugc_jpg Short: https://anonfiles.com/f7LaKftby3

Frequently Asked Questions:

How long will my files be online? For as long as possible unless the file violates our Terms of Use.

What are the limit of uploads? You are free to upload as long as you don't exceed the following restrictions: Max 20 GB per file Max 500 files or 50 GB per hour. Max 5,000 files or 100 GB per day.

Any restrictions on downloads? No. We do not enforce any form of bandwidth limitations on downloads.

Similar / Alternatives

I have curated similar websites, which works exactly like the one we saw above:

anonfiles: curl -F "file=@test.txt" https://api.anonfiles.com/upload
BayFiles: curl -F "file=@test.txt" https://api.bayfiles.com/upload
openload: curl -F "file=@test.txt" https://api.openload.cc/upload
Lolabits: curl -F "file=@test.txt" https://api.lolabits.se/upload
vShare: curl -F "file=@test.txt" https://api.vshare.is/upload
hotfile: curl -F "file=@test.txt" https://api.hotfile.io/upload
Rapidshare: curl -F "file=@test.txt" https://api.rapidshare.nu/upload
Upvid: curl -F "file=@test.txt" https://api.upvid.cc/upload
Letsupload: curl -F "file=@test.txt" https://api.letsupload.cc/upload
Megaupload: curl -F "file=@test.txt" https://api.megaupload.nz/upload
MYfile: curl -F "file=@test.txt" https://api.myfile.is/upload
filechan: curl -F "file=@test.txt" https://api.filechan.org/upload

Each of these privacy oriented file hosting service is absolutely free, has no time limit, provides unlimited bandwidth, 20GB filesize limit, and unlimited file storage. You can also upload files on these websites directly from your browser of use your terminal like we've learnt above. Although these files are not listed anywhere and cannot be accessed by anyone on the internet without the link, if you want to upload some private and personal files consider encrypting them before uploading so only you can access them.

~ spignelon | Ujjawal Saini

Auto-updating hosts file using cronjob

Fri, 30 Sep 2022 08:00:15 +0000

In this post I will show you how you can easily set your hosts file in “/etc/hosts” to automatically update with the help of cron.

What is cron?

cron is the time-based job scheduler in Unix-like computer operating systems. cron enables users to schedule jobs (commands or shell scripts) to run periodically at certain times, dates or intervals. It is commonly used to automate system maintenance or administration.

Installing Cron on Your System

You can use package manager on the distro of your choice to install cron. For Ubuntu/Debian based distros: sudo apt install cron For Arch Linux: sudo pacman -S cronie For Fedora: sudo dnf install cronie

Enabling cron daemon to run on boot

sudo systemctl enable cronie For Ubuntu/Debian based: sudo systemctl enable cron

Crontab format

The basic format for a crontab is: minute hour day_of_month month day_of_week command

minute values can be from 0 to 59.
hour values can be from 0 to 23.
day_of_month values can be from 1 to 31.
month values can be from 1 to 12.
day_of_week values can be from 0 to 6, with 0 denoting Sunday.

Now if we want to run a command every Monday at 5:00pm we use: 0 17 * * 1 command ( 17 is 5pm in 24 hour clock format ). You can use cron.help for more help to understand the syntax.

Setting up your cronjob using crontab

We will use sudo for this since it requires root privilege to edit “/etc/hosts” file. sudo crontab -e I personally use StevenBlack's hosts file to block advertisements and malicious domains so I would use: 0 17 * * 1 curl https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts > /etc/hosts The above command will fetch the updated hosts file every Monday at 5:00pm using curl from the above URL and overwrite the current “/etc/hosts” file. After adding the above command, save and exit crontab editor.

~ spignelon | Ujjawal Saini