PicoCTF2018 - Forensics - Recovering from the Snap

Objective:

There used to be a bunch of animals[1] here, what did Dr. Xernon do to them?


Hints:
(1) Some files have been deleted from the disk image, but are they really gone?


Solution:

I used foremost to recover the files from the DD image.

Let's mount the DD image first to see which files are visible to my OS through the filesystem

@kali:/$ sudo mkdir /mnt/disk_image
@kali:/$ sudo mount -o loop -t auto /home/circusmonkey404/Downloads/animals.dd /mnt/disk_image

Let's see what's in there

kali:/mnt/disk_image$ ls
dachshund.jpg  frog.jpg  music.jpg  rabbit.jpg

4 files named after animals

Let's throw Foremost at it and see what it finds. Foremost carves files by their headers and footers straight out of the raw image, so it does not care whether the filesystem still has a directory entry for them. The invocation, as recorded in audit.txt below, was:

kali:~/Downloads$ foremost -T animals.dd

Let's check and see what foremost found

@kali:~/Downloads$ ls
animals.dd  husky.png  incidents.json  output_Tue_Sep_24_10_45_31_2019  passwd


@kali:~/Downloads$ cd output_Tue_Sep_24_10_45_31_2019/
@kali:~/Downloads/output_Tue_Sep_24_10_45_31_2019$ ls

Let's check audit.txt; here is the output from cat

@kali:~/Downloads/output_Tue_Sep_24_10_45_31_2019$ cat audit.txt
Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File

Foremost started at Tue Sep 24 10:45:31 2019
Invocation: foremost -T animals.dd
Output directory: /home/*********/Downloads/output_Tue_Sep_24_10_45_31_2019
Configuration file: /etc/foremost.conf
------------------------------------------------------------------
File: animals.dd
Start: Tue Sep 24 10:45:31 2019
Length: 10 MB (10485760 bytes)

Num     Name (bs=512)           Size     File Offset     Comment

0:    00000077.jpg          617 KB           39424    
1:    00001313.jpg          481 KB          672256    
2:    00002277.jpg          380 KB         1165824    
3:    00003041.jpg          248 KB         1556992    
4:    00003541.jpg          314 KB         1812992    
5:    00004173.jpg          458 KB         2136576    
6:    00005093.jpg          383 KB         2607616    
7:    00005861.jpg           39 KB         3000832    
Finish: Tue Sep 24 10:45:31 2019

8 FILES EXTRACTED
   
jpg:= 8
------------------------------------------------------------------

Foremost finished at Tue Sep 24 10:45:31 2019


8 files extracted, that's more than the 4 we saw originally: the extra four are the deleted files whose data blocks were never overwritten. Note that the carved file names are the starting sector of each file (bs=512), e.g. 39424 / 512 = 77 gives 00000077.jpg.
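To show why carving finds files the filesystem no longer lists, here is a minimal JPEG carver in the spirit of foremost's header/footer scan. This is an added example, not code from the challenge or from foremost; it builds a constructed 512-byte-sector image with three JPEG-like blobs (one of them "deleted", i.e. referenced by nothing) and carves all three by signature alone, naming them by start sector the way foremost's audit table does.

```python
"""Minimal signature-based JPEG carver (added example, not foremost's code)."""
from typing import List, Tuple

SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker plus first segment marker byte
EOI = b"\xff\xd9"       # JPEG end-of-image marker
SECTOR = 512            # foremost names carved files by start sector (bs=512)


def carve_jpegs(image: bytes, max_size: int = 20 * 1024 * 1024) -> List[Tuple[int, int]]:
    """Return (offset, length) for every SOI..EOI span in the raw bytes.

    Filesystem metadata is ignored entirely, so a file whose directory entry
    was deleted is still found as long as its data blocks were not reused.
    Scanning resumes after each carved file; an EOI belonging to an embedded
    thumbnail can therefore truncate a file early, a known carving limitation.
    """
    found = []
    pos = 0
    while True:
        start = image.find(SOI, pos)
        if start == -1:
            break
        end = image.find(EOI, start + len(SOI), start + max_size)
        if end == -1:
            pos = start + 1          # header with no footer in range: skip it
            continue
        length = end + len(EOI) - start
        found.append((start, length))
        pos = start + length
    return found


def foremost_name(offset: int, ext: str = "jpg") -> str:
    """Reproduce foremost's naming: zero-padded start sector, e.g. 00000077.jpg."""
    return f"{offset // SECTOR:08d}.{ext}"


def fake_jpeg(payload: bytes) -> bytes:
    """Constructed stand-in for a JPEG: markers around an arbitrary payload."""
    return SOI + b"\xe0" + payload + EOI


def build_image() -> bytes:
    """Constructed 8-sector image: three blobs, the middle one 'deleted'."""
    img = bytearray(8 * SECTOR)
    for sector, payload in ((1, b"frog"), (3, b"husky-deleted"), (5, b"rabbit")):
        blob = fake_jpeg(payload)
        img[sector * SECTOR:sector * SECTOR + len(blob)] = blob
    return bytes(img)


if __name__ == "__main__":
    for off, size in carve_jpegs(build_image()):
        print(f"{foremost_name(off)}  offset={off}  size={size}")
```

Running it lists 00000001.jpg, 00000003.jpg and 00000005.jpg, including the blob no filesystem entry points to, which is exactly how foremost turned the 4 visible animals into 8 carved JPEGs.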

Let's check out the JPGs found in the jpg folder by opening them in the GUI.

Here is the picture with the flag, 00005861.jpg:

picoCTF{th3_5n4p_happ3n3d}