
Showing posts with the label Forensics

RingZeroCTF - Forensics - I made a dd of Agent Smith usb key

Objective: Get the flag.

Solution: I loaded the DD file into Autopsy to look at deleted files. I started a generic case and added the DD, then chose Analyze to let Autopsy do the dirty work. Next I checked the deleted files and found the flag in the first orphaned file.

RingZeroCTF - Forensics - Dr Pouce

Objective: Find in which city Dr. Pouce is kept! Then find who is the evil man? Answer format: cityfirstnamelastname

Solution: This is a zip file that contains two files. We are just going to use metadata to find the answer to these two questions.

The first question: in which city is Dr. Pouce being kept? We will use the JPG file to see if there is any geolocation data in the JPG. Cool, there is some geo data, so let's open it up in OpenStreetMap to see where it is: downtown Halifax.

https://www.openstreetmap.org/?mlat=44.646231&mlon=-63.573287&zoom=15#map=15/44.6462/-63.5733

Next I poked around to see if there was info in the JPG about who took the picture, but there wasn't, so I opened the PDF and looked at the document properties. There it was: Author: Steve Finger.

So HalifaxSteveFinger is the flag.

RingZero CTF - Forensics – Public Key Recovery

Objective: Get the public key given the private key.

RingZero CTF - Forensics - I Love cat

Objective: I love cat! Do you?

User: cat
Password: cat
ssh challenges.ringzer0team.com port 10252

Solution: Let's start up and SSH to challenges.ringzer0team.com on port 10252.

Login as: cat
Pass: cat

Let's start by seeing what is in our directory:

    cat@lxc-forensics-252:~$ ls
    commands  flag.txt

Is it as easy as just catting the flag.txt file?

    cat@lxc-forensics-252:~$ cat flag.txt
    **************************** WHERE IS THE FLAG ? ****************************

Nope. Let's see what else is in the directory:

    cat@lxc-forensics-252:~$ ls -al
    total 20
    drwxr-xr-x 3 root root 4096 Jul 17 18:36 .
    drwxr-xr-x 3 root root 4096 Jul 17 18:23 ..
    -rw-r--r-- 1 root root  221 Jul 17 18:30 .bash_profile
    drwxr-xr-x 2 cat  cat  4096 Jul 17 18:25 commands
    -rw-r--r-- 1 root root  116 Jul 17 18:36 flag.txt

There is a directory named commands:

    cat@lxc-forensics-252:~$ cd commands/
    -rbas

PicoCTF2018 - Forensics - What's My Name?

Objective: Say my name, say my name [1].

Hints: (1) If you visited a website at an IP address, how does it know the name of the domain?

Solution: The hint points us to DNS, since that is the service that translates names to IP addresses, so I just filtered the pcap for DNS. There are only two DNS packets in the capture. The first is a query to DNS to find out the IP for thisismyname.com:

    55 1418.342859 192.168.2.12 192.168.2.1 DNS 316 Standard query response 0xaaa0 ANY thisismyname.com A 192.168.2.13 CNAME myname.com MX 5 myname.com MX 10 mx2.myname.com MX 20 mx3.myname.com NS ns1.myname.com NS ns2.myname.com TXT SOA ns1.thisismyname.com

The second is the server's response. Here is the result of following the UDP

    ... .........thisismyname.com.......)............... .....thisismyname.com..............,..... .........,. .myname...........,.....>.........,... .mx2.>.........,.....mx3.>........Q....n

PicoCTF2018 - Forensics - now you don't

Objective: We heard that there is something hidden in this picture [1]. Can you find it?

Hints: (1) There is an old saying: if you want to hide the treasure, put it in plain sight. Then no one will see it. (2) Is it really all one shade of red?

Solution: I used IrfanView to get through this one. As the hint suggests, even though it looks like it's just one solid color, there is another color present. Load up IrfanView and you see just red. If you go to Image and Replace Color, you can choose to replace a specific color with another. I chose to replace it with black.

Original image:

Modified image:

picoCTF{n0w_y0u_533_m3}

PicoCTF2018 - Forensics - Truly an Artist

Objective: Can you help us find the flag in this Meta-Material [1]? You can also find the file in /problems/truly-an-artist_0_4f3e3848bbbfc5cfcfa404bd18b8ac96.

Solution: I found the password in the EXIF data using exiftool:

    @kali:~/Downloads$ exiftool 2018.png
    ExifTool Version Number         : 11.65
    File Name                       : 2018.png
    Directory                       : .
    File Size                       : 13 kB
    File Modification Date/Time     : 2019:09:24 11:22:57-07:00
    File Access Date/Time           : 2019:09:24 11:23:36-07:00
    File Inode Change Date/Time     : 2019:09:24 11:22:59-07:00
    File Permissions                : rw-r--r--
    File Type                       : PNG
    File Type Extension             : png
    MIME Type                       : image/png
    Image Width                     : 1200
    Image Height                    : 630
    Bit Depth                       : 8
    Color Type                      : RGB
    Compression

PicoCTF2018 - Forensics - hex editor

Objective: This cat [1] has a secret to teach you. You can also find the file in /problems/hex-editor_3_086632ac634f394afd301fb6a8dbadc6 on the shell server.

Solution: From the objective it looks like our flag will be in the hex of the picture. I downloaded the picture and opened it with hexeditor:

    @kali:/home$ hexeditor /home/***********/Downloads/hex_editor.jpg

Since we know what the flag starts with, I used W to search for pico, choosing to search for a text string:

    File: /home/*****************/Dow   ASCII Offset: 0x00000000 / 0x00012975 ()
    00000000  FF D8 FF E0  00 10 4A 46   49 46 00 01  01 00 00 01   ......JFIF......
    00000010  00 01 00 00  FF DB 00 43   00 05 03 04  04 04 03 05   .......C........
    00000020  04 04 04 05  05 05 06 07   0C 08 07 07  07 07 0F 0B   ................
    00000030  0B 09 0C 11  0F 12 12 11   0F 11 11 13  16 1C 17 13   ................
    00000040  14 1A 15 11  11 18 21 18   1A 1D 1D 1F  1F 1F 13 17   ......!...

PicoCTF2018 - Forensics - admin panel

Objective: We captured some traffic [1] logging into the admin panel, can you find the password?

Solution: I downloaded the file and opened it with Wireshark. Towards the bottom of the capture I saw where the admin panel is being displayed. I found the next POST up in the log and found the password:

    POST /login HTTP/1.1
    Host: 192.168.3.128
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://192.168.3.128/
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 53
    Connection: keep-alive
    Upgrade-Insecure-Requests: 1

    user=admin&password=picoCTF{n0ts3cur3_9feedfbc}

PicoCTF2018 - Forensics - Recovering from the Snap

Objective: There used to be a bunch of animals [1] here, what did Dr. Xernon do to them?

Hints: (1) Some files have been deleted from the disk image, but are they really gone?

Solution: I used foremost to recover the files from the DD image. Let's mount the DD to see what is inside that is visible to my OS:

    @kali:/$ sudo mkdir /mnt/disk_image
    @kali:/$ sudo mount -o loop -t auto /home/circusmonkey404/Downloads/animals.dd /mnt/disk_image

Let's see what's in there:

    kali:/mnt/disk_image$ ls
    dachshund.jpg  frog.jpg  music.jpg  rabbit.jpg

4 files named after animals. Let's throw Foremost at it and see what it finds:

    kali:/mnt/disk_image$ ls
    dachshund.jpg  frog.jpg  music.jpg  rabbit.jpg

Let's check and see what foremost found:

    @kali:~/Downloads$ ls
    animals.dd  husky.png  incidents.json  output_Tue_Sep_24_10_45_31_2019  passwd
    @kali:~/Downloads$ cd output_Tue_Sep_24_10_45_31_2019/
    @kali:~/Downloads/

PicoCTF2018 - Forensics - Desrouleaux

Objective: Our network administrator is having some trouble handling the tickets for all of our incidents. Can you help him out by answering all the questions? Connect with nc 2018shell.picoctf.com 63299. incidents.json [1]

Solution:

You'll need to consult the file `incidents.json` to answer the following questions.

What is the most common source IP address? If there is more than one IP address that is the most common, you may give any of the most common ones.
186.120.220.162
Correct!

I just looked at my list to see which source IP was used most.

How many unique destination IP addresses were targeted by the source IP address 186.120.220.162?
3
Correct!

I just counted the number of unique destinations for that IP.

What is the number of unique destination ips a file is sent, on average? Needs to be correct to 2 decimal places.
1.11
Correct!

I looked at my output and 8 were unique and only 1 went t

PicoCTF2018 Forensics Forensics Warmup 2

Objective: Hmm for some reason I can't open this PNG [1]? Any ideas?

Solution: I downloaded the file; its name is flag.png. Trying to open it in the GUI gives an error. Let's run file against it and see what kind of file it might be:

    @kali:~/Downloads$ file flag.png
    flag.png: JPEG image data, JFIF standard 1.01, resolution (DPI), density 75x75, segment length 16, baseline, precision 8, 909x190, components 3

OK, let's change the extension to jpg:

    @kali:~/Downloads$ cp flag.png flag.jpg

Now we can open it in the GUI:

picoCTF{extensions_are_a_lie}

PicoCTF2018 Forensics Forensics Warmup

Objective: Can you unzip this file [1] for me and retrieve the flag?

Solution: This one is just a zip file. Unzip it and you get a JPG of the flag:

picoctf{welcome_to_forensics}