HackTheBoxCTF writeup: Forensic challenges (the ones I tried) / 2021-04-27

More about the HackTheBox & CryptoHack Cyber Apocalypse 2021 I participated in

Oldest trick in the book

The download for this challenge was a .pcap file. I know pcap files! So I dug into this one. A teammate told me there was a suspicious amount of ICMP traffic in the pcap file. I started looking at that data and noticed something:
0000  b7 ae 04 00 00 00 00 00 50 4b 03 04 14 00 00 00   ........PK......
0010  00 00 72 9e 8d 52 65 9b 50 4b 03 04 14 00 00 00   ..r..Re.PK......
0020  00 00 72 9e 8d 52 65 9b 50 4b 03 04 14 00 00 00   ..r..Re.PK......
        Data: b7ae040000000000504b0304140000000000729e8d52659b…
        [Length: 48]
That looks a lot like a ZIP file header. With some repetition? Carving the data from bytes 0x09 to 0x28 in the ICMP data and making one file from it gave an invalid file. But carving the data from bytes 0x09 to 0x18 (16 bytes per ICMP packet with 48 bytes of data, not very efficient) gave a valid ZIP file.

A bit of crude awk got the data out of the file:
$ cat awkscript
#!/bin/sh

# Dump the ICMP echo requests and keep only the first two hexdump lines of each packet;
# the 16 useful bytes are the last 8 bytes of line 0000 and the first 8 bytes of line 0010.
tshark -V -r older_trick.pcap 'icmp.type==8'| egrep '^00[01]' | \
awk ' {
        if ($1 == "0000"){
                print $10 " " $11 " " $12 " " $13 " " $14 " " $15 " " $16 " " $17
        }
        if ($1 == "0010"){
                print $2 " " $3 " " $4 " " $5 " " $6 " " $7 " " $8 " " $9
        }
}
'
This gave a hexdump. Recover the file with xxd -r -p hexdump testfile.zip.
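The same carve in Python, as an added example that is not part of the original writeup: it parses the pcap itself (no tshark), takes the 16-byte slot after the 8-byte stamp from every echo request, trims the zero padding that follows the ZIP end-of-central-directory record, and opens the result. The pcap and the zip inside it are constructed in the block (zeroed MACs and checksums) so it runs offline; carving 32 bytes per packet instead returns each chunk twice, which is why the wider carve gave an invalid file.

```python
import io
import struct
import zipfile

SLOT_OFFSET, SLOT_LEN = 8, 16     # the 16 useful bytes follow an 8-byte stamp in each ICMP payload
def carve_icmp(pcap: bytes, offset=SLOT_OFFSET, length=SLOT_LEN) -> bytes:
    """Walk a classic pcap (Ethernet/IPv4) and concatenate the slot bytes of every echo request."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    pos, out = 24, bytearray()                         # skip the 24-byte global header
    while pos + 16 <= len(pcap):
        caplen = struct.unpack(endian + "IIII", pcap[pos:pos + 16])[2]
        frame = pcap[pos + 16:pos + 16 + caplen]
        pos += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 1:
            continue                                   # not IPv4 carrying ICMP (protocol 1)
        icmp = frame[14 + (frame[14] & 0x0F) * 4:]     # past the Ethernet and IP (IHL) headers
        if icmp and icmp[0] == 8:                      # ICMP type 8 = echo request
            out += icmp[8 + offset:8 + offset + length]   # 8-byte ICMP header, then the data
    return bytes(out)

def trim_zip(blob: bytes) -> bytes:                    # drop padding after the EOCD record
    eocd = blob.rfind(b"PK\x05\x06")
    if eocd < 0:
        raise ValueError("no end-of-central-directory record: not a complete zip")
    comment_len = struct.unpack("<H", blob[eocd + 20:eocd + 22])[0]
    return blob[:eocd + 22 + comment_len]

def build_sample_pcap(payload: bytes) -> bytes:
    """Constructed pcap: each echo request carries stamp + chunk + chunk + chunk[:8]; MACs and checksums left zero."""
    frames = []
    for seq, i in enumerate(range(0, len(payload), SLOT_LEN)):
        chunk = payload[i:i + SLOT_LEN].ljust(SLOT_LEN, b"\x00")
        data = b"\xb7\xae\x04\x00\x00\x00\x00\x00" + chunk + chunk + chunk[:8]
        icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, seq) + data
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                         b"\x0a\x00\x00\x02", b"\x0a\x00\x00\x01") + icmp
        frame = b"\x00" * 12 + b"\x08\x00" + ip          # zeroed MACs, EtherType 0x0800
        frames.append(struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(frames)

def sample_zip() -> bytes:                             # constructed stand-in for the profile zip
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("fini/logins.json", "constructed sample, not the challenge data")
    return buf.getvalue()

def recover_member(pcap: bytes, name: str) -> bytes:   # carve, trim, open, read one member
    with zipfile.ZipFile(io.BytesIO(trim_zip(carve_icmp(pcap)))) as z:
        return z.read(name)
```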

The next challenge was the contents:
$ unzip -l testfile.zip 
Archive:  testfile.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
       24  2021-04-13 19:51   fini/addons.json
     2663  2021-04-13 20:24   fini/addonStartup.json.lz4
      216  2021-04-13 20:26   fini/broadcast-listeners.json
   229376  2021-04-13 01:02   fini/cert9.db
      197  2021-04-13 01:00   fini/compatibility.ini
      939  2021-04-13 01:01   fini/containers.json
   229376  2021-04-13 20:33   fini/content-prefs.sqlite
   524288  2021-04-13 20:33   fini/cookies.sqlite
    32768  2021-04-13 20:24   fini/cookies.sqlite-shm
   524704  2021-04-13 20:34   fini/cookies.sqlite-wal
     1027  2021-04-13 01:13   fini/extension-preferences.json
    36584  2021-04-13 19:51   fini/extensions.json
  5242880  2021-04-13 01:01   fini/favicons.sqlite
    32768  2021-04-13 20:24   fini/favicons.sqlite-shm
  1311712  2021-04-13 20:34   fini/favicons.sqlite-wal
   262144  2021-04-13 20:33   fini/formhistory.sqlite
      683  2021-04-13 01:01   fini/handlers.json
   294912  2021-04-13 19:54   fini/key4.db
      669  2021-04-13 19:54   fini/logins.json
    98304  2021-04-13 20:34   fini/permissions.sqlite
      504  2021-04-13 01:01   fini/pkcs11.txt
  5242880  2021-04-13 20:33   fini/places.sqlite
    32768  2021-04-13 20:24   fini/places.sqlite-shm
  2328264  2021-04-13 20:33   fini/places.sqlite-wal
    11743  2021-04-13 20:25   fini/prefs.js
    65536  2021-04-13 20:33   fini/protections.sqlite
      180  2021-04-13 20:24   fini/search.json.mozlz4
       90  2021-04-13 20:24   fini/sessionCheckpoints.json
       18  2021-04-13 01:01   fini/shield-preference-experiments.json
     1108  2021-04-13 20:34   fini/SiteSecurityServiceState.txt
     4096  2021-04-13 01:01   fini/storage.sqlite
       50  2021-04-13 01:01   fini/times.json
    32768  2021-04-13 01:01   fini/webappsstore.sqlite
    32768  2021-04-13 20:24   fini/webappsstore.sqlite-shm
   163992  2021-04-13 19:55   fini/webappsstore.sqlite-wal
      140  2021-04-13 01:11   fini/xulstore.json
---------                     -------
 16743139                     36 files
And I searched for what the flag was in this data but could not find it.

This is where teamwork did its magic: another team member took the zip file and started working on it. He found a saved password, which was indeed the flag (the archive is a Firefox profile; logins.json holds the saved logins and key4.db the key that encrypts them).

Low Energy Crypto

The zip file for this challenge contained low_energy_crypto.pcapng, a capture of Bluetooth Low Energy traffic. In it was serial port traffic carrying a public key in PEM format followed by binary data.

Yet another case of teamwork: I shared the public key with the team and another member managed to get the matching private key. After that it took some more searching to find out how much of the binary data had to be fed to the decrypt command: in this case 64 bytes.
$ openssl rsautl -inkey low_energy_privkey.pem -decrypt -in low_energy_crypto_test.bin ; echo
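How many bytes to feed rsautl follows from the key itself: an RSA ciphertext is exactly one modulus-sized block, so 64 bytes means a 512-bit modulus, and rsautl refuses input longer than that. Added example, not from the original post: a minimal DER walker that reads the modulus length from the captured PEM public key (SPKI or PKCS#1 form) and cuts the captured stream into blocks of that size. The PEM in the block is a constructed placeholder with the right structure, not the challenge key.

```python
import base64

def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value; lengths of 128 and up use the long form."""
    n = len(content)
    nb = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + content

def der_int(value: int) -> bytes:                       # INTEGER, leading 0x00 when the top bit is set
    return der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def der_walk(data: bytes):
    """Yield (tag, content) for every TLV, descending into constructed types and BIT STRINGs."""
    pos = 0
    while pos < len(data):
        tag, length, pos = data[pos], data[pos + 1], pos + 2
        if length & 0x80:                                # long form: low 7 bits = number of length bytes
            nb = length & 0x7F
            length, pos = int.from_bytes(data[pos:pos + nb], "big"), pos + nb
        content, pos = data[pos:pos + length], pos + length
        yield tag, content
        if tag & 0x20:                                   # SEQUENCE and other constructed types
            yield from der_walk(content)
        elif tag == 0x03:                                # BIT STRING: skip the unused-bits byte
            yield from der_walk(content[1:])

def pem_to_der(pem: str) -> bytes:
    body = "".join(line for line in pem.splitlines() if not line.startswith("-----"))
    return base64.b64decode(body)

def rsa_modulus_bytes(pem: str) -> int:
    """Modulus length in bytes = size of one ciphertext block; the modulus is the largest INTEGER."""
    return max(len(c.lstrip(b"\x00")) for t, c in der_walk(pem_to_der(pem)) if t == 0x02)

def ciphertext_blocks(stream: bytes, size: int) -> list:
    """Split a captured stream into whole modulus-sized blocks; a trailing partial block is not ciphertext."""
    return [stream[i:i + size] for i in range(0, len(stream) - len(stream) % size, size)]

def sample_public_key_pem() -> str:
    """Constructed SPKI PEM with a 512-bit placeholder modulus (real structure, not a real key)."""
    n = int.from_bytes(b"\xc3" * 64, "big")
    rsa_oid = bytes.fromhex("06092a864886f70d010101")   # OID 1.2.840.113549.1.1.1 rsaEncryption
    key = der_tlv(0x30, der_int(n) + der_int(65537))
    spki = der_tlv(0x30, der_tlv(0x30, rsa_oid + b"\x05\x00") + der_tlv(0x03, b"\x00" + key))
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PUBLIC KEY-----\n" + body + "\n-----END PUBLIC KEY-----\n"
```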

