2021-04-27
HackTheBoxCTF writeup: Forensic challenges (the ones I tried)
More about the HackTheBox & CryptoHack Cyber Apocalypse 2021 I participated in

Oldest trick in the book
The download for this challenge was a .pcap file. I know pcap files! So I dug into this one. A teammate told me there was a suspicious amount of ICMP traffic in the pcap file. I started looking at that data and noticed something:

    0000  b7 ae 04 00 00 00 00 00 50 4b 03 04 14 00 00 00   ........PK......
    0010  00 00 72 9e 8d 52 65 9b 50 4b 03 04 14 00 00 00   ..r..Re.PK......
    0020  00 00 72 9e 8d 52 65 9b 50 4b 03 04 14 00 00 00   ..r..Re.PK......
    Data: b7ae040000000000504b0304140000000000729e8d52659b…
    [Length: 48]

That looks a lot like a ZIP file header, with some repetition. Carving the data from bytes 0x09 to 0x28 of the ICMP data and making one file from it gave an invalid file. But carving the data from bytes 0x09 to 0x18 (16 bytes per ICMP packet with 48 bytes of data, not very efficient) gave a valid ZIP file. A bit of crude awk got the data out of the file:

    $ cat awkscript
    #!/bin/sh
    tshark -V -r older_trick.pcap 'icmp.type==8'| egrep '^00[01]' | \
    awk ' {
        if ($1 == "0000"){
            print $10 " " $11 " " $12 " " $13 " " $14 " " $15 " " $16 " " $17
        }
        if ($1 == "0010"){
            print $2 " " $3 " " $4 " " $5 " " $6 " " $7 " " $8 " " $9
        }
    } '

This gave a hexdump, which xxd turns back into the file:

    $ xxd -r -p hexdump testfile.zip
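How the carving step works end to end, as an added example that is not part of the writeup: the script below builds a small pcap of its own (constructed sample frames, not the challenge capture), parses the libpcap records and the Ethernet/IPv4/ICMP headers itself, keeps only echo requests, and takes payload bytes 8 to 23 from each, the same offsets the awk script pulls out. Because it also counts how many ping payloads contain a ZIP signature at all, it doubles as a first detection check for files leaving a network inside ICMP. The flag value, addresses and filler bytes are made up; only the 48-byte payload layout is taken from the hex dump above.

```python
"""Carve a file smuggled out in 16-byte slices inside ICMP echo requests.

Added example, not the challenge's pcap: a tiny ZIP archive is cut into 16-byte
slices, each placed at offset 8 of a 48-byte echo payload and repeated to fill
it, which is the layout the writeup's hex dump shows. The parser then walks the
pcap, keeps echo requests only, takes payload[8:24] and reassembles the archive.
"""
import io
import struct
import zipfile

SLICE_OFFSET, SLICE_LEN = 8, 16          # skip 8 bytes, take 16: the writeup's offsets
ZIP_SIGNATURES = (b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06")


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (IP and ICMP headers)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo_request(seq: int, payload: bytes) -> bytes:
    """Ethernet + IPv4 + ICMP echo request carrying the payload (constructed addresses)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), seq, 0, 64, 1, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + ip + icmp


def build_pcap(frames) -> bytes:
    """Classic little-endian libpcap file, link type 1 (Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1618300000 + i, 0, len(frame), len(frame)) + frame
    return out


def make_sample_zip() -> bytes:
    """Constructed archive, padded via the ZIP comment to a whole number of slices."""
    def build(comment: bytes) -> bytes:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
            info = zipfile.ZipInfo("fini/flag.txt", date_time=(2021, 4, 13, 19, 51, 0))
            zf.writestr(info, "CHTB{constructed_sample_flag}")   # made-up flag
            zf.comment = comment
        return buf.getvalue()
    return build(b"#" * (-len(build(b"")) % SLICE_LEN))


def slice_into_payloads(blob: bytes, payload_len: int = 48) -> list:
    """8 filler bytes (copied from the dump above), then the slice repeated to 48 bytes."""
    filler = b"\xb7\xae\x04\x00\x00\x00\x00\x00"
    body_len = payload_len - SLICE_OFFSET
    return [filler + (blob[i:i + SLICE_LEN] * payload_len)[:body_len]
            for i in range(0, len(blob), SLICE_LEN)]


def echo_request_payloads(pcap: bytes):
    """Yield the bytes after the 8-byte ICMP header of every IPv4 echo request."""
    magic, = struct.unpack("<I", pcap[:4])
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[magic]   # KeyError: not a classic pcap
    pos = 24
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[pos:pos + 16])[2]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 1:
            continue                                   # not IPv4, or not ICMP
        icmp = frame[14 + (frame[14] & 0x0F) * 4:]     # honour the IHL field
        if len(icmp) >= 8 and icmp[0] == 8:            # type 8 = echo request
            yield icmp[8:]


def carve(pcap: bytes) -> bytes:
    """Reassemble the hidden file from payload[8:24] of each echo request."""
    return b"".join(p[SLICE_OFFSET:SLICE_OFFSET + SLICE_LEN] for p in echo_request_payloads(pcap))


def echo_requests_with_zip_magic(pcap: bytes) -> int:
    """Detection angle: how many ping payloads carry a ZIP signature at all."""
    return sum(any(sig in p for sig in ZIP_SIGNATURES) for p in echo_request_payloads(pcap))


def recover_names(pcap: bytes) -> list:
    """Carve, insist on the ZIP local-header magic, and list the archive's members."""
    data = carve(pcap)
    if not data.startswith(ZIP_SIGNATURES[0]):
        raise ValueError("carved data does not start with a ZIP local file header")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


SAMPLE_PCAP = build_pcap(build_echo_request(i, p)
                         for i, p in enumerate(slice_into_payloads(make_sample_zip())))

if __name__ == "__main__":
    print(echo_requests_with_zip_magic(SAMPLE_PCAP), "echo requests carry ZIP magic")
    print(recover_names(SAMPLE_PCAP))
```

On a real capture the same parser applies after reading the file into memory; the two constants at the top are the only things tied to this particular layout, and the ZIP-signature count is a cheap way to confirm the hunch before carving anything.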
The next challenge was the contents:

    $ unzip -l testfile.zip
    Archive:  testfile.zip
      Length      Date    Time    Name
    ---------  ---------- -----   ----
           24  2021-04-13 19:51   fini/addons.json
         2663  2021-04-13 20:24   fini/addonStartup.json.lz4
          216  2021-04-13 20:26   fini/broadcast-listeners.json
       229376  2021-04-13 01:02   fini/cert9.db
          197  2021-04-13 01:00   fini/compatibility.ini
          939  2021-04-13 01:01   fini/containers.json
       229376  2021-04-13 20:33   fini/content-prefs.sqlite
       524288  2021-04-13 20:33   fini/cookies.sqlite
        32768  2021-04-13 20:24   fini/cookies.sqlite-shm
       524704  2021-04-13 20:34   fini/cookies.sqlite-wal
         1027  2021-04-13 01:13   fini/extension-preferences.json
        36584  2021-04-13 19:51   fini/extensions.json
      5242880  2021-04-13 01:01   fini/favicons.sqlite
        32768  2021-04-13 20:24   fini/favicons.sqlite-shm
      1311712  2021-04-13 20:34   fini/favicons.sqlite-wal
       262144  2021-04-13 20:33   fini/formhistory.sqlite
          683  2021-04-13 01:01   fini/handlers.json
       294912  2021-04-13 19:54   fini/key4.db
          669  2021-04-13 19:54   fini/logins.json
        98304  2021-04-13 20:34   fini/permissions.sqlite
          504  2021-04-13 01:01   fini/pkcs11.txt
      5242880  2021-04-13 20:33   fini/places.sqlite
        32768  2021-04-13 20:24   fini/places.sqlite-shm
      2328264  2021-04-13 20:33   fini/places.sqlite-wal
        11743  2021-04-13 20:25   fini/prefs.js
        65536  2021-04-13 20:33   fini/protections.sqlite
          180  2021-04-13 20:24   fini/search.json.mozlz4
           90  2021-04-13 20:24   fini/sessionCheckpoints.json
           18  2021-04-13 01:01   fini/shield-preference-experiments.json
         1108  2021-04-13 20:34   fini/SiteSecurityServiceState.txt
         4096  2021-04-13 01:01   fini/storage.sqlite
           50  2021-04-13 01:01   fini/times.json
        32768  2021-04-13 01:01   fini/webappsstore.sqlite
        32768  2021-04-13 20:24   fini/webappsstore.sqlite-shm
       163992  2021-04-13 19:55   fini/webappsstore.sqlite-wal
          140  2021-04-13 01:11   fini/xulstore.json
    ---------                     -------
     16743139                     36 files

The file names (prefs.js, places.sqlite, key4.db, logins.json) are those of a Firefox profile directory, and saved logins live in logins.json, encrypted with a key kept in key4.db. I searched this data for the flag but could not find it. This is where teamwork did its magic: another team member took the zip file and started working on it.
He found a saved password which was indeed the flag.

Low Energy Crypto
The zip file for this challenge contained low_energy_crypto.pcapng, a capture of Bluetooth Low Energy traffic. It carried serial port traffic with a public key in PEM format followed by some binary data. Yet another case of teamwork: I shared the public key with the team and another member managed to get the matching private key. After that it was some more searching how much of the binary data was to be fed to the decrypt command. In this case 64 bytes.

    $ openssl rsautl -inkey low_energy_privkey.pem -decrypt -in low_energy_crypto_test.bin ; echo
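Why 64 bytes, as an added example that is not from the writeup: an RSA ciphertext block is always exactly as long as the modulus in octets, so the block size follows from the key rather than from trial and error, and a 64-byte block means a 512-bit modulus. The Python below generates a throwaway 512-bit textbook RSA key (Miller-Rabin primes from a seeded generator, far too small for real use), pads with PKCS#1 v1.5 type 2 as openssl rsautl uses by default, and decrypts a constructed two-block blob 64 bytes at a time. The key, messages and blob are all constructed here; nothing is taken from the challenge files.

```python
"""Why the decrypt step consumed exactly 64 bytes at a time.

Added example, not from the writeup: a toy 512-bit textbook RSA key, PKCS#1 v1.5
type 2 padding (the default of openssl rsautl), and block-wise decryption of a
constructed blob. The key size is deliberately tiny and is not safe for real use.
"""
import random

RNG = random.Random(2021)  # fixed seed so the sample key and blob are reproducible


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test drawing witnesses from the fixed RNG."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(RNG.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int) -> int:
    """Odd candidate with the top bit set, retried until it passes Miller-Rabin."""
    while True:
        cand = RNG.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def toy_keypair(bits: int = 512):
    """(n, e, d) for a textbook RSA key whose modulus has exactly `bits` bits."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e:
            return n, e, pow(e, -1, phi)


def key_octet_length(n: int) -> int:
    """k = ceil(bits(n) / 8): the length of every ciphertext block for this key."""
    return (n.bit_length() + 7) // 8


def pkcs1_v15_pad(msg: bytes, k: int) -> bytes:
    """EME-PKCS1-v1_5: 00 02 <at least 8 non-zero random bytes> 00 <message>."""
    if len(msg) > k - 11:
        raise ValueError("message too long for this key")
    ps = bytes(RNG.randrange(1, 256) for _ in range(k - len(msg) - 3))
    return b"\x00\x02" + ps + b"\x00" + msg


def pkcs1_v15_unpad(block: bytes) -> bytes:
    """Reverse of pkcs1_v15_pad; rejects blocks that do not have the expected shape."""
    if block[:2] != b"\x00\x02" or b"\x00" not in block[2:]:
        raise ValueError("bad PKCS#1 v1.5 padding")
    sep = block.index(b"\x00", 2)
    if sep - 2 < 8:
        raise ValueError("padding string too short")
    return block[sep + 1:]


def encrypt(msg: bytes, n: int, e: int) -> bytes:
    """One ciphertext block of exactly key_octet_length(n) bytes."""
    k = key_octet_length(n)
    return pow(int.from_bytes(pkcs1_v15_pad(msg, k), "big"), e, n).to_bytes(k, "big")


def decrypt_blocks(blob: bytes, n: int, d: int) -> list:
    """Consume the blob k bytes at a time, as the writeup fed 64 bytes to openssl."""
    k = key_octet_length(n)
    if len(blob) % k:
        raise ValueError("blob length %d is not a multiple of the key size %d" % (len(blob), k))
    out = []
    for i in range(0, len(blob), k):
        c = int.from_bytes(blob[i:i + k], "big")
        out.append(pkcs1_v15_unpad(pow(c, d, n).to_bytes(k, "big")))
    return out


N, E, D = toy_keypair(512)
# Constructed blob: two plaintexts, each becomes one 64-byte block (made-up flag text).
SAMPLE_BLOB = b"".join(encrypt(m, N, E) for m in (b"CHTB{constructed_", b"sample_flag}"))

if __name__ == "__main__":
    print("block size:", key_octet_length(N), "bytes")
    print(decrypt_blocks(SAMPLE_BLOB, N, D))
```

With a real PEM key the same rule holds: read the modulus size from the key (openssl rsa -noout -modulus, or -text) and slice the captured data into blocks of that many bytes; a blob whose length is not a multiple of the block size has been truncated or contains something other than ciphertext.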