[PICOCTF] Forensics Challenges Writeup (2024)

https://github.com/Tzion0/CTF/tree/master/PicoCTF/2022/Forensics

Worth noting: we managed to reach rank 468 out of 7794 teams in PicoCTF 2022.

This writeup covers 11 of the 13 Forensics category challenges in PicoCTF 2022 that I solved.

Description

Download this image file and find the flag.

This challenge provided an SVG image file.

To solve it, we just need to view the text inside the SVG image file:

strings drawing.flag.svg

Then concatenate the flag character by character from the <tspan> elements:

<tspan sodipodi:role="line" x="107.43014" y="132.08501" style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;" id="tspan3748">p </tspan>
<tspan sodipodi:role="line" x="107.43014" y="132.08942" style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;" id="tspan3754">i </tspan>
<tspan sodipodi:role="line" x="107.43014" y="132.09383" style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;" id="tspan3756">c </tspan>
<tspan sodipodi:role="line" x="107.43014" y="132.09824" style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;" id="tspan3758">o </tspan>
<tspan sodipodi:role="line" x="107.43014" y="132.10265" style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;" id="tspan3760">C </tspan>
<tspan sodipodi:role="line" x="107.43014" y="132.10706" style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;" id="tspan3762">T </tspan>
<tspan sodipodi:role="line" x="107.43014" y="132.11147" style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;" id="tspan3764">F { 3 n h 4 n </tspan>
<tspan sodipodi:role="line" x="107.43014" y="132.11588" style="font-size:0.00352781px;line-height:1.25;fill:#ffffff;stroke-width:0.26458332;" id="tspan3752">c 3 d _ a a b 7 2 9 d d }</tspan>
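Reading the flag out of a wall of <tspan> attributes by eye is error-prone, so here is an added example (my own script, not part of the original writeup) that parses the SVG as XML, flags every <tspan> styled to be invisible (sub-pixel font-size or white fill, as in the challenge file) and concatenates their text in document order, dropping the padding spaces. SAMPLE_SVG is a constructed stand-in for drawing.flag.svg with the same styling; the namespace URIs are the standard SVG and Inkscape/sodipodi ones.

```python
#!/usr/bin/env python3
"""Extract text hidden in invisibly styled SVG <tspan> elements.

Added example, not part of the original writeup. SAMPLE_SVG is constructed to
mirror the structure of drawing.flag.svg (tiny font, white fill) and is not the
real challenge file.
"""
import sys
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
TSPAN = f"{{{SVG_NS}}}tspan"

# Constructed sample: one visible run and three runs styled to be invisible.
SAMPLE_SVG = """<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd">
  <text style="font-size:12px;fill:#000000">
    <tspan sodipodi:role="line" style="font-size:12px;fill:#000000">Visible title</tspan>
    <tspan sodipodi:role="line" style="font-size:0.00352781px;fill:#ffffff">p </tspan>
    <tspan sodipodi:role="line" style="font-size:0.00352781px;fill:#ffffff">i c </tspan>
    <tspan sodipodi:role="line" style="font-size:0.00352781px;fill:#ffffff">o C T F { x y z }</tspan>
  </text>
</svg>
"""


def style_props(style):
    """Parse an inline style attribute ("a:b;c:d") into a dict."""
    return dict(kv.split(":", 1) for kv in style.split(";") if ":" in kv)


def looks_hidden(el):
    """Sub-pixel font size or white fill: text a viewer renders invisibly."""
    props = style_props(el.get("style", ""))
    size = props.get("font-size", "").strip()
    try:
        tiny = size.endswith("px") and float(size[:-2]) < 1.0
    except ValueError:
        tiny = False
    white = props.get("fill", "").strip().lower() in ("#fff", "#ffffff", "white")
    return tiny or white


def tspans(svg_source):
    """All <tspan> elements in document order."""
    return list(ET.fromstring(svg_source).iter(TSPAN))


def hidden_text(svg_source):
    """Concatenate the text of hidden <tspan>s, dropping the padding whitespace."""
    parts = [el.text or "" for el in tspans(svg_source) if looks_hidden(el)]
    return "".join("".join(p.split()) for p in parts)


def visible_text(svg_source):
    """What a viewer actually shows, for comparison."""
    parts = [el.text or "" for el in tspans(svg_source) if not looks_hidden(el)]
    return " ".join(p.strip() for p in parts)


if __name__ == "__main__":
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SVG
    print("visible:", visible_text(src))
    print("hidden :", hidden_text(src))
```

Run it with the SVG path as the first argument; without an argument it uses the constructed sample. The hidden/visible split is a heuristic on the style attribute, so text hidden by other means (opacity, clip paths, off-canvas coordinates) would need extra checks.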

Flag:

picoCTF{3nh4nc3d_aab729dd}

Description

This file was found among some files marked confidential but my pdf reader cannot read it, maybe yours can.

This challenge provided a .pdf file that is actually a shell script (text).

The challenge file contains nested files, each wrapped in a different type of compression, so we just need to uncompress them one by one and eventually we get the flag:

# Execute shell script
chmod +x Flag.pdf
./Flag.pdf

# Extract nested file inside file flag
binwalk -e flag
cd _flag.extracted

# Uncompress gz
mv 64 64.gz
gunzip -d 64.gz

# Uncompress lz
mv 64 64.lz
lzip -d 64.lz

# Uncompress lz4
mv 64 64.lz4
lz4 -d 64.lz4

# Uncompress lzma
mv 64 64.lzma
lzma -d 64.lzma

# Uncompress lzop
mv 64 64.lzop
lzop -d 64.lzop

# Uncompress lzip
mv 64 64.lzip
lzip -d 64.lzip

# Uncompress xz
mv 64.lzip.out 64.xz
xz -d 64.xz

# Unhex to get flag
unhex < 64
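Renaming the file by hand at every layer works, but the layer type can be read from the first few bytes instead of guessed. The following is an added example (my own script, not from the writeup) that identifies each layer by its magic bytes, the same signatures `file` and binwalk use, decompresses it and feeds the result back in until no known signature remains, then hex-decodes the innermost payload. gzip, xz and legacy .lzma are handled with the standard library; lz4, lzop and lzip shell out to the command-line tools the writeup uses, assuming they are installed and accept `-d -c` (stdin to stdout), which is an assumption. build_sample() constructs a test blob from the stdlib formats only so the script runs offline.

```python
#!/usr/bin/env python3
"""Peel nested compression layers by magic bytes, not by extension guessing.

Added example, not part of the original writeup. External tool invocations in
EXTERNAL are assumptions about the lz4/lzop/lzip CLIs.
"""
import binascii
import gzip
import lzma
import subprocess
import sys

# (magic bytes, name), tested in order. Legacy .lzma has no real magic, only the
# default properties byte 0x5d followed by the dictionary size, so it goes last.
MAGIC = [
    (b"\x1f\x8b", "gzip"),
    (b"\xfd7zXZ\x00", "xz"),
    (b"\x04\x22\x4d\x18", "lz4"),
    (b"\x89LZO\x00\r\n\x1a\n", "lzop"),
    (b"LZIP", "lzip"),
    (b"\x5d\x00\x00", "lzma"),
]

EXTERNAL = {  # assumed CLI forms: decompress stdin to stdout
    "lz4": ["lz4", "-d", "-c"],
    "lzop": ["lzop", "-d", "-c"],
    "lzip": ["lzip", "-d", "-c"],
}


def detect(data):
    """Name of the compression layer at the start of data, or None."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return None


def decompress_once(data, kind):
    """Remove exactly one layer of the given kind."""
    if kind == "gzip":
        return gzip.decompress(data)
    if kind in ("xz", "lzma"):
        return lzma.decompress(data)  # FORMAT_AUTO handles .xz and legacy .lzma
    return subprocess.run(EXTERNAL[kind], input=data, capture_output=True, check=True).stdout


def peel(data, max_layers=32):
    """Return (layer names outermost first, innermost payload)."""
    layers = []
    while len(layers) < max_layers:
        kind = detect(data)
        if kind is None:
            break
        layers.append(kind)
        data = decompress_once(data, kind)
    return layers, data


def unhex_if_needed(data):
    """The innermost layer in the challenge was hex text; decode it when it is."""
    try:
        return binascii.unhexlify(data.strip())
    except (binascii.Error, ValueError):
        return data


def build_sample(flag):
    """Constructed stand-in: hex(flag) wrapped in legacy .lzma, then .xz, then gzip."""
    inner = lzma.compress(binascii.hexlify(flag), format=lzma.FORMAT_ALONE)
    return gzip.compress(lzma.compress(inner))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        blob = open(sys.argv[1], "rb").read()
    else:
        blob = build_sample(b"picoCTF{constructed_example}")
    layers, inner = peel(blob)
    print("layers :", " > ".join(layers) or "(none)")
    print("payload:", unhex_if_needed(inner))
```

Give it the extracted `64` file as the argument to unwrap the real thing; the layer order it prints is the record of what was nested where. The max_layers cap guards against a decompression bomb that keeps producing more compressed data.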

Flag:

picoCTF{f1len@m3_m@n1pul@t10n_f0r_0b2cur17y_3c79c5ba}

Description

Attackers have hidden information in a very large mass of data in the past, maybe they are still doing it.

This challenge provided a text file.

We just need to grep for the flag format to obtain the flag:

grep pico anthem.flag.txt

Flag:

picoCTF{gr3p_15_@w3s0m3_4c479940}

Description

Download the packet capture file and use packet analysis software to find the flag.

This challenge provided a pcap file.

Solution to get flag:

Open the pcap file with Wireshark -> right click any TCP packet -> Follow -> TCP Stream

Flag:

picoCTF{p4ck37_5h4rk_ceccaa7f}

Description

Download the disk image and use mmls on it to find the size of the Linux partition. Connect to the remote checker service to check your answer and get the flag.

This challenge provided a disk image file.

As stated in the description, we just need to use the mmls command:

Answer:

202752
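mmls is reading the four 16-byte entries of the DOS partition table at offset 0x1BE of sector 0, and it reports everything in 512-byte sectors, which is the unit the checker asks for and also the unit of the -o offset passed to fls and icat later in this writeup. As an added example (my own code, not the writeup's), here is a parser that does the same and prints an mmls-style table with the unallocated gaps. make_mbr() constructs a sector so the script runs without the challenge image; the layout is made up apart from giving the Linux partition the writeup's size of 202752 sectors.

```python
#!/usr/bin/env python3
"""Decode a DOS/MBR partition table the way mmls reports it (sizes in sectors).

Added example, not part of the original writeup. The sample layout built by
make_mbr() is constructed, not the challenge's disk image.
"""
import struct
import sys

SECTOR = 512
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, LBA length
TYPES = {0x05: "DOS Extended", 0x0B: "Win95 FAT32", 0x0C: "Win95 FAT32 (LBA)",
         0x82: "Linux Swap", 0x83: "Linux", 0x8E: "Linux LVM", 0xEE: "GPT Safety Partition"}


def make_mbr(entries):
    """entries: [(type, start_lba, length_sectors), ...], at most four. Constructed sector."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, length) in enumerate(entries[:4]):
        struct.pack_into(ENTRY_FMT, mbr, 0x1BE + 16 * i, 0x00, b"\xfe\xff\xff",
                         ptype, b"\xfe\xff\xff", start, length)
    mbr[510:512] = b"\x55\xaa"  # boot signature
    return bytes(mbr)


def parse_mbr(sector):
    """Populated partition entries as dicts, sorted by start sector."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature: not a DOS/MBR sector")
    parts = []
    for slot in range(4):
        _, _, ptype, _, start, length = struct.unpack_from(ENTRY_FMT, sector, 0x1BE + 16 * slot)
        if ptype == 0 or length == 0:
            continue  # empty slot
        parts.append({"slot": slot, "type": ptype,
                      "desc": "%s (0x%02X)" % (TYPES.get(ptype, "Unknown"), ptype),
                      "start": start, "end": start + length - 1, "length": length})
    return sorted(parts, key=lambda p: p["start"])


def with_gaps(parts, total_sectors=None):
    """Add Unallocated rows between entries, as mmls does (sector 0 is the table itself)."""
    rows, cursor = [], 1
    for p in parts:
        if p["start"] > cursor:
            rows.append({"slot": None, "desc": "Unallocated", "start": cursor,
                         "end": p["start"] - 1, "length": p["start"] - cursor})
        rows.append(p)
        cursor = p["end"] + 1
    if total_sectors and total_sectors > cursor:
        rows.append({"slot": None, "desc": "Unallocated", "start": cursor,
                     "end": total_sectors - 1, "length": total_sectors - cursor})
    return rows


def mmls_table(rows):
    """Render rows in the column layout mmls uses."""
    lines = ["Slot       Start        End          Length       Description"]
    for r in rows:
        slot = "-----" if r["slot"] is None else "%03d" % r["slot"]
        lines.append("%-10s %010d   %010d   %010d   %s"
                     % (slot, r["start"], r["end"], r["length"], r["desc"]))
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            sector = f.read(SECTOR)
    else:  # constructed layout: 1 MiB gap, Linux partition, small swap
        sector = make_mbr([(0x83, 2048, 202752), (0x82, 204800, 8192)])
    print(mmls_table(with_gaps(parse_mbr(sector))))
```

Multiply a length by 512 to get bytes; the checker in this challenge wants the sector count. The parser stops at the primary table: extended partitions (type 0x05) chain to further tables, and a 0xEE entry means the real layout is in a GPT, which mmls also handles but this example does not.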


Flag:

picoCTF{mm15_f7w!}

Description

Download this disk image and find the flag.

This challenge provided a disk image file.

We need to find the flag inside a partition of the disk image.

Step 1

[screenshot]

Step 2

[screenshot]

Step 3

[screenshot]

Flag:

picoCTF{by73_5urf3r_3497ae6b}

Description

Now you DON’T see me. This report has some critical data in it, some of which have been redacted correctly, while some were not. Can you find an important key that was not redacted properly?

This challenge provided a PDF file.

Opening the PDF file, we can see some sentences were redacted:

However, when we highlight all the text (Ctrl + A), the redacted fields become readable, and they show us the flag:


Flag:

picoCTF{C4n_Y0u_S33_m3_fully}

Description

Download this packet capture and find the flag.

This challenge provided a pcap file.

Opening the pcap file in Wireshark and following TCP Stream 0, we can see a conversation:

Hey, how do you decrypt this file again?
You're serious?
Yeah, I'm serious
*sigh* openssl des3 -d -salt -in file.des3 -out file.txt -k supersecretpassword123
Ok, great, thanks.
Let's use Discord next time, it's more secure.
C'mon, no one knows we use this program like this!
Whatever.
Hey.
Yeah?
Could you transfer the file to me again?
Oh great. Ok, over 9002?
Yeah, listening.
Sent it
Got it.
You're unbelievable

The key takeaway from the conversation is how to decrypt the file using openssl:

openssl des3 -d -salt -in file.des3 -out file.txt -k supersecretpassword123

By changing the TCP stream number to 2, we can see a stream starting with Salted__:

After that, change the "Show and save data as" field to Raw, then click Save as:

Next, apply the command we noted down before to decrypt the file we saved just now:

openssl des3 -d -salt -in file.des3 -out file.txt -k supersecretpassword123

If the decryption succeeds, file.txt will contain the flag.
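The Wireshark steps above (follow a stream, pick the direction, save as raw) can be reproduced in code, which helps when there are many streams to check. The following is an added example of mine, not code from the writeup: it walks the classic pcap format, groups TCP payload bytes per stream and per direction ordered by sequence number, and returns the direction whose data starts with the 8-byte "Salted__" magic that `openssl enc -salt` writes, followed by the 8-byte salt. The capture is constructed inline (addresses, ports and ciphertext bytes are made up), with the transfer deliberately captured out of order to show why reassembly sorts by sequence number.

```python
#!/usr/bin/env python3
"""Reassemble TCP stream payloads from a pcap and carve an OpenSSL Salted__ blob.

Added example, not part of the original writeup. build_sample_pcap() constructs
the capture; nothing here comes from the challenge's pcap.
"""
import ipaddress
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic pcap, microsecond timestamps, little-endian
LINKTYPE_ETHERNET = 1


def build_pcap(packets):
    """Constructed capture: packets = [(src_ip, sport, dst_ip, dport, seq, payload), ...]."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, (src, sport, dst, dport, seq, payload) in enumerate(packets):
        tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), i, 0, 64, 6, 0,
                         ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp  # Ethernet header, EtherType IPv4
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out


def tcp_segments(pcap):
    """Yield (src, sport, dst, dport, seq, payload) for every TCP segment carrying data."""
    magic, = struct.unpack_from("<I", pcap, 0)
    linktype, = struct.unpack_from("<I", pcap, 20)
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian classic pcap over Ethernet is handled here")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack_from("!H", ip, 2)[0]
        if ip[9] != 6:
            continue  # not TCP
        src = str(ipaddress.ip_address(ip[12:16]))
        dst = str(ipaddress.ip_address(ip[16:20]))
        tcp = ip[ihl:total_len]
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield src, sport, dst, dport, seq, payload


def follow_streams(pcap):
    """Streams in order of first appearance (like Wireshark's tcp.stream index).
    Each stream maps the sender (ip, port) to the bytes it sent, in sequence order."""
    streams = {}
    for src, sport, dst, dport, seq, payload in tcp_segments(pcap):
        key = tuple(sorted([(src, sport), (dst, dport)]))
        streams.setdefault(key, {}).setdefault((src, sport), []).append((seq, payload))
    return [{sender: b"".join(p for _, p in sorted(segs)) for sender, segs in dirs.items()}
            for dirs in streams.values()]


def find_salted(pcap):
    """(stream index, sender, blob) for the first direction starting with Salted__, else None."""
    for idx, dirs in enumerate(follow_streams(pcap)):
        for sender, data in dirs.items():
            if data.startswith(b"Salted__"):
                return idx, sender, data
    return None


def split_salted(blob):
    """OpenSSL enc layout: b"Salted__" + 8-byte salt + ciphertext."""
    if not blob.startswith(b"Salted__") or len(blob) < 16:
        raise ValueError("not an OpenSSL salted blob")
    return blob[8:16], blob[16:]


def build_sample_pcap():
    """Constructed: a two-line chat on one stream, then a file sent to port 9002 out of order."""
    chat = [("10.0.0.5", 4444, "10.0.0.9", 5555, 1, b"Hey, how do you decrypt this file again?\n"),
            ("10.0.0.9", 5555, "10.0.0.5", 4444, 1, b"You're serious?\n")]
    blob = b"Salted__" + b"\x11" * 8 + b"A" * 16 + b"B" * 8
    transfer = [("10.0.0.5", 50001, "10.0.0.9", 9002, 21, blob[20:]),  # second half first
                ("10.0.0.5", 50001, "10.0.0.9", 9002, 1, blob[:20])]
    return build_pcap(chat + transfer)


if __name__ == "__main__":
    hit = find_salted(build_sample_pcap())
    idx, sender, blob = hit
    salt, ct = split_salted(blob)
    print(f"stream {idx} from {sender}: salt={salt.hex()} ciphertext={len(ct)} bytes")
```

Writing the returned blob to file.des3 gives the same bytes as Wireshark's raw save of that direction, ready for the openssl command above. With -k, openssl derives the key and IV from the password and this salt (EVP_BytesToKey, whose digest depends on the OpenSSL version), which is why the Salted__ header must be kept intact rather than stripped.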

Flag:

picoCTF{nc_73115_411_5786acc3}

Description

Download this disk image, find the key and log into the remote machine. Remote machine:

ssh -i key_file -p 59367 ctf-player@saturn.picoctf.net

This challenge provided a disk image file.

The first step is to list the partitions inside the disk image:

mmls disk.img


We can see that the partition starting at sector 206848 is Linux (0x83). So let’s list the files in it. We are specifically looking for an SSH key, and since SSH key file names normally start with id, let’s grep for that:

fls -r -o 206848 disk.img | grep id

The bottom of the output shows id_ed25519 and id_ed25519.pub. We can try our luck by assuming this is the SSH key we are looking for:

Let’s view the content of it:

icat -o 206848 disk.img 2345


Let’s save the file, and remember to chmod 600 <file> before trying to log in to the remote machine:

ssh -i id_ed25519 -p 59367 ctf-player@saturn.picoctf.net


Flag:

picoCTF{k3y_5l3u7h_b5066e83}

Description

Download this disk image and find the flag.

This challenge provided a disk image file.

Again, the first step is to list the partitions inside the disk image:

mmls disk.flag.img


By listing the files inside these partitions, we find that the partition at 411648 contains the flag file:

fls -r -o 411648 disk.flag.img | grep flag


Viewing the content of flag.txt.enc, we can see it is apparently an OpenSSL-encrypted file:

icat -o 411648 disk.flag.img 1782


After saving the file as flag.txt.enc, we now need to find a way to decrypt it. Looking again at the list of files, I found a history file:

fls -r -o 411648 disk.flag.img | grep -v Orphan


Viewing the content of the history file tells us how the flag was encrypted:

icat -o 411648 disk.flag.img 1875


Now that we have the encryption type and the password, let’s decrypt it:

openssl aes256 -d -in flag.txt.enc -out flag.txt


Flag:

picoCTF{h4un71ng_p457_0a710765}

Description

There’s something fishy about this PIN-code checker, can you figure out the PIN and get the flag? Once you’ve figured out the PIN (and gotten the checker program to accept it), connect to the master server using nc saturn.picoctf.net 55824 and provide it the PIN to get your flag.

This challenge provided a PIN checker program.

This challenge is one of my favourites.

Running the PIN checker program, it prompts us for an 8-digit PIN code:

From the hint given by picoCTF, we know that the challenge is about “timing-based side-channel attacks”.

The theory is that when a character/number matches, the checker takes slightly longer to process it than when it does not match, so we can determine the correct character/number at each PIN position by looking for the longest processing time:

I made a script to automate this:

#!/usr/bin/env python3
# Timing-based Side Channel Attack
from pwn import *
import time
import collections

context.log_level = 'error'

pin = ["0", "0", "0", "0", "0", "0", "0", "0"]
duration = {}

# Brute-force one position at a time; the digit with the odd-one-out timing is kept.
for z in range(8):
    duration.clear()
    for x in range(48, 58):  # ASCII '0'..'9'
        pin[z] = chr(x)
        start_time = time.time()
        print("Pin:", "".join(pin))
        p = process("./pin_checker")  # the checker binary in the current directory
        p.sendlineafter("code:\n", "".join(pin).encode())
        p.recvline()
        p.recvline()
        p.recvline()
        # Timing is measured around the whole process run, rounded to 2 significant digits
        duration[chr(x)] = "{:.2g}".format(time.time() - start_time)
        # print(duration[chr(x)])
        p.close()
    """
    most_common()       : [('0.13', 8), ('0.12', 1), ('0.25', 1)]
    most_common()[-1]   : ('0.25', 1)
    most_common()[-1][0]: 0.25
    """
    # The least common timing value is assumed to belong to the matching digit
    uniq = collections.Counter(duration.values()).most_common()[-1][0]
    for key, value in duration.items():
        if uniq == value:
            pin[z] = key

print("Final pin:", "".join(pin))

By running the script, we get the final PIN:

48390513


Note: since this is timing-based and my script isn’t perfect, you may not get the correct PIN on the first try.
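The "not correct on the first try" problem comes from taking one noisy sample per digit and keeping the odd-one-out. The usual fix is to take several samples per candidate and compare medians, keeping the digit with the largest one. Here is an added example of mine (not the writeup's script) that does this against a constructed stand-in for pin_checker: SimulatedChecker compares digit by digit and stops at the first mismatch, so its cost grows with every leading digit that is right, plus jitter. The jitter pattern and the secret are fixed so the run is reproducible, which is an assumption of the example; a real run sees random noise and needs more trials than five.

```python
#!/usr/bin/env python3
"""Digit-by-digit PIN recovery from a timing side channel, robust via medians.

Added example, not part of the original writeup. SimulatedChecker is a
constructed model of the checker's early-exit comparison, not the challenge
binary; its jitter is a fixed cycle so the outcome is deterministic.
"""
import itertools
import statistics

DIGITS = "0123456789"


class SimulatedChecker:
    """Stand-in for pin_checker; check() returns (simulated seconds, accepted)."""

    def __init__(self, secret, base=0.13, per_digit=0.06,
                 jitter=(0.05, -0.05, 0.0, 0.02, -0.02)):
        self.secret = secret
        self.base = base
        self.per_digit = per_digit
        self.jitter = itertools.cycle(jitter)  # deterministic noise for the example
        self.calls = 0

    def check(self, guess):
        self.calls += 1
        cost = self.base
        for s, g in zip(self.secret, guess):
            if s != g:
                break  # early exit: the leak the attack relies on
            cost += self.per_digit
        return cost + next(self.jitter), guess == self.secret


def recover_pin(checker, length=8, trials=5):
    """For each position keep the digit whose median cost is largest."""
    pin = ["0"] * length
    for pos in range(length):
        medians = {}
        for d in DIGITS:
            pin[pos] = d
            samples = [checker.check("".join(pin))[0] for _ in range(trials)]
            medians[d] = statistics.median(samples)
        pin[pos] = max(medians, key=medians.get)
    return "".join(pin)


if __name__ == "__main__":
    secret = "48390513"  # the writeup's PIN, reused here as the constructed secret
    naive = SimulatedChecker(secret)
    robust = SimulatedChecker(secret)
    print("one sample per digit :", recover_pin(naive, trials=1), f"({naive.calls} runs)")
    print("median of five       :", recover_pin(robust, trials=5), f"({robust.calls} runs)")
```

With one trial the first position already goes wrong, because a wrong digit that lands on a +0.05 jitter beats the right digit on a -0.02 one; with five trials every median equals the noise-free cost and the recovery is exact. Against a real binary the same structure applies, but the per-sample noise is random, so trials should be raised until the medians separate clearly, and the total cost is length × 10 × trials process launches.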

Let’s provide it to the master server and get the flag!

Flag:

picoCTF{t1m1ng_4tt4ck_9803bd25}

Thank you so much for reading till here, have a great day ahead !

Article information

Author: Gregorio Kreiger