picoCTF 2018 Write-up [Forensics]

Preface

This is a continuation of the previous post.
This time I'll write up the Forensics challenges.

satto.hatenadiary.com

Forensics

Forensics Warmup 1 - Points: 50

Can you unzip this file for me and retrieve the flag?


Approach: read it

Open the jpg: picoCTF{welcome_to_forensics}

Forensics Warmup 2 - Points: 50

Hmm for some reason I can't open this PNG? Any ideas?

Approach: check the file type

> file flag.png
flag.png: JPEG image data, JFIF standard 1.01, resolution (DPI), density 75x75, segment length 16, baseline, precision 8, 909x190, frames 3
> mv flag.png flag.jpg

picoCTF{extensions_are_a_lie}

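The `file` command works by looking at the first bytes of the content rather than the name. As an added example (not part of the original write-up), here is a small Python checker that does the same comparison for a few formats and reports when the extension and the content disagree; the signature table and the sample bytes are constructed for the demo, not taken from the challenge file.

```python
from typing import Optional

# Leading byte signatures ("magic") for a few common formats; file(1) keeps a
# far larger database, this is enough to demonstrate the idea.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "zip": (b"PK\x03\x04",),
    "pdf": (b"%PDF-",),
}
# Extensions that legitimately describe the same format.
ALIASES = {"jpeg": "jpg"}

def sniff(data: bytes) -> Optional[str]:
    """Identify the format from the first bytes; None if no signature matches."""
    for fmt, sigs in MAGIC.items():
        if any(data.startswith(sig) for sig in sigs):
            return fmt
    return None

def claimed_format(name: str) -> str:
    """Format the file name claims to be, normalised (flag.JPEG -> jpg)."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ALIASES.get(ext, ext)

def check_file(name: str, data: bytes) -> dict:
    """Compare the extension with the content; 'mismatch' is the finding."""
    actual = sniff(data)
    claimed = claimed_format(name)
    return {
        "name": name,
        "claimed": claimed,
        "actual": actual,
        "mismatch": actual is not None and claimed != actual,
    }

# Constructed sample: the first bytes of a JFIF JPEG (density 75x75, as in the
# file output above) stored under the name flag.png; no real image data follows.
FLAG_PNG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00\x4b\x00\x4b\x00\x00"
# Constructed sample: the start of a genuine PNG.
REAL_PNG = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"

if __name__ == "__main__":
    for name, blob in (("flag.png", FLAG_PNG), ("logo.png", REAL_PNG)):
        r = check_file(name, blob)
        print(f"{r['name']}: claims {r['claimed']!r}, content is {r['actual']!r}"
              + (" <- MISMATCH" if r["mismatch"] else ""))
```

The same check is worth running on uploads before trusting their extension: a server that decides how to handle a file from its name alone can be fed a JPEG named `.png` (harmless here) or something less benign.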

Reading Between the Eyes - Points: 150

Stego-Saurus hid a message for you in this image, can you retrieve it?


Approach: use a steganography tool

There are many ways to solve this one.

picoCTF{r34d1ng_b37w33n_7h3_by73s}

Recovering From the Snap - Points: 150

There used to be a bunch of animals here, what did Dr. Xernon do to them?

Approach: foremost

> file animals.dd
animals.dd: DOS/MBR boot sector, code offset 0x3c+2, OEM-ID "mkfs.fat", sectors/cluster 4, root entries 512, sectors 20480 (volumes <=32 MB), Media descriptor 0xf8, sectors/FAT 20, sectors/track 32, heads 64, serial number 0x9b664dde, unlabeled, FAT (16 bit)
> foremost animals.dd
Processing: animals.dd
|*|


picoCTF{th3_5n4p_happ3n3d}
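foremost recovers the deleted pictures by header/footer carving: it scans the raw image for known start-of-file signatures and copies everything up to the matching end-of-file marker, ignoring the (now empty) FAT directory entries. As an added example, not foremost's own code, the Python below does the same for JPEG on a constructed 8 KiB disk image; the two "pictures" are real SOI/EOI markers around dummy content.

```python
import os

SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker (followed by an APPn marker byte)
EOI = b"\xff\xd9"       # JPEG end-of-image marker

def carve_jpegs(image: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Return (offset, data) for every JPEG found between a SOI and the next EOI.

    Header/footer carving ignores the file system entirely, which is why it
    still works after the directory entries have been deleted.
    """
    found = []
    pos = 0
    while True:
        start = image.find(SOI, pos)
        if start < 0:
            break
        end = image.find(EOI, start + len(SOI))
        if end < 0:
            break
        end += len(EOI)
        if end - start <= max_size:
            found.append((start, image[start:end]))
        pos = end  # resume after this file
    return found

def save_carved(found, outdir: str) -> list:
    """Write each carved file as <offset>.jpg, mirroring foremost's output/jpg/ layout."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for offset, data in found:
        path = os.path.join(outdir, f"{offset:08d}.jpg")
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths

def fake_jpeg(payload: bytes) -> bytes:
    """Constructed stand-in for a JPEG: genuine markers around dummy content."""
    return SOI + b"\xe0\x00\x10JFIF\x00" + payload + EOI

# Constructed 8 KiB "disk image": two deleted pictures still sitting in
# unallocated clusters at cluster-aligned offsets, the rest zero-filled.
_disk = bytearray(8192)
_cat, _dog = fake_jpeg(b"cat" * 40), fake_jpeg(b"dog" * 100)
_disk[512:512 + len(_cat)] = _cat
_disk[4096:4096 + len(_dog)] = _dog
DISK_IMAGE = bytes(_disk)

if __name__ == "__main__":
    for offset, data in carve_jpegs(DISK_IMAGE):
        print(f"JPEG at offset {offset}, {len(data)} bytes")
```

One caveat a real carver has to deal with: a JPEG with an EXIF thumbnail contains a second SOI/EOI pair inside the first, so the naive "stop at the next EOI" rule above would truncate such a file at the thumbnail; foremost's JPEG handler accounts for this, which is one reason to prefer it over a hand-rolled scan on real evidence.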

admin panel - Points: 150

We captured some traffic logging into the admin panel, can you find the password?

Approach: inspect the captured traffic

The file is handed out in pcap format, so normally you would use Wireshark or tshark, but this time the traffic is not encrypted, so simply grepping the output of strings is enough.

> strings data.pcap | grep picoCTF
user=admin&password=picoCTF{n0ts3cur3_13597b43}

picoCTF{n0ts3cur3_13597b43}

hex editor - Points: 150

This cat has a secret to teach you. You can also find the file in /problems/hex-editor_2_c1a99aee8d919f6e42697662d798f0ff on the shell server.


Approach: print the readable strings in the binary file

> strings hex_editor.jpg | grep pico
Your flag is: "picoCTF{and_thats_how_u_edit_hex_kittos_22C1d865}"

picoCTF{and_thats_how_u_edit_hex_kittos_22C1d865}

Truly an Artist - Points: 200

Can you help us find the flag in this Meta-Material? You can also find the file in /problems/truly-an-artist_2_61a3ed7216130ab1c2b2872eeda81348.

Approach: check the file's metadata

Checking the metadata with exiftool reveals the flag.
Just strings and grep would also work.

> exiftool 2018.png 
ExifTool Version Number         : 11.10
File Name                       : 2018.png
Directory                       : .
File Size                       : 13 kB
File Modification Date/Time     : 2018:09:28 17:26:37+09:00
File Access Date/Time           : 2018:10:15 17:44:40+09:00
File Inode Change Date/Time     : 2018:10:15 17:42:36+09:00
File Permissions                : rwxrwx---
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Image Width                     : 1200
Image Height                    : 630
Bit Depth                       : 8
Color Type                      : RGB
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Noninterlaced
Artist                          : picoCTF{look_in_image_7e31505f}
Image Size                      : 1200x630
Megapixels                      : 0.756

picoCTF{look_in_image_7e31505f}
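The `Artist` line exiftool prints comes from a PNG `tEXt` chunk with the keyword `Artist`. As an added example (not exiftool's code and not from the original post), the Python below builds a minimal 1x1 PNG carrying such a chunk and then parses the chunk list back, verifying each chunk's CRC and collecting `tEXt`/`zTXt` metadata; the sample PNG is constructed here, only the flag string is taken from the output above.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _chunk(ctype: bytes, body: bytes) -> bytes:
    """length (4 bytes BE) + type + body + CRC32 over type and body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_png_with_text(keyword: bytes, text: bytes, compressed: bool = False) -> bytes:
    """Constructed 1x1 RGB PNG carrying one tEXt (or zTXt) metadata chunk."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, RGB, no interlace
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00")        # filter byte 0 + one black pixel
    if compressed:
        # zTXt: keyword, NUL, compression method (0 = deflate), deflated text
        meta = _chunk(b"zTXt", keyword + b"\x00" + b"\x00" + zlib.compress(text))
    else:
        meta = _chunk(b"tEXt", keyword + b"\x00" + text)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + meta + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

def iter_chunks(data: bytes):
    """Yield (type, body) for each chunk, verifying the signature and every CRC."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk at offset {pos}")
        yield ctype, body
        pos += 12 + length
        if ctype == b"IEND":
            break

def text_metadata(data: bytes) -> dict:
    """Collect keyword -> text from tEXt and zTXt chunks (what exiftool shows as Artist etc.)."""
    meta = {}
    for ctype, body in iter_chunks(data):
        if ctype == b"tEXt":
            key, _, value = body.partition(b"\x00")
            meta[key.decode("latin-1")] = value.decode("latin-1")
        elif ctype == b"zTXt":
            key, _, rest = body.partition(b"\x00")
            # rest[0] is the compression method; 0 (deflate) is the only one defined
            meta[key.decode("latin-1")] = zlib.decompress(rest[1:]).decode("latin-1")
    return meta

SAMPLE_PNG = build_png_with_text(b"Artist", b"picoCTF{look_in_image_7e31505f}")

if __name__ == "__main__":
    for key, value in text_metadata(SAMPLE_PNG).items():
        print(f"{key:<10}: {value}")
```

Because the text lives in its own chunk and is not compressed, `strings | grep` finds it too, which is why the shortcut mentioned above works; a `zTXt` chunk would hide it from `strings` but not from a chunk parser.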

now you don't - Points: 200

We heard that there is something hidden in this picture. Can you find it?

Approach: image processing

Adjusting the contrast of the downloaded png makes the flag visible.

picoCTF{n0w_y0u_533_m3}

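What a contrast adjustment does here is stretch a narrow band of nearly identical pixel values across the full 0..255 range, so a one-step difference becomes black versus white. As an added example (not part of the original post, and not using any image library), the Python below applies a linear level stretch to a constructed 5x5 grid in which a letter is drawn one step brighter than the background, and renders the before/after as ASCII so the effect is visible without an image viewer.

```python
def stretch_contrast(pixels):
    """Linearly map the darkest..brightest value of a grayscale grid onto 0..255."""
    flat = [v for row in pixels for v in row]
    lo, hi = min(flat), max(flat)
    if hi == lo:                       # flat image: nothing to stretch
        return [[0 for _ in row] for row in pixels]
    return [[round((v - lo) * 255 / (hi - lo)) for v in row] for row in pixels]

def stretch_rgb(pixels):
    """The same stretch applied to each channel of an (r, g, b) grid independently,
    so a difference hidden in a single channel is still pulled out."""
    channels = [stretch_contrast([[px[ch] for px in row] for row in pixels]) for ch in range(3)]
    return [[tuple(channels[ch][y][x] for ch in range(3)) for x in range(len(row))]
            for y, row in enumerate(pixels)]

def render(pixels, threshold=128):
    """ASCII view: '#' for bright pixels, '.' for dark ones."""
    return "\n".join("".join("#" if v >= threshold else "." for v in row) for row in pixels)

# Constructed sample: near-black background (40) with a "T" drawn one step brighter (41).
HIDDEN = [
    "#####",
    "..#..",
    "..#..",
    "..#..",
    "..#..",
]
IMAGE = [[40 + (c == "#") for c in row] for row in HIDDEN]
# Constructed RGB variant: the difference lives only in the red channel.
RGB_IMAGE = [[(v, 40, 40) for v in row] for row in IMAGE]

if __name__ == "__main__":
    print("as downloaded:")
    print(render(IMAGE))
    print("after contrast stretch:")
    print(render(stretch_contrast(IMAGE)))
```

On a real PNG the same loop runs over the decoded pixel array (for example from Pillow's `Image.getdata()`); stretching each channel separately, as `stretch_rgb` does, is the safer default because the hidden text may sit in only one of them.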

Lying Out - Points: 250

Some odd traffic has been detected on the network, can you identify it? More info here. Connect with nc 2018shell1.picoctf.com 50875 to help us answer some questions.


You've been given a dataset of 4800 internet traffic logs for your
organization's website. This dataset covers the number of unique IP addresses
sending requests to the site in 15-minute "buckets", across a 24-hour day.
The attached plot will help you see the daily pattern of traffic. You should
see 3 spikes of traffic: one in the morning, one at midday, and one in the
evening.

Your organization needs your help to figure out whether some recent activity
indicates unusual behavior. It looks like some logs have higher-than-usual
traffic in their time bucket: many more unique IP addresses are trying to
access the site than usual. This might be evidence that someone is trying to
do something shady on your site.

Approach: answer the questions while looking at traffic.png

> nc 2018shell1.picoctf.com 50875
You'll need to consult the file `traffic.png` to answer the following questions.


Which of these logs have significantly higher traffic than is usual for their time of day? You can see usual traffic on the attached plot. There may be multiple logs with higher than usual traffic, so answer all of them! Give your answer as a list of `log_ID` values separated by spaces. For example, if you want to answer that logs 2 and 7 are the ones with higher than usual traffic, type 2 7.
    log_ID      time  num_IPs
0        0  01:30:00     9726
1        1  02:45:00    11578
2        2  02:45:00     9846
3        3  02:45:00     9971
4        4  03:15:00    10155
5        5  04:15:00    11583
6        6  06:15:00    11589
7        7  09:30:00     9874
8        8  11:00:00    11016
9        9  12:00:00    14125
10      10  12:00:00    13715
11      11  13:00:00    12936
12      12  20:45:00     9925
13      13  20:45:00    10282
1 5 6 11
Correct!


Great job. You've earned the flag: picoCTF{w4y_0ut_ff5bd19c}

picoCTF{w4y_0ut_ff5bd19c}
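Reading the answer off the plot is really a per-time-bucket baseline comparison: a count is only suspicious relative to what is usual at that time of day, which is why 14125 at 12:00 (the midday spike) is normal while 11578 at 02:45 is not. As an added example (not the challenge's data or code), the Python below makes that rule explicit: a constructed baseline with three daily spikes stands in for traffic.png, a constructed seven-day history supplies a mean and standard deviation per bucket, and a log is flagged when its count is more than k standard deviations above that mean. The log lines are constructed in the challenge's layout; their IDs and values are not the ones above.

```python
from statistics import mean, pstdev

HISTORY_DAYS = 7

def usual_traffic(minute_of_day: int) -> float:
    """Constructed stand-in for the plot: a floor of 2000 unique IPs plus three
    triangular spikes (morning, midday, evening)."""
    level = 2000.0
    for centre, height, half_width in ((8 * 60, 6000, 60), (12 * 60, 9000, 45), (19 * 60, 7000, 60)):
        distance = abs(minute_of_day - centre)
        if distance < half_width:
            level += height * (1 - distance / half_width)
    return level

def history(minute_of_day: int) -> list:
    """Constructed past readings for one bucket: deterministic offsets within 3%
    of the usual level, giving a standard deviation of 2% of that level."""
    return [usual_traffic(minute_of_day) * (1 + 0.03 * ((k * 3) % 7 - 3) / 3)
            for k in range(HISTORY_DAYS)]

def minute_of(time_str: str) -> int:
    """'02:45:00' -> 165."""
    hours, minutes, _ = time_str.split(":")
    return int(hours) * 60 + int(minutes)

def flag_anomalies(logs, k: float = 3.0) -> list:
    """Return the log_IDs whose num_IPs is more than k standard deviations above
    the mean of that bucket's history (one-sided: only unusually high traffic)."""
    flagged = []
    for log_id, time_str, num_ips in logs:
        samples = history(minute_of(time_str))
        mu, sigma = mean(samples), pstdev(samples)
        if sigma > 0 and (num_ips - mu) / sigma > k:
            flagged.append(log_id)
    return flagged

# Constructed log lines in the challenge's (log_ID, time, num_IPs) layout.
LOGS = [
    (0, "01:30:00", 2050),   # quiet hour, within noise
    (1, "02:45:00", 2700),   # quiet hour, +35%: anomalous
    (2, "12:00:00", 11100),  # midday spike, normal for that bucket
    (3, "12:00:00", 14000),  # midday spike, still far above the usual peak
    (4, "20:45:00", 2010),   # after the evening spike, within noise
]

if __name__ == "__main__":
    # prints the answer in the format the challenge asks for: IDs separated by spaces
    print(" ".join(str(i) for i in flag_anomalies(LOGS)))
```

With a real baseline the history per bucket would come from the stored daily series rather than a formula; the threshold `k` is the knob that trades false positives against missed spikes, and a one-sided test is deliberate since only unusually high counts matter here.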

What's My Name? - Points: 250

Say my name, say my name.

Approach: "say my name" means DNS

A myname.pcap of about 6.5 MB is handed out. Searching for the relevant packet by hand looked like a lot of work, so following the hint in the problem statement I looked at the DNS-related packets.
picoCTF{w4lt3r_wh1t3_ddfad6f8f4255adc73e862e3cebeee9d}
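Both pcap challenges on this page (the admin panel credentials in a plaintext HTTP POST, and the DNS traffic here) come down to pulling application payloads out of a capture and looking at one protocol. As an added example, not part of the original write-up and not the challenge captures, the Python below builds a small constructed pcap (one HTTP POST and two DNS queries; the query names are placeholders) and then parses it back with only the standard library: the classic libpcap record format, Ethernet/IPv4/TCP/UDP framing, URL-encoded form fields from HTTP request bodies, and question names from DNS queries. It is what `strings | grep` does implicitly, made explicit so it also works when the field of interest is not a contiguous printable string.

```python
import struct
from urllib.parse import unquote_plus

def _ipv4(payload: bytes, proto: int) -> bytes:
    # version/IHL, TOS, total length, id, flags/frag, TTL, proto, checksum (left 0), src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + payload

def _tcp(payload: bytes, sport: int, dport: int) -> bytes:
    # data offset 5 words, flags PSH|ACK; checksum left 0 (not validated by the parser)
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload

def _udp(payload: bytes, sport: int, dport: int) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _frame(ip_packet: bytes) -> bytes:
    """Ethernet II frame with constructed MACs and ethertype 0x0800 (IPv4)."""
    return b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + ip_packet

def _dns_query(name: str) -> bytes:
    """Standard query (flags 0x0100) for one A record."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

def build_pcap(frames) -> bytes:
    """Classic libpcap file: 24-byte global header, 16-byte record headers, linktype 1 = Ethernet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_538_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

# Constructed capture: a plaintext login POST plus two DNS queries (placeholder names).
_POST = (b"POST /login.php HTTP/1.1\r\nHost: admin.example.com\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 47\r\n\r\n"
         b"user=admin&password=picoCTF{n0ts3cur3_13597b43}")
CAPTURE = build_pcap([
    _frame(_ipv4(_tcp(_POST, 40000, 80), 6)),
    _frame(_ipv4(_udp(_dns_query("example.com"), 53000, 53), 17)),
    _frame(_ipv4(_udp(_dns_query("mail.example.net"), 53001, 53), 17)),
])

def iter_pcap(data: bytes):
    """Yield (linktype, frame) per record, honouring the byte order the magic declares."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        order = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        order = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is a different format)")
    linktype = struct.unpack(order + "I", data[20:24])[0]
    pos = 24
    while pos + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(order + "IIII", data[pos:pos + 16])
        yield linktype, data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len

def l4_payloads(data: bytes):
    """Yield (proto, sport, dport, payload) for each IPv4 TCP/UDP segment in the capture."""
    for linktype, frame in iter_pcap(data):
        if linktype != 1 or len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue
        ip = frame[14:]
        ihl, proto = (ip[0] & 0x0F) * 4, ip[9]
        total_len = struct.unpack("!H", ip[2:4])[0]
        l4 = ip[ihl:total_len]
        if proto == 6 and len(l4) >= 20:
            sport, dport = struct.unpack("!HH", l4[:4])
            yield "tcp", sport, dport, l4[(l4[12] >> 4) * 4:]
        elif proto == 17 and len(l4) >= 8:
            sport, dport = struct.unpack("!HH", l4[:4])
            yield "udp", sport, dport, l4[8:]

def dns_question_name(msg: bytes) -> str:
    """Read the label sequence of the first question (starts right after the 12-byte header)."""
    labels, pos = [], 12
    while pos < len(msg) and msg[pos] != 0 and msg[pos] & 0xC0 == 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return ".".join(labels)

def dns_query_names(data: bytes) -> list:
    names = []
    for proto, _, dport, payload in l4_payloads(data):
        if proto == "udp" and dport == 53 and len(payload) > 12:
            flags, qdcount = struct.unpack("!HH", payload[2:6])
            if qdcount and not flags & 0x8000:   # QR bit clear: a query, not a response
                names.append(dns_question_name(payload))
    return names

def http_form_fields(data: bytes) -> dict:
    """Form fields from plaintext HTTP request bodies (the admin-panel credentials)."""
    fields = {}
    for proto, _, dport, payload in l4_payloads(data):
        if proto == "tcp" and dport == 80 and b"\r\n\r\n" in payload:
            body = payload.split(b"\r\n\r\n", 1)[1]
            for pair in body.split(b"&"):
                key, _, value = pair.partition(b"=")
                if key:
                    fields[unquote_plus(key.decode("latin-1"))] = unquote_plus(value.decode("latin-1"))
    return fields
```

For a 6.5 MB capture like myname.pcap the DNS pass is the cheap filter: `dns_query_names` touches only UDP/53 packets, which is what the Wireshark display filter `dns` does. Two simplifications to keep in mind on real captures: this parser does not reassemble TCP streams (a POST body split across segments would be missed) and does not follow DNS name compression pointers, which appear in answers rather than in the question section handled here.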

Summary