PicoCTF 2022 Forensics walkthrough – Part 2

Ujjawal SainiUjjawal Saini
6 min read

In this article, we will attempt to solve picoCTF 2022 Forensics challenges 4 to 9.

Challenges

Link to Part - 1

Let's get started!

Challenge 4 - Packets Primer

Challenge 4

The description says to download the linked packet capture file and analyse it. Let's start by opening up our terminal and download the file.

pcap download

curl -LO "https://artifacts.picoctf.net/c/200/network-dump.flag.pcap"

Let's now use Wireshark to open our downloaded packet capture. Wireshark is a free and open-source packet analyser. To open it, I simply typed wireshark followed by our file name.

Wireshark open

wireshark network-dump.flag.pcap

Wireshark opened

While I was scrolling through the packets, in packet No. 4 I found the flag

Wireshark Flag

Hexdump:

0000   08 00 27 93 ce 73 08 00 27 af 39 9f 08 00 45 00   ..'..s..'.9...E.
0010   00 70 50 c2 40 00 40 06 d1 b3 0a 00 02 0f 0a 00   .pP.@.@.........
0020   02 04 be 6e 23 28 27 ec d4 b7 bd 26 99 bc 80 18   ...n#('....&....
0030   01 f6 18 75 00 00 01 01 08 0a 8d cf e9 65 68 f0   ...u.........eh.
0040   f1 c3 70 20 69 20 63 20 6f 20 43 20 54 20 46 20   ..p i c o C T F 
0050   7b 20 70 20 34 20 63 20 6b 20 33 20 37 20 5f 20   { p 4 c k 3 7 _ 
0060   35 20 68 20 34 20 72 20 6b 20 5f 20 62 20 39 20   5 h 4 r k _ b 9 
0070   64 20 35 20 33 20 37 20 36 20 35 20 7d 0a         d 5 3 7 6 5 }.

Flag: picoCTF{p4ck37_5h4rk_b9d53765}

Challenge 5 - Redaction gone wrong

Challenge 5

Let's start this challenge by downloading the linked PDF file. curl -LO "https://artifacts.picoctf.net/c/264/Financial_Report_for_ABC_Labs.pdf"

When opened the PDF:

redacted PDF

The hint says:

hint 5

"How can you be sure of the redaction?"

I opened the file in LibreOffice Draw, and I was able to move the black boxes, which revealed the flag. If you are on Windows, you can also use MS Word.

Revealed 5

Flag: picoCTF{C4n_Y0u_S33_m3_fully}

Challenge 6 - Sleuthkit Intro

Challenge 6

Let's start by downloading the disk image.

Disk image 1

curl -LO "https://artifacts.picoctf.net/c/114/disk.img.gz"

Since it is gzip compressed data I used binwalk to extract it which created a folder _disk.img.gz.extracted. You can also use gunzip:

extracted image

binwalk -e disk.img.gz

Using mmls on disk.img to find the size of Linux partition, as instructed in the challenge description:

mmls on disk

mmls disk.img The Linux partition size is: 0000202752

Now let's connect to the access checker program using netcat.

netcat checker

nc saturn.picoctf.net 52279

After I entered the Linux partition size, it gave me the flag.

Partition flag

Flag: picoCTF{mm15_f7w!}

Challenge 7 - Sleuthkit Apprentice

challenge 7

First, we downloaded the file

download image 2

curl -LO "https://artifacts.picoctf.net/c/331/disk.flag.img.gz"

Extracted the file

extracted gzip

gzip -d disk.flag.img.gz

To make things a little easier, I opened Thunar File Manager by simply typing thunar in my current working directory and then right-clicked on the disk.flag.img file and clicked on "Disk Image Mounter" to mount it.

Thunar 1

Under devices, I see these two new partitions mounted:

Thunar 2

After meandering for a while, in 130 MB Volume, I found a folder named root which I was unable to open cd: Permission denied: “root/”. So I escalated my privilege and then tried to run cd as root.

root

Inside it, I found a folder named my_folder which had a file named flag.uni.txt inside. I ran cat on the file and found the flag.

flag 7

Flag: picoCTF{by73_5urf3r_adac6cb4}

Alternative: You can also use Autopsy to analyse the image.

Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.

Challenge 8 - Eavesdrop

Eavesdrop

The hint says:

hint 8

Let's start by downloading the linked packet capture.

pcap 2

curl -LO "https://artifacts.picoctf.net/c/359/capture.flag.pcap"

And open it in wireshark

wireshark capture.flag.pcap

wireshark 8

After going through a bunch of packets, I found something interesting

wireshark 9

Then I right-clicked on the packet and clicked on follow TCP Stream

follow stream

After I followed the TCP stream, I am able to see the conversation between them.

conversation

Here we found something interesting, openssl des3 -d -salt -in file.des3 -out file.txt -k supersecretpassword123 A command to decrypt a file named file.des3 which was transmitted over port 9002

I then cleared our current filter and applied tcp.port == 9002 filter and found an interesting "Salted" packet, which is likely the file they were talking about in their conversation.

salted file

I then right-clicked on the packet and clicked on Follow Stream

follow 2

Changed the Show data as: to Raw and clicked on Save as and saved the file as file.des3 in our current directory.

raw 3

Then I ran file command on the file that we just exported:

file 8

file file file.des3 And it turned out to be openssl enc'd data with salted password

Let's run the command we found earlier on this file, which already has the password in it after k tag which is "supersecretpassword123".

openssl

It gave us a warning, but it also successfully created a new file.txt file, let's now cat the file to see the content within it.

cat flag

And we found the flag.

Flag: picoCTF{nc_73115_411_dd54ab67}

Challenge 9 - Operation Oni

challenge 9

Let's start this challenge by downloading the linked disk image file.

download 9

curl -LO "https://artifacts.picoctf.net/c/374/disk.img.gz"

The challenge in the above image also gives us a command to connect to the remote machine. ssh -i key_file -p 55949 ctf-player@saturn.picoctf.net

As it is a gzip file, let's extract it.

gunzip 2

gunzip disk.img.gz After extracting it, we got the disk.img file.

To analyse this image, again I would recommend using Autopsy, but in this article we're going to use binwalk.

binwalk extract

binwalk -e disk.img

After cd-ing into _disk.img.extracted we found two folders.

cd

After running find in the current directory, I found some interesting results

find 1

find . | grep "ssh"

Let's try to cat the first private key in our result

key

cat ./ext-root-0/root/.ssh/id_ed25519

So, now we have a ssh private key. Let's try to use it to connect to our remote machine.

By simply replacing the key_file to key path we found, I ran the given command, but encountered an error.

ssh error

ssh -i ./ext-root-0/root/.ssh/id_ed25519 -p 55949 ctf-player@saturn.picoctf.net

The error says: Permissions 0644 for './ext-root-0/root/.ssh/id_ed25519' are too open.

Let's try to modify its permission and re-run the command.

permission

I ran ls -l ./ext-root-0/root/.ssh/id_ed25519 to check the permission of our key, and it turned out that it was world readable, so then I ran chmod 600 ./ext-root-0/root/.ssh/id_ed25519 to change its permission.

After this, I re-ran the command and connected successfully to the remote machine

connection successful

I ran the ls and found a file named flag.txt, I cat-ed it, and found the key.

completed ssh

Flag: picoCTF{k3y_5l3u7h_af277f77}

0
Subscribe to my newsletter

Read articles from Ujjawal Saini directly inside your inbox. Subscribe to the newsletter, and don't miss out.

Written by

Ujjawal Saini
Ujjawal Saini

Data Scientist and Software Engineer. Privacy and Security Advocate.