PicoCTF 2022 Forensics walkthrough – Part 2
In this article, we will attempt to solve picoCTF 2022 Forensics challenges 4 to 9.
Let's get started!
Challenge 4 - Packets Primer
The description says to download the linked packet capture file and analyse it. Let's start by opening up our terminal and download the file.
curl -LO "
https://artifacts.picoctf.net/c/200/network-dump.flag.pcap
"
Let's now use Wireshark to open our downloaded packet capture. Wireshark is a free and open-source packet analyser. To open it, I simply typed wireshark followed by our file name.
wireshark network-dump.flag.pcap
While I was scrolling through the packets, in packet No. 4 I found the flag
Hexdump:
0000 08 00 27 93 ce 73 08 00 27 af 39 9f 08 00 45 00 ..'..s..'.9...E.
0010 00 70 50 c2 40 00 40 06 d1 b3 0a 00 02 0f 0a 00 .pP.@.@.........
0020 02 04 be 6e 23 28 27 ec d4 b7 bd 26 99 bc 80 18 ...n#('....&....
0030 01 f6 18 75 00 00 01 01 08 0a 8d cf e9 65 68 f0 ...u.........eh.
0040 f1 c3 70 20 69 20 63 20 6f 20 43 20 54 20 46 20 ..p i c o C T F
0050 7b 20 70 20 34 20 63 20 6b 20 33 20 37 20 5f 20 { p 4 c k 3 7 _
0060 35 20 68 20 34 20 72 20 6b 20 5f 20 62 20 39 20 5 h 4 r k _ b 9
0070 64 20 35 20 33 20 37 20 36 20 35 20 7d 0a d 5 3 7 6 5 }.
Flag: picoCTF{p4ck37_5h4rk_b9d53765}
Challenge 5 - Redaction gone wrong
Let's start this challenge by downloading the linked PDF file. curl -LO "
https://artifacts.picoctf.net/c/264/Financial_Report_for_ABC_Labs.pdf
"
When opened the PDF:
The hint says:
"How can you be sure of the redaction?"
I opened the file in LibreOffice Draw, and I was able to move the black boxes, which revealed the flag. If you are on Windows, you can also use MS Word.
Flag: picoCTF{C4n_Y0u_S33_m3_fully}
Challenge 6 - Sleuthkit Intro
Let's start by downloading the disk image.
curl -LO "
https://artifacts.picoctf.net/c/114/disk.img.gz
"
Since it is gzip compressed data
I used binwalk to extract it which created a folder _disk.img.gz.extracted
. You can also use gunzip
:
binwalk -e disk.img.gz
Using mmls on disk.img
to find the size of Linux partition, as instructed in the challenge description:
mmls disk.img
The Linux partition size is: 0000202752
Now let's connect to the access checker program using netcat.
nc
saturn.picoctf.net
52279
After I entered the Linux partition size, it gave me the flag.
Flag: picoCTF{mm15_f7w!}
Challenge 7 - Sleuthkit Apprentice
First, we downloaded the file
curl -LO "
https://artifacts.picoctf.net/c/331/disk.flag.img.gz
"
Extracted the file
gzip -d disk.flag.img.gz
To make things a little easier, I opened Thunar File Manager by simply typing thunar
in my current working directory and then right-clicked on the disk.flag.img
file and clicked on "Disk Image Mounter" to mount it.
Under devices, I see these two new partitions mounted:
After meandering for a while, in 130 MB Volume, I found a folder named root
which I was unable to open cd: Permission denied: “root/”
. So I escalated my privilege and then tried to run cd
as root.
Inside it, I found a folder named my_folder
which had a file named flag.uni.txt
inside. I ran cat
on the file and found the flag.
Flag: picoCTF{by73_5urf3r_adac6cb4}
Alternative: You can also use Autopsy to analyse the image.
Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera's memory card.
Challenge 8 - Eavesdrop
The hint says:
Let's start by downloading the linked packet capture.
curl -LO "
https://artifacts.picoctf.net/c/359/capture.flag.pcap
"
And open it in wireshark
After going through a bunch of packets, I found something interesting
Then I right-clicked on the packet and clicked on follow TCP Stream
After I followed the TCP stream, I am able to see the conversation between them.
Here we found something interesting, openssl des3 -d -salt -in file.des3 -out file.txt -k supersecretpassword123
A command to decrypt a file named file.des3
which was transmitted over port 9002
I then cleared our current filter and applied tcp.port == 9002
filter and found an interesting "Salted" packet, which is likely the file they were talking about in their conversation.
I then right-clicked on the packet and clicked on Follow Stream
Changed the Show data as:
to Raw
and clicked on Save as and saved the file as file.des3
in our current directory.
Then I ran file command on the file that we just exported:
file file file.des3
And it turned out to be openssl enc'd data with salted password
Let's run the command we found earlier on this file, which already has the password in it after k tag which is "supersecretpassword123".
It gave us a warning, but it also successfully created a new file.txt file, let's now cat
the file to see the content within it.
And we found the flag.
Flag: picoCTF{nc_73115_411_dd54ab67}
Challenge 9 - Operation Oni
Let's start this challenge by downloading the linked disk image file.
curl -LO "
https://artifacts.picoctf.net/c/374/disk.img.gz
"
The challenge in the above image also gives us a command to connect to the remote machine. ssh -i key_file -p 55949
ctf-player@saturn.picoctf.net
As it is a gzip file, let's extract it.
gunzip disk.img.gz
After extracting it, we got the disk.img
file.
To analyse this image, again I would recommend using Autopsy, but in this article we're going to use binwalk.
binwalk -e disk.img
After cd
-ing into _disk.img.extracted
we found two folders.
After running find
in the current directory, I found some interesting results
find . | grep "ssh"
Let's try to cat
the first private key in our result
cat ./ext-root-0/root/.ssh/id_ed25519
So, now we have a ssh private key. Let's try to use it to connect to our remote machine.
By simply replacing the key_file
to key path we found, I ran the given command, but encountered an error.
ssh -i ./ext-root-0/root/.ssh/id_ed25519 -p 55949
ctf-player@saturn.picoctf.net
The error says: Permissions 0644 for './ext-root-0/root/.ssh/id_ed25519' are too open.
Let's try to modify its permission and re-run the command.
I ran ls -l ./ext-root-0/root/.ssh/id_ed25519
to check the permission of our key, and it turned out that it was world readable, so then I ran chmod 600 ./ext-root-0/root/.ssh/id_ed25519
to change its permission.
After this, I re-ran the command and connected successfully to the remote machine
I ran the ls
and found a file named flag.txt
, I cat
-ed it, and found the key.
Flag: picoCTF{k3y_5l3u7h_af277f77}
Subscribe to my newsletter
Read articles from Ujjawal Saini directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by
Ujjawal Saini
Ujjawal Saini
Data Scientist and Software Engineer. Privacy and Security Advocate.