# picoCTF Forensics

Tools used:

- `ghex` => graphical hex editor for Linux
- `eog` => opens and browses image files on Linux
- `Xpdf` => lightweight PDF reader for Linux
- `wireshark`
- `aircrack-ng` => can crack WEP keys from captured packets
- `zsteg` => uncovers hidden data (steganography) in images
- `stepic` => also extracts data hidden inside images
- `binwalk` => an analysis tool for binary files; used to find out whether a file has other data hidden inside it (e.g. archives, images, executables)
- `dd` => a very powerful command-line tool on Linux and Unix systems whose main purpose is copying bytes between devices; it can be used to `back up and restore disks`, `create boot disks`, and `extract or write ISO images`

# Easy

## RED

![image](https://hackmd.io/_uploads/B1-4xGOTye.png)

Run `zsteg red.png`

![image](https://hackmd.io/_uploads/BJL8efOpkx.png)

## **Secret of the Polyglot**

![image](https://hackmd.io/_uploads/B10ilQ9M1g.png)

Hints: This problem can be solved by just opening the file in different ways

```
xpdf flag2of2-final.pdf
```

![image](https://hackmd.io/_uploads/BybbImcMJg.png)

```
mv flag2of2-final.pdf flag2of2-final.png
```

![image](https://hackmd.io/_uploads/ry8mLQ5MJx.png)

# Medium

## **Lookey here**

![image](https://hackmd.io/_uploads/HyHLr2BG1l.png)

```
cat anthem.flag.txt | grep pico
```

![image](https://hackmd.io/_uploads/ry7pB2BG1x.png)

## **endianness-v2**

![image](https://hackmd.io/_uploads/Hkh7xA_MJg.png)

First look at the file type and the header:

```
file challengefile
exiftool challengefile
```

It looks like the header is wrong.

![image](https://hackmd.io/_uploads/H1ssqRuMJx.png)

Take a look with ghex:

![image](https://hackmd.io/_uploads/rkp6oROMJg.png)

I forgot what the JPEG header is; a quick Google search shows it looks like this: "FF D8 FF E0"

![image](https://hackmd.io/_uploads/SkzI30_fJg.png)

So the header of challengefile, "E0 FF D8 FF", has to become "FF D8 FF E0".

Later I found that patching only the header is not enough; the byte order has to be fixed through the whole challengefile (the script reverses every 4-byte group).

```python
def reverse_hex_bytes(file_path, output_path):
    """Reverse the byte order inside every 4-byte word of the file."""
    with open(file_path, "rb") as f:
        data = f.read()
    reversed_data = bytearray()
    for i in range(0, len(data), 4):
        # "E0 FF D8 FF" -> "FF D8 FF E0"; a trailing partial word is reversed on its own
        reversed_data.extend(data[i:i+4][::-1])
    with open(output_path, "wb") as f:
        f.write(reversed_data)

reverse_hex_bytes("challengefile", "reversed_output")
```

![image](https://hackmd.io/_uploads/Hy9ZzkFzJx.png)

![image](https://hackmd.io/_uploads/S1hdMJFzke.png)

## **PcapPoisoning**

![image](https://hackmd.io/_uploads/rkoOzUofkg.png)

`.pcap` is a file format for storing captured network packets.

Open the file in Wireshark.

![image](https://hackmd.io/_uploads/SkZoXUozyx.png)

Display filter:

```
tcp contains "pico"
```

![image](https://hackmd.io/_uploads/H1OK7LjfJx.png)

## **FindAndOpen**

![image](https://hackmd.io/_uploads/rJoU7eaGkx.png)

Looking through the other Info entries, only this one is different; it ends with `=`, which looks a lot like base64.

![image](https://hackmd.io/_uploads/B1Xa7xpfJg.png)

![image](https://hackmd.io/_uploads/rJqmNg6fJg.png)

## **Redaction gone wrong**

![image](https://hackmd.io/_uploads/SkegYdgaGJl.png)

This is what the file looks like as soon as you open it:

![image](https://hackmd.io/_uploads/S1X3_gTG1x.png)

Paste it into Word and select (highlight) all of the text, and the flag shows up.

![image](https://hackmd.io/_uploads/rJ3Cdxpfkl.png)

## **Packets Primer**

![image](https://hackmd.io/_uploads/B1PqKqpf1g.png)

A quick look around and there it is.

![image](https://hackmd.io/_uploads/H1u2FcTM1l.png)

## **Eavesdrop**

![image](https://hackmd.io/_uploads/BJs3VZkQkg.png)

Hints: All we know is that this packet capture includes a chat conversation and a file transfer.

```
- chat conversation
Hey, how do you decrypt this file again?
You're serious?
Yeah, I'm serious
*sigh*
openssl des3 -d -salt -in file.des3 -out file.txt -k supersecretpassword123
Ok, great, thanks.
Let's use Discord next time, it's more secure.
C'mon, no one knows we use this program like this!
Whatever.
Hey.
Yeah?
Could you transfer the file to me again?
Oh great.
Ok, over 9002?
Yeah, listening.
Sent it
Got it.
You're unbelievable
```

I found the data, but I'm not very familiar with Wireshark and didn't really know how to copy the data value, so I followed the video below:

https://www.youtube.com/watch?v=DJfT2fI88YE&ab_channel=MustaphaAitIchou

Write the data shown below into file.des3:

![image](https://hackmd.io/_uploads/BJYGJVJ7Jl.png)

Decrypt:

```
sudo openssl des3 -d -salt -in file.des3 -out file.txt -k supersecretpassword123
```

![image](https://hackmd.io/_uploads/H1p_yVyXkl.png)

## **WPA-ing Out**

![image](https://hackmd.io/_uploads/SyKeF8ymyx.png)

Hints:
1. Finding the IEEE 802.11 wireless protocol used in the wireless traffic packet capture is easier with wireshark, the JAWS of the network.
2. Aircrack-ng can make a pcap file catch big air...and crack a password.
Hint 2 already says the password can be brute-forced with aircrack-ng.

Aircrack-ng can crack WEP keys from captured packets.

![image](https://hackmd.io/_uploads/SJI69PkmJx.png)

## **Milkslap** (to be completed)

![image](https://hackmd.io/_uploads/ryv3YSlXkx.png)

Hint: Look at the problem category

![image](https://hackmd.io/_uploads/SyY_qSg7ye.png)

![image](https://hackmd.io/_uploads/rk1S9HxQ1e.png)

The problem's category... css??

![image](https://hackmd.io/_uploads/rJiCcrl71l.png)

```
wget http://mercury.picoctf.net:29522/concat_v.png
```

## shark on wire 1

![image](https://hackmd.io/_uploads/BkqZfYzOJl.png)

Hints:
1. Try using a tool like Wireshark
2. What are streams?

A stream is a concept that describes a group of related packets. Wireshark seems to analyse the headers and group packets that belong to the same session or connection.

![image](https://hackmd.io/_uploads/SyX1rYMdJg.png)

At this point I guessed the UDP streams.

![image](https://hackmd.io/_uploads/r1k3LFGu1x.png)

Guessed right, and that's it???

![image](https://hackmd.io/_uploads/BJ21DYzdyl.png)

## flags are stepic

![image](https://hackmd.io/_uploads/SJCqV-taJl.png)

Hint: In the country that doesn't exist, the flag persists

So we have to find the flag that does not belong to a real country.

![image](https://hackmd.io/_uploads/H1vM8bFp1g.png)

`Ctrl + U` (view page source) and find that country: Upanzi, Republic The

![image](https://hackmd.io/_uploads/SyBL8ZtTkl.png)

Download it with `wget` from `url` + `/flags/upz.png`

![image](https://hackmd.io/_uploads/H1198-Fpke.png)

zsteg spat out some unrelated stuff. Then I noticed the challenge title says stepic, which I had never heard of, so I asked GPT.

![image](https://hackmd.io/_uploads/Bk8lwWtp1e.png)

OK, the script is below:

```python
import stepic
from PIL import Image

image = Image.open("upz.png")
# stepic reads the message hidden in the least-significant bits of the pixels
message = stepic.decode(image)
print("Message: ", message)
```

![image](https://hackmd.io/_uploads/BkZ3qbY6yg.png)

## So Meta

![image](https://hackmd.io/_uploads/SJKAjQY6kl.png)

![image](https://hackmd.io/_uploads/SJZl3XYa1x.png)

## WhitePages

![image](https://hackmd.io/_uploads/SyjUHIFakl.png)

It really is a white page, all blank.

![image](https://hackmd.io/_uploads/ryZKSItTkg.png)

Run `ghex whitepages.txt`; you can see the content contains `\xe2\x80\x83` (the UTF-8 encoding of U+2003 EM SPACE), which stands out.

![image](https://hackmd.io/_uploads/Sy0JLUFa1l.png)

Let's try replacing it with `0` and the other character (an ordinary space) with `1`:

```python
from pwn import *

with open('whitepages.txt', 'rb') as f:
    data = f.read()

# U+2003 EM SPACE (UTF-8: e2 80 83) -> '0', ordinary space -> '1'
data = data.replace(b'\xe2\x80\x83', b'0').replace(b' ', b'1')
data = data.decode("ascii")
# print(data)
# unbits() from pwntools packs the '0'/'1' string back into bytes
print(unbits(data).decode("ascii"))
```

![image](https://hackmd.io/_uploads/SksDDUta1l.png)

Reference: https://github.com/kevinjycui/picoCTF-2019-writeup/tree/master/Forensics/WhitePages

## extensions

![image](https://hackmd.io/_uploads/r1jRuUtT1l.png)

```
exiftool flag.txt
```

The file is actually a .png.

![image](https://hackmd.io/_uploads/ByNWFIK61e.png)

```
mv flag.txt flag.png
xdg-open flag.png
```

![image](https://hackmd.io/_uploads/HkeHKLKpye.png)

## What Lies Within

![image](https://hackmd.io/_uploads/ryvM-L9Tkg.png)

```
zsteg buildings.png
```

![image](https://hackmd.io/_uploads/rJ_HZ89Tkx.png)

## like 1000

![image](https://hackmd.io/_uploads/Hy1-Y8cTkg.png)

It says "a lot", meaning a lot of extracting: each archive unpacks to a child archive, like below.

![image](https://hackmd.io/_uploads/HJc7YUqTJx.png)

Script:

```python
import subprocess

# The archives are nested: 1000.tar contains 999.tar, which contains 998.tar, ...
n = 1000
while n > 0:
    tar_file = str(n) + ".tar"
    subprocess.run(["tar", "xvf", tar_file], check=True)
    print(f"{n} Finished!")
    n = n - 1
```

![image](https://hackmd.io/_uploads/BkLOKUc61l.png)

![image](https://hackmd.io/_uploads/ByGYY89TJx.png)

## hideme

![Screenshot 2025-04-18 5.49.01 PM](https://hackmd.io/_uploads/Hy5zxo1ygx.png)

zsteg found nothing.

```
binwalk flag.png
```

![Screenshot 2025-04-18 5.53.09 PM](https://hackmd.io/_uploads/rylXG-sykll.png)

![Screenshot 2025-04-18 5.52.52 PM](https://hackmd.io/_uploads/HyfWWi11el.png)

```
dd if=flag.png of=flag.zip skip=41
```

Note that `skip` counts blocks of `bs` (512 bytes by default), so `skip=41` starts copying at byte offset 41 × 512 = 20992; match that against the decimal offset binwalk printed, and use `bs=1 skip=<offset>` when the offset is not a multiple of 512.

![Screenshot 2025-04-18 6.01.47 PM](https://hackmd.io/_uploads/rywfmjJ1lg.png)

![Screenshot 2025-04-18 6.01.57 PM](https://hackmd.io/_uploads/HkVmmiykle.png)

## Enhance

![image](https://hackmd.io/_uploads/r1E3Tzfygx.png)

MIME Type: image/svg+xml

![image](https://hackmd.io/_uploads/Hkpl0fMJge.png)

SVG is XML, so `cat` can print it out as text:

```
cat drawing.flag.svg
```

![image](https://hackmd.io/_uploads/r1sBCMG1xg.png)

## Mob psycho

![image](https://hackmd.io/_uploads/BJBg1VzJxe.png)

Hints:
1. Did you know you can unzip APK files?
2. Now you have the whole host of shell tools for searching these files.
```
unzip mobpsycho.apk -d psycho
ls -R | grep flag -B 20
```

`-R`: list directory contents recursively
`-B 20`: short for `--before-context=20` (print the 20 lines before each match)

![image](https://hackmd.io/_uploads/HkiFe4fkxx.png)

[Link](https://gchq.github.io/CyberChef/)

![image](https://hackmd.io/_uploads/SJo3eNM1xg.png)

## Torrent Analyze

![image](https://hackmd.io/_uploads/ryjPc8LRex.png)

I had never touched torrents before, so I looked it up.

Torrent is a P2P (Peer-to-Peer) file-sharing protocol:
- It does not depend on a single server; the file is shared by many users together
- Every user can download and also upload the file

A `.torrent` file contains:
- File information
- info_hash (the value that uniquely identifies this torrent)
- Tracker address (helps find peers)

There are three main roles:
1. seeds (seeders):
   - People who have already downloaded the whole file
   - They serve the file to other peers
   - More seeds usually means faster downloads
2. peers (connected nodes that have not finished):
   - People who are downloading the file
   - They also upload the parts they already have to other peers
   - Peers include leechers (those who have not finished downloading)
3. leechers:
   - Downloading the file but do not have all of it yet

### protocol

**BT-DHT**: the protocol used to find peers; when there is no tracker, it looks up who has this torrent by `info_hash`

**BT-uTP**: a data transfer protocol used by BitTorrent, built on top of UDP

Wireshark display filter:

```
bt-dht contains "info_hash"
```

![image](https://hackmd.io/_uploads/Hyg9BqICeg.png)

![image](https://hackmd.io/_uploads/ryvuS5IRee.png)

```python
import pyshark

cap = pyshark.FileCapture('torrent.pcap', display_filter='bt-dht contains "info_hash"')
info_hash_list = set()
for i in cap:
    # print(i.layers[3])
    # layers[3] is the bt-dht layer here (eth, ip, udp, bt-dht)
    # I really didn't know how to grab the info hash; I borrowed this line from someone else's write-up
    info_hash = i.layers[3].get_field_by_showname('info_hash').showname_value
    info_hash_list.add(info_hash)

for j in info_hash_list:
    print(j)
```

Hash values:

```
d59b1ce3bf41f1d282c1923544629062948afadd
7af6be54c2ed4dcb8d17bf599516b97bb66c0bfd
17c1e42e811a83f12c697c21bed9c72b5cb3000d
17c02f9957ea8604bc5a04ad3b56766a092b5556
e2467cbf021192c241367b892230dc1e05c0580e
078e18df4efe53eb39d3425e91d1e9f4777d85ac
17c0c2c3b7825ba4fbe2f8c8055e000421def12c
17d62de1495d4404f6fb385bdfd7ead5c897ea22
```

### Reference

https://github.com/noamgariani11/picoCTF-2024-Writeup/blob/main/Forensics/Mob-psycho.md
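For endianness-v2, the write-up's script blindly reverses every 4-byte word. The example below (added here, not part of the original write-up) goes one step further: it checks the first bytes against the JFIF header `FF D8 FF E0`, works out whether a 2-byte or a 4-byte word swap would restore it, and only then applies that swap to the whole file. The sample header `GOOD` is constructed; `challengefile` is never read.

```python
from typing import Optional

JFIF_HEADER = b"\xff\xd8\xff\xe0"   # JPEG SOI marker followed by the APP0 marker


def swap_words(data: bytes, width: int = 4) -> bytes:
    """Reverse the byte order inside every `width`-byte word; a trailing
    partial word is reversed on its own. Applying it twice is the identity."""
    out = bytearray()
    for i in range(0, len(data), width):
        out.extend(data[i:i + width][::-1])
    return bytes(out)


def detect_word_swap(data: bytes, magic: bytes = JFIF_HEADER) -> Optional[int]:
    """0 if the file already starts with `magic`, otherwise the word width
    (2 or 4) whose swap restores it, or None if no swap explains the header."""
    if data.startswith(magic):
        return 0
    for width in (2, 4):
        if swap_words(data[:len(magic)], width) == magic:
            return width
    return None


def repair(data: bytes) -> bytes:
    """Undo the word swap detected from the header across the whole file,
    which is what endianness-v2 needed (patching the header alone was not enough)."""
    width = detect_word_swap(data)
    if width is None:
        raise ValueError("header is not a JFIF header under any 2/4-byte word swap")
    return data if width == 0 else swap_words(data, width)


def repair_file(src: str, dst: str) -> None:
    with open(src, "rb") as f:
        fixed = repair(f.read())
    with open(dst, "wb") as f:
        f.write(fixed)


# Constructed sample: the start of a JFIF file (SOI, APP0 length 0x10, "JFIF\0",
# version 1.1, density units, 1x1 density); 18 bytes, so it ends in a partial word.
GOOD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01"
DAMAGED = swap_words(GOOD, 4)   # begins with E0 FF D8 FF, like challengefile

if __name__ == "__main__":
    print("damaged header:", DAMAGED[:4].hex(" "))
    print("detected word width:", detect_word_swap(DAMAGED))
    print("repaired header:", repair(DAMAGED)[:4].hex(" "))
```

Detection looks only at the header, so the result still has to be opened with an image viewer (or checked with `file`) to confirm the whole file came back; an unrecognised header raises instead of silently producing garbage.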
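Secret of the Polyglot, extensions and hideme all come down to the same idea: the bytes at offset 0 decide what a file really is, and a second signature later in the file marks something appended or embedded. This added example (not from the write-up) does in Python what `file`, `binwalk` and `dd` did above: name a file by its magic bytes regardless of extension, list every known signature found after offset 0, carve from a byte offset, and validate the carved bytes by actually parsing them as a zip. Both fixtures in `build_samples()` are constructed and are not the challenge files.

```python
import io
import zipfile
from typing import Dict, List, Tuple

# Real magic values of the formats that appear in this write-up.
MAGIC: Dict[bytes, str] = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",
    b"GIF8": "gif",
}


def identify(data: bytes) -> str:
    """Name the format by the bytes at offset 0 (what `file`/exiftool rely on),
    ignoring whatever extension the file was given."""
    for sig, name in MAGIC.items():
        if data.startswith(sig):
            return name
    return "unknown"


def find_embedded(data: bytes) -> List[Tuple[int, str]]:
    """Every known signature found after offset 0, as (byte offset, format),
    the same scan binwalk performs."""
    hits = []
    for sig, name in MAGIC.items():
        pos = data.find(sig, 1)
        while pos != -1:
            hits.append((pos, name))
            pos = data.find(sig, pos + 1)
    return sorted(hits)


def carve(data: bytes, offset: int) -> bytes:
    """Same as `dd if=in of=out bs=1 skip=<offset>`: the tail from offset on."""
    return data[offset:]


def read_zip_names(blob: bytes) -> List[str]:
    """Validate a carved candidate by parsing it; a signature match alone
    can be a false positive (PK\\x03\\x04 can occur by chance in image data)."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.namelist()


def carve_first_zip(data: bytes) -> List[str]:
    """Find the first embedded zip, carve it and return its member names."""
    for offset, name in find_embedded(data):
        if name == "zip":
            return read_zip_names(carve(data, offset))
    return []


def build_samples() -> Dict[str, bytes]:
    """Constructed fixtures: a PNG-first file with a PDF header later on
    (polyglot style) and a PNG with a zip appended after the image data."""
    png_head = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
    polyglot = png_head + b"\x00" * 16 + b"%PDF-1.4\n%constructed\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        info = zipfile.ZipInfo("flag.txt", date_time=(2024, 1, 1, 0, 0, 0))
        zf.writestr(info, "picoCTF{constructed_example}")
    hideme = png_head + b"\x00" * 32 + buf.getvalue()
    return {"polyglot": polyglot, "hideme": hideme}


if __name__ == "__main__":
    for label, blob in build_samples().items():
        print(label, identify(blob), find_embedded(blob))
    print(carve_first_zip(build_samples()["hideme"]))
```

The offsets returned here are byte offsets, which is why the usage note under hideme matters: `dd` counts `skip` in blocks of `bs`, so either convert the offset to 512-byte blocks or pass `bs=1`.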
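The like 1000 script assumes the archives are named 1000.tar down to 1.tar and shells out to `tar` for each one. The added example below (mine, not the write-up's) does the same job with the standard `tarfile` module without relying on the names: it keeps extracting while the extracted member is itself a tar, and it checks every member name against the working directory before extracting, so a crafted archive with a `../` member cannot write outside it. `build_nested_tars()` creates a small constructed fixture of the same shape; nothing from the challenge is downloaded.

```python
import os
import tarfile
import tempfile


def build_nested_tars(root: str, depth: int, flag: str) -> str:
    """Constructed fixture: depth.tar -> (depth-1).tar -> ... -> 1.tar -> flag.txt,
    the shape of the like 1000 archive. Returns the outermost archive path."""
    inner = os.path.join(root, "flag.txt")
    with open(inner, "w") as f:
        f.write(flag)
    for n in range(1, depth + 1):
        outer = os.path.join(root, f"{n}.tar")
        with tarfile.open(outer, "w") as tf:
            tf.add(inner, arcname=os.path.basename(inner))
        inner = outer
    return inner


def extract_nested(path: str, workdir: str, max_depth: int = 10_000) -> str:
    """Unpack archives until the member is no longer a tar and return the path
    of the final file. Member names are untrusted input: each one is resolved
    and required to stay inside workdir (and the 'data' filter is used where
    the interpreter supports it)."""
    base = os.path.realpath(workdir)
    current = path
    for _ in range(max_depth):
        if not tarfile.is_tarfile(current):
            return current
        with tarfile.open(current) as tf:
            members = tf.getmembers()
            if len(members) != 1:
                raise ValueError(f"{current}: expected exactly one member")
            m = members[0]
            dest = os.path.realpath(os.path.join(base, m.name))
            if not dest.startswith(base + os.sep):
                raise ValueError(f"{current}: member {m.name!r} escapes workdir")
            try:
                tf.extract(m, base, filter="data")
            except TypeError:          # Python without the filter= argument
                tf.extract(m, base)
        current = dest
    raise RuntimeError("nesting deeper than max_depth")


def solve(depth: int = 5, flag: str = "picoCTF{constructed_nested_example}") -> str:
    """Build the fixture, unpack it, and return the innermost file's content."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as out:
        outer = build_nested_tars(src, depth, flag)
        final = extract_nested(outer, out)
        with open(final) as f:
            return f.read()


if __name__ == "__main__":
    print(solve())
```

`tarfile.is_tarfile()` is what decides when to stop, so the loop works whether the archives are numbered, randomly named, or of a different depth than 1000; `max_depth` keeps a self-referential or absurdly deep chain from running forever.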
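The pyshark script above lets tshark dissect BT-DHT and pulls `info_hash` out of the decoded layer. To show what that dissector is actually doing, here is an added example (not from the write-up) of the underlying format: DHT messages are bencoded dictionaries, and `get_peers`/`announce_peer` queries carry the 20-byte `info_hash` inside their `a` (arguments) dict. The code is a small bencode decoder plus a function that returns the hex info_hash of a UDP payload, run over two constructed packets (a `get_peers` query and a `ping`, which has no info_hash); `NODE_ID` and `INFO_HASH` are made-up values, not hashes from the capture.

```python
from typing import Any, List, Optional, Tuple


def bdecode(data: bytes, pos: int = 0) -> Tuple[Any, int]:
    """Decode one bencoded value starting at `pos`; return (value, next_pos).
    Strings stay as bytes because dictionary keys and info_hash are raw bytes."""
    c = data[pos:pos + 1]
    if c == b"i":                          # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if c == b"l":                          # list: l<value>...e
        pos += 1
        items = []
        while data[pos:pos + 1] != b"e":
            v, pos = bdecode(data, pos)
            items.append(v)
        return items, pos + 1
    if c == b"d":                          # dict: d<key><value>...e
        pos += 1
        out = {}
        while data[pos:pos + 1] != b"e":
            k, pos = bdecode(data, pos)
            v, pos = bdecode(data, pos)
            out[k] = v
        return out, pos + 1
    if c.isdigit():                        # byte string: <length>:<bytes>
        colon = data.index(b":", pos)
        n = int(data[pos:colon])
        start = colon + 1
        if start + n > len(data):
            raise ValueError("truncated string")
        return data[start:start + n], start + n
    raise ValueError(f"bad bencode at offset {pos}")   # also hit on truncated input


def dht_info_hash(payload: bytes) -> Optional[str]:
    """Hex info_hash from a DHT query's 'a' dict, or None (ping/find_node
    and responses carry none)."""
    msg, _ = bdecode(payload)
    if not isinstance(msg, dict):
        return None
    ih = msg.get(b"a", {}).get(b"info_hash")
    if ih is None or len(ih) != 20:
        return None
    return ih.hex()


def collect_info_hashes(payloads: List[bytes]) -> List[str]:
    """De-duplicated, sorted list of info_hashes, like the set in the pyshark script."""
    return sorted({h for h in map(dht_info_hash, payloads) if h is not None})


# Constructed packets (BEP 5 layout); the ids are arbitrary test values.
NODE_ID = bytes(range(20))
INFO_HASH = bytes(range(0xA0, 0xB4))
GET_PEERS = (b"d1:ad2:id20:" + NODE_ID + b"9:info_hash20:" + INFO_HASH
             + b"e1:q9:get_peers1:t2:aa1:y1:qe")
PING = b"d1:ad2:id20:" + NODE_ID + b"e1:q4:ping1:t2:aa1:y1:qe"

if __name__ == "__main__":
    print(collect_info_hashes([GET_PEERS, PING, GET_PEERS]))
```

On a real capture the `payloads` list would be the UDP payloads of the packets matched by `bt-dht contains "info_hash"`; the decoder raises on malformed or truncated input rather than looping, which matters when feeding it arbitrary packets.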