InCTF21 Pro Finals - Forensics Writeup
Hello amazing hackers! It's me, PJ.
In this blog we are going to look at some cool forensics challenges from InCTF21 Professionals by bi0s. By the way, the winner of InCTF21 Professionals is SSOD.
1. XOXO (100pts)
Description:
Did you know: if a^b=c then a^c=b
Given: a XORed PNG file
pj@kali~ file encrypted.png
encrypted.png: data
- We don't know the key, but we do know the plaintext format: undoing the XOR must give a PNG, and every PNG starts with the same 8 signature bytes. Since a^b=c means a^c=b, XORing the first bytes of encrypted.png with the PNG signature gives back the key stream. The key turns out to be 8 bytes long, the same length as the signature, so the signature alone yields the complete key: eAsy-x0r.
1. Magic bytes of a PNG (taken from any valid PNG file):
xxd -l 10 chall.png
00000000: 8950 4e47 0d0a 1a0a 0000 .PNG......
2. XOR encrypted.png with the key eAsy-x0r (pwntools' xor cycles the key over the whole file):
>>> from pwn import *
>>> encrypted=open("encrypted.png","rb").read()
>>> answer=open("flag.png","wb")
>>> answer.write(xor("eAsy-x0r",encrypted))
396068
>>> answer.close()
Here we go. Flag: inctf{x0riNg_iS_fUn!!}
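The known-plaintext trick above, written out as an added example (this is not the author's pwntools one-liner). Every PNG begins with the 8-byte signature followed by the IHDR chunk length (13) and the type "IHDR", so the first 16 plaintext bytes are known for free. XORing them against the ciphertext yields 16 bytes of key stream, and the shortest period that repeats inside those bytes is the key. The encrypted sample is constructed inline; the 8-byte key eAsy-x0r is the one from the challenge.

```python
"""Recover a repeating XOR key from a file whose format has a fixed header."""
import itertools

# Fixed prefix of every PNG: signature + IHDR length (0x0d) + IHDR type.
PNG_PREFIX = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR"


def xor_bytes(data, key):
    """XOR data with a repeating key (a ^ b = c, so c ^ b = a)."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def recover_key(ciphertext, known_prefix=PNG_PREFIX):
    """Return the shortest repeating key consistent with the known plaintext prefix.

    Only a period that wraps around at least once inside the known bytes counts
    as confirmed, so a key of len(known_prefix) bytes or more raises instead of
    returning a guess; supply more known plaintext in that case.
    """
    stream = xor_bytes(ciphertext[:len(known_prefix)], known_prefix)
    for period in range(1, len(stream)):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    raise ValueError("key period not confirmed within known prefix; need more known plaintext")


def decrypt(ciphertext, known_prefix=PNG_PREFIX):
    """Recover the key from the header and decrypt the whole file."""
    return xor_bytes(ciphertext, recover_key(ciphertext, known_prefix))


if __name__ == "__main__":
    # Constructed stand-in for encrypted.png: a PNG prefix plus filler bytes,
    # XORed with the challenge key.
    plaintext = PNG_PREFIX + bytes(range(64))
    encrypted = xor_bytes(plaintext, b"eAsy-x0r")
    print("key:", recover_key(encrypted))          # b'eAsy-x0r'
    print("decrypted ok:", decrypt(encrypted) == plaintext)
```

With a real file, `decrypt(open("encrypted.png", "rb").read())` does the whole job; the raise on an unconfirmed period is deliberate, because a 16-byte key stream that never repeats tells you nothing about bytes 17 onwards.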
2. Look Deeper (200pts)
Description:
Ramesh sent me this PDF and told me that there is a weird sound deep in it,
and asked me to find it. Can you help him find what is hidden deep?
Given:
chall.pdf: PDF document, version 1.1
- Open the PDF in Evince. The page text is a base64 string; decode it:
echo "ZTN5bl83a2RfdjBfc240el9nYzdfaHUzeXp0=="|base64 -d
e3yn_7kd_v0_sn4z_gc7_hu3yzt
(The string carries a stray "==" after an already complete group, and the final "t" was lost in the original paste; the decoded text is 27 characters, the same length as the decrypted text below.)
- Letters are scrambled while digits and underscores are untouched, which points at a Vigenère cipher. Decrypting it (key inctf, letters only, other characters passed through) gives:
w3ll_7ry_n0_fl4g_bu7_us3ful
It is not the flag, but keep it: it is the DeepSound password later on.
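The decode-and-decrypt step as an added example (not the author's code). The page never states the Vigenère key; "inctf" is what falls out of lining the decoded string up against the decrypted text quoted above, which is exactly what recover_key below does, so treat it as inferred rather than given. Digits and underscores pass through unchanged and do not advance the key; that is the convention under which the two strings line up.

```python
"""Decode the PDF's base64 string and break/apply the Vigenère cipher."""
import base64

B64_FROM_PDF = "ZTN5bl83a2RfdjBfc240el9nYzdfaHUzeXp0=="  # as shown in the PDF
KNOWN_PLAINTEXT = "w3ll_7ry_n0_fl4g_bu7_us3ful"            # the DeepSound password


def decode_b64(s):
    """Decode base64 tolerantly: the PDF string has a stray '==' after a full group."""
    s = s.rstrip("=")
    return base64.b64decode(s + "=" * (-len(s) % 4)).decode()


def vigenere(text, key, decrypt=False):
    """Vigenère over ASCII letters only; other characters pass through without consuming key."""
    out, k = [], 0
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("a") if ch.islower() else ord("A")
            shift = ord(key[k % len(key)].lower()) - ord("a")
            if decrypt:
                shift = -shift
            out.append(chr((ord(ch) - base + shift) % 26 + base))
            k += 1
        else:
            out.append(ch)
    return "".join(out)


def recover_key(ciphertext, plaintext):
    """Derive the repeating key from a ciphertext/plaintext pair (letter positions only)."""
    shifts = [chr((ord(c.lower()) - ord(p.lower())) % 26 + ord("a"))
              for c, p in zip(ciphertext, plaintext) if c.isascii() and c.isalpha()]
    # The key is the shortest period of the shift sequence.
    for period in range(1, len(shifts) + 1):
        if all(shifts[i] == shifts[i % period] for i in range(len(shifts))):
            return "".join(shifts[:period])


if __name__ == "__main__":
    decoded = decode_b64(B64_FROM_PDF)
    key = recover_key(decoded, KNOWN_PLAINTEXT)   # 'inctf'
    print("decoded  :", decoded)
    print("key      :", key)
    print("decrypted:", vigenere(decoded, key, decrypt=True))
```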
- Enumerate the PDF's objects with peepdf and dump its streams:
python2 /opt/git.peepdf/peepdf.py -i chall.pdf
PPDF> info
Version 0:
Catalog: 1
Info: No
Objects (8): [1, 2, 3, 4, 5, 6, 7, 8]
Streams (2): [5, 8]
Encoded (1): [8]
Suspicious elements:
/Names (1): [1]
PPDF> stream 8 > output
The dumped stream is a WAV file:
file output
output: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, stereo 44100 Hz
The description's hint ("deep") points at DeepSound, an audio steganography tool.
- Open DeepSound and load the WAV as the carrier file
- Enter the decrypted Vigenère text (w3ll_7ry_n0_fl4g_bu7_us3ful) as the password
- Save the hidden flag.zip
- unzip flag.zip
- Fix the header of flag.png: a 16-byte JFIF (JPEG) header has been prepended in front of the PNG signature. Remove that first line (......JFIF......) with ghex or any hex editor so the file starts with the PNG signature.
>>pj@kali~: xxd flag.png|head
00000000: ffd8 ffe0 0010 4a46 4946 0001 0100 0001 ......JFIF......
00000010: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452 .PNG........IHDR
(after)
>>pj@kali~: xxd flag.png|head
00000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452 .PNG........IHDR
00000010: 0000 03c0 0000 02bd 0806 0000 00eb 1d05 ................
00000020: 3000 0036 837a 5458 7452 6177 2070 726f 0..6.zTXtRaw pro
Flag: inctf{Kn0w1ng_4b0ut_PDF's_15_u53fuL}
3. Chunklet (100pts)
Reference: InCTF Nationals learning round.
Given:
>>pj@kali~: file chall.png
chall.png: data
- Correct the PNG header (the lowercase n in PnG must be N):
>>pj@kali~: xxd -l 10 chall.png
00000000: 8950 6e47 0d0a 1a0a 0000 .PnG......
(after)
>>pj@kali~: xxd -l 10 chall.png
00000000: 8950 4e47 0d0a 1a0a 0000 .PNG......
- Replace idhr with IHDR
- Replace IADT with IDAT
- Replace the trailer INED with IEND
(Each chunk's CRC covers its type and data, so after renaming, pngcheck -v chall.png should report every CRC as OK; a CRC that still fails means the name is wrong or the CRC was edited too.)
>>pj@kali~: xxd chall.png |tail
00006de0: 0000 494e 4544 ae42 6082 ..INED.B`.
(AFTER)
>>pj@kali~: xxd chall.png |tail
00006de0: 0000 4945 4e44 ae42 6082 ..IEND.B`.
feh chall.png
Here we go.
Flag: inctf{tH15_w4S_Pr3Ty_EA5y}
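Both hex-editor repairs in this writeup, the prepended JFIF header on flag.png in Look Deeper and the mangled PnG/idhr/IADT/INED names in Chunklet, can be done by one script. This is an added example, not the author's tooling. It relies on the PNG chunk format: every chunk carries a CRC32 over its type and data, so when only the name bytes were edited the correct name is the one whose CRC still matches; when the CRC was damaged as well it falls back to an anagram match and recomputes the CRC. The sample image and its damage are constructed inline.

```python
"""Repair a PNG whose leading bytes or chunk names were tampered with."""
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Chunk names from the PNG spec plus the common registered extensions.
KNOWN_TYPES = [b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"gAMA", b"cHRM", b"sRGB", b"iCCP",
               b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"pHYs", b"sBIT", b"sPLT", b"hIST", b"tIME", b"eXIf"]


def chunk(ctype, data):
    """Serialise one chunk: big-endian length, type, data, CRC32(type + data)."""
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def make_png():
    """Constructed 1x1 RGBA PNG used as the known-good input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)  # 1x1, 8-bit depth, RGBA
    idat = zlib.compress(b"\x00" + b"\xff\x00\x00\xff")    # filter byte + one red pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def find_signature(data):
    """Offset of the PNG signature, tolerating case-mangled letters (PnG); -1 if absent."""
    m = re.search(rb"\x89[Pp][Nn][Gg]\r\n\x1a\n", data)
    return m.start() if m else -1


def guess_type(bad_type, body, crc):
    """Return (recovered name, crc_needs_recompute) for an unknown chunk name."""
    for cand in KNOWN_TYPES:
        if zlib.crc32(cand + body) == crc:
            return cand, False           # CRC intact: only the name bytes were edited
    for cand in KNOWN_TYPES:
        if sorted(cand.lower()) == sorted(bad_type.lower()):
            return cand, True            # CRC damaged too: trust the anagram, recompute
    return None, False


def repair_png(data):
    """Return (repaired PNG bytes, list of fixes applied)."""
    fixes = []
    start = find_signature(data)
    if start < 0:
        raise ValueError("no PNG signature found")
    if start:
        fixes.append(f"stripped {start} bytes before the signature")
    if data[start:start + 8] != PNG_SIG:
        fixes.append(f"signature {data[start:start + 8]!r} -> {PNG_SIG!r}")
    out, pos = bytearray(PNG_SIG), start + 8
    while pos + 12 <= len(data):
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        if pos + 12 + length > len(data):
            raise ValueError(f"chunk at offset {pos} runs past end of file")
        ctype = data[pos + 4:pos + 8]
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if ctype not in KNOWN_TYPES:
            fixed, recompute = guess_type(ctype, body, crc)
            if fixed is None:
                raise ValueError(f"unrecognised chunk {ctype!r} at offset {pos}")
            fixes.append(f"chunk {ctype!r} -> {fixed!r} at offset {pos}")
            ctype = fixed
            if recompute:
                crc = zlib.crc32(ctype + body)
        elif zlib.crc32(ctype + body) != crc:
            fixes.append(f"bad CRC on {ctype!r} at offset {pos}, recomputed")
            crc = zlib.crc32(ctype + body)
        out += struct.pack(">I", length) + ctype + body + struct.pack(">I", crc)
        pos += 12 + length
        if ctype == b"IEND":
            break
    return bytes(out), fixes


def corrupt(png):
    """Apply the damage seen in the two challenges to a good PNG (constructed test input)."""
    jfif = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01"  # 16-byte JPEG header prefix
    bad = bytearray(jfif + png)
    bad[len(jfif) + 2] = ord("n")                                # .PnG
    for good, mangled in ((b"IHDR", b"idhr"), (b"IDAT", b"IADT"), (b"IEND", b"INED")):
        off = bad.find(good)
        bad[off:off + 4] = mangled
    bad[-4:] = b"\x00\x00\x00\x00"                               # also wreck IEND's CRC
    return bytes(bad)


if __name__ == "__main__":
    good = make_png()
    repaired, log = repair_png(corrupt(good))
    print("\n".join(log))
    print("byte-identical to the original:", repaired == good)
```

On a real file, `repair_png(open("chall.png", "rb").read())` returns the fixed bytes to write out plus a log of what changed; the CRC-first strategy means a chunk name is never guessed when the file itself can prove which one is right.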
4. Tracery
Description: Do you know any communications standard which enables exchanging messages over a network?
Given:
file chall.pcap
chall.pcap: pcap capture file, microsecond ts (little-endian) - version 2.4 (Linux cooked v1, capture length 262144)
- Open chall.pcap in Wireshark.
- Statistics -> Protocol Hierarchy shows the payloads classified as plain Data.
- Each payload is a run of dots whose length varies from packet to packet; the length of each run is what carries information.
- Copy the payloads out of Wireshark, replace each "Length" label with a newline (find & replace) and save the result as pass. The script below turns every line's length into a character and brute-forces the constant offset.
pj@ctf-inctf-pro ~: cat pass|head
??.................................................................................................
??......................................................................................................
??...........................................................................................
??............................................................................................................
??..............................................................................................
??...................................................................................................................
??.........................................
??.......................................................................................
??............................................
pj@ctf-inctf-pro ~: cat script.py
#code credits goes to pro (Aidenpearce)
# Each line of "pass" is one payload; its length (newline included) encodes one
# character plus an unknown constant offset, so print every offset and grep.
with open("pass") as f:
    lengths = [len(line) for line in f]
for offset in range(255):
    print("".join(chr(n + offset) for n in lengths))
pj@ctf-inctf-pro ~: python3 script.py|grep in
inctf{1_4m_n0t_th3_fl4g_g0t_1t??}
1.data -> tcp -> tcp-
file tcp_savedfile
tcp_savedfile: data