Project author: islamgab

Project description:
Cybertalent CTF Files Leakage - Digital Forensics
Language:
Project URL: git://github.com/islamgab/Files_Leakage.git
Created: 2020-04-18T03:30:55Z
Project community: https://github.com/islamgab/Files_Leakage

License:



{ islamgab }

Writeups

Description

  • Challenge Name: Files Leakage
  • Points: 100
  • Level: medium

Tools

Pcap File contents

  Pdf Files:
    - 3911-Exhibit-AB-20170128-26.pdf
    - DarkSeaSkies_1_0_CONOP.pdf
    - DarkSeaSkies_1_0_URD.pdf
    - deobfuscate.pdf
    - Deobfuscation is in NP.pdf
    - DerStarke_v1_4_DOC.pdf
    - Experiences in Malware Binary Deobfuscation.pdf
  Wav File:
    - 23329117.WAV

Easy method to get pass
I created a wordlist from all the files for the challenge, and from the pcap as well, with all possible lengths:

  # One wordlist per length limit: printable strings shorter than N characters from every file
  $ for f in *; do strings "$f" | awk 'length($0) < 5' >> wordlist_len5.txt; done
  $ for f in *; do strings "$f" | awk 'length($0) < 6' >> wordlist_len6.txt; done
  $ for f in *; do strings "$f" | awk 'length($0) < 7' >> wordlist_len7.txt; done
  $ for f in *; do strings "$f" | awk 'length($0) < 8' >> wordlist_len8.txt; done
  $ for f in *; do strings "$f" | awk 'length($0) < 9' >> wordlist_len9.txt; done
  # Merge the per-length lists into one wordlist
  $ cat wordlist_len[5-9].txt > wordlist_len5-9.txt

Then I found the tool deepsound2john:

  $ deepsound2john 23329117_Fixed > hash.txt
  $ john --wordlist=wordlist_len5-9.txt hash.txt   # make sure the wordlist is UTF-8

Advanced Method to get pass

First, take a look at https://en.wikipedia.org/wiki/Design_of_the_FAT_file_system

and look at the “VFAT long file names” image.

All the files are marked with the “E5” symbol as deleted files from the “KINGSTON” USB flash disk.

0xe5 means the file is deleted. It is in frame 34 at offset 0290; this offset is a reference for the section in frame 935.

  filename: @dh00m@.txt
  content: @dh00m@
  # before deleted from flash memory
  filename: [0xe5]dh00m@.txt
  content: @dh00m@ << content is not changed, because one may want to restore it

That makes sense, as this is a password.
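Added example, not part of the original writeup: a Python parser for 32-byte FAT directory entries that flags entries whose first byte is 0xE5 and rebuilds the long name from the VFAT fragments, which keep the first character that the 8.3 entry loses on deletion. The directory bytes (a live README.TXT and a deleted @dh00m@.txt) are constructed for illustration and are not taken from the challenge pcap; the function names are hypothetical.

```python
ENTRY_SIZE, DELETED, ATTR_LFN = 32, 0xE5, 0x0F

def lfn_fragment(entry):
    """Name characters of one VFAT long-name entry (offsets 1-10, 14-25, 28-31)."""
    raw = entry[1:11] + entry[14:26] + entry[28:32]
    return raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]

def short_name(entry):
    """8.3 name; a deleted entry shows '?' where 0xE5 overwrote the first byte."""
    base = entry[0:8].decode("latin-1").rstrip()
    ext = entry[8:11].decode("latin-1").rstrip()
    if entry[0] == DELETED:
        base = "?" + base[1:]
    return base + ("." + ext if ext else "")

def list_entries(directory):
    """Return (deleted, short_name, long_name) for each file entry."""
    results, fragments = [], []
    for off in range(0, len(directory) - ENTRY_SIZE + 1, ENTRY_SIZE):
        entry = directory[off:off + ENTRY_SIZE]
        if entry[0] == 0x00:              # end-of-directory marker
            break
        deleted = entry[0] == DELETED
        if entry[11] == ATTR_LFN:         # fragments precede the 8.3 entry, last part first
            fragments.append((deleted, lfn_fragment(entry)))
            continue
        # Deletion overwrites only byte 0 (the sequence number) of a long-name
        # entry, so its UTF-16 text still holds the complete original name.
        parts = [text for was_deleted, text in fragments if was_deleted == deleted]
        results.append((deleted, short_name(entry), "".join(reversed(parts)) or None))
        fragments = []
    return results

def sample_directory():
    """Constructed sample: live README.TXT plus a deleted '@dh00m@.txt'."""
    name = ("@dh00m@.txt" + "\x00").encode("utf-16-le").ljust(26, b"\xff")
    # Byte 0 would have been 0x41 (last fragment, sequence 1) before deletion;
    # the checksum at offset 13 is left 0 because list_entries does not read it.
    lfn = bytes([DELETED]) + name[:10] + bytes([ATTR_LFN, 0, 0]) + name[10:22] + bytes(2) + name[22:26]
    live = b"README  TXT" + bytes([0x20]) + bytes(20)
    gone = bytes([DELETED]) + b"DH00M@ TXT" + bytes([0x20]) + bytes(20)
    return live + lfn + gone + bytes(ENTRY_SIZE)

if __name__ == "__main__":
    for deleted, short, long_name in list_entries(sample_directory()):
        print("DELETED" if deleted else "live   ", short, long_name)
```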

Got the password @dh00m@,
and the flag file's content is this:

  uuuuuuuuuuuuuuuu4zzzzzzzzzzzzzzz
  yyyyyyyyycjjjjjjjjjjjjjjjjjjjjjj
  ssssssssssssssssssssssssssssssem
  iiiiiiiiii9vvvvvvvvvvvvvvvvvvvvv
  zzzzzzzzzzzzzzzzzzzzzzzz8zzzzzzz
  ooo1wwwwwwwwwwwwwwwwwwwwwwwwwwww
  ...
  ...
  nnnnnnnnnnnn2ooooooooooooooooooo
  mmmmmmmmmmmmmm8wwwwwwwwwwwwwwwww
  jjjjjjjjjjjjjjjjjjj9ssssssssssss

Here we find a unique char in every line. I keep it at its position and sort it, one time to the left because there are 32 lines, and once it is sorted as below I get the flag:

  uuuuuuuuuuuuuuuu[4]zzzzzzzzzzzzzzz
  yyyyyyyyy[c]jjjjjjjjjjjjjjjjjjjjjj
  ssssssssssssssssssssssssssssss[e]m
  iiiiiiiiii[9]vvvvvvvvvvvvvvvvvvvvv
  zzzzzzzzzzzzzzzzzzzzzzzz[8]zzzzzzz
  ooo[1]wwwwwwwwwwwwwwwwwwwwwwwwwwww
  mmmm[6]ppppppppppppppppppppppppppp
  iiiiiiiiiiiiiiiiiiiiicuuuuuuuuuu
  rrrrrrrr1yyyyyyyyyyyyyyyyyyyyyyy
  ...
  ...
  ...
  nnnnnnnnnnnn2ooooooooooooooooooo
  mmmmmmmmmmmmmm8wwwwwwwwwwwwwwwww
  jjjjjjjjjjjjjjjjjjj9ssssssssssss

  f6f166231c912e854e790caf8e8cace9

Flag = f6f166231c912e854e790caf8e8cace9

Thank you