So Defcon 20 CTF Prequals 2012 has finished! As in PlaidCTF, I’d like to say thank you to my teammate, Archie!
Let’s start with the Forensics 300 writeup.
The description of the challenge was just “Please get my key back!“, and we were provided with a file named for300-47106ef450c4d70ae95212b93f11d05d.
Let’s start examining the file:
francisco@sherminator:~/Downloads$ file for300-47106ef450c4d70ae95212b93f11d05d
for300-47106ef450c4d70ae95212b93f11d05d: data
Looks like the file utility wasn't able to recognize the type of the file. So let's inspect it with a hex editor. The strings visible in the hex dump ("dev=/dev/mtdblock/2 type=firmware" and "signature=wrgnd08_dlob_dir815") tell us that it's a firmware image.
So it's a firmware. That means that it's time for binwalk, a tool designed to search binary images for compressed data, filesystems and more.
francisco@sherminator:~/Desktop/binwalk-0.3.9/src$ ./binwalk for300-47106ef450c4d70ae95212b93f11d05d

DECIMAL   HEX       DESCRIPTION
-------------------------------------------------------------------------------------------------------
108       0x6C      LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3008436 bytes
983148    0xF006C   PackImg Tag, little endian size: 14690560 bytes; big endian size: 2744320 bytes
983180    0xF008C   Squashfs filesystem, little endian, version 4.0, size: 724610815 bytes, 1470 inodes, blocksize: 0 bytes, created: Sat Mar 6 09:29:04 1993
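To make it clearer what binwalk is doing under the hood, here is a small signature scanner of my own (an added example, not code from the original write-up and not binwalk's code). It looks for two of the signatures in the listing above, the LZMA stream header and the little-endian SquashFS 4.x superblock, and decodes the same fields binwalk prints. It also sanity-checks what it decodes, because a lone 0x5D byte is the classic LZMA false positive and because numbers like a 724610815-byte SquashFS with a 0-byte blocksize in the listing above do not fit the 2744320 bytes the PackImg tag on the same listing announces. The image it scans is constructed: the offsets 108 and 983180 and the field values are copied from the binwalk output, the rest of the bytes are synthetic filler, and the creation timestamp is an assumed value.

```python
"""Minimal binwalk-style signature scan for a firmware image.

Added example, not the write-up's own code and not binwalk's. It looks for
an LZMA-alone stream header and a little-endian SquashFS 4.x superblock and
decodes the fields binwalk prints for them. The sample image is constructed:
offsets and field values copy the binwalk listing, the filler is synthetic.
"""
import struct
from datetime import datetime, timezone

SQUASHFS_MAGIC_LE = b"hsqs"      # little-endian form of the 0x73717368 magic
SQUASHFS_SUPERBLOCK_LEN = 96     # full v4 superblock; the first 48 bytes are decoded
LZMA_SIZE_UNKNOWN = 0xFFFFFFFFFFFFFFFF


def parse_lzma_header(data, off):
    """Decode the 13-byte LZMA-alone header at `off`, or None if implausible."""
    if off + 13 > len(data):
        return None
    props, dict_size, usize = struct.unpack_from("<BIQ", data, off)
    if props >= 9 * 5 * 5:                      # must decode to lc<9, lp<5, pb<5
        return None
    lc, pb_lp = props % 9, props // 9
    lp, pb = pb_lp % 5, pb_lp // 5
    # Encoders use power-of-two (or 2^n + 2^(n-1)) dictionaries; anything else is
    # a stray 0x5D byte, the usual false positive for this signature.
    if dict_size == 0 or dict_size > 1 << 30 or bin(dict_size).count("1") > 2:
        return None
    if usize != LZMA_SIZE_UNKNOWN and usize > 1 << 32:
        return None
    return {"properties": props, "lc": lc, "lp": lp, "pb": pb,
            "dict_size": dict_size,
            "uncompressed_size": None if usize == LZMA_SIZE_UNKNOWN else usize}


def parse_squashfs_superblock(data, off):
    """Decode the SquashFS 4.x little-endian superblock at `off`, or None."""
    if data[off:off + 4] != SQUASHFS_MAGIC_LE or off + SQUASHFS_SUPERBLOCK_LEN > len(data):
        return None
    (_magic, inodes, mkfs_time, block_size, fragments, compressor, block_log,
     _flags, _no_ids, major, minor, _root_inode, bytes_used) = struct.unpack_from(
        "<IIIIIHHHHHHQQ", data, off)
    # Cross-check the redundant fields: a real superblock has block_size == 2**block_log
    # within the 4 KiB..1 MiB range the format allows, and the payload should fit the image.
    if major != 4 or not 12 <= block_log <= 20 or block_size != 1 << block_log:
        return None
    return {"version": f"{major}.{minor}", "inodes": inodes, "fragments": fragments,
            "compressor": compressor, "block_size": block_size, "bytes_used": bytes_used,
            "fits_in_image": bytes_used <= len(data) - off,
            "created": datetime.fromtimestamp(mkfs_time, timezone.utc).isoformat()}


def scan_image(data):
    """Return (offset, description, fields) for every plausible signature, by offset."""
    hits = []
    for magic, parser, desc in ((b"\x5d", parse_lzma_header, "LZMA compressed data"),
                                (SQUASHFS_MAGIC_LE, parse_squashfs_superblock,
                                 "Squashfs filesystem, little endian")):
        pos = data.find(magic)
        while pos != -1:
            fields = parser(data, pos)
            if fields is not None:
                hits.append((pos, desc, fields))
            pos = data.find(magic, pos + 1)
    return sorted(hits, key=lambda hit: hit[0])


def build_superblock(inodes, mkfs_time, block_log, bytes_used):
    """Constructed v4 superblock; the table offsets after byte 48 are left zero."""
    sb = struct.pack("<IIIIIHHHHHHQQ", 0x73717368, inodes, mkfs_time, 1 << block_log,
                     0, 1, block_log, 0, 1, 4, 0, 0, bytes_used)
    return sb.ljust(SQUASHFS_SUPERBLOCK_LEN, b"\x00")


def build_sample_image():
    """Constructed image: a text header, an LZMA header at 108, SquashFS at 983180."""
    payload = 4096                                    # synthetic filesystem size
    img = bytearray(983180 + SQUASHFS_SUPERBLOCK_LEN + payload)
    text = b"dev=/dev/mtdblock/2 type=firmware signature=wrgnd08_dlob_dir815"
    img[0:len(text)] = text
    img[108:108 + 13] = struct.pack("<BIQ", 0x5D, 33554432, 3008436)
    img[983180:983180 + SQUASHFS_SUPERBLOCK_LEN] = build_superblock(
        1470, 1338402240, 17, payload)                # assumed: 2012-05-30 18:24 UTC
    return bytes(img)


if __name__ == "__main__":
    for off, desc, fields in scan_image(build_sample_image()):
        print(f"{off:<10}{off:#010x}  {desc}: {fields}")
```

Run it as a script and it prints the two hits in the same DECIMAL / HEX / DESCRIPTION order as binwalk. The point of the cross-checks is that a signature scanner only tells you where something that looks like a header starts; before trusting the numbers (or carving on them) you verify them against each other and against the size of the image, which is also why the firmware-mod-kit extraction in the next step is the real test of whether the SquashFS hit is genuine.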
We have a Squashfs in there, a compressed read-only filesystem that is commonly used on live CDs and in router firmware. We will try to extract that filesystem using firmware-mod-kit:
francisco@sherminator:~/firmware-mod-kit-read-only/trunk$ ./extract-ng.sh for300-47106ef450c4d70ae95212b93f11d05d
After a few minutes, firmware-mod-kit tells us that it has finished its job and that the output is located in the fmk/ directory.
francisco@sherminator:~/Desktop/fmk$ ls
image_parts  logs  rootfs
There we have the filesystem of the firmware, right in the rootfs directory. Let's see what we can find there:
francisco@sherminator:~/Desktop/fmk/rootfs$ ls
bin  dev  etc  home  htdocs  lib  mnt  proc  sbin  sys  tmp  usr  var  www
Now let’s go straight to the /home/dlink folder:
francisco@sherminator:~/Desktop/fmk/rootfs/home/dlink$ ls -la
total 12
drwxrwxr-x 2 root root 4096 2012-05-30 18:24 .
drwxrwxr-x 3 root root 4096 2012-05-30 18:20 ..
-rw-r--r-- 1 root root   45 2012-05-30 18:24 key.txt
And finally:
francisco@sherminator:~/Desktop/fmk/rootfs/home/dlink$ cat key.txt
ewe know, the sh33p always preferred Linksys
So the key for this challenge was: ewe know, the sh33p always preferred Linksys
Nice, simple and clean write up!
Thanks for sharing.
Thank you yappare! I’m glad you liked it!
F100: blkls -s f100
F200: use the deleted 2467 file (retrieved with autopsy):
stegdetect -s 2 2467trash.jpg
2467trash.jpg : outguess(old)(*)
outguess -r -e -k "ddtek" 2467trash.jpg key
Initalize encoding/decoding tables
Reading 2467trash.jpg....
Extracting usable bits: 1793659 bits
Decode: 12 data after ECC: 4
Steg retrieve: seed: 297, len: 55614
Decode: 55614 data after ECC: 29013
file key
key: Zip archive data, at least v2.0 to extract
unzip key
Archive: key
inflating: 98753.pdf
key in PDF!
Thank you Aaron for the writeups on the other forensics challenges!
When I try stegdetect on the recovered 2467 file I get:
error: Not a JPEG file: starts with 0x00 0x00
damn, I spent a few hours playing around with sleuth and autopsy for F100 and the key was under my nose 😦
May I ask HOW you knew it was firmware as I struggled on this challenge?
Is it because of the first bytes, as JPEG’s have ff d8 ff e0, or for other reasons?
And good write up 🙂
I realized that it was firmware based on two strings that you can see on the screenshot of the hex-editor:
* “dev=/dev/mtdblock/2 type=firmware”
* “signature=wrgnd08_dlob_dir815”. If you google for “dir815” you’ll see that it’s a Dlink router.