Welcome back. In the previous post we examined some of the warmup challenges from the VirSecCon 2020 CTF. Today we continue our review of VirSecCon 2020 by exploring some of the forensic challenges from the event.
Let’s get started!
Challenge: I Lost My Password!

Our first forensic challenge begins by serving us a passwd and a shadow file.
We will need both of these files to crack the password hash of the user requesting our aid: passwd holds the account metadata (UID, GID, home directory, shell) with only an 'x' placeholder in the password field, while shadow holds the actual hash. John wants both in one record, so the first step is to merge them.
We download both files to our system and use the unshadow command, which copies the hash field from shadow into the password field of the matching passwd line, to generate a new file that John can load:
unshadow passwd shadow > john.txt
cat john.txt
root:!:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:*:2:2:bin:/bin:/usr/sbin/nologin
sys:*:3:3:sys:/dev:/usr/sbin/nologin
sync:*:4:65534:sync:/bin:/bin/sync
games:*:5:60:games:/usr/games:/usr/sbin/nologin
man:*:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:*:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:*:8:8:mail:/var/mail:/usr/sbin/nologin
news:*:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:*:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:*:13:13:proxy:/bin:/usr/sbin/nologin
www-data:*:33:33:www-data:/var/www:/usr/sbin/nologin
backup:*:34:34:backup:/var/backups:/usr/sbin/nologin
list:*:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:*:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:*:100:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:*:101:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:*:102:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:*:103:106::/nonexistent:/usr/sbin/nologin
syslog:*:104:109::/home/syslog:/usr/sbin/nologin
_apt:*:105:65534::/nonexistent:/usr/sbin/nologin
uuidd:*:106:113::/run/uuidd:/usr/sbin/nologin
avahi-autoipd:*:107:115:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/usr/sbin/nologin
usbmux:*:108:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
rtkit:*:109:116:RealtimeKit,,,:/proc:/usr/sbin/nologin
dnsmasq:*:110:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
cups-pk-helper:*:111:118:user for cups-pk-helper service,,,:/home/cups-pk-helper:/usr/sbin/nologin
speech-dispatcher:!:112:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
kernoops:*:113:65534:Kernel Oops Tracking Daemon,,,:/:/usr/sbin/nologin
avahi:*:114:120:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
saned:*:115:121::/var/lib/saned:/usr/sbin/nologin
nm-openvpn:*:116:122:NetworkManager OpenVPN,,,:/var/lib/openvpn/chroot:/usr/sbin/nologin
whoopsie:*:117:123::/nonexistent:/bin/false
colord:*:118:124:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
hplip:*:119:7:HPLIP system user,,,:/var/run/hplip:/bin/false
geoclue:*:120:125::/var/lib/geoclue:/usr/sbin/nologin
pulse:*:121:126:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
gnome-initial-setup:*:122:65534::/run/gnome-initial-setup/:/bin/false
gdm:*:123:128:Gnome Display Manager:/var/lib/gdm3:/bin/false
john:$6$s.e1vJFx9a3RMVUM$etzkgAvXdiyR/5vBWFzC4J.ECadUJkDi6MUiOEJfc1mo3Z7VeWZKv1iWSvW8XQ8zC5bK8kTvWCs7iw5Hy3ve/0:1000:1000:john,,,:/home/john:/bin/bash
systemd-coredump:!!:999:999:systemd Core Dumper:/:/sbin/nologin
lightdm:*:124:130:Light Display Manager:/var/lib/lightdm:/bin/false
_rpc:*:125:65534::/run/rpcbind:/usr/sbin/nologin
statd:*:126:65534::/var/lib/nfs:/usr/sbin/nologin
postgres:*:127:136:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
Now that we have a merged file containing the output of the unshadow command, we feed it to John and use the rockyou.txt wordlist to crack the password hash:
john --wordlist=/usr/share/wordlists/rockyou.txt john.txt
Warning: detected hash type "sha512crypt", but the string is also recognized as "HMAC-SHA256"
Use the "--format=HMAC-SHA256" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 12 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
whiterose (john)
1g 0:00:00:01 DONE (2020-04-03 13:28) 0.7633g/s 7035p/s 7035c/s 7035C/s somebody..sassy123
Use the "--show" option to display all of the cracked passwords reliably
Session completed
John recognises the hash from its $6$ prefix as sha512crypt with the default 5000 iterations (the HMAC-SHA256 warning is a false positive; passing --format=sha512crypt would silence it). Only the single 'john' entry is loaded, because fields containing '!', '!!' or '*' are locked accounts with no crackable hash. Within a couple of seconds we discover that the password for the user 'john' is whiterose.
We insert this into the proper flag format and submit it to collect our points:
LLS{whiterose}
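As an added example that is not part of the original write-up, here is what unshadow and John are doing under the hood, in Python: merge passwd and shadow by username, skip locked accounts, and check each wordlist candidate by recomputing the $6$ hash. The sha512crypt routine is a from-scratch implementation of the crypt(3) SHA-crypt scheme on top of hashlib (no dependency on the deprecated crypt module). The john hash is the one from the unshadow output above; the other shadow fields, the extra accounts and the three-word wordlist are constructed for the example and stand in for rockyou.txt.

```python
from __future__ import annotations
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Constructed input: john's hash is the one from the unshadow output in the post;
# the remaining shadow fields, the other accounts and the wordlist are made up.
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/bash
john:x:1000:1000:john,,,:/home/john:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""
SHADOW_SAMPLE = """root:!:18300:0:99999:7:::
john:$6$s.e1vJFx9a3RMVUM$etzkgAvXdiyR/5vBWFzC4J.ECadUJkDi6MUiOEJfc1mo3Z7VeWZKv1iWSvW8XQ8zC5bK8kTvWCs7iw5Hy3ve/0:18300:0:99999:7:::
nobody:*:18300:0:99999:7:::
"""
WORDLIST = ["somebody", "sassy123", "whiterose"]  # constructed stand-in for rockyou.txt


def unshadow(passwd_text: str, shadow_text: str) -> list[str]:
    """What unshadow(8) does: copy shadow field 2 (the hash) over passwd field 2 ('x')."""
    hashes = dict(line.split(":")[:2] for line in shadow_text.splitlines() if line)
    merged = []
    for line in passwd_text.splitlines():
        if line:
            fields = line.split(":")
            fields[1] = hashes.get(fields[0], fields[1])
            merged.append(":".join(fields))
    return merged


def _fill(block: bytes, length: int) -> bytes:
    """Repeat a 64-byte digest and truncate to `length` bytes (spec steps 9-10, 16, 20)."""
    return (block * (length // len(block) + 1))[:length]


def sha512crypt(password: str, salt: str, rounds: int = 5000) -> str:
    """crypt(3) $6$ scheme (Drepper's SHA-crypt) implemented with hashlib only."""
    pw, sl = password.encode(), salt.encode()[:16]
    b = hashlib.sha512(pw + sl + pw).digest()            # digest B
    a = hashlib.sha512(pw + sl)                           # digest A
    a.update(_fill(b, len(pw)))
    n = len(pw)
    while n:                                              # one B or pw per bit of len(pw)
        a.update(b if n & 1 else pw)
        n >>= 1
    digest = a.digest()
    p = _fill(hashlib.sha512(pw * len(pw)).digest(), len(pw))
    s = _fill(hashlib.sha512(sl * (16 + digest[0])).digest(), len(sl))
    for i in range(rounds):  # the "Cost 1 (iteration count) is 5000" that john reports
        c = hashlib.sha512(p if i & 1 else digest)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(p)
        c.update(digest if i & 1 else p)
        digest = c.digest()
    # Output bytes are interleaved, not sequential, then encoded with crypt's own alphabet.
    order = [(0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
             (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
             (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
             (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
             (62, 20, 41)]
    out = []
    for hi, mid, lo in order:
        w = (digest[hi] << 16) | (digest[mid] << 8) | digest[lo]
        for _ in range(4):
            out.append(ITOA64[w & 0x3F])
            w >>= 6
    w = digest[63]
    out += [ITOA64[w & 0x3F], ITOA64[(w >> 6) & 0x3F]]
    prefix = "$6$" if rounds == 5000 else f"$6$rounds={rounds}$"
    return f"{prefix}{sl.decode()}${''.join(out)}"


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and rounds, then compare in constant time."""
    parts = stored.split("$")  # ['', '6', ('rounds=N',) salt, digest]
    if len(parts) < 4 or parts[1] != "6":
        raise ValueError("not a $6$ (sha512crypt) hash")
    rounds = int(parts[2][7:]) if parts[2].startswith("rounds=") else 5000
    salt = parts[3] if parts[2].startswith("rounds=") else parts[2]
    return hmac.compare_digest(sha512crypt(password, salt, rounds), stored)


def crack(merged: list[str], wordlist: list[str]) -> dict[str, str]:
    """john --wordlist in miniature; '*', '!', '!!' and empty fields are locked and skipped."""
    found = {}
    for entry in merged:
        user, h = entry.split(":")[:2]
        if h.startswith("$6$"):
            hit = next((w for w in wordlist if verify(w, h)), None)
            if hit is not None:
                found[user] = hit
    return found
```

Running crack(unshadow(PASSWD_SAMPLE, SHADOW_SAMPLE), WORDLIST) returns {'john': 'whiterose'}; root and nobody never reach the verifier because their merged password field is '!' and '*'. The same verify() is a handy independent check of any password John claims to have cracked.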
Challenge: Tragic Number

For our next challenge, we are presented with a .zip file named 'tragic_number.zip'.
We’ll kick things off by downloading the .zip file to our host and running the file command on it:
file tragic_number.zip
tragic_number.zip: Zip archive data, made by v?[0x31e], extract using at least v2.0, last modified Thu Oct 18 06:10:02 2012, uncompressed size 42, method=deflate
Next, let’s explore what happens when we attempt to unzip the file:
unzip tragic_number.zip
Archive: tragic_number.zip
file #1: bad zipfile offset (local header sig): 0
Unzip fails to extract the archive and reports a bad zipfile offset. The message is more specific than it looks: unzip found the central directory at the end of the file without complaint, followed its pointer to the first local file header at offset 0, and did not find the local header signature it expected there.
Given this information and the name of the challenge, we can infer that the solution involves the magic number of the .zip file.
What is a magic number?
A magic number is a fixed byte or string constant that identifies a file's format. It almost always sits at the very start of the file (a few formats place theirs a little further in), and tools such as file identify formats by matching it. Magic numbers are also referred to as file signatures or magic bytes.
We can examine the magic number of our .zip file by outputting the hex data of the file with the xxd command:
xxd tragic_number.zip
00000000: 4834 434b 1400 0000 0800 3a9d 7f50 2a0a  H4CK......:..P*.
00000010: e5b6 2300 0000 2a00 0000 0800 1c00 666c  ..#...*.......fl
00000020: 6167 2e74 7874 5554 0900 0340 d583 5e40  ag.txtUT...@..^@
00000030: d583 5e75 780b 0001 04e8 0300 0004 e803  ..^ux...........
00000040: 0000 f3f1 09ae 2e29 4a4c cf4c 8ecf 2bcd  .......)JL.L..+.
00000050: 4d4a 2d8a cfcd 2f4a 8dcf c9cc 4e8d cf45  MJ-.../J....N..E
00000060: 12ae e502 0050 4b01 021e 0314 0000 0008  .....PK.........
00000070: 003a 9d7f 502a 0ae5 b623 0000 002a 0000  .:..P*...#...*..
00000080: 0008 0018 0000 0000 0001 0000 0080 8100  ................
00000090: 0000 0066 6c61 672e 7478 7455 5405 0003  ...flag.txtUT...
000000a0: 40d5 835e 7578 0b00 0104 e803 0000 04e8  @..^ux..........
000000b0: 0300 0050 4b05 0600 0000 0001 0001 004e  ...PK..........N
000000c0: 0000 0065 0000 0000 00                   ...e.....
The first four bytes of the file, 48 34 43 4b (ASCII 'H4CK'), do not match the magic number of a .zip local file header.
Some quick research reveals the correct signature for this file type: 50 4B 03 04, which is the ASCII letters 'PK' (the initials of Phil Katz, the author of PKZIP) followed by the bytes 03 04. The rest of the archive is intact, and the dump confirms it: the central directory header 'PK' 01 02 is still in place at offset 0x65, and the end-of-central-directory record 'PK' 05 06 is at offset 0xb3, which is exactly why unzip could locate the entry and only stumbled on its local header.
Now that we have identified the appropriate magic number for this file type, we will continue by editing the hex data of the file and writing 50 4b 03 04 over the four bytes at offset 0.
We'll use the hexeditor command to modify the data: open the archive with hexeditor tragic_number.zip, overwrite 48 34 43 4b at the start of the file with 50 4b 03 04, and save. Running xxd tragic_number.zip again should now show 504b 0304 at the start of the first line.
Now that our correction has been implemented, let’s attempt to unzip the file again:
unzip tragic_number.zip
Archive: tragic_number.zip
inflating: flag.txt

The .zip file contents are extracted successfully and we are granted our flag!
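As an added example that is not part of the original write-up, the repair above can be done programmatically, and more generally than patching offset 0: the script below walks the central directory (found through the end-of-central-directory record, the same 'PK' 05 06 structure visible at the end of the hex dump) to learn where each member's local file header should start, restores the 'PK' 03 04 signature at every offset where it is missing, and then extracts the archive with the standard zipfile module. The sample archive is constructed in memory with a made-up flag and then damaged the way tragic_number.zip was, so it runs offline; the identify() table of magic numbers is a small illustrative subset, not a replacement for file.

```python
from __future__ import annotations
import io
import struct
import zipfile

ZIP_LOCAL_SIG = b"PK\x03\x04"   # local file header, the bytes that were overwritten
ZIP_CDIR_SIG = b"PK\x01\x02"    # central directory file header
ZIP_EOCD_SIG = b"PK\x05\x06"    # end of central directory record

# A few well-known magic numbers, all at offset 0 (illustrative subset only).
SIGNATURES = {
    b"PK\x03\x04": "zip archive (local file header)",
    b"\x7fELF": "ELF executable",
    b"\x89PNG": "PNG image",
    b"%PDF": "PDF document",
    b"\x1f\x8b": "gzip compressed data",
}


def identify(data: bytes) -> str:
    """Poor man's file(1): match the leading bytes against the table above."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"


def local_header_offsets(data: bytes) -> list[tuple[str, int]]:
    """Follow EOCD -> central directory and return (member name, local header offset)."""
    eocd = data.rfind(ZIP_EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: sig, disk, cd disk, entries on disk, entries total, cd size, cd offset, comment len
    _sig, _disk, _cd_disk, _n_disk, n_total, _cd_size, cd_offset, _clen = struct.unpack_from(
        "<4s4H2LH", data, eocd)
    entries, pos = [], cd_offset
    for _ in range(n_total):
        hdr = struct.unpack_from("<4s6H3L5H2L", data, pos)  # 46-byte central directory header
        if hdr[0] != ZIP_CDIR_SIG:
            raise ValueError(f"bad central directory signature at {pos:#x}")
        name_len, extra_len, comment_len, local_off = hdr[10], hdr[11], hdr[12], hdr[16]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        entries.append((name, local_off))
        pos += 46 + name_len + extra_len + comment_len
    return entries


def repair_local_signatures(data: bytes) -> tuple[bytes, list[int]]:
    """Restore PK\\x03\\x04 wherever the central directory says a local header starts."""
    buf = bytearray(data)
    patched = []
    for _name, off in local_header_offsets(data):
        if buf[off:off + 4] != ZIP_LOCAL_SIG:
            buf[off:off + 4] = ZIP_LOCAL_SIG
            patched.append(off)
    return bytes(buf), patched


def extract_all(data: bytes) -> dict[str, bytes] | None:
    """Read every member; None if a local header is bad (unzip's 'bad zipfile offset')."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return {i.filename: zf.read(i.filename) for i in zf.infolist()}
    except zipfile.BadZipFile:
        return None


def make_sample() -> bytes:
    """Constructed stand-in for tragic_number.zip: a valid deflated archive whose
    first four bytes are overwritten with 'H4CK', as in the challenge's hex dump."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("flag.txt", "LLS{constructed_example_flag}\n")
    data = bytearray(buf.getvalue())
    data[0:4] = b"H4CK"
    return bytes(data)


if __name__ == "__main__":
    broken = make_sample()
    print("before:", identify(broken), "->", extract_all(broken))
    fixed, offsets = repair_local_signatures(broken)
    print("patched offsets:", offsets, "->", identify(fixed))
    print(extract_all(fixed)["flag.txt"].decode(), end="")
```

Because the offsets come from the central directory rather than from assuming position 0, the same routine fixes archives with several members whose local headers were all tampered with, and it leaves an undamaged archive untouched (no offsets patched). If the central directory itself is gone, this approach no longer applies and the members have to be carved by scanning for the remaining local headers instead.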

Conclusion
That wraps up our review of the forensic challenges from VirSecCon 2020 CTF.
In the next post, we’ll dive into some of the web challenges from this CTF!
Until next time,
Happy Hacking!