Hello Folks , its been a while. Well this time i played CrewCTF 2022 with my crew TamilCTF. We secured rank 36 out of 758. It was an amazing experience , i learned lots of new things in Digital Forensics.
The given file is a ewf disk image , i found a cool article about mounting this disk image in linux.
$ mkdir rawimage
$ sudo ewfmount Image.E01 ./rawimage/
$ mkdir mountpoint
$ sudo mount ./rawimage/ewf1 ./mountpoint -o ro,loop,show_sys_files,streams_interace=windows
$ sudo cd mountpoint
$ sudo ls -laChallenge description point out that suspect deleted the file. The disk image $RECYCLE.BIN folder. I went there and found two PDF files $ID5UESN.pdf and $RD5UESN.pdf. First file is safe doesn’t contain any suspicious things. Second was suspicious , i renamed the pdf to sus2.pdf , when i did strings on it saw some memory adresses.
I opened it in peepdf and boom it shows the CVE.
CVE-2008-2992 , its release date : 11/4/2008.
crew{CVE-2008-2992_Date:11.4.08}
This is my favourite in this CTF. I followed this awesome article to solve this challenge. It involves extracting Javascript , shellcode and debugging shellcode to malicious activities.
We saw Javascript in sus2.pdf , it has to be the script to execute payload. Let’s extract the JS.
$ echo "extract js > mal.js" > script.txt
$ peepdf.py -l -f -s script.txt sus2.pdfmal.js have shellcode , copy the the value of first variable and save it to shellcode.txt and run the python script , python2 shell2bin.py shell.txt
#!/usr/bin/python2
import os, sys
import re
if os.path.isfile(sys.argv[1]):
sc = open(sys.argv[1]).read()
else:
sc = sys.argv[1]
# translate to binary
bin_sc = re.sub('%u(..)(..)',lambda x: chr(int(x.group(2),16))+chr(int(x.group(1),16)), sc)
# save to disk
try:
FILE = open("shellcode.bin", "wb")
FILE.write(bin_sc)
FILE.close()
except Exception, e:
print 'Cannot save binary to disk: %s' % eGot the shellcode.bin file.
Now we need to IP Address by running this shellcode , libemu is an awesome library to emulate shellcodes.
Unfortunately it failed to build in my system. I searched for other tools and found out SCDBG , its a cool shellcode debugger.
$ git clone https://github.com/dzzie/SCDBG
$ cd SCDBG; autoreconf -v -i; ./configure; make; cd tools/sctest
copy shellcode.bin to current folder and
$ ./scdbg -f shellcode.bin
Find the sha1sum of IP Address 192.168.1.30
crew{265180387f1642217973f8cfda2ca6cc92d48e60}
On extracting zip we get ScreenShot.ad1 file. I tried volatility , sleuthkit and foremost for file carving, but didn’t got any results. At this point i have no idea what the file is.
Later i googled and got this cool article about .ad1 files. AD1 (AccessData Logial Image) files are propreitary image format generated by FTK Imager. Nice , this article also covers the tools which can be used to extract this file. I am using windows so i installed Forensic7z 7zip plugin and extracted the AD1 image.
Then i searched for all PNG files exist in the extracted folder.
find . -type f -name *}.png
Found a interesting location ScreenShot\Users\0xSh3rl0ck\AppData\Local\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe\TempState.
ScreenSketch is a screenshot utility , so this must be the place also all png files had {} name pattern. I opened each images.
File {19422F1B-6C19-4190-9674-0D1C5AEC5451}.png had a base64 string inside it , so this is the file we lookin for.
crew{{19422F1B-6C19-4190-9674-0D1C5AEC5451}}
For this challenge i searched for all .lnk files , find . -type f -name *.lnk.
ScreenShot\Users\0xSh3rl0ck\AppData\Roaming\Microsoft\Windows\Recent location had shortcuts connected to ScreenSketch program.
I did md5 on all files and tried each result.
for f in $(ls); do md5sum $f;done
ms-screensketcheditisTemporary=true&source=screenclip&sharedAccessToken=7776FC76-E7CE-4D04-855F-D9CF8A821270&secondarySharedAccessToken=06E0D4CA-235D-4ACB-910B-006280BEA450&viewId=-525411.lnk
This is the shortcut associated to our previous image.
crew{fd483445cf5e5b0e2b061f4b1defa841}
Decode the base64 Y3Jld3tUcjRjazFuZ19zY3IzM25zaDB0c193MXRoX0xOS19mMWwzc30= in the png image we found earlier.
crew{Tr4ck1ng_scr33nsh0ts_w1th_LNK_f1l3s}