Forensics Writeup


Table of Contents

  1. Glory of the Garden - Points: 50
  2. unzip - Points: 50
  3. So Meta - Points: 150
  4. What Lies Within - Points: 150
  5. extensions - Points: 150
  6. shark on wire 1 - Points: 150
  7. WhitePages - Points: 250
  8. c0rrupt - Points: 250
  9. like1000 - Points: 250
  10. m00nwalk - Points: 250

Glory of the Garden - Points: 50
This garden contains more than it seems. You can also find the file in /problems/glory-of-the-garden_6_0d6d3ea97757b84c7a51a38daa7dca8d on the shell server.

Hint: What is a hex editor?


$ wget https://2019shell1.picoctf.com/static/064eaf1591900ad250736459aa2448a0/garden.jpg
$ cat garden.jpg
# the flag is appended as plain text at the very end of the file, after the JPEG data,
# so it is the last thing cat prints (strings garden.jpg | tail shows it without the binary noise)

picoCTF{more_than_m33ts_the_3y3f20F5be9}


unzip - Points: 50
Can you unzip this file and get the flag?

Hint: put the flag in the format picoCTF{XXXXX}


$ wget https://2019shell1.picoctf.com/static/37762a7e5774d7d6c1bc79e8e1758ef9/flag.zip
$ unzip -l flag.zip
# the archive holds a single image, flag.png
$ unzip flag.zip
$ eog flag.png

picoCTF{unz1pp1ng_1s_3a5y}


So Meta - Points: 150
Find the flag in this picture. You can also find the file in /problems/so-meta_5_7c198bd3e228862d97a40316b8a103e4.

Hint: What does meta mean in the context of files? Ever hear of metadata?


$ wget https://2019shell1.picoctf.com/static/973cd0e3beea255e6a0b5316aa6287ce/pico_img.png
$ strings pico_img.png | grep picoCTF
# the flag sits in a text chunk of the PNG metadata (exiftool pico_img.png lists it under Artist)

picoCTF{s0_m3ta_ffd09c0f}


What Lies Within - Points: 150
Theres something in the building (image file). Can you retrieve the flag?

Hint: There is data encoded somewhere, there might be an online decoder


$ wget https://2019shell1.picoctf.com/static/aec3861fc4d5bce4d39dc0db196426de/buildings.png

# after installing the rubygems package
$ gem install zsteg
# add the gem executables to the environment PATH
$ PATH="`ruby -e 'puts Gem.user_dir'`/bin:$PATH"

$ zsteg buildings.png
# zsteg tries each bit plane and channel order; the flag shows up in the
# b1,rgb,lsb,xy channel, i.e. the lowest bit of each R, G, B byte read row by row

picoCTF{h1d1ng_1n_th3_b1t5}
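
What zsteg is doing when it reads that channel, as an added example (my code, not zsteg's and not part of the original writeup): a minimal PNG reader and writer for 8-bit RGB, an LSB embed/extract pair, and a constructed cover image with a made-up message. The cover pixels, the message, and the bit order (MSB of each message byte first) are assumptions; the channel order is R, G, B within a pixel, pixels row by row, which is what zsteg labels rgb,lsb,xy.

```python
#!/usr/bin/env python3
"""PNG LSB steganography, end to end: a minimal 8-bit RGB PNG reader/writer, an
embed/extract pair, and a constructed cover image. Added example, not zsteg's code."""
import struct
import zlib

SIG = b'\x89PNG\r\n\x1a\n'


def png_chunk(name, data):
    crc = zlib.crc32(name + data) & 0xffffffff
    return struct.pack('>I', len(data)) + name + data + struct.pack('>I', crc)


def write_rgb_png(width, height, pixels):
    """pixels: flat bytes, 3 per pixel, row-major; every row stored with filter type 0."""
    stride = width * 3
    raw = b''.join(b'\x00' + pixels[y * stride:(y + 1) * stride] for y in range(height))
    ihdr = struct.pack('>IIBBBBB', width, height, 8, 2, 0, 0, 0)
    return (SIG + png_chunk(b'IHDR', ihdr) + png_chunk(b'IDAT', zlib.compress(raw))
            + png_chunk(b'IEND', b''))


def read_rgb_png(png):
    """Decode 8-bit non-interlaced RGB: join IDATs, inflate, undo all five scanline filters."""
    assert png[:8] == SIG, 'not a PNG'
    off, idat = 8, b''
    while off + 8 <= len(png):
        length = struct.unpack('>I', png[off:off + 4])[0]
        name, data = png[off + 4:off + 8], png[off + 8:off + 8 + length]
        if name == b'IHDR':
            width, height, depth, ctype, _, _, interlace = struct.unpack('>IIBBBBB', data)
            assert (depth, ctype, interlace) == (8, 2, 0), 'demo handles 8-bit RGB only'
        elif name == b'IDAT':
            idat += data
        off += 12 + length
    raw, stride, bpp = zlib.decompress(idat), width * 3, 3
    prev, out = bytearray(stride), bytearray()
    for y in range(height):
        ftype = raw[y * (stride + 1)]
        line = bytearray(raw[y * (stride + 1) + 1:(y + 1) * (stride + 1)])
        for i in range(stride):
            a = line[i - bpp] if i >= bpp else 0      # left neighbour, same channel (already unfiltered)
            b = prev[i]                                # byte above
            c = prev[i - bpp] if i >= bpp else 0      # above-left
            if ftype == 1:
                line[i] = (line[i] + a) & 0xff         # Sub
            elif ftype == 2:
                line[i] = (line[i] + b) & 0xff         # Up
            elif ftype == 3:
                line[i] = (line[i] + (a + b) // 2) & 0xff  # Average
            elif ftype == 4:                           # Paeth
                p = a + b - c
                pa, pb, pc = abs(p - a), abs(p - b), abs(p - c)
                line[i] = (line[i] + (a if pa <= pb and pa <= pc else b if pb <= pc else c)) & 0xff
        out += line
        prev = line
    return width, height, bytes(out)


def embed_lsb(pixels, message):
    """Overwrite the low bit of consecutive channel bytes (R, G, B per pixel, pixels row by row)
    with the message bits, MSB of each byte first (an assumed convention; decoders try both)."""
    bits = [(byte >> i) & 1 for byte in message for i in range(7, -1, -1)]
    assert len(bits) <= len(pixels), 'message does not fit in the cover'
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xfe) | bit
    return bytes(out)


def extract_lsb(pixels, nbytes):
    """Read the low bits back in the same order: what zsteg labels b1,rgb,lsb,xy."""
    out = bytearray()
    for i in range(nbytes):
        byte = 0
        for k in range(8):
            byte = (byte << 1) | (pixels[i * 8 + k] & 1)
        out.append(byte)
    return bytes(out)


def demo(message=b'picoCTF{constructed_example}'):
    """Hide a message in a constructed 16x8 cover, write a real PNG, decode it and read it back."""
    width, height = 16, 8
    cover = bytes((x * 7 + 13) % 256 for x in range(width * height * 3))
    png = write_rgb_png(width, height, embed_lsb(cover, message + b'\x00'))
    _, _, pixels = read_rgb_png(png)
    return extract_lsb(pixels, len(pixels) // 8).split(b'\x00', 1)[0]


if __name__ == '__main__':
    print(demo().decode())
```

The writer only emits filter type 0, but the reader undoes all five filters because a real cover image will use whichever filter the encoder picked per row; extracting bits from the still-filtered bytes is the classic mistake that makes an LSB search come up empty.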


extensions - Points: 150
This is a really weird text file TXT? Can you find the flag?

Hint: How do operating systems know what kind of file it is? (It's not just the ending!)

Hint: Make sure to submit the flag as picoCTF{XXXXX}


$ wget https://2019shell1.picoctf.com/static/45886ed4b6d5d1dc74c4944fcf4b4041/flag.txt
# the reliable check is the magic number, not the name: the file starts with
# 89 50 4E 47 (the PNG signature), which is why `file flag.txt` reports "PNG image data"
$ mv flag.txt flag.png
$ eog flag.png

picoCTF{now_you_know_about_extensions}


shark on wire 1 - Points: 150
We found this packet capture. Recover the flag. You can also find the file in /problems/shark-on-wire-1_0_13d709ec13952807e477ba1b5404e620.

Hint: Try using a tool like Wireshark

Hint: What are streams?


$ wget https://2019shell1.picoctf.com/static/ae9ca8cff43ed638ed5d137f9ece7455/capture.pcap
$ wireshark capture.pcap
# right-click a UDP packet, then Follow > UDP Stream; step through the stream numbers
# in the follow dialog. The flag is split across the datagrams of one stream, so it
# is only readable once the stream's payloads are reassembled in order.

picoCTF{StaT31355_636f6e6e}
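
Follow UDP Stream done by hand, as an added example (my code, not the writeup's and not Wireshark's): a stdlib pcap reader that groups datagrams by address/port pair in both directions, concatenates their payloads in capture order, and searches each stream. The capture is constructed inline (addresses, ports and the flag text are made up; IP and UDP checksums are left zero), so it runs offline; pcapng and non-Ethernet captures are out of scope.

```python
#!/usr/bin/env python3
"""Reassemble UDP streams from a classic pcap the way Wireshark's Follow UDP Stream does,
then search each stream. Added example on a constructed capture, not the challenge pcap."""
import struct


def ipv4_udp_packet(src, dst, sport, dport, payload):
    """Ethernet/IPv4/UDP frame (constructed; checksums left zero, which pcap readers tolerate)."""
    udp = struct.pack('>HHHH', sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack('>BBHHHBBH4s4s', 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split('.'))), bytes(map(int, dst.split('.'))))
    return b'\x00' * 12 + b'\x08\x00' + ip + udp


def build_pcap(frames):
    """Classic pcap: 24-byte global header (LINKTYPE_ETHERNET = 1), then a 16-byte record header per frame."""
    out = struct.pack('<IHHiIII', 0xa1b2c3d4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack('<IIII', 1_500_000_000 + i, 0, len(f), len(f)) + f
    return out


def udp_streams(pcap):
    """Map sorted ((ip, port), (ip, port)) -> concatenated payload, both directions merged, capture order."""
    magic, = struct.unpack('<I', pcap[:4])
    if magic == 0xa1b2c3d4:
        end = '<'
    elif magic == 0xd4c3b2a1:
        end = '>'
    else:
        raise ValueError('not a classic pcap (pcapng is not handled here)')
    linktype, = struct.unpack(end + 'I', pcap[20:24])
    assert linktype == 1, 'demo expects Ethernet frames'
    streams = {}
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack(end + 'IIII', pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b'\x08\x00':            # IPv4 only
            continue
        ip = frame[14:]
        if ip[9] != 17:                            # protocol 17 = UDP
            continue
        ihl = (ip[0] & 0x0f) * 4
        total = struct.unpack('>H', ip[2:4])[0]
        udp = ip[ihl:total]
        sport, dport, ulen = struct.unpack('>HHH', udp[:6])
        a = ('.'.join(map(str, ip[12:16])), sport)
        b = ('.'.join(map(str, ip[16:20])), dport)
        key = tuple(sorted((a, b)))                # direction-agnostic, like Follow Stream
        streams[key] = streams.get(key, b'') + udp[8:ulen]
    return streams


def find_in_streams(pcap, needle=b'picoCTF{'):
    """(stream key, reassembled payload) for every stream that contains the needle."""
    return [(k, v) for k, v in udp_streams(pcap).items() if needle in v]


def demo_pcap():
    """Constructed capture: the flag goes out one byte per datagram on one stream, interleaved
    with noise on three other streams, so no single packet shows it."""
    flag = b'picoCTF{constructed_stream_example}'
    frames = []
    for i, ch in enumerate(flag):
        frames.append(ipv4_udp_packet('10.0.0.66', '10.0.0.1', 5000, 5555, bytes([ch])))
        frames.append(ipv4_udp_packet('10.0.0.66', '10.0.0.2', 5100 + i % 3, 22, b'noise %d' % i))
    return build_pcap(frames)


if __name__ == '__main__':
    for key, payload in find_in_streams(demo_pcap()):
        print(key, payload)
```

Grouping by the sorted (address, port) pair is what makes the two directions of a conversation land in one stream; grouping by a one-directional 5-tuple would split a request/response exchange in half, which is a common reason a scripted search misses what Wireshark shows.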


WhitePages - Points: 250
I stopped using YellowPages and moved onto WhitePages... but the page they gave me is all blank!

Hint:


$ wget https://2019shell1.picoctf.com/static/d7068f4c75d7b4a3e342cc57d528c5ce/whitepages.txt
$ xxd whitepages.txt
# the "blank" page is made of only two byte sequences: e2 80 83 (U+2003 EM SPACE)
# and 20 (ASCII space), which is a binary encoding with one bit per character

#!/usr/bin/env python3
# Python 3, standard library only (the original used pwntools' unbits() under Python 2).
# Map EM SPACE to 0 and ASCII space to 1, then pack 8 bits per byte, MSB first,
# which is the bit order unbits() uses by default.
with open('./whitepages.txt', 'rb') as f:
    data = f.read().rstrip(b'\r\n')

bits = data.replace(b'\xe2\x80\x83', b'0').replace(b' ', b'1')
assert set(bits) <= {ord('0'), ord('1')}, 'unexpected byte in input'

out = int(bits, 2).to_bytes((len(bits) + 7) // 8, 'big')
print(out.decode('utf-8', errors='replace'))

picoCTF{not_all_spaces_are_created_equal_178d720252af1af29369e154eca23a95}


c0rrupt - Points: 250
We found this file. Recover the flag. You can also find the file in /problems/c0rrupt_0_1fcad1344c25a122a00721e4af86de13.

Hint: Try fixing the file header


$ wget https://2019shell1.picoctf.com/static/3435d990f1d20fe3563cbb897b4c96db/mystery
$ ghex mystery

The first bytes resemble a PNG signature but do not match it. A PNG must begin with 89 50 4E 47 0D 0A 1A 0A; overwrite the damaged bytes with that sequence.

$ pngcheck mystery

OUTPUT -> mystery: invalid chunk name "C"DR" (43 22 44 52)

$ ghex mystery

Search for those bytes in the hex editor. They sit where the first chunk type belongs, and the first chunk of a PNG is always IHDR (the image header), whose type bytes are 49 48 44 52 (decimal 73 72 68 82). Replace 43 22 with 49 48.

$ pngcheck mystery

OUTPUT -> mystery CRC error in chunk pHYs (computed 38d82c82, expected 495224f0)

$ ghex mystery

"expected" is the CRC stored in the file; "computed" is the CRC-32 pngcheck calculated over the chunk type and data. Search for 49 52 24 F0 (the four bytes right after the pHYs data) and overwrite them with 38 D8 2C 82. This is only the right fix because the chunk data is intact and the CRC bytes are what got damaged; rewriting a CRC over corrupted data would hide the corruption rather than repair it. pHYs is an ancillary chunk, so most decoders would at worst warn about it, but pngcheck will not move on to the next fault until it is consistent.

$ pngcheck mystery

OUTPUT -> mystery invalid chunk length (too large)

$ ghex mystery

The next chunk type reads AB 44 45 54 and must be IDAT (image data), 49 44 41 54. The other problem is its length field, AA AA FF A5, which is far larger than the file. The CRC cannot tell us where the chunk ends, but IDAT chunks must be consecutive, so the next occurrence of the string IDAT marks the boundary. That next IDAT type field is at offset 0x10008 and this chunk's type field is at offset 0x57, a difference of 0xFFB1. Between the two type fields lie this chunk's 4-byte type, its data, its 4-byte CRC, and the next chunk's 4-byte length, 12 bytes of overhead in total. So the data length is 0xFFB1 - 12 = 0xFFA5: only the top two bytes of the length field were damaged, and AA AA FF A5 becomes 00 00 FF A5.

$ pngcheck mystery

OUTPUT -> OK: mystery (1642x1095, 24-bit RGB, non-interlaced, 96.3%)

$ eog mystery

picoCTF{c0rrupt10n_1847995}


like1000 - Points: 250
This .tar file got tarred a lot. Also available at /problems/like1000_0_369bbdba2af17750ddf10cc415672f1c.

Hint: Try and script this, it'll save you a lot of time


$ wget https://2019shell1.picoctf.com/static/8694f84879d3b7c0dcf775930f4665fc/1000.tar

#!/bin/bash
# each N.tar unpacks to (N-1).tar plus filler; 1.tar holds the flag image.
# stop at the first failed extraction instead of looping over archives that never appeared
set -e
for i in $(seq 1000 -1 1)
do
  tar xvf "$i.tar"
done

picoCTF{l0t5_0f_TAR5}


m00nwalk - Points: 250
Decode this message from the moon. You can also find the file in /problems/m00nwalk_0_05441e9344c829ba5a648e8b28ef1564.

Hint: How did pictures from the moon landing get sent back to Earth?

Hint: What is the CMU mascot?, that might help select a RX option


$ wget https://2019shell1.picoctf.com/static/fe892e7bef69b386ce5638053c0d312c/message.wav
# the audio is an SSTV (slow-scan television) transmission, the same scheme the Apollo
# missions used for pictures. Decode it with RX-SSTV (Windows):
# http://users.belgacom.net/hamradio/rxsstv.htm
# The CMU mascot is a Scottish terrier, so the RX mode to select is Scottie 1.

picoCTF{beep_boop_im_in_space}