Add personal writeup for SECCON.

[pub/jan/ctf-seminar.git] / writeups / them / seccon19.md

# SECCON 2019 

## The CTF in retrospective

I started playing this CTF after my two colleagues @someone and @astra informed me of the course, so i joined a little late (this is also the reason why i was not in the corresponding mattermost channel at that time). I spent around 12 hours playing this CTF, some more after plus some more for this writeup. Since i usually don't swap challenges a lot when playing CTF, the write-up is rather short in number (1 challenge only) but i attempted to make our train-of-thought very clear to at least provide a good documentation to what we did.

## Challenges

### Unsolved

#### for-repair

I worked at this challenge together with @astra and @someone from mattermost, sitting in a room next to each other.

The challenge was as follows:

```
  This file lost one sector. Please repair it.
  960x540
```

The download link gave us a ~2.7MB file that should be repaired. We started analysing it.

 * `file` did not recognize it as something special, just "data".
 * `binwalk` found some MYSQL compressed data file and some LZMA compressed data, but both seemed rather unlikely at that time.
 * `strings` had some very interesting results: 
  `JUNK LIST INFOISFT Lavf58.28.100 JUNK LIST movi00dc 00dc`
  Especially the String `00dc` was interesting since it had more than 500 occurrences.
  * `hexdump -C <file> | less -n 100` resulted in something that looks like some kind of header and then a repeating patteren revolving around the `00dc` we already have seen.

A google search for some of the keywords such as "JUNK LIST INFOISFT" and "00dc" gave a lot of hints towards an avi video file. This also matches up well with the file name `960x540` which seems to indicate a image/video resolution. 

At this point i attempted multiple video players to just run the file, including `mplayer vlc mpv`, but without success. Either nothing happened at all or unknown errors were reported. Especially interesting at this point is that no tool was able to recognize the file format. 

We searched online for several avi repair tools that could either repair it or atleast give us more information on what is broken exactly, but none really helped.

Since the challenge description says "lost one sector", it became quite likely that the file is missing header information and the repeating pattern noticed probably are frames of a video. This would mean if we would know what file format exactly it is, we might be able to read or recreate missing header information.

An attempt to fix the file was made by prefixing the file with 512 bytes (because 512 is the traditional size of a `sector`) of zeros. It was hoped that this might help various previously listed tools to recognize the file better. We did this using `dd if=/dev/zero of=./zerosector bs=1 count=512 && cat zerosector 960x540.avi > 960x540.mod.avi`.

Since the header probably has important information about the format of file contents, we attempted to convert the video using `ffmpeg -c:v <codec> -i "960x540.mod.avi" -c:v copy "recovery.avi"` with various different codecs we obtained `ffmpeg -codecs`. The idea was, if we specify the correct input codec to read, `ffmpeg` might just have enough information to copy and create a good video file as output. Some codecs produced an output, some just didn't work. Those that delivered output we attempted to play and see if it worked. But it didn't, mostly black and/or noise.

Next, we tried finding a reference video with the same resolution (960x540), so we could compare the file format and/or reuse [parts of] the header if possible. We found such a file [here][reference_video]. A side by side comparison of the hexdumps showed that only the information in the beginning seems missing, due to the position of the string "vprpD" which can be found at the exact same position in reference video line `0x000010f0` matching our file line `0x00000ef0`. Also, the reference file showed the same structure (keywords mentioned above) as our file, validating our believes in a video file.

We now tried to copy over the first 512 bytes (`0x000010f0 - 0x00000ef0 = 0x200 = 512 = traditional sector size`) from our reference video over to ours using `dd if=./reference.avi of=./960x540.mod.avi bs=1 count=512 conv=notrunc`, which allowed a little better results when attempting to play back the video with various media players. VLC now detected a runtime of 0:15 for this video (which is different from the 0:34 of the reference video, otherwise that would indicate that we just copied an encoded length field as well instead of using the one corresponding to our video).

We started spending a lot of time researching what the header actually contains and how we could find and reconstruct the missing information. We had some ideas, mostly revolving around writting our own decoder to extract frames. This is the point were the CTF ended, sadly, because at this point we were only one command aways from the solution :/ The rest below I found out after the end of the CTF.

If we had tried to convert the last file again using ffmpeg we would have had the result. `ffmpeg -c:v cinepak -i "960x540.mod.avi" -c:v copy "recovery.avi"`. (The codec parameter could have been found again using bruteforce trying every possible codec from `ffmpeg -codecs`) The result would have been a 10 second  video that is mostly black and shows three texts for a short while, one of which would have been the flag: `SECCON{FORENSICS_MOVIE_SECCON2019_TKTK}`.

It is also interesting to see that other teams according to their write-ups wrote some decoders using the ffmpeg api from python ([see here][wup1]) or attempted to do it in C ([see here][wup2]) manually, which we might also have attempted if the CTF would not have ended. 

The following script can produce a solution from the original input file using what we discoverd during and after the CTF:
```
#!/bin/bash
  INPUTFILE=./960x540.avi
  REFERENCEFILE=./960x540.reference.avi
  WORKFILE=./960x540.mod.avi
  RESULTFILE=./recovery.avi

  #generate missing sector of zeros
  dd if=/dev/zero of=./zerosector bs=1 count=512

  #prepend missing sector to file
  cat zerosector $INPUTFILE > $WORKFILE

  #overwrite first sector from reference file
  if [ ! -e $REFERENCEFILE ]; then
    wget "https://www.fm91.com.pk/wp-content/uploads/2017/08/960x540-AVI-MPEG-11.avi" -O $REFERENCEFILE
  fi
  dd if=$REFERENCEFILE of=$WORKFILE bs=1 count=512 conv=notrunc

  #convert as means of repair using ffmpeg
  ffmpeg -c:v cinepak -i $WORKFILE -c:v copy $RESULTFILE
```

#### References:

[Reference Video][reference_video]  
[Write Up using Python and ffmpeg API][wup1]  
[GitHub Gist][wup2]  

[reference_video]: https://www.fm91.com.pk/wp-content/uploads/2017/08/960x540-AVI-MPEG-11.avi
[wup1]: https://translate.google.com/translate?hl=en&sl=auto&tl=en&u=http%3A%2F%2Fblog.bonprosoft.com%2F1685
[wup2]: https://gist.github.com/hikalium/7567d487d32af63ec0f4bc68e5a354cb