ilm0 - first deadline writeup submission

[pub/jan/ctf-seminar.git] / writeups / ilm0 / ctfzone.md

# <u>CTFZone 2019 Quals</u>



## Strange PDF

**category**: forensics, rev

**description**:

You have one PDF file. Now calculate the flag. It's in decimal, by the way.

___

### Recon + solution

We receive a .pdf file. Opening it we find a strange function definition f(x) = 109394007*x + 13
In itself, this is not very helpful!

I tried looking for clues in the file details, then taking it apart with LibreOffice draw, but nothing unusual was revealed.

Analysing the file with the unix tool `strings` did not reveal any hidden information, but it revealed the underlying file structure.

After getting into the details of how .pdf files are built up (see TD) , I took a closer look with `less`:

The xref table:

```
xref
0 26
0000000000 65535 f 
0000020069 00000 n 
0000000019 00000 n 
0000000294 00000 n 
0000000314 00000 n 
0000000511 00000 n 
0000020212 00000 n 
0000000551 00000 n 
0000006741 00000 n 
0000006762 00000 n 
0000006964 00000 n 
0000007312 00000 n 
0000007527 00000 n 
0000012420 00000 n 
0000012442 00000 n 
0000012649 00000 n 
0000012966 00000 n 
0000013155 00000 n 
0000019098 00000 n 
0000019120 00000 n 
0000019317 00000 n 
0000019672 00000 n 
0000019891 00000 n 
0000019944 00000 n 
0000020311 00000 n 
0000020402 00000 n 
```

There is only one section with 26 objects. First I thought that some of these are somehow hidden, I tried copying parts into a new file, but it did not work, later it turned out because of the offsets. As I looked into the exact specifications, it turned out that the offsets for the original file were not correct in the first place and that the file contained a mysterious second comment, apart from the standard pdf-header defining the version and file type.

I tried interpreting the comment in many ways, looked at the hex and binary values, but could not determine the purpose of it. I was stuck here, until I've stumbled upon a writeup, which stated that the file command should've identified the file as a DOS/MBR boot sector. Which is surprising as I have received:

```
$ file document.pdf 
document.pdf: PDF document, version 1.4
```

every time when I tried identifying the data type.

With this new information, the only thing standing in my way was being able to execute the instructions to get x.  

Interpreting the code as x86 assembly:

```nasm
and ax, 0x4450
inc si
sub ax, 0x2e31
xor al, 0xa
and ax, 0xb7e2
mov ah, 2
mov bh, 0
mov dh, 1
mov dl, 1
int 0x10
mov ah, 0xa
mov al, 0x39
mov bh, 0
mov cx, 5
int 0x10
mov ah, 2
mov bh, 0
mov dh, 1
mov dl, 3
int 0x10
mov ah, 0xa
mov al, 0x33
mov bh, 0
mov cx, 1
int 0x10
```

This code returns 99399, substituting it into the original equation:

109394007*99399 + 13 = 10873654901806, so the flag is: ctfzone{10873654901806}

### Technical details

Structure of PDF files:

![pdf.png](ctf_zone\pdf.png)

[https://d3i71xaburhd42.cloudfront.net/b4f47fb71221a0676e2e892af7b98acad2c3c5cd/2-Figure1-1.png]

### Lessons learned

- PDF file structure
- Always go a level deeper!



## Joshua

**category**: forensics

**description**:

This should be an easy one, just remember to rock. (Sorry, the flag on disk begins with CTFZone, please change it to all lowercase, when you submit).

___

### Recon + solution

We get a 20GB raw disk image. The unix tool `file` tells us:

```
$ file joshua.img
joshua.img: DOS/MBR boot sector
```

that it is the image of an MBR disk.

I tried to mount the mentioned image, but it does not go as easy as one would think. 

We have to find the starting sector with the `fdisk` tool:

```
$ fdisk -l joshua.img
Disk joshua.img: 20 GiB, 21474836480 bytes, 41943040 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x70b3f931

Device      Boot    Start      End  Sectors  Size Id Type
joshua.img1 *        2048  7999487  7997440  3.8G 82 Linux swap / Solaris
joshua.img2       8001534 39835647 31834114 15.2G  5 Extended
joshua.img3      39835648 41932799  2097152    1G 83 Linux
joshua.img5       8001536 39835647 31834112 15.2G 83 Linux

Partition table entries are not in disk order.
```

Based on these results we can calculate the offset:

```
mount -o ro,loop,offset=$((512 * 8001536)) joshua.img5 /mnt/joshua
```

After mounting the largest partition, we immediately head over to /etc/passwd, to find some more information about who this drive could belong to. (It needed reading around online how to approach such challenges.) We find an interesting entry:

```
joshua:x:1000:1000:joshua:/home/joshua:/bin/bash 
```

there seems to be a user called "joshua", let's check out his home directory!

We find an interesting file .bash_history:

```
sync
sudo cryptsetup close cryptovolume
chsh -s /bin/zsh
echo $(SHELL)
zsh
cat /var/log/auth.log
faillog
chsh -s zsh
sudo apt install zsh
chsh -s /bin/zsh
sudo apt install keepass2
keepass2
sudo luksformat /dev/sda3
sudo cryptsetup close /dev/mapper/
ls /dev/mapper
chsh -s /bin/bash
rm ~/.zshrc
rm ~/.zsh_history 
sudo apt remove zsh
ls -a
cd ~
ls
ls -a
rm -r .oh-my-zsh/
```

We can make some interesting observations:

- joshua has sudo access
- he used the zsh shell and he deleted its history
- he set up an encrypted volume (probably joshua.img3)
- he used the keepass2 password safe

In the Documents folder we find a KeepItSafe.kdbx keepass2 file. But we do not have a key for opening it!

```
$ mount -o ro,loop,offset=$((512 * 39835648)) joshua.img3 /mnt/joshua_crypt
mount: /mnt/joshua_crypt: failed to setup loop device for joshua.img3.
```

I could not mount the encrypted partition, probably the encryption prevents us from loading it.

We also find an interesting file in the home directory ".recently-used":

```
<RecentFiles>
  <RecentItem>
    <URI>file:///home/joshua/Documents/KeepItSafe.key</URI><Mime-Type>application/x-iwork-keynote-sffkey</Mime-Type><Timestamp>1570444296</Timestamp><Groups/>
  </RecentItem>
  <RecentItem>
    <URI>file:///home/joshua/Documents/KeepItSafe.kdbx</URI><Mime-Type>application/x-keepass2</Mime-Type><Timestamp>1570444267</Timestamp><Groups/>           
  </RecentItem>
  <RecentItem>
    <URI>file:///home/joshua/Documents/KeepItSage.kdbx</URI><Mime-Type>application/x-keepass2</Mime-Type><Timestamp>1570444179</Timestamp><Groups/>           
  </RecentItem>
</RecentFiles>
```

He seems to have created an other keepass2 file, maybe deleted it later? But what is even more interesting: He created a key file to the safe, it has to be somewhere around!

We find the key in the trash `/local/share/Trash`! This seems to easy!

Unfortunately, it really is, keepass2 reports that the composite key is invalid! Maybe a password is also needed.

I tried brute-forcing /etc/shadow with hashcat to maybe get a relevant password, but it took too long, maybe with a strong graphics card it would go faster!



### Technical details

Linux file structure:

`/etc/passwd`:

> The password file is human-readable file that contains information about users on the system including their encrypted passwords. Some systems don’t have encrypted passwords in this file if [/etc/shadow](https://kerneltalks.com/user-management/understanding-etc-shadow-file/) file is generated.

[https://kerneltalks.com/user-management/understanding-etc-passwd-file/]

```
joshua:x:1000:1000:joshua:/home/joshua:/bin/bash 
```

In our case the second "x" meant that the password is in an encrypted format in the /etc/shadow file.



`/etc/shadow`

> The /etc/shadow file stores actual password in encrypted format.

[https://www.2daygeek.com/understanding-linux-etc-shadow-file-format/]

```
joshua:$6$6PWRmE20$BAkQBhvRUnnyuGBgIrikxBp8YkOOUO7REg285NqJbFNt7E.19xNTfa2wdT0.NiFxdcw2nMLmT3/hgw1doIB2x/:18176:0:99999:7:::
```

In our case the prefix $6$6 means that the password is hashed with 6 rounds of SHA-512 and 
PWRmE20$BAkQBhvRUnnyuGBgIrikxBp8YkOOUO7REg285NqJbFNt7E.19xNTfa2wdT0.NiFxdcw2nMLmT3/hgw1doIB2x/ is the hashed password of the user "joshua".



### Lessons learned

- Mounting .img files
- Approaching a forensic challenge