Here is the "write-up" I did for a PICO CTF problem I quasi-completed last year. I do CTFs to determine how much I actually understand about various IT and cybersecurity concepts; this is why you'll see a lot of "red" content where I'm thinking through things, asking myself questions and sharing my steps toward a resolution to the problem.
Because I'm a professional questioner and an empath with a Curiosity IQ that's in the stratosphere, I had to eventually ask for help to complete this CTF...so I could move on to the next one.
For each CTF I take structured notes where I document:
1. Any initial questions or observations I have about the problem before I begin seeking the resolution;
2. Sites, videos, and documents I used to research terms and ideas that I do not understand;
3. What I actually did, or did not do;
4. How I felt about what I was doing, and
5. Things I discovered on my way to discovering a resolution and finding the flag.
Again, the things I said and thought are in RED and commands and links are in BLUE. Enjoy, and leave a comment or two if the spirit moves you.
PICO CTF Challenge
Pitter, Patter, Platters (Forensics)
Forensics challenges can include file format analysis, steganography, memory dump analysis, or network packet capture analysis. Any challenge to examine and process a hidden piece of information out of static data files (as opposed to executable programs or remote servers) could be considered a Forensics challenge.
TOOLS I CAN USE FOR THIS CHALLENGE: Autopsy, split, pdfinfo, pdfimages, pdfcrack, pdfdetach, Keepass, Magic Numbers, hexed.it, foremost, binwalk, Repair image online tool, photorec, TestDisk, pngcheck, pngcsum, Registry Dumper, Dnscat2, pefile, Wireshark, Network Miner, PCAPNG, tcpflow, PcapXray, qpdf, Audacity, sonic visualiser, ffmpeg, strings, file, grep, scalpel, bgrep, hexdump, xxd, base64, xplico framework, zsteg, gimp, Memory dump - volatility, ethscan, and many more.
INITIAL QUESTIONS/OBSERVATIONS
1. What is dd.sda1?
WHAT I RESEARCHED
1. API gateway pattern: Reduces the number of requests/roundtrips. For example, the API gateway enables clients to retrieve data from multiple services with a single round-trip. Fewer requests also means less overhead and improves the user experience. An API gateway is essential for mobile applications.
2. dd.sda1 (KeepItTechie just made a video about this: "Disk Destroyer | How to use the DD Command in Linux"). DD is "data duplicator"; creates virtual file systems and back-up ISOs; super user is the only one who can use the DD command; "if" is the file writing from and "of" is the file writing to.
WHAT I DID TO UNDERSTAND THIS CTF, DISCOVER A RESOLUTION & FIND THE FLAG
2. Inspected the link. Saw "api/challenges/87" under console.
3. "man dd" in linux while watching YouTube video again
4. Downloaded "suspicious.dd.sda1" into kali downloads; cat (sda1); got a bunch of gobbledygook
5. Created "Pico patter" file (nano) in downloads; I don't see it...where the heck did it go?!!
6. Back to video; ran "lsblk" to see all disks and partitions in Kali
7. Should I move the .sda1 to the dev directory? Tried it but did not work
8. Ran "file" command to see what kind of file it is hoping I can get more clarity about what to do next
9. I guess it's a UUID? Is that a type of file? I don't know what UUID means so I looked up the definition.
UUID is a unique identifier used in partitions to uniquely identify partitions in Linux operating systems. UUID is a property of the disk partition itself. ... The UUID of a partition is required mainly for mounting the partitions correctly in a computer system where hundreds of hard drives are installed.
"needs journal recovery" just means that it hasn't been unmounted cleanly.
A partition is a logical division on a hard disk drive (HDD). New partitions can also be created after the operating system has been installed by using available free space (i.e., space that has not yet been partitioned) or by erasing existing partitions to create free space.
UUID stands for Universally Unique IDentifiers. They are 128-bit identifiers standardized by RFC 4122 (though their use predates the RFC and they are sometimes referred to as GUIDs). No central registry is required to generate a UUID. An example: de7f5de9-bb0b-44ac-a018-e4651868d2ed.
Uhhhhh. the definition is fairly clear but I'm still not sure what to do next. I see that UUID has something to do with API.
19. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!Before file systems on devices can be used they MUST be mounted…but when not mounted they can still be written to!!!!!!!!!!
20. Looked at permissions of file:
Moved suspicious.dd.sda1 to etc/fsta
AUTOPSY DIRECTIONS
- Went to GUI to cut and paste file location
- Adjusted autopsy for fs type (raw)
THINGS I NOW KNOW (THAT I DID NOT KNOW BEFORE THIS CTF)
- Made directories as part of a strategy to find the resolution (mkdir)
- Moved files as well (mv)
- Used dd command to copy contents from one directory to another dd if=…
- I have to be "root" to use the dd command, so I used "sudo su" to become root
- UUID has to be mounted before it can be used in a file system
- Used CTRL+ (spacebar, n, t) to navigate in Nano
METHOD
- Read definition of "forensic" challenge and listed tools
- Read challenge and researched what I did not know in the description (what is "dd" and UUID)
- Inspected the challenge link and looked for familiar things (saw API so looked that up again)
- Remembered a YouTube video with DD command so looked at part of that which led me to suspect I had to do something to this link with the DD command
- Tried to download it on my computer but couldn't so went to Kali and downloaded there; Kali put it in the Downloads folder
- Found websites, documents and videos about the mount, file, lsblk, fdisk, gdisk commands and tried all of them
- Felt I made progress when I opened the file in Nano and saw the "suspicious-file.txt" along with other words like "lost+found", etc.
- Was unsure what to do after that so searched for the answer online.
- Found writeup that used Autopsy but did not know how they knew to use Autopsy so started to search again on my own
- Used law enforcement document and found interesting and useful commands (and used them) but I still was not able to see and understand what was in the dd file
- Used Autopsy but still did not see what's in the file
- I think if I understood more about disk partitions (purpose, how they are made and used) I'd know enough to understand how to open it
I hated to do it, but I asked for help to find the flag.
RESOLUTION/FLAG
1. sudo autopsy
2. Ctrl-Shift-Click url: http://localhost:9999/autopsy (Keep this process running and use to exit)
14. Click ok
16. Click Analyze
17. Click File Analysis
18. Click 12 under Meta (next to UID and GID)
20. Click 2049 (Direct Blocks)
22. Return to the Linux Terminal > Input "rev" command and all content in number 23 below
23. Input }.8.3.4.6.0.c.a.e._.3.<._.|.L.m._.1.1.1.t.5._.3.b.{.F.T.C.o.c.i.p
24. Answer: p.i.c.o.C.T.F.{.b.3._.5.t.1.1.1._.m.L.|._.<.3._.e.a.c.0.6.4.3.8.} (Remove the dots)
25. picoCTF{b3_5t111_mL|_
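As an added example (not part of the original write-up), here is a Python script that reproduces steps 22 to 24 over a constructed stand-in for the disk image: it renders a block the way a hex/ASCII viewer shows it (non-printable bytes as dots), locates the reversed flag by its "F.T.C.o.c.i.p" marker, and undoes the dots and the reversal. It assumes the dots seen in Autopsy's block view are non-printable bytes (modelled here as the nulls of UTF-16-LE text); the block size, block number and offset are toy values chosen for the sample, not taken from the real image.

```python
# Constructed sample standing in for suspicious.dd.sda1 (toy block size; the page
# mentions direct block 2049, so the sample uses that block number).
BLOCK_SIZE = 512
FLAG = "picoCTF{b3_5t111_mL|_<3_eac06438}"   # flag as given on the page


def make_sample_image(flag: str, block_no: int = 2049, block_size: int = BLOCK_SIZE) -> bytes:
    """Zero-filled image with the flag stored reversed and null-interleaved
    (UTF-16-LE) inside the given block, which is what produces the dotted
    view seen in the write-up. Assumption for the sample, not from the page."""
    img = bytearray(block_size * (block_no + 2))
    payload = flag[::-1].encode("utf-16-le")
    off = block_no * block_size + 17          # arbitrary offset inside the block
    img[off:off + len(payload)] = payload
    return bytes(img)


def read_block(img: bytes, block_no: int, block_size: int = BLOCK_SIZE) -> bytes:
    """Return one block of the raw image (what Autopsy shows under Direct Blocks)."""
    return img[block_no * block_size:(block_no + 1) * block_size]


def render_like_viewer(chunk: bytes) -> str:
    """Printable ASCII as-is, everything else as '.', like a hex viewer's ASCII column."""
    return "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)


def recover_flag(img: bytes, block_no: int, block_size: int = BLOCK_SIZE):
    """Steps 22-24 of the write-up: find the reversed flag in the block view,
    drop the dots and reverse it. Handles both the dot-interleaved layout
    seen on the page and a plain reversed ASCII string."""
    text = render_like_viewer(read_block(img, block_no, block_size))
    for marker in ("F.T.C.o.c.i.p", "FTCocip"):   # "picoCTF" reversed, with/without dots
        end = text.find(marker)
        if end == -1:
            continue
        start = text.rfind("}", 0, end)          # reversed flag opens with the closing brace
        if start == -1:
            continue
        reversed_flag = text[start:end + len(marker)]
        return reversed_flag.replace(".", "")[::-1]
    return None


if __name__ == "__main__":
    image = make_sample_image(FLAG)
    print(render_like_viewer(read_block(image, 2049)).strip("."))
    print(recover_flag(image, 2049))
```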