IceCTF - 65 - R.I.P Transmission - Forensics

Information

Version

| By    | Version | Comment  |
|-------|---------|----------|
| noraj | 1.0     | Creation |

CTF

Description

[This][this] seems to be receiving some sort of transmission. Our experts have been working around the clock trying to figure out what the hell it means, with no hope of getting to the bottom of it. You're our only hope.

[this]: https://play.icec.tf/problem-static/rip_2067f9686b4d07eea2cac19b9c6588b2abac16500135901ce8781e4ccc262446

Solution

  1. Check the file type:

```
file rip
rip: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, for GNU/Linux 2.6.32, BuildID[sha1]=9fd51896db8e1b47260951e8f6ca7d6023ce9ae6, not stripped
```

  2. Execute it: http://asciinema.org/a/276ngyyh05z80luxnqbyy95mq

  3. That's definitely not what we're looking for; the animation is only a distraction.

  4. Check what is hidden in this binary:

```
binwalk rip
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 ELF, 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux)
993400 0xF2878 Unix path: /usr/lib/locale/locale-archive
1014524 0xF7AFC Unix path: /proc/sys/vm/overcommit_memory
1024257 0xFA101 Unix path: /proc/sys/kernel/rtsig-max
1025342 0xFA53E Unix path: /sysdeps/unix/sysv/linux/getcwd.c
1027000 0xFABB8 Unix path: /proc/sys/kernel/osrelease
1093862 0x10B0E6 Unix path: /nptl/sysdeps/unix/sysv/linux/i386/../fork.c
1097017 0x10BD39 ELF, 32-bit LSB no file type, (SYSV)
1100142 0x10C96E Unix path: /sysdeps/unix/sysv/linux/dl-origin.c
1323949 0x1433AD Zip archive data, encrypted at least v2.0 to extract, compressed size: 112199, uncompressed size: 112190, name: rip.jpg
1436306 0x15EA92 End of Zip archive
```

  5. We can see there is a ZIP archive with encrypted (password-protected) data at offset 0x1433AD. First, extract the ZIP from the binary:

```
foremost -t zip -i rip -T -v
Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File
Foremost started at Sat Aug 20 23:01:53 2016
Invocation: foremost -t zip -i rip -T -v
Output directory: /root/CTF/IceCTF/2016/65-RIP_Transmission-Forensics/output_Sat_Aug_20_23_01_53_2016
Configuration file: /etc/foremost.conf
Processing: rip
|------------------------------------------------------------------
File: rip
Start: Sat Aug 20 23:01:53 2016
Length: 1 MB (1698648 bytes)
Num Name (bs=512) Size File Offset Comment
foundat=rip.jpgUT
0: 00002585.zip 109 KB 1323949
*|
Finish: Sat Aug 20 23:01:53 2016
1 FILES EXTRACTED
zip:= 1
------------------------------------------------------------------
Foremost finished at Sat Aug 20 23:01:53 2016
```

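The two steps above (spotting the ZIP signature with binwalk, then carving the archive with foremost) can be reproduced with a short scanner that decodes the ZIP local file header itself. The following is an added example, not part of the original writeup and not code from the IceCTF challenge. It builds a constructed stand-in for the rip binary in memory (a fake ELF prefix followed by a ZIP whose encryption flag is set by hand, since Python's zipfile cannot write encrypted archives), reports the member name, sizes and encryption bit that binwalk summarised, and carves the archive through the End Of Central Directory record the way foremost did. All names, offsets and sample bytes are the example's own assumptions.

```python
import io
import struct
import zipfile

# ZIP signatures used below (PKZIP APPNOTE section 4.3).
LOCAL_FILE_HEADER = b"PK\x03\x04"
CENTRAL_DIR_HEADER = b"PK\x01\x02"
END_OF_CENTRAL_DIR = b"PK\x05\x06"


def build_sample_host() -> bytes:
    """Constructed stand-in for the rip binary: a fake ELF-looking blob with a
    ZIP appended. The member is named rip.jpg as on the page; its bytes are
    made up. zipfile cannot write encrypted archives, so general-purpose flag
    bit 0 ("encrypted") is set by hand in both the local header (flags at +6)
    and the central directory entry (flags at +8); the payload stays in clear,
    which is enough to exercise the encryption check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("rip.jpg", b"\xff\xd8\xff\xe0" + b"not-a-real-jpeg" * 8)
    archive = bytearray(buf.getvalue())
    archive[archive.index(LOCAL_FILE_HEADER) + 6] |= 0x01
    archive[archive.index(CENTRAL_DIR_HEADER) + 8] |= 0x01
    host = b"\x7fELF" + b"\x00" * 60 + b"fake program text " * 50
    return host + bytes(archive)


def find_local_headers(data: bytes) -> list:
    """Scan for ZIP local file headers and decode the fixed 30-byte part of
    each: this is the information binwalk printed as "Zip archive data"."""
    found = []
    pos = data.find(LOCAL_FILE_HEADER)
    while pos != -1 and pos + 30 <= len(data):
        (_sig, _version, flags, method, _mtime, _mdate, _crc,
         csize, usize, name_len, _extra_len) = struct.unpack_from(
            "<4sHHHHHIIIHH", data, pos)
        name = data[pos + 30:pos + 30 + name_len].decode("utf-8", "replace")
        found.append({
            "offset": pos,
            "name": name,
            "method": method,                 # 0 = stored, 8 = deflate
            "compressed_size": csize,
            "uncompressed_size": usize,
            "encrypted": bool(flags & 0x01),  # traditional PKWARE encryption bit
        })
        pos = data.find(LOCAL_FILE_HEADER, pos + 4)
    return found


def carve_zip(data: bytes, start: int) -> bytes:
    """Cut the archive from a local header through the End Of Central Directory
    record (22 fixed bytes plus the optional comment), as foremost does."""
    eocd = data.find(END_OF_CENTRAL_DIR, start)
    if eocd == -1:
        raise ValueError("no End Of Central Directory record after offset %d" % start)
    comment_len = struct.unpack_from("<H", data, eocd + 20)[0]
    return data[start:eocd + 22 + comment_len]


def analyse(data: bytes) -> dict:
    """Locate the first embedded ZIP, carve it, and confirm its members and
    encryption state with zipfile, which parses the central directory."""
    headers = find_local_headers(data)
    if not headers:
        return {"zip_offset": None, "carved_size": 0, "members": [], "encrypted": False}
    start = headers[0]["offset"]
    carved = carve_zip(data, start)
    with zipfile.ZipFile(io.BytesIO(carved)) as zf:
        members = [(i.filename, bool(i.flag_bits & 0x01), i.compress_size, i.file_size)
                   for i in zf.infolist()]
    return {
        "zip_offset": start,
        "carved_size": len(carved),
        "members": members,
        "encrypted": any(enc for _, enc, _, _ in members),
    }


if __name__ == "__main__":
    sample = build_sample_host()
    report = analyse(sample)
    print("ZIP found at offset 0x%X, carved %d bytes" % (report["zip_offset"], report["carved_size"]))
    for name, enc, csize, usize in report["members"]:
        print("  %s encrypted=%s compressed=%d uncompressed=%d" % (name, enc, csize, usize))
```

Run against a real file, read it with `open(path, "rb").read()` and pass the bytes to `analyse`; the `encrypted` field is the same bit that makes binwalk print "encrypted at least v2.0 to extract", and `carve_zip` yields the blob that foremost wrote as `00002585.zip`.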
  6. Secondly, we can brute-force the password with patator. I first tried the 500-worst-passwords dictionary and then was successful with the john dictionary:

```
patator unzip_pass zipfile=output_Sat_Aug_20_23_01_53_2016/zip/00002585.zip password=FILE0 0=john.txt -x ignore:code!=0
23:22:46 patator INFO - Starting Patator v0.7-beta (https://github.com/lanjelot/patator) at 2016-08-20 23:22 CEST
23:22:46 patator INFO -
23:22:46 patator INFO - code size time | candidate | num | mesg
23:22:46 patator INFO - -----------------------------------------------------------------------------
23:22:49 patator INFO - 0 142 0.020 | bunny | 966 | No errors detected in compressed data of /root/CTF/IceCTF/2016/65-RIP_Transmission-Forensics/output_Sat_Aug_20_23_01_53_2016/zip/00002585.zip.
23:22:56 patator INFO - Hits/Done/Skip/Fail/Size: 1/3107/0/0/3107, Avg: 321 r/s, Time: 0h 0m 9s
```

  7. Now we just have to unzip output_Sat_Aug_20_23_01_53_2016/zip/00002585.zip with bunny as the password.

  8. Then display output_Sat_Aug_20_23_01_53_2016/zip/rip.jpg to get the flag: IceCTF{1_Lik3_7o_r1P_4nD_diP_411_7He_ziP5}