[CSAW 2016] Kill Writeup


Description:

Is kill can fix? Sign the autopsy file?
kill.pcapng

This challenge was the first in the Forensics category and was very simple. We are given what seems like a corrupted pcapng file; I wasn't able to open it in Wireshark or tcpdump. I ran strings on it, hoping to find the flag:

[Megabeets] /tmp/CSAW/kill# strings kill.pcapng | grep -i flag
=flag{roses_r_blue_violets_r_r3d_mayb3_harambae_is_not_kill}

And to my great surprise I got it: the flag was sitting in the file in plain text.

[ASIS CTF] Sky Blue Writeup


Description
Why is the sky blue?


We are given a PCAP file containing some Bluetooth traffic. The flag has probably been transmitted between the devices. Let's see what files have been sent.

[Megabeets]$: binwalk -e blue.pcap

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
40535         0x9E57          PNG image, 1400 x 74, 8-bit colormap, non-interlaced

Binwalk found a PNG image but couldn't extract it. I opened Wireshark and searched for the string "PNG" in the packet bytes. I found the 7 packets containing the PNG and exported their packet bytes (i.e. only the data, without the header bytes of each packet: 02 0C 20 FC 03 F8 03 47 00 63 EF E6 07). I then concatenated the output files using HxD,

[screenshot: HxD, concatenating the exported packet bytes]

and deleted the extra data preceding the PNG file header.

[screenshot: HxD, after trimming the bytes before the PNG header]

We now have the PNG file which is the flag:

[image: the recovered PNG containing the flag]
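The reassembly done by hand in HxD above, as an added example that is not part of the original writeup: strip the per-packet header from each exported payload, concatenate, cut everything before the PNG signature, and confirm the IHDR dimensions binwalk reported. The 13 header bytes are the ones quoted in the writeup; that they are identical in every packet, and the 7-byte payload split, are assumptions of this constructed sample.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# The 13 transport-header bytes the writeup removes from each packet
# (copied from the writeup; assumed constant per packet for this demo).
PKT_HDR = bytes.fromhex("020c20fc03f803470063efe607")

def png_chunk(ctype, data):
    """Build one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def build_sample_png(width, height):
    """Constructed minimal PNG (IHDR + IEND only) standing in for the captured image."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 3, 0, 0, 0)  # 8-bit colormap
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + png_chunk(b"IEND", b"")

def split_into_packets(blob, payload_len, leading_junk=b""):
    """Simulate the capture: junk before the signature, fixed-size payloads, each prefixed by PKT_HDR."""
    stream = leading_junk + blob
    return [PKT_HDR + stream[i:i + payload_len] for i in range(0, len(stream), payload_len)]

def reassemble(packets, header_len=len(PKT_HDR)):
    """Strip the per-packet header, concatenate, and drop everything before the PNG signature."""
    joined = b"".join(p[header_len:] for p in packets)
    start = joined.find(PNG_SIG)
    return None if start < 0 else joined[start:]

def png_dimensions(png):
    """Read width/height from IHDR, checking the chunk CRC so a bad cut is noticed."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    length, ctype = struct.unpack(">I4s", png[8:16])
    data = png[16:16 + length]
    (crc,) = struct.unpack(">I", png[16 + length:20 + length])
    if ctype != b"IHDR" or zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
        raise ValueError("corrupt IHDR")
    return struct.unpack(">II", data[:8])

def demo():
    """Round trip: 1400x74 image split over 7 packets, rebuilt byte-for-byte."""
    png = build_sample_png(1400, 74)
    packets = split_into_packets(png, payload_len=7, leading_junk=b"\x00\x01\x02")
    recovered = reassemble(packets)
    return recovered == png, png_dimensions(recovered)
```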

[TWCTF-2016: Web] Rescue Data 1: deadnas Writeup


Challenge description:

Today, our 3-disk NAS has failed. Please recover flag.
deadnas.7z


We are given an archive containing 3 files:

D:\Megabeets\deadnas> dir 
Directory of D:\Megabeets\deadnas
        .
        ..
524,288 disk0
     12 disk1
524,288 disk2

A 3-disk NAS with one failed disk? This challenge is obviously about RAID 5. I was asked to find a way to recover the failed disk, and there is no simpler way than to XOR disk0 with disk2 and recreate the original disk1: in RAID 5 each stripe's parity block is the XOR of the data blocks on the other disks, so any single missing disk is the XOR of the surviving ones. If you are right now in your "WTF?!" mode you better go read about RAID 5 until you understand how it works.
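The recovery step above, as an added example that is not from the original writeup or from XorFiles: a constructed 3-disk RAID 5 with rotating parity, one disk discarded and rebuilt by XORing the two survivors, then the data read back. The 4-byte stripe size and the payload are constructed for the demo.

```python
STRIPE = 4  # bytes per block; a constructed, tiny value for the demo

def xor_bytes(a, b):
    """Byte-wise XOR of two equal-length byte strings (what xor.py does to two files)."""
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))

def raid5_write(data, ndisks=3):
    """Lay data out over ndisks, parity block rotating one disk per stripe."""
    ndata = ndisks - 1
    data += b"\x00" * (-len(data) % (STRIPE * ndata))  # pad to whole stripes
    disks = [bytearray() for _ in range(ndisks)]
    for s in range(len(data) // (STRIPE * ndata)):
        blocks = [data[(s * ndata + k) * STRIPE:(s * ndata + k + 1) * STRIPE] for k in range(ndata)]
        parity = bytes(STRIPE)
        for blk in blocks:
            parity = xor_bytes(parity, blk)
        pdisk = s % ndisks  # which disk holds parity in this stripe
        it = iter(blocks)
        for d in range(ndisks):
            disks[d] += parity if d == pdisk else next(it)
    return [bytes(d) for d in disks]

def raid5_rebuild(disks, failed):
    """Any single disk equals the XOR of all the others, parity blocks included."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    rebuilt = survivors[0]
    for d in survivors[1:]:
        rebuilt = xor_bytes(rebuilt, d)
    return rebuilt

def raid5_read(disks):
    """Reassemble the data by skipping each stripe's parity block."""
    ndisks = len(disks)
    out = bytearray()
    for s in range(len(disks[0]) // STRIPE):
        pdisk = s % ndisks
        for d in range(ndisks):
            if d != pdisk:
                out += disks[d][s * STRIPE:(s + 1) * STRIPE]
    return bytes(out)

def demo():
    """Lose disk1 (as in the challenge), rebuild it from disk0 XOR disk2, read the array."""
    disks = raid5_write(b"constructed payload: the flag and a cute cat")
    rebuilt = raid5_rebuild(disks, failed=1)
    return rebuilt == disks[1], raid5_read(disks[:1] + [rebuilt] + disks[2:])
```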

I used simple software called XorFiles.

[screenshot: XorFiles]

I then used OSForensics to rebuild the RAID:

[screenshot: OSForensics, rebuilding the RAID]

Mounted the output file:

[screenshot: OSForensics, mounting the output file]

And accessed the new drive. The flag and a cute cat were waiting for me there.

[screenshot: the flag]

* I know you tried using mdadm and ReclaiMe. Poor you.

XOR Files With Python


This is a simple script, written in Python, that performs an exclusive OR (XOR) byte by byte on two files and saves the result in the destination file. It is one of the simplest and most effective tools in my forensics toolbox. I have used it several times, for example to recover data from a broken RAID 5 or to deobfuscate an obfuscated binary or image. The usage is very simple and intuitive.
You can find the full code and examples in the repository.

Have fun!

#######################
# Python XOR 2 Files
# xor.py
# Jul 2016
# Website: http://www.Megabeets.net
# Use: ./xor.py file1 file2 outputFile
# Example: ./xor.py C:\a.txt C:\b.txt C:\result.txt
#######################

import sys

if len(sys.argv) != 4:
    sys.exit("Usage: %s file1 file2 outputFile" % sys.argv[0])

# Read two files as byte arrays
with open(sys.argv[1], 'rb') as f1, open(sys.argv[2], 'rb') as f2:
    file1_b = bytearray(f1.read())
    file2_b = bytearray(f2.read())

# Set the length to be the smaller one (the result is truncated to it)
size = min(len(file1_b), len(file2_b))
xord_byte_array = bytearray(size)

# XOR between the files
for i in range(size):
    xord_byte_array[i] = file1_b[i] ^ file2_b[i]

# Write the XORd bytes to the output file
with open(sys.argv[3], 'wb') as out:
    out.write(xord_byte_array)

print("[*] %s XOR %s\n[*] Saved to \033[1;33m%s\033[1;m." % (sys.argv[1], sys.argv[2], sys.argv[3]))


Click here for the Powershell Version.

XOR Files With Powershell


Today I'm sharing with you one of the simplest and most effective tools in my forensics toolbox: a simple script, written in PowerShell, that performs an exclusive OR (XOR) byte by byte on two files and saves the result in the destination file. I have used it several times, for example to recover data from a broken RAID 5 or to deobfuscate an obfuscated binary or image. The usage is very simple and intuitive.
You can find the full code and examples in the repository.

Have fun!

<#
.SYNOPSIS
    XOR two files byte by byte and write the result to a third file.

.DESCRIPTION
    Powershell XOR 2 Files. The output is truncated to the length of the
    shorter input file.

.EXAMPLE
    ./xor.ps1 C:\a.txt C:\b.txt C:\result.txt

.NOTES
    Author:  Itay Cohen
    Website: http://www.Megabeets.net
    Date:    Jul 2016
#>

param (
    [Parameter(Mandatory=$true)]
    [string] $file1, # First file
    [Parameter(Mandatory=$true)]
    [string] $file2, # Second file
    [Parameter(Mandatory=$true)]
    [string] $out    # Output file
) # end param

# Read two files as byte arrays
$file1_b = [System.IO.File]::ReadAllBytes("$file1")
$file2_b = [System.IO.File]::ReadAllBytes("$file2")

# Set the length to be the smaller one
$len = if ($file1_b.Count -lt $file2_b.Count) { $file1_b.Count } else { $file2_b.Count }
$xord_byte_array = New-Object Byte[] $len

# XOR between the files
for ($i = 0; $i -lt $len; $i++)
{
    $xord_byte_array[$i] = $file1_b[$i] -bxor $file2_b[$i]
}

# Write the XORd bytes to the output file
[System.IO.File]::WriteAllBytes("$out", $xord_byte_array)

Write-Host "[*] $file1 XOR $file2`n[*] Saved to " -NoNewline
Write-Host "$out" -ForegroundColor Yellow -NoNewline; Write-Host "."


Click here for the Python version.