Skip to main content

IceCTF 2018 – Hard Shells [Forensics]

Forensics – 2. Hard Shells
Author: 5k33tz

Worth: $200
Description: After a recent hack, a laptop was seized and subsequently analyzed. The victim of the hack? An innocent mexican restaurant. During the investigation they found this suspicous file. Can you find any evidence that the owner of this laptop is the culprit?
The challenge starts off with a file download called “hardshells”. Running the file command on the system shows it’s likely a Zip archive, at least based on the file signature header:
Renaming the file with a zip extension and attemping to unzip the archive prompts the for a password:
Next I attempt to bruteforce the archive using the FCrackZip utility. I try the low-hanging fruit and try lowercase characters [a-z], which finds a password candidate of “tacos”:
-b: Select brute force mode. This tries all possible combinations of the letters you specify.
-c: Select the characters to use in brute-force cracking. Must be one of:
        a      include all lowercase characters [a-z]
       A      include all uppercase characters [A-Z]
       1       include the digits [0-9]
       !        include [!:$%&/()=?{[]}+*~#]
       :        the following characters upto the end of the specification string are included in the character set. This way you can include any character except binary null (at least under unix).
-l: Use an initial password of length min, and check all passwords up to passowrds of length max (including).You can omit the max parameter.-u: Try to decompress the first file by  calling unzip with the guessed password. This weeds out false positives when not enough files have been given.
Next, changing into the newly opened directory, we’re presented with a new file called “d”, which appears to take on the format of a Minix filesystem:
In most (if not all cases) Minix filesystems can be mounted directly in Linux. In my case I just ran the command “mount d /mnt/minix/”, then I can interact with any files in “/mnt/minix”.
Inside the filesystem is a data file called dat:
Using strings and grep don’t produce anything useful, so I opened up the file in a hex editor. The next portions can be referenced at the following index of known File Signatures by Gary Kessler, at
The file header:
The file trailer:
Searching for the hex in the footer on Gary Kessler’s site matches the standard footer of a PNG file:
49 45 4E 44 AE 42 60 82 (IEND®B`‚...)
But comparing the standard file header for a PNG compared to our file, you will see one subtle difference.
89 50 4E 47 0D 0A 1A 0A
Our File:
89 50 55 47 0D 0A 1A 0A
Opening the file back up in a hex editor and changing the 55 to a 4E, will properly render a valid PNG image:

Within the image is the flag we’ve been seeking:

Flag = IceCTF{look_away_i_am_hacking}


Popular posts from this blog

Emotet Downloader Write-Up

This write-up is for a macro embedded doc used as a downloader for Emotet. Author: 5k33tz MD5: 43d2a3df73fdcb10b9429a480d96ddcf This sample first came to my attention by way of an alert for a download from an Emotet related URL. Looking at the PCAP I see a GET request to After grabbing the file from the source and hashing it, I realized there were already 21/44 detections on VT. So I wanted to do some manual analysis to strengthen my skills and see how this sample works. Running file against the sample: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Arorupyzheh-PC, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Sat Aug 25 00:31:00 2018, Last Saved Time/Date: Sat Aug 25 00:31:00 2018, Number of Pages: 1, Number of Words: 3, Number of Characters: 21, Security: 0 We can see it's a Word Doc, but probably the

IceCTF 2018 - Picasso [Forensics]

Forensics – 1. Picasso Author: 5ynax and Valrkey Worth:  $150 Description: The challenge involved a GIF that we needed to extract a message from. So, for this challenge, we had two ways that we solved it at almost the same time. We have the long (5ynax) way and we have the fast (valrkey) way. The Long Way In the long way, I decided to extract each frame of the automated GIF and then import them into GIMP to layer them on top of one another. I used an online tool to get all of the frames, there was a lot of them, I used After I got the frames split up, I downloaded them and moved them to my box with GIMP ready for analysis. I later learned that I could have just imported the GIF into GIMP directly using the open as layers routine, but that's neither here nor there. For each layer there is an Alpha Channel. In GIMP under the colors menu, you can select the Color to Alpha Routine to get this box: This allows you to choose a color an

IceCTF 2018 – Anticaptcha [Miscellaneous]

Miscellaneous – 2. Anticaptcha Author: valrkey Worth: $250 Description:  Wow, this is a big captcha. Who has enough time to solve this? Seems like a lot of effort to me! As you can tell by the tiny scroll bar, there were a large number of questions (609) to be answered. To make things more difficult, each time the question was visited, the order and numeric value would be randomized. The questions generally followed one of three formats: What is the # word in the following line: ...? Is # a prime number? What is the greatest common divisor of # and #? For each of these question formats, I wrote a PowerShell function to determine the answer. Word in Line This function takes in the INDEX of the word requested and the LINE to take the word from. I added a line word length check just in case the IceCTF staff are jerks and give a too-large index. Everything should be accounted for the after mapping the 1st word" to the 0th array index and getting rid of any