Forensics – 3. Lost in the Forest
Authors: 5ynax and valrkey
Worth: $50
Description
To start the challenge, you are able to download a zipped archive called fs.zip.
You can unzip the archive and list out the contents to see the full directory includes all the directories you would expect to see on a Linux or Unix style machine.
Checking the home directory, you will see there is only one user profile, hkr.
Navigating to the hkr directory and listing contents, we see the normal user profile contents, as well as a randomly named file.
Using the file command, we check the file type and then cat the contents once we realize that it is ASCII text.
The contents of the hzpxbsklqvboyou file are encoded in some way; at this point it looks like some variation of base64. The strings are repeated, so we suspect string manipulation and obfuscation. Let's take a gander around the rest of the user directories and see if we can find anything else interesting.
There is a clue in the Desktop directory that turns out to be a red herring:
After this find, there wasn't too much else interesting in any of the other directories. So I went back to the user directory and decided to see what shenanigans the user was up to in their previous sessions.
Scrolling through the bash history, we see that the user did a wget for a file with a random looking name. Let's grab that and then keep looking for other stuff in bash history.
We also see that there was a tool that was used to move a secret into the randomly named file we found from our initial search into the user directory. At this point, I was interested in the file that we pulled down from the wget. So I did a quick search through the bash history for that file name to see what else was done with this file.
Confirmed. This file was renamed to tool.py and used to convert the secret file into the randomly named file we are interested in. Let's cat the contents to see what it looks like inside.
OK, now we have the script that encodes the initial message (where we are very confident the flag is hidden). Now we need to undo what this script did in the first place.
The first two lines of the encode function open the file, read the first line, and strip off all whitespace characters. The heavy lifting for the obfuscation happens in the large return statement. Let's break it down:
Encoding High Level Flow
- Loop through all characters in the string s and add a position defined integer to the character code (offset the text by a key).
- Base64 encode the string
- Reverse the string
- Repeat the string 5 times
Encoding Specifics
- ''.join([chr(ord(s[x])+([5,-1,3,-3,2,15,-6,3,9,1,-3,-5,3,-15] * 3)[x]) for x in range(len(s))])
  - ord(c) gets the integer code for character c
  - [...] * 3 produces an array that consists of three times the elements in the original array
  - chr(i) gets the character for integer code i
  - ''.join([...]) combines a character array into a string
- base64.b64encode('...'.encode('utf-8')).decode('utf-8')
  - s.encode('utf-8') interprets a utf-8 encoded string s as bytes
  - base64.b64encode(b) performs base64 encoding on bytes b
  - b.decode('utf-8') interprets bytes b as a utf-8 encoded string
- s[::-1] reverses a string's characters
- s*5 repeats a string 5 times
Examples
Decode Flow
Perform the encoding operations in reverse:
- Keep only the first fifth of the string (it was repeated 5 times)
- Reverse the string
- Base64 decode the string
- Subtract the key from each character
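The encoding breakdown and the decode flow above, reconstructed as an added Python example. This is not the tool.py from the image or the authors' own decode script; it re-implements the four steps exactly as the breakdown describes them (key list tiled three times, base64, reverse, repeat five times) and then inverts them, with a check that the five copies really are identical before trusting the input:

```python
import base64

# Key list from the encoding breakdown, tiled three times as tool.py does;
# an input can therefore be at most 42 characters long.
KEY = [5, -1, 3, -3, 2, 15, -6, 3, 9, 1, -3, -5, 3, -15] * 3


def encode(s: str) -> str:
    """Re-implements the encoding steps described in the writeup."""
    if len(s) > len(KEY):
        raise ValueError("input longer than the tiled key (42 characters)")
    # 1. shift each character code by the key value at its position
    shifted = ''.join(chr(ord(s[x]) + KEY[x]) for x in range(len(s)))
    # 2. base64 encode the utf-8 bytes and turn the result back into str
    b64 = base64.b64encode(shifted.encode('utf-8')).decode('utf-8')
    # 3. reverse the string, 4. repeat it five times
    return b64[::-1] * 5


def decode(enc: str) -> str:
    """Undo the encoding: un-repeat, un-reverse, base64 decode, unshift."""
    if len(enc) == 0 or len(enc) % 5 != 0:
        raise ValueError("encoded text length is not a positive multiple of 5")
    chunk = enc[:len(enc) // 5]
    # the five copies must be identical, otherwise this is not tool.py output
    if chunk * 5 != enc:
        raise ValueError("encoded text is not five identical copies")
    b64 = chunk[::-1]
    shifted = base64.b64decode(b64.encode('utf-8')).decode('utf-8')
    if len(shifted) > len(KEY):
        raise ValueError("decoded text longer than the tiled key")
    return ''.join(chr(ord(shifted[x]) - KEY[x]) for x in range(len(shifted)))


def decode_file(path: str) -> str:
    """Mirror tool.py's input handling: first line only, whitespace stripped."""
    with open(path, 'r', encoding='utf-8') as f:
        return decode(f.readline().strip())


if __name__ == '__main__':
    # constructed sample, not the contents of the challenge file
    sample = encode("abc")
    print(sample)          # mFmZmFmZmFmZmFmZmFmZ
    print(decode(sample))  # abc
```

Running decode_file on the hzpxbsklqvboyou file from the archive applies the same inversion to the real challenge data; the constructed "abc" sample exists only so the script runs offline.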
Decode Script
Here is my script to reverse the encoding on the encrypted text:
Running the decode function across the discovered file:
Flag = IceCTF{good_ol_history_lesson}