PicoCTF 2022 Forensics Writeups
Apr 3, 2022
Hello friends, let's have a look at five forensics challenges from picoCTF 2022.
1. File Types
PicoCTF@pj>> file flag.pdf
flag.pdf: shell archive text
The middle of the file contains a uudecode command, which means the content is uuencoded.
- To decode the file, we just have to use the uudecode tool
To install: $ yay -S sharutils
btw I use Manjaro, so the yay package manager; the same sharutils package is in apt (Debian).
Whole script to get the flag:
#!/bin/bash
# yay -S sharutils cpio bzip2 lzip lzop lz4 xz xxd-standalone --noconfirm
uudecode flag.pdf                        # uuencoded shell archive -> file named "flag"
mv flag fromdecode
7z x fromdecode                          # 7z archive -> "flag"
mv flag flagfrom7z.cpio
cpio -idv < flagfrom7z.cpio              # cpio archive -> "flag"
mv flag flagfromcpio.bz
bunzip2 flagfromcpio.bz                  # bzip2
mv flagfromcpio flagfromcpio.gz
gunzip flagfromcpio.gz                   # gzip
mv flagfromcpio flagfromgunandbun.lz
lzip -d flagfromgunandbun.lz             # lzip
mv flagfromgunandbun flagoflziptolz4.lz4
lz4 -d flagoflziptolz4.lz4               # lz4
mv flagoflziptolz4 flag-fromlz4.lzma
lzma -d flag-fromlz4.lzma                # lzma
mv flag-fromlz4 flag-from-lzma.lzop
lzop -d flag-from-lzma.lzop              # lzop
mv flag-from-lzma flag-from-lzop
lzip -d flag-from-lzop                   # lzip again; with no .lz suffix the output is flag-from-lzop.out
mv flag-from-lzop.out flag-from-lzop.xz
xz -d flag-from-lzop.xz                  # xz
mv flag-from-lzop final-flag.txt
cat final-flag.txt | xxd -r -p | tee flag.txt   # the innermost layer is hex text
If the script looks confusing, the procedure is:
- after uudecode, run
- unzip or 7z
- lots of archives!
- run the file command and note down the archive type
- install the corresponding tool to decompress
- repeat
picoCTF{f1len@m3_m@n1pul@t10n_f0r_0b2cur17y_278f1a18}
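The "file, decompress, repeat" loop above can be automated. The following is an added example, not code from the writeup: it identifies a layer by its magic bytes (the same thing `file` does), strips it with the Python standard library, and repeats until the innermost hex text is reached, which it decodes the way `xxd -r -p` does. It only handles the formats the standard library supports (gzip, bzip2, xz, the legacy .lzma format and zip); 7z, cpio, lzip, lzop and lz4 from the challenge still need their external tools. The per-layer size ceiling is there because a chain of nested archives is exactly the shape a decompression bomb takes. The sample input is constructed inside the block and is not the challenge file.

```python
import bz2
import gzip
import io
import lzma
import re
import zipfile

# Leading bytes -> container type, the decision `file` makes from its magic database.
MAGICS = [
    (b"\x1f\x8b", "gzip"),
    (b"BZh", "bzip2"),
    (b"\xfd7zXZ\x00", "xz"),
    (b"PK\x03\x04", "zip"),
]

# Refuse to inflate any single layer beyond this: nested archives are the classic
# decompression-bomb layout, so an unwrapper needs a ceiling.
MAX_LAYER_BYTES = 64 * 1024 * 1024


def identify(blob):
    """Return the container type of blob, or 'unknown' if no magic matches."""
    for magic, name in MAGICS:
        if blob.startswith(magic):
            return name
    # The legacy .lzma (LZMA_Alone) format has no magic string; its first byte is the
    # properties byte, which is 0x5d for the default lc=3, lp=0, pb=2 settings.
    if len(blob) > 13 and blob[0] == 0x5D:
        return "lzma"
    return "unknown"


def unwrap_once(blob):
    """Strip one container layer; returns (kind, inner_bytes)."""
    kind = identify(blob)
    if kind == "gzip":
        inner = gzip.decompress(blob)
    elif kind == "bzip2":
        inner = bz2.decompress(blob)
    elif kind == "xz":
        inner = lzma.decompress(blob, format=lzma.FORMAT_XZ)
    elif kind == "lzma":
        inner = lzma.decompress(blob, format=lzma.FORMAT_ALONE)
    elif kind == "zip":
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            inner = zf.read(zf.namelist()[0])  # first member only, like the challenge
    else:
        return kind, blob
    if len(inner) > MAX_LAYER_BYTES:
        raise ValueError(f"{kind} layer inflates to {len(inner)} bytes; refusing")
    return kind, inner


def unwrap_all(blob, max_layers=50):
    """Repeat identify -> decompress until nothing recognisable is left.
    Returns the layer types outer-to-inner and the innermost bytes."""
    layers = []
    for _ in range(max_layers):
        kind, inner = unwrap_once(blob)
        if kind == "unknown":
            break
        layers.append(kind)
        blob = inner
    return layers, blob


HEX_TEXT = re.compile(rb"\A[0-9a-fA-F\s]+\Z")


def decode_hex_text(blob):
    """Equivalent of `xxd -r -p`; bytes.fromhex() skips the whitespace for us."""
    if not HEX_TEXT.match(blob):
        return blob
    return bytes.fromhex(blob.decode("ascii"))


def recover_flag(blob):
    layers, inner = unwrap_all(blob)
    return layers, decode_hex_text(inner)


def build_sample():
    """Constructed test input (not the challenge file): hex text wrapped in
    gzip, then bzip2, then .lzma, then xz, innermost first."""
    hex_text = b"picoCTF{constructed_example_flag}".hex().encode() + b"\n"
    blob = gzip.compress(hex_text)
    blob = bz2.compress(blob)
    blob = lzma.compress(blob, format=lzma.FORMAT_ALONE)
    blob = lzma.compress(blob, format=lzma.FORMAT_XZ)
    return blob


if __name__ == "__main__":
    layers, flag = recover_flag(build_sample())
    print(" -> ".join(layers))
    print(flag.decode())
```

Run it on a real file with `recover_flag(open("fromdecode", "rb").read())`; when `unwrap_all` stops on "unknown" before reaching text, the remaining blob is one of the formats the standard library lacks and `file` tells you which external tool to reach for.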
2. EavesDrop
[p4ul@j0ker eaves-drop]$ file capture.flag\(1\).pcap
capture.flag(1).pcap: pcap capture file, microsecond ts (little-endian) - version 2.4 (Ethernet, capture length 262144)
1. Here I'm using the tcpflow tool
You can also do the same thing in Wireshark, btw.
[p4ul@j0ker TEMP]$ ls
capture.flag.pcap
[p4ul@j0ker TEMP]$ file capture.flag.pcap
capture.flag.pcap: pcap capture file, microsecond ts (little-endian) - version 2.4 (Ethernet, capture length 262144)
[p4ul@j0ker TEMP]$ tcpflow -r capture.flag.pcap
tcpflow: TCP PROTOCOL VIOLATION: SYN with data! (length=2)
[p4ul@j0ker TEMP]$ ls
010.000.002.004.09001-010.000.002.015.57876 010.000.002.015.57876-010.000.002.004.09001 capture.flag.pcap
010.000.002.015.43928-035.224.170.084.00080 035.224.170.084.00080-010.000.002.015.43928 report.xml
010.000.002.015.56370-010.000.002.004.09002 035.224.170.084.00080-010.000.002.015.43928c1
- Use the file command to know which is which
[p4ul@j0ker TEMP]$ file *
010.000.002.004.09001-010.000.002.015.57876: ASCII text
010.000.002.015.43928-035.224.170.084.00080: ASCII text, with CRLF line terminators
010.000.002.015.56370-010.000.002.004.09002: openssl enc'd data with salted password
010.000.002.015.57876-010.000.002.004.09001: ASCII text
035.224.170.084.00080-010.000.002.015.43928: ASCII text, with CRLF line terminators
035.224.170.084.00080-010.000.002.015.43928c1: data
capture.flag.pcap: pcap capture file, microsecond ts (little-endian) - version 2.4 (Ethernet, capture length 262144)
report.xml: XML 1.0 document, ASCII text, with very long lines (667)
Here we can see there are a lot of text files and one openssl-encrypted data file. Let's decode!
mv 010.000.002.015.56370-010.000.002.004.09002 opensslfile.asc
- one specific text file contains the juicy data needed to retrieve the flag
flag: picoCTF{nc_73115_411_91361db5}
3. Packet Primer
1. The strings command is enough
[p4ul@j0ker packet_primer]$ file network-dump.flag.pcap
network-dump.flag.pcap: pcap capture file, microsecond ts (little-endian) - version 2.4 (Ethernet, capture length 262144)
[p4ul@j0ker packet_primer]$ strings network-dump.flag.pcap | grep p | head -1 | sed "s/ //g"
picoCTF{p4ck37_5h4rk_2edd7e58}
2. The same thing using Scapy, for fun
- Just type scapy to get the Scapy prompt.
(make sure that you have already installed Scapy)
>>> pkt = rdpcap("network-dump.flag.pcap")
rdpcap() reads the pcap file into a packet list, here called pkt
>>> pkt[3][Raw]
<Raw load='p i c o C T F { p 4 c k 3 7 _ 5 h 4 r k _ 2 e d d 7 e 5 8 }\n' |>
>>> pkt[3][Raw].load.decode().replace(" ", "")
'picoCTF{p4ck37_5h4rk_2edd7e58}\n'
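Both EavesDrop and Packet Primer come down to pulling TCP payloads out of a pcap: tcpflow reassembles each direction of each connection into a file named after the endpoints, and `pkt[3][Raw].load` in Scapy is the payload of one segment. The block below is an added example, not the writeup's code or tcpflow's, that does both with only the standard library: it parses the classic pcap container (pcapng is not handled), decodes Ethernet/IPv4/TCP headers, reassembles each flow by sequence number (dropping retransmitted bytes, which is why tcpflow's output had no duplicates), names flows the way tcpflow does, and flags a stream that begins with the "Salted__" header that made `file` report "openssl enc'd data with salted password". The capture it parses is constructed inside the block, not the challenge file.

```python
import struct
from collections import defaultdict

# Constructed sample traffic (not the challenge capture): a two-way TCP conversation
# between 10.0.2.15 and 10.0.2.4 that includes one retransmitted segment.
CLIENT, SERVER = "10.0.2.15", "10.0.2.4"
SALT = b"ABCDEFGH"  # 8-byte salt of the constructed 'openssl enc'-style blob

def _ip(addr):
    return bytes(int(o) for o in addr.split("."))

def build_frame(src, sport, dst, dport, seq, payload, flags=0x18):
    """Ethernet + IPv4 + TCP frame; checksums stay zero because the parser ignores them."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, 0, (5 << 12) | flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, _ip(src), _ip(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip  # zero MACs, EtherType IPv4

def build_pcap(frames):
    """Little-endian pcap 2.4 with an Ethernet link type, the format `file` reported above."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 262144, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)) + frame
    return out

SAMPLE_PCAP = build_pcap([
    build_frame(CLIENT, 57876, SERVER, 9001, 1000, b"hello "),
    build_frame(SERVER, 9001, CLIENT, 57876, 5000, b"Salted__" + SALT + b"ciphertext"),
    build_frame(CLIENT, 57876, SERVER, 9001, 1006, b"world"),
    build_frame(CLIENT, 57876, SERVER, 9001, 1006, b"world"),  # retransmission
])

def read_pcap(data):
    """Yield captured frames from a classic pcap file, honouring its byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "IHHiIII", data[:24])[6] != 1:
        raise ValueError("only the Ethernet link type is handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def tcp_segment(frame):
    """Return (src, sport, dst, dport, seq, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[0] >> 4 != 4 or ip[9] != 6:
        return None
    ihl, total = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total]
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    return src, sport, dst, dport, seq, tcp[(tcp[12] >> 4) * 4:]

def packet_payload(data, index):
    """Equivalent of scapy's pkt[index][Raw].load for one TCP packet."""
    seg = tcp_segment(list(read_pcap(data))[index])
    return seg[5] if seg else b""

def flow_name(src, sport, dst, dport):
    """tcpflow's output file naming: zero-padded octets and five-digit ports."""
    pad = lambda a: ".".join(f"{int(o):03d}" for o in a.split("."))
    return f"{pad(src)}.{sport:05d}-{pad(dst)}.{dport:05d}"

def extract_flows(data):
    """Reassemble each direction of each TCP connection by sequence number."""
    segs = defaultdict(list)
    for frame in read_pcap(data):
        seg = tcp_segment(frame)
        if seg and seg[5]:
            segs[flow_name(*seg[:4])].append((seg[4], seg[5]))
    flows = {}
    for name, parts in segs.items():
        parts.sort(key=lambda p: p[0])
        base, buf = parts[0][0], bytearray()
        for seq, payload in parts:
            rel = seq - base
            if rel < len(buf):            # overlap or retransmission: keep only the new tail
                payload = payload[len(buf) - rel:]
            elif rel > len(buf):          # hole left by a missing segment
                buf.extend(b"\x00" * (rel - len(buf)))
            buf.extend(payload)
        flows[name] = bytes(buf)
    return flows

def openssl_salt(blob):
    """'openssl enc' output with a salted password starts with 'Salted__' and the
    8-byte salt; that header is what `file` recognised. Returns the salt or None."""
    return blob[8:16] if blob[:8] == b"Salted__" else None

if __name__ == "__main__":
    for name, content in extract_flows(SAMPLE_PCAP).items():
        print(name, content[:26], "salt:", openssl_salt(content))
```

For a real capture, `extract_flows(open("capture.flag.pcap", "rb").read())` gives you the same per-direction streams tcpflow wrote to disk, keyed by the same names, so `file`-style triage can run over them in memory; the `openssl_salt` check is only identification, the salt alone does not decrypt anything without the password that travelled in the clear-text stream.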
4. Enhance
Another easy challenge.
[p4ul@j0ker enhance]$ file drawing.flag.svg
drawing.flag.svg: SVG Scalable Vector Graphics image
[p4ul@j0ker enhance]$ strings drawing.flag.svg | tail
id="tspan3764">F { 3 n h 4 n </tspan><tspan
sodipodi:role="line"
x="107.43014"
y="132.11588"
id="tspan3752">c 3 d _ 6 a e 4 2 b b a }</tspan></text>
</g>
</svg>
- there's the flag; let's make a one-liner to extract it
[p4ul@j0ker enhance]$ cat solve.sh
cat drawing.flag.svg | grep id | cut -d ">" -f2 | cut -d "<" -f1 | grep -v st | tail | tr '\n' ' ' | cut -d '"' -f3 | sed "s/ //g" | tee flag.txt
[p4ul@j0ker enhance]$ cat flag.txt
picoCTF{3nh4nc3d_6ae42bba}
flag: picoCTF{3nh4nc3d_6ae42bba}
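The grep/cut pipeline works for this file but depends on the exact line layout Inkscape produced. As an added example (not the writeup's solve.sh), the same extraction with an XML parser: walk every `<tspan>` in document order, join their text and drop the spacing between characters. The SVG it parses is constructed inline, not the challenge's drawing.flag.svg, and uses the same `sodipodi:role="line"` attributes split across lines.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not the challenge file): the flag text is spread over several
# <tspan> elements with spaces between the characters and attributes split across lines.
SAMPLE_SVG = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd">
  <g>
    <text id="text1"><tspan
       sodipodi:role="line"
       id="tspan1">p i c o C T</tspan><tspan
       sodipodi:role="line"
       x="107.43014"
       id="tspan2">F { c o n s t r u c t e d }</tspan></text>
  </g>
</svg>
"""

SVG_NS = "{http://www.w3.org/2000/svg}"


def tspan_text(svg_bytes):
    """Concatenate the text of every <tspan> in document order and drop the spacing."""
    root = ET.fromstring(svg_bytes)
    pieces = [t.text or "" for t in root.iter(SVG_NS + "tspan")]
    return "".join(pieces).replace(" ", "")


def find_flag(svg_bytes):
    """Return the first picoCTF{...} token in the joined tspan text, or None."""
    m = re.search(r"picoCTF\{[^}]*\}", tspan_text(svg_bytes))
    return m.group(0) if m else None


if __name__ == "__main__":
    print(find_flag(SAMPLE_SVG))
```

`root.iter()` is the reason this survives reformatting: the text is found by element, not by the line the `id` attribute happens to sit on. For SVGs from an untrusted source, parse with the defusedxml package instead of `xml.etree` directly so entity-expansion tricks in the file cannot exhaust memory.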
5. St3g0
[p4ul@j0ker st3go]$ file pico.flag.png
pico.flag.png: PNG image data, 585 x 172, 8-bit/color RGBA, non-interlaced
[p4ul@j0ker st3go]$ zsteg pico.flag.png | head -1
b1,rgb,lsb,xy .. text: "picoCTF{7h3r3_15_n0_5p00n_4706df81}$t3g0"
Note: the given file is a PNG, so why not zsteg?
flag: picoCTF{7h3r3_15_n0_5p00n_4706df81}$t3g0
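zsteg's `b1,rgb,lsb,xy` label describes exactly where it found the text: 1 bit per channel, taken from the least significant bit of R, G and B in that order, pixel by pixel along each row. The block below is an added example, not zsteg's code or the writeup's, that performs that extraction on a decoded pixel list, and hides a message first so there is something to find. It assumes the PNG has already been decoded to a flat list of (R, G, B) tuples (for instance with Pillow's `Image.getdata()`, which this block does not call); the pixel data and message are constructed inline, not taken from pico.flag.png.

```python
# Assumes pixels are already decoded to a flat row-major list of (R, G, B) tuples.
WIDTH, HEIGHT = 32, 8

# Constructed cover image with a deterministic pattern (not the challenge PNG).
SAMPLE_PIXELS = [((x * 7) % 256, (y * 13) % 256, (x * y) % 256)
                 for y in range(HEIGHT) for x in range(WIDTH)]
MESSAGE = b"picoCTF{constructed_lsb}"  # constructed, not the challenge flag


def bits_from_bytes(data):
    """Most significant bit of each byte first, the order zsteg assumes for 'lsb' text."""
    for byte in data:
        for i in range(7, -1, -1):
            yield (byte >> i) & 1


def embed_lsb(pixels, message):
    """Write message bits into the LSB of R, G, B of successive pixels (b1,rgb,lsb,xy)."""
    flat = [c for px in pixels for c in px]
    bits = list(bits_from_bytes(message))
    if len(bits) > len(flat):
        raise ValueError("message does not fit in the cover image")
    for i, bit in enumerate(bits):
        flat[i] = (flat[i] & 0xFE) | bit   # clear the LSB, then set it to the message bit
    return [tuple(flat[i:i + 3]) for i in range(0, len(flat), 3)]


def extract_lsb(pixels, nbytes):
    """Read back the LSB plane in the same channel and pixel order, nbytes at most."""
    flat = [c for px in pixels for c in px]
    out = bytearray()
    for i in range(0, min(nbytes * 8, len(flat) - len(flat) % 8), 8):
        byte = 0
        for value in flat[i:i + 8]:
            byte = (byte << 1) | (value & 1)
        out.append(byte)
    return bytes(out)


def printable_prefix(data, min_len=8):
    """Leading run of printable ASCII, or None if shorter than min_len; this is the
    kind of check that lets a tool report a bit plane as 'text'."""
    run = bytearray()
    for b in data:
        if 32 <= b < 127:
            run.append(b)
        else:
            break
    return bytes(run) if len(run) >= min_len else None


def max_channel_delta(a, b):
    """Largest per-channel change between two pixel lists (LSB embedding gives at most 1)."""
    return max(abs(x - y) for pa, pb in zip(a, b) for x, y in zip(pa, pb))


if __name__ == "__main__":
    stego = embed_lsb(SAMPLE_PIXELS, MESSAGE)
    print("max pixel change:", max_channel_delta(SAMPLE_PIXELS, stego))
    print("extracted:", printable_prefix(extract_lsb(stego, 64)))
```

Flipping only the lowest bit changes each channel value by at most 1, which is why the picture looks untouched; detection relies on reading the bit planes back (as zsteg does across many channel orders and bit depths) rather than on looking at the image.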
Thanks for reading.