Picoctf2022 Forensics Writeups

Hello Friends , Lets Have a look at some forensics Challenges #5 from picoctf2022

1.File Types

PicoCTF@pj>> file flag.pdf 
flag.pdf: shell archive text

Middle of the file contains uudecode command , that means code is uuencoded

• To decode the file,we just have to use uudecode tool

To install : $yay -S sharutils

btw i use manjaro so yay package manager , same sharutils in apt (debian)

Whole Script to Get the flag :

#yay -S sharutils cpio bzip2 lzip lzop lz4 xz xxd-standalone --noconfirm
#!/bin/bash
uudecode flag.pdf
mv flag fromdecode
7z x fromdecode
mv flag flagfrom7z.cpio
cpio -idv < flagfrom7z.cpio
mv flag flagfromcpio.bz
bunzip2 flagfromcpio.bz
mv flagfromcpio flagfromcpio.gz
gunzip flagfromcpio.gz
mv flagfromcpio  flagfromgunandbun.lz
lzip -d flagfromgunandbun.lz
mv flagfromgunandbun flagoflziptolz4.lz4
lz4 -d flagoflziptolz4.lz4 
mv flagoflziptolz4 flag-fromlz4.lzma
lzma -d flag-fromlz4.lzma
mv flag-fromlz4 flag-from-lzma.lzop
lzop  -d flag-from-lzma.lzop
mv flag-from-lzma flag-from-lzop
lzip -d flag-from-lzop
mv flag-from-lzop.out flag-from-lzop.xz
xz -d flag-from-lzop.xz
mv flag-from-lzop final-flag.txt
cat final-flag.txt |xxd -r -p|tee flag.txt

| code might confusing

1. after uudecode , do
2. unzip or 7z
3. Lot of archives.. !
4. Do file command , note down the archive type
5. install Corresponding tool to decompress
6. repeat uh

Repeat the steps until its .txt file

picoCTF{f1len@m3_m@n1pul@t10n_f0r_0b2cur17y_278f1a18}

2.EavesDrop

[p4ul@j0ker eaves-drop]$ file capture.flag\(1\).pcap 
capture.flag(1).pcap: pcap capture file, microsecond ts (little-endian) - version 2.4 (Ethernet, capture length 262144)

1. Here I’m Using TCPFLOW tool

You can also do the same thing in wireshark btw

[p4ul@j0ker TEMP]$ ls 
capture.flag.pcap
[p4ul@j0ker TEMP]$ file capture.flag.pcap 
capture.flag.pcap: pcap capture file, microsecond ts (little-endian) - version 2.4 (Ethernet, capture length 262144)

[p4ul@j0ker TEMP]$ tcpflow -r capture.flag.pcap 
tcpflow: TCP PROTOCOL VIOLATION: SYN with data! (length=2)
[p4ul@j0ker TEMP]$ ls
010.000.002.004.09001-010.000.002.015.57876  010.000.002.015.57876-010.000.002.004.09001    capture.flag.pcap
010.000.002.015.43928-035.224.170.084.00080  035.224.170.084.00080-010.000.002.015.43928    report.xml
010.000.002.015.56370-010.000.002.004.09002  035.224.170.084.00080-010.000.002.015.43928c1

• Use the file Command to Know which it is

[p4ul@j0ker TEMP]$ file *
010.000.002.004.09001-010.000.002.015.57876:   ASCII text
010.000.002.015.43928-035.224.170.084.00080:   ASCII text, with CRLF line terminators
010.000.002.015.56370-010.000.002.004.09002:   openssl enc'd data with salted password
010.000.002.015.57876-010.000.002.004.09001:   ASCII text
035.224.170.084.00080-010.000.002.015.43928:   ASCII text, with CRLF line terminators
035.224.170.084.00080-010.000.002.015.43928c1: data
capture.flag.pcap:                             pcap capture file, microsecond ts (little-endian) - version 2.4 (Ethernet, capture length 262144)
report.xml:                                    XML 1.0 document, ASCII text, with very long lines (667)

Here , We can see there is lot of text file and one openssl enc data file lets decode!

mv 010.000.002.015.56370-010.000.002.004.09002 opensslfile.asc

• one specific file contains some juicy data to retrieve flag

flag : picoCTF{nc_73115_411_91361db5}

3. Packet Primer

flag : picoCTF{p4ck37_5h4rk_2edd7e58}

1.String command is enough

[p4ul@j0ker packet_primer]$ file network-dump.flag.pcap
network-dump.flag.pcap: pcap capture file, microsecond ts (little-endian) - version 2.4 (Ethernet, capture length 262144)
[p4ul@j0ker packet_primer]$ strings network-dump.flag.pcap |grep p|head -1|sed  "s/ //g"
picoCTF{p4ck37_5h4rk_2edd7e58}

2. Same Thing Using Scapy for fun

• Just type scapy to Get Scapy prompt .

(make sure that you have already installed scapy)

>> pkt=rdpcap("network-dump.flag.pcap")

rdpcap() can be used to take the pcap file into a pkt object

Just Take our flag out of it

>>> pkt[3][Raw]
<Raw  load='p i c o C T F { p 4 c k 3 7 _ 5 h 4 r k _ 2 e d d 7 e 5 8 }\n' |>

>>> pkt[3][Raw].load.decode().replace(" ","")
'picoCTF{p4ck37_5h4rk_2edd7e58}\n'

4. Enhance

Another easy chall

[p4ul@j0ker enhance]$ file drawing.flag.svgdrawing.flag.svg: SVG Scalable Vector Graphics image
[p4ul@j0ker enhance]$ strings drawing.flag.svg |tail
     
         id="tspan3764">F { 3 n h 4 n </tspan><tspan
         sodipodi:role="line"
         x="107.43014"
         y="132.11588"
         id="tspan3752">c 3 d _ 6 a e 4 2 b b a }</tspan></text>
  </g>
</svg>

• well flag , lets make one liner to get the flag

[p4ul@j0ker enhance]$ cat solve.sh 
cat drawing.flag.svg|grep id|cut -d ">" -f2|cut -d "<" -f1|grep -v st|tail|tr '\n' ' '|cut -d '"' -f3|sed "s/ //g"|tee flag.txt
[p4ul@j0ker enhance]$ cat flag.txt 
picoCTF{3nh4nc3d_6ae42bba}

Meanwhile , How image looks like ,

flag:picoCTF{3nh4nc3d_6ae42bba}

5.St3g0

[p4ul@j0ker st3go]$ file pico.flag.png 
pico.flag.png: PNG image data, 585 x 172, 8-bit/color RGBA, non-interlaced
[p4ul@j0ker st3go]$ zsteg pico.flag.png |head -1
b1,rgb,lsb,xy       .. text: "picoCTF{7h3r3_15_n0_5p00n_4706df81}$t3g0"

Note : The given file is PNG , then why not zsteg ?

flag:picoCTF{7h3r3_15_n0_5p00n_4706df81}$t3g0

“OK “

Thanks for Reading .