kkamagi's story

IT, information security, forensics, and everyday life

DFIR/Challenge

Digital Forensics with CTF - [NETWORK] chapter01_2

kkamagi 2020. 1. 19. 13:06

[NETWORK] chapter01 

- Download the file and find the flag.

Checking HTTP objects
Examining the oddly named files shown above gives the following.
 
YupE1RB8    
EX8UPdUb
xnCub4eW
EO4qqhn8
VuwPO9eM
BOQqupmS
E0frzRAi
 
  • After checking the file type, use the zipinfo command to inspect the contents of the archives
 
 
The check showed that YupE1RB8 contains 'flag.txt', and when I tried to extract it, it turned out to be password protected.
 
 
Also, looking through the other archives, one contained a file whose name looked like a hash value, so I searched for it on Google.
317fc6d41e3d0f79f3e9c470cda48f52a7168c6f
 
SHA-1 : 317fc6d41e3d0f79f3e9c470cda48f52a7168c6f
SHA256 : 37ec11678ab1ac0daf8a630fdf6fb37ca250b3c4f44c092f1338a14409fb3f79
 
 
-> Could not find the sample data
-> Confirmed that it is malware.
 
 
However, googling the checksum points to a malware sample that is available for download here.
We now have the same file in plaintext and inside the encrypted zip, so we can proceed with the known plaintext attack using the pkcrack tool that implements it.
 
$ extract xnCub4eW 317fc6d41e3d0f79f3e9c470cda48f52a7168c6f
$ ls -l 317fc6d41e3d0f79f3e9c470cda48f52a7168c6f
-rw-r--r-- 1 root root 2725466 May 11 12:00 317fc6d41e3d0f79f3e9c470cda48f52a7168c6f
$ ls -l plaintext
-rw-r--r-- 1 root root 2725454 May 11 11:59 plaintext
 
The encrypted file should be 12 bytes larger than the plaintext version.
After a few seconds the keys will be printed and pkcrack will attempt to bruteforce the password. We don’t really care about the password, since the keys are sufficient to decrypt the zip file.
 
$ pkcrack -c 317fc6d41e3d0f79f3e9c470cda48f52a7168c6f -p plaintext
{...}
Ta-daaaaa! key0=70a8cda4, key1=547222ce, key2=4c7d562e
Probabilistic test succeeded for 35479 bytes.
 
We can decrypt the contents with the zipdecrypt tool shipped with pkcrack.
 
$ zipdecrypt 70a8cda4 547222ce 4c7d562e xnCub4eW xnCub4eW_plain.zip
Decrypting 317fc6d41e3d0f79f3e9c470cda48f52a7168c6f (ed5e829f7f1c27cbb62e5458)... OK!
Decrypting 2VT&Wb!XJ0dzG7JyvyH-II#J (15b6960191cbc71256147d67)... OK!
 
Now we have a plaintext version (2VT&Wb!XJ0dzG7JyvyH-II#J) of the encrypted file named cohaxOTDL4Iy4sK7DWFU6Mw6 in the next zip file (E0frzRAi). If we continue doing this one by one, we’ll finally be able to decrypt the contents of the last zip, which contains the flag.
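The two checks the write-up relies on, the 12-byte size difference between an encrypted entry and its plaintext, and finding which entry from the previously decrypted zip is the plaintext for the next one, can be automated by reading the ZIP local file headers directly. This is an added example, not code from the original post or from pkcrack; the archives it inspects are constructed in memory, and the "encrypted" ones are only size-faithful stand-ins with the encryption flag set, not real ZipCrypto output.

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"   # local file header signature
ZIPCRYPTO_HEADER = 12       # bytes ZipCrypto prepends to every encrypted entry

def local_entries(data):
    """Walk local file headers; yield (name, encrypted, method, compressed_size).
    Ignores zip64 and data-descriptor (flag bit 3) entries, whose sizes live elsewhere."""
    pos = 0
    while (pos := data.find(LOCAL_SIG, pos)) >= 0:
        # 30-byte fixed header after the signature: version, flags, method, time, date,
        # crc32, compressed size, uncompressed size, name length, extra length
        _v, flags, method, _t, _d, _crc, csize, _usize, nlen, xlen = struct.unpack_from(
            "<HHHHHIIIHH", data, pos + 4)
        name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
        yield name, bool(flags & 1), method, csize   # flag bit 0 = traditional encryption
        pos += 30 + nlen + xlen + csize

def build_plain_zip(name, payload):
    """Constructed sample: a real, unencrypted stored archive made with zipfile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()

def build_mock_encrypted_zip(name, payload):
    """Constructed stand-in: one local header with the encryption flag set and a 12-byte
    prefix so sizes look like ZipCrypto output; the body is NOT encrypted and there is
    no central directory. It exists only to exercise the size check."""
    body = b"\x00" * ZIPCRYPTO_HEADER + payload
    hdr = struct.pack("<4sHHHHHIIIHH", LOCAL_SIG, 20, 1, 0, 0, 0, 0,
                      len(body), len(payload), len(name), 0)
    return hdr + name.encode() + body

def find_plaintext_pairs(archives):
    """archives: {label: zip bytes}. Pair each encrypted entry with unencrypted entries of
    the same compression method that are exactly 12 bytes smaller, which is what pkcrack
    expects. Names are deliberately not compared: in the challenge the plaintext had a
    different name from the encrypted entry."""
    encrypted, plain = [], []
    for label, data in archives.items():
        for name, enc, method, csize in local_entries(data):
            (encrypted if enc else plain).append((label, name, method, csize))
    return [(el, en, pl, pn) for el, en, em, ec in encrypted
            for pl, pn, pm, pc in plain if pm == em and pc + ZIPCRYPTO_HEADER == ec]

# Constructed archives: only "next_zip" has an entry 12 bytes larger than a plaintext entry.
ARCHIVES = {
    "previous_zip": build_plain_zip("plain_entry", b"A" * 100),
    "next_zip": build_mock_encrypted_zip("encrypted_entry", b"B" * 100),   # 112 bytes
    "unrelated_zip": build_mock_encrypted_zip("other_entry", b"C" * 50),   # 62 bytes
}
```

Running `find_plaintext_pairs(ARCHIVES)` returns the (encrypted zip, entry, plaintext zip, entry) tuples that are worth feeding to `pkcrack -c ... -p ...`.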
 
$ cat flag.txt
ASIS{b72be7f18502dde0c2ca373ee3c2b03e}
 
 
 
 