kkamagi's story

IT, 정보보안, 포렌식, 일상 공유

DFIR/Challenge

디지털포렌식 with CTF - [NETWORK] chapter01_2

까마기 2020. 1. 19. 13:06
728x90
반응형

[NETWORK] chapter01 

- 파일을 다운로드하고 플래그를 찾아라.

 
 
 
 
HTTP Object 확인
위와 같이 특이한 이름의 파일들을 확인해보면 다음과 같다.
 
YupE1RB8    
EX8UPdUb
xnCub4eW
EO4qqhn8
VuwPO9eM
BOQqupmS
E0frzRAi
 
  • file type 확인 후 zipinfo 명령어를 통해 압축파일들의 정보를 확인
 
 
확인 결과 YupE1RB8 파일에 'flag.txt'가 확인되어 압축해제를 시도하였더니 password가 걸려있었다.
 
 
또, 다른 압축파일들을 확인 해보니, 해쉬값으로 보이는 파일이 있어 구글검색을 진행하였다.
317fc6d41e3d0f79f3e9c470cda48f52a7168c6f
 
SHA-1 : 317fc6d41e3d0f79f3e9c470cda48f52a7168c6f
SHA256 : 37ec11678ab1ac0daf8a630fdf6fb37ca250b3c4f44c092f1338a14409fb3f79
 
 
-> sample 데이터를 찾지 못하엿음
-> Malware 인 것은 확인.
 
 
However, googling the checksum points to a malware sample that is available for download here.
We now have the same file in plaintext and inside the encrypted zip, so we can proceed with the known plaintext attack using the pkcrack tool that implements it.
 
1
2
3
4
5
$ extract xnCub4eW 317fc6d41e3d0f79f3e9c470cda48f52a7168c6f
$ ls -l 317fc6d41e3d0f79f3e9c470cda48f52a7168c6f
-rw-r—r— 1 root root 2725466 May 11 12:00 317fc6d41e3d0f79f3e9c470cda48f52a7168c6f
$ ls -l plaintext
-rw-r—r— 1 root root 2725454 May 11 11:59 plaintext
 
The encrypted file should be 12 bytes larger than the plaintext version.
After a few seconds the keys will be printed and pkcrack will attempt to bruteforce the password. We don’t really care about the password, since the keys are sufficient to decrypt the zip file.
 
1
2
3
4
$ pkcrack -c 317fc6d41e3d0f79f3e9c470cda48f52a7168c6f -p plaintext
{...}
Ta-daaaaa! key0=70a8cda4, key1=547222ce, key2=4c7d562e
Probabilistic test succeeded for 35479 bytes.
 
We can decrypt the contents with the zipdecrypt tool shipped with pkcrack.
 
1
2
3
$ zipdecrypt 70a8cda4 547222ce 4c7d562e xnCub4eW xnCub4eW_plain.zip
Decrypting 317fc6d41e3d0f79f3e9c470cda48f52a7168c6f (ed5e829f7f1c27cbb62e5458)… OK!
Decrypting 2VT&Wb!XJ0dzG7JyvyH-II#J (15b6960191cbc71256147d67)… OK!
 
Now we have a plaintext version (2VT&Wb!XJ0dzG7JyvyH-II#J) of the encrypted file named cohaxOTDL4Iy4sK7DWFU6Mw6 in the next zip file (E0frzRAi). If we continue doing this one by one, we’ll finally be able to decrypt the contents of the last zip, which contains the flag.
 
1
2
$ cat flag.txt
ASIS{b72be7f18502dde0c2ca373ee3c2b03e}
 
 
 
 
반응형