728x90
반응형
728x90
반응형
728x90
반응형

cat.pcapng 파일이 주어진다.

usb cap이다.

 

 

DESCRIPTOR  Response DEVICE 패킷을 확인해보면, wacom 펜 타블렛임을 확인할 수 있다.

 

tshark를 이용해서 데이터를 추출한다.

 

tshark -r ./Cat.pcapng -Y 'usb.capdata && usb.data_len == 9' -T fields -e usb.capdata > usbPcapData

 

데이터는 이러한 구조를 가지고 있다고 한다.

Example:
02:f0:50:1d:72:1a:00:00:12
Bytes:
02:f0: -- Header
50:1d: -- X
72:1a: -- Y
00:00: -- Pressure
12 -- Suffix

 

x, y 좌표값에 대한 데이터를 추출하여 좌표평면에 표시하면 된다.

z=0 필압이 없는 경우를 제외하기 위해 z값도 추출

awk -F: '{x=$3$4;y=$5$6}{z=$7}$1=="02"{print x,y,z}' usbPcapData > xydata

 

wacom_decode.py

1
2
3
4
5
6
7
8
9
10
11
#!/usr/bin/python
from pwn import *
 
for line in open('xydata').readlines():
  coord = line.strip().split(' ')
  x = int(coord[0],16)
  y = int(coord[1],16)
 
  if z > 0:
    print u16(struct.pack(">H",x)),u16(struct.pack(">H",y))
 
cs

z가 0인 경우를 제외하며, xy값을 10진수로 표현

python wacom_decode.py > out.txt
gnuplot
plot "out.txt"

 

 

png로 export이후 

convert -flop flag.png flag-f.png

이미지 좌우반전

728x90
반응형

'WAR GAME > [DigitalForensic] with CTF' 카테고리의 다른 글

D-CTF [DefCoN#21 #1]  (0) 2021.07.06
D-CTF [Find Key(WhiteHat)]  (0) 2021.07.04
D - CTF [계속 주시해라!] 풀이  (0) 2020.10.14
D - CTF [Find Key(moon)] 풀이  (0) 2020.10.14
D - CTF [Find Key(butterfly)] 풀이  (0) 2020.10.14
728x90
반응형

Forensics

What App is on Fire?

 

Open chall.E01 with FTK Imager

In Recycle.Bin, i found meaningful data in two txt files.

and

But there is a flag.txt (not flaag.txt) in Desktop/ and it has fake flag.

Likewise, there is only zero size flag.bmp in Documents/my content/ .

So, I used NTFS log tracker to find location where flaag.txt and credentials.txt were moved.

$RVL2F46.txt was flaag.txt

and it's fake flag :) hehe.

 

Next!

credentials.txt was zipped and renamed to $R002W8L.txt (moved to Recycle.BIN).

credentilas.zip was deleted.

 

and $R002W8L.txt is zero size in given E01 file.

 

flag.bmp is meaningless.

haha :)

 

 

IE history modified log between credentials.txt logs.

 

IE history :

hmmmmmm..............

--------

[add something after ctf ends.]

왜 저 credentials.zip .txt 를 붙잡고 있었지.. 문제 제목에서도 whatsapp 써먹는거 알 수 있는데..

 

at first, Investigate chats from WhatsApp messages DB.


--------

Next! i checked firefox history.

I think flag is in there.

 

But it need id and pw.

 

id and pw were stored in logins.json and they were encrypted.

To decrypt them, 

create new profile

move logins.json and key4.db to new profile folder

 

start firefox

 

yeah!

 

?????????????

 

 

oh, another login page is at ./ and i use same account to login.

then i got half of flag.

 

728x90
반응형

'CTF Write Up' 카테고리의 다른 글

RTLxHA CTF 21 write up  (0) 2021.08.01
Securebug.se CTF Loki 2021 write up  (0) 2021.07.19
LINE CTF 2021 write up  (0) 2021.03.21
Codefest CTF 2021 Write up  (0) 2021.03.20
UTCTF 2021 write up  (0) 2021.03.15
728x90
반응형

babycrypto1

 

 

영어로 쓸려 했는데 뭔가 쉽게 안써진다..

 

test command cipher text가 주어지고,

동일한 aes key를 사용하는, vi를 입력해서 cipher text를 만들 수 있는 거가 있다.

 

50행에서 토큰은 그대로 사용되기 때문에 앞쪽 블록은 그대로 사용하고 command만 들어가있는 마지막 블록만 생각하면 된다.

마지막 블록을 변화시키면 cipher text의 마지막 블록에만 변화가 생기는데, 이를 이용하여 "show" 가 들어간 암호화된 블록을 만들어 바꿔치면 된다.

 

마지막 블록을 만들 때  plain text와 xor 하는 것을 vi로 보면, vi는 cipher text N-1번째 블록값이 된다.

plain text 를 "show"로, vi를 cipher text 마지막 블록을 넣어 cipher text 한 블록을 만들어서

처음 주어진 test command cipher text의 마지막 블록과 바꾸어서 넣어주면

복호화 과정에서 앞 블록은 그대로이기 때문에 token은 그대로 복호화가 되고 마지막 블록은 show로 복호화가 이루어 진다.


babycrypto2

 

 

1과 다른 점은 COMMAND가 맨 처음 블록으로 이동하였고, encryption 과정이 없다는 것이다.

어차피 cipher text의 앞 블록이 바뀌면 그 다음 블록에도 영향을 주기 때문에 블록 바꿔치기는 안된다.

 

 

다만 decryption 과정을 보면, 맨 앞블록은 block cipher decryption 이후에 IV와 xor을 수행한다.

그리고 복호화에 사용할 IV값은 우리가 넣어줄 수 있다. 이 IV 값을 바꿔주어 맨 앞 plaintext가 우리가 원하는 값이 되도록 하면 된다. ciphertext는 그대로 사용할 것이기 때문에, block cipher decryption의 결과값은 고정이다.

원래의 복호화 과정을 생각한다면, IV에는 처음 제공되는 IV값이 들어가며, block cipher decryption의 결과값은 IV xor plaintext(test)이며, 우리가 원하는 plaintext로 만들어주는 IV값은 IV xor plaintext(test) xor plaintext(show) 가 된다.

다만 plaintext(show)를 만들 때 앞의 PREFIX값과 뒤에 token 3byte를 생각해야 한다.

 

그렇게 해서 IV값을 만들어서 IV + data 복호화 돌려주면 된다.

728x90
반응형

'CTF Write Up' 카테고리의 다른 글

Securebug.se CTF Loki 2021 write up  (0) 2021.07.19
Securinets CTF Quals 2021 write up  (0) 2021.03.22
Codefest CTF 2021 Write up  (0) 2021.03.20
UTCTF 2021 write up  (0) 2021.03.15
vishwaCTF 2021 Write up  (0) 2021.03.15
728x90
반응형

Forensics

스테가노

Anime is love

There is a zip file at end of jpg file (jpg file footer signature).

Fix the header signature.

it is encrypted. So, find password using ARCHRP with rockyou.txt which is dictionary file for dictionary attack.

 

flag.txt

it is pdf file

and it's locked.

good.


Telephone

github.com/ribt/dtmf-decoder

 

ribt/dtmf-decoder

Extract phone numbers from an audio recording of the dial tones. - ribt/dtmf-decoder

github.com

convert m4a to wav to use dtmf-decoder

 

hmm...


b1n4rY

bin to hex

make a file "a.data"

open with GIMP

scan it!

 


Web

Sanity Check 2

at ./

base64 -> ascii -> caesar cipher


C is hard

bof

ez

728x90
반응형

'CTF Write Up' 카테고리의 다른 글

Securinets CTF Quals 2021 write up  (0) 2021.03.22
LINE CTF 2021 write up  (0) 2021.03.21
UTCTF 2021 write up  (0) 2021.03.15
vishwaCTF 2021 Write up  (0) 2021.03.15
NahamCon CTF 2021 write up  (0) 2021.03.15
728x90
반응형

Forensics

SHIFT

anyconv.com/ko/png-to-raw-byeonhwangi/

 

PNG RAW 변환: 온라인에서 PNG를 RAW로 변환하십시오

⭐ AnyConv는 5 성급 PNG RAW 변환기입니다 ⭐ 온라인에서 png를 raw로 몇 초 안에 변환하십시오 ✅ 소프트웨어 설치가 필요하지 않습니다 ✅ 무료로 ✅ 완전히 안전합니다. PNG를 RAW로 쉽게 변경할 수

anyconv.com

png to bmp

 

rename .bmp to .data

 

open with GIMP

 

width 5261

 


Doubly Deleted Data


Sandwiched

You can see that there are several pdf files, and you can see that there is a jpg file in between.

 

However, jpg's footer signature can be found far away.

There are parts of the jpg file between the pdf files.

 

The extracted jpg file had a flag.

 


OSINT Part 1

 

search name in twitter

728x90

OSINT Part 2

 

google image search

 


Small P Problems

Diffie–Hellman

github.com/DrMMZ/Attack-Diffie-Hellman/blob/master/AttackDH.py

 

DrMMZ/Attack-Diffie-Hellman

Implementation of cryptanalysis of Diffie-Hellman public key protocol in Python - DrMMZ/Attack-Diffie-Hellman

github.com


Beginner

Various Vernacular

quipqiup.com/

 

quipqiup - cryptoquip and cryptogram solver

 

quipqiup.com

728x90
반응형

'CTF Write Up' 카테고리의 다른 글

LINE CTF 2021 write up  (0) 2021.03.21
Codefest CTF 2021 Write up  (0) 2021.03.20
vishwaCTF 2021 Write up  (0) 2021.03.15
NahamCon CTF 2021 write up  (0) 2021.03.15
dvCTF 2021 Write up  (2) 2021.03.15
728x90
반응형
728x90
반응형

'CTF Write Up' 카테고리의 다른 글

Codefest CTF 2021 Write up  (0) 2021.03.20
UTCTF 2021 write up  (0) 2021.03.15
NahamCon CTF 2021 write up  (0) 2021.03.15
dvCTF 2021 Write up  (2) 2021.03.15
BCA CTF 2021 Write up  (0) 2021.03.14
728x90
반응형
728x90
반응형

'CTF Write Up' 카테고리의 다른 글

UTCTF 2021 write up  (0) 2021.03.15
vishwaCTF 2021 Write up  (0) 2021.03.15
dvCTF 2021 Write up  (2) 2021.03.15
BCA CTF 2021 Write up  (0) 2021.03.14
BSidesSF CTF 2021 write up  (0) 2021.03.09
728x90
반응형
728x90
반응형

'CTF Write Up' 카테고리의 다른 글

vishwaCTF 2021 Write up  (0) 2021.03.15
NahamCon CTF 2021 write up  (0) 2021.03.15
BCA CTF 2021 Write up  (0) 2021.03.14
BSidesSF CTF 2021 write up  (0) 2021.03.09
TRUST CTF 2021 write up  (0) 2021.02.28
728x90
반응형

Forensic

Clang


oBfsC4t10n

open it!

 

download it!

rename .xlsm to .xls

open and recover it!

go to this location

this is vbscript

hmm

728x90

web

BonechewerCon

just input {{config}}


crypto

Broken RSA

 

e is very big

https://github.com/pablocelayes/rsa-wiener-attack.git

 

pablocelayes/rsa-wiener-attack

A Python implementation of the Wiener attack on RSA public-key encryption scheme. - pablocelayes/rsa-wiener-attack

github.com

RSAwienerHacker.py

 

728x90
반응형

'CTF Write Up' 카테고리의 다른 글

NahamCon CTF 2021 write up  (0) 2021.03.15
dvCTF 2021 Write up  (2) 2021.03.15
BSidesSF CTF 2021 write up  (0) 2021.03.09
TRUST CTF 2021 write up  (0) 2021.02.28
Tenable CTF 2021 write up  (0) 2021.02.23
728x90
반응형

layers.txt

bin2ascii

oct2ascii

hex2ascii

base64decode

base85decode


Chimera

Open chimera.bin.img using FTK Imager.

 

I found key.docx.

extract it and rename key.docx to key.zip

 

hmm __main__.py ?

zip password key...

but i couldn't find any zip file.

 

so, i opened chimera.bin.img with HxD.exe. Then i searched "flag".

 

flag.png in flag.zip

good

it is in pdf file stream, but i couldn't find any pdf file. so i just carved it.

it says the file is corrupted, but i can get 61% unziped flag.png

 

 

it is half of flag, but we can read flag :)

728x90

Glitch in the matrix

 

DQT : en.wikibooks.org/wiki/JPEG_-_Idea_and_Practice/The_header_part#The_Quantization_table_segment_DQT

 

JPEG - Idea and Practice/The header part

The markers[edit] The header part of a JPEG file is divided into segments, and each segment starts with a marker, identifying the segment. Usually a JPEG file contains 7 different markers. A marker is a pair of bytes, the first is 255 and the second is dif

en.wikibooks.org

 

The DQT area is intentionally covered with 0xFF.

To recover DQT area, I copied and pasted the DQT area of other normal jpg files downloaded from the google.

After many attempts, I could read a flag.

 

we_need_bits_lots_of_bits


Net Matroyshka

 

8.pcap

 

7.pcap

 

 

6.pcap

 

copy&paste rsync data and sum data

 

5.pcap

 

follow > udp stream

 

make 4.zip

no footer signature in 5.pcap.

i think i extracted 5.zip wrong because 5.zip said zip file is corrupted.

 

i couldn't extract 5.zip correctly..

 


Tapesplice

BZh91AY&SY is bz2 header signature

 


denouement.png

use zsteg


Résumé

just copy and paste


Charge Tracker

 

dex2jar sourceforge.net/projects/dex2jar/

 

dex2jar

Download dex2jar for free. Tools to work with android .dex and java .class files. Mirrors: * https://bitbucket.org/pxb1988/dex2jar * https://github.com/pxb1988/dex2jar dex2jar contains following compment * dex-reader is designed to read the Dalvik Executab

sourceforge.net

 

open .jar using jd-gui java-decompiler.github.io/

 

Java Decompiler

The “Java Decompiler project” aims to develop tools in order to decompile and analyze Java 5 “byte code” and the later versions. JD-GUI is a standalone graphical utility that displays Java source codes of “.class” files. You can browse the reco

java-decompiler.github.io

 

part1 is here.

done.


Hashcrack 101

www.tunnelsup.com/hash-analyzer/

 

Hash Analyzer - TunnelsUP

Hash type: Bit length: Base: Example Hash Inputs 5f4dcc3b5aa765d61d8327deb882cf99MD5 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8SHA1 5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8SHA256 $2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL1

www.tunnelsup.com

1~4 : DES (Unix)

5~9 : md5crypt, MD5 (Unix)

10~13 : sha512crypt $6$, SHA512 (Unix)

 

use hashcat

hashcat.net/wiki/doku.php?id=example_hashes

 

example_hashes [hashcat wiki]

Example hashes If you get a “line length exception” error in hashcat, it is often because the hash mode that you have requested does not match the hash. To verify, you can test your commands against example hashes. Unless otherwise noted, the password

hashcat.net

combination bruteforce attack

dictonary attack

 

728x90
반응형

'CTF Write Up' 카테고리의 다른 글

dvCTF 2021 Write up  (2) 2021.03.15
BCA CTF 2021 Write up  (0) 2021.03.14
TRUST CTF 2021 write up  (0) 2021.02.28
Tenable CTF 2021 write up  (0) 2021.02.23
Union CTF 2021 Write up  (0) 2021.02.22

+ Recent posts