Let’s start with the Forensics 300 writeup.
The challenge description was just “Please get my key back!”, and we were given a file named for300-47106ef450c4d70ae95212b93f11d05d.
Let’s start examining the file:
francisco@sherminator:~/Downloads$ file for300-47106ef450c4d70ae95212b93f11d05d
for300-47106ef450c4d70ae95212b93f11d05d: data

Looks like the file utility wasn’t able to recognize the type of the file. So let’s inspect it with a hex editor:
So it’s a firmware image. That means it’s time for binwalk, a tool designed to search binary images for compressed data, filesystems and more.
francisco@sherminator:~/Desktop/binwalk-0.3.9/src$ ./binwalk for300-47106ef450c4d70ae95212b93f11d05d
 
DECIMAL       HEX           DESCRIPTION
-------------------------------------------------------------------------------------------------------
108           0x6C          LZMA compressed data, properties: 0x5D, dictionary size: 33554432 bytes, uncompressed size: 3008436 bytes
983148        0xF006C       PackImg Tag, little endian size: 14690560 bytes; big endian size: 2744320 bytes
983180        0xF008C       Squashfs filesystem, little endian, version 4.0, size: 724610815 bytes, 1470 inodes, blocksize: 0 bytes, created: Sat Mar  6 09:29:04 1993
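A minimal sketch of the kind of signature scan binwalk performs, added here as an illustration; it is not binwalk's code and not part of the original writeup. The sample image is constructed: its LZMA values are copied from the listing above, while the Squashfs offset, block size and the plausibility thresholds are assumptions.

```python
import struct

SQFS_MAGIC = b"hsqs"   # Squashfs magic as stored in a little-endian image
LZMA_PROPS = 0x5D      # LZMA properties byte shown in the binwalk output above

def parse_lzma(blob, off):
    """LZMA-alone header: props (u8), dictionary size (u32), uncompressed size (u64)."""
    props, dict_size, usize = struct.unpack_from("<BIQ", blob, off)
    # Heuristic (assumption): power-of-two dictionary, size unknown (-1) or under 1 GiB.
    ok = dict_size >= 4096 and dict_size & (dict_size - 1) == 0
    ok = ok and (usize == 2**64 - 1 or usize < 2**30)
    return {"dict_size": dict_size, "uncompressed_size": usize} if ok else None

def parse_squashfs(blob, off):
    """First 48 bytes of a Squashfs 4.0 superblock."""
    (_, inodes, _mkfs_time, block_size, _frags, _comp, block_log, _flags,
     _ids, major, minor, _root, used) = struct.unpack_from("<4s4I6H2Q", blob, off)
    # A real superblock has block_size == 2**block_log, between 4 KiB and 1 MiB.
    plausible = 12 <= block_log <= 20 and block_size == 1 << block_log
    return {"version": (major, minor), "inodes": inodes, "block_size": block_size,
            "bytes_used": used, "plausible": plausible}

def scan(blob):
    """Return sorted (offset, kind, info) tuples for every candidate header."""
    hits = []
    pos = blob.find(SQFS_MAGIC)
    while pos != -1 and pos + 48 <= len(blob):
        hits.append((pos, "squashfs", parse_squashfs(blob, pos)))
        pos = blob.find(SQFS_MAGIC, pos + 1)
    for off in range(len(blob) - 12):
        if blob[off] == LZMA_PROPS and (info := parse_lzma(blob, off)):
            hits.append((off, "lzma", info))
    return sorted(hits, key=lambda h: h[0])

def build_sample():
    """Constructed 512-byte test image; not the challenge file."""
    img = bytearray(512)
    struct.pack_into("<BIQ", img, 108, LZMA_PROPS, 33554432, 3008436)
    struct.pack_into("<4s4I6H2Q", img, 256, SQFS_MAGIC, 1470, 0, 131072, 0,
                     1, 17, 0, 1, 4, 0, 0, 4096)
    img[384:388] = SQFS_MAGIC   # decoy: magic bytes followed by an all-zero header
    return bytes(img)

if __name__ == "__main__":
    for offset, kind, info in scan(build_sample()):
        print(f"{offset:<8} 0x{offset:<8X} {kind:<9} {info}")
```

The plausible flag marks headers whose fields do not fit together, which is worth checking when a listing reports values like the 0-byte block size in the Squashfs entry above.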
We have a Squashfs in there, a read-only filesystem that is used on Live CDs and router firmware. We will try to extract that filesystem using firmware-mod-kit:
francisco@sherminator:~/firmware-mod-kit-read-only/trunk$ ./extract-ng.sh for300-47106ef450c4d70ae95212b93f11d05d
After a few minutes, firmware-mod-kit tells us that it has finished its job and that the output is located in the fmk/ directory.
francisco@sherminator:~/Desktop/fmk$ ls
image_parts  logs  rootfs
There we have the filesystem of the firmware, right in the rootfs directory. Let’s see what we can find there:
francisco@sherminator:~/Desktop/fmk/rootfs$ ls
bin  dev  etc  home  htdocs  lib  mnt  proc  sbin  sys  tmp  usr  var  www
Now let’s go straight to the /home/dlink folder:
francisco@sherminator:~/Desktop/fmk/rootfs/home/dlink$ ls -la
total 12
drwxrwxr-x 2 root root 4096 2012-05-30 18:24 .
drwxrwxr-x 3 root root 4096 2012-05-30 18:20 ..
-rw-r--r-- 1 root root   45 2012-05-30 18:24 key.txt
And finally:
francisco@sherminator:~/Desktop/fmk/rootfs/home/dlink$ cat key.txt
ewe know, the sh33p always preferred Linksys
So the key for this challenge was: ewe know, the sh33p always preferred Linksys