Forensic Challenge. Get the passwords pal!

challenge
forensics

(pico) #1

Here is your weekend challenge. Let’s try something different this week.

#The Challenge
A group of Black Hats, known as the Cr4king GuYs, are doing very bad things on the Internet, so your team has decided to stop them. Your colleagues have hacked into one of their computers and they’ve found a hidden partition that may contain interesting information.

So, they dumped the partition into a file and gave it to you, the in-house forensic analyst, to figure out if there is something interesting in there.

#Your Goal
Retrieve the passwords in the disk image to finally obliterate those skids.

To prove you solved the challenge, post the passwords you found in the comments. Use the spoiler tag so your solution is not seen by other people trying to solve the challenge. Feel free to provide a brief write-up explaining how you solved the challenge.

This is a very basic challenge so there are only two hints.

Hint1: This is a forensic challenge, not a cryptographic one.

Hint2:

The straightforward way to encrypt a file with gpg is something like this:
$ gpg -c thefile
$ rm thefile

In case you are not familiar with mount, once you get the partition image (check previous challenges for that):

$ mkdir tmp
$ sudo mount the_image ./tmp
$ cd tmp

Good luck and Hack Fun

#The Challenging Disk image
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

(Hardware Bias!) #2

How do you even put an entire partition into a single file? (except dd)

-Phoenix750


(pico) #3

It is not a real partition. It is very small and is almost empty so it can be compressed a lot.

If somebody is interested I can write a couple of lines on how to generate the file… in case nobody mentions this in the comments.


(pico) #5

@sergeantsploit be careful, that partition table looks like your hard drive.

I think you know too much for this challenge. As I said it is very easy to solve, you do not need to do anything very sophisticated.

I will add another hint that I hope will make things easier.


(Sergeant Sploit) #6

I checked with Explorer on Windows. It stated the number of files is 1. And that is what it is giving me.

I have tried the mount command: I am having a lot of errors. I have tried various commands.


(pico) #7

It was a word of warning, just in case. I do not want anybody to destroy their own data.

Are you using Windows to solve the challenge? It should be possible to mount the file on Windows but I cannot give much support on that. Otherwise, please post/PM the errors to get an idea of what may be the problem. In the old days it was a bit more tricky to mount a file but nowadays the mount command should just work.

And yes. There is only one file in the partition.


(Sergeant Sploit) #8

Don’t mind me. Just having a bad day from sunset.

I tried with Linux and the mount command was just trying to make my life miserable. So I switched to Windows. I can send the errors if you want.


(Hardware Bias!) #9

Telling us how to generate the file would be a huge help to me. It would enable me to explore the method used so I can understand the gibberish better. And I’d assume that in the scenario you described I would know how said file was generated :wink:

Then again, forensics aren’t my art.

-Phoenix750


(Sergeant Sploit) #10

SOLVED:

I guess I wasted a lot of time not following instructions. Ok, so looking at the hash string just gives it away.


This is a base64-encoded string. So we python:

#!/usr/bin/env python
from base64 import b64decode

# The full base64 string from the challenge post goes here (truncated in this post)
encrypted = '''H4sICOudyVcAA2Rpc2tfZHVtcC5pbWcA7dxfaFZlGADw120YfEtNKClvfJOyDPxqNvoj/dlfx0DX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'''

# Decode and write the raw (still gzip-compressed) image to disk
with open('target', 'wb') as fopen:
    fopen.write(b64decode(encrypted))

You can give any filename. From here, there are many ways ( I really mean many ). I didn’t use this approach but it works.

cat target

We can also hexedit using the hexedit utility

hexedit target

In my case, I downloaded Salamander and opened the target file. It allows viewing of hex data and also loads images. I found:

First Credentials

Secret Service: Malware DB Pass: 1234

Second Credentials

Secret Service: C&C Servers Pass: g0d

Third Credentials

Secret Service: Secure Cloud Pass: sex

The hacker thought it was safe using a very strong key with GPG, but he didn’t properly delete the original file, which remains there. Salamander helps us with deleted files but since it’s not much of a deal, we can just hexedit and cat.

That’s it. Peace


(pico) #11

@sergeantsploit Well done :trophy: and great write up!

Alternative way to get the passwords:

In this simple case you can just run strings on the image to get the passwords.

@Phoenix750
This is how the image was generated:

$ dd if=/dev/zero of=disk_dump.img bs=1K count=100
$ mkfs.vfat disk_dump.img
$ mkdir disk
$ sudo mount disk_dump.img ./disk
$ cd disk
$ sudo -- generate the text file secret.txt with cat, vim,... --
$ sudo gpg -c secret.txt
$ sudo rm secret.txt
$ cd ..
$ sudo umount ./disk
$ cat disk_dump.img | gzip | base64

(oaktree) #12

I’m using base64 -d to decode the image, but running strings only reveals “disk_dump.img”…


(pico) #13

Try running file against your file.


(Command-Line Ninja) #14

Woah, this is really decent! I have learned so much in this. Thank you Pico and @sergeantsploit :wink:


(Command-Line Ninja) #15

Continuing this:

Can anybody find the hidden image and what search engine I found it from in this?

http://termbin.com/78ku


(RooT HaXor) #16

File date: 7:57 PM 9/3/2016
string : disk_dump.img
I don’t get the password, explain.


(pico) #17

Check @sergeantsploit’s comment above for the details.


(Hardware Bias!) #18

Too bad I don’t understand forensics well enough (yet) to complete this challenge. Kudos to @sergeantsploit for finding such a straightforward solution and writing a detailed explanation though!

-Phoenix750


#19

I have a number of passwords but they don’t seem to work when entered in the little prompt that pops up. Am I finished, or should I have a pass for this little prompt? EDIT: Ok, read Sergeantsploit’s answer above and think I got it, thanks for the challenge @0x00pf !

Here’s roughly what I did:

cat b64 | base64 -d | gunzip > disk_dump.img (already saw the original name from base64 -d and file)

mount disk_dump.img /mnt

cd’d into the disk and saw the secret.txt.gpg…
doing cat secret.txt.gpg | gpg brings up the pass prompt

strings disk_dump.img gives:
mkmkfs.fat
NO NAME FAT12
This is not a bootable disk. Please insert a bootable floppy and
press any key to try again …
ECRET TXT
"I"I
SECRET~1GPG
"I0I
The Cr4king GuYs
List of passwords to access our secret services
Malware DB: 1234
C&C Servers: g0d
Secure Cloud: sex

Not sure if that’s it, none of those passwords work in the prompt.
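As an added example (not code from the thread), here is the recovery described in pico’s recipe and in the strings output above, done in Python against a constructed FAT12 image rather than the real disk_dump.img: the image is encoded the way pico did (gzip then base64), decoded the way the last post did (base64 -d then gunzip), and the root directory is walked so the “ECRET TXT” line is explained: rm only overwrites the first byte of the directory entry with 0xE5 and leaves the data cluster untouched. The image layout, file names and plaintext are assumptions for the example.

```python
import base64, gzip, re, struct
BPB = '<HBHBHHBH'  # bytes/sector, sectors/cluster, reserved, FATs, root entries, total sectors, media, sectors/FAT

def build_image():
    """Constructed 100 KiB FAT12 image (not the challenge file): deleted SECRET.TXT plus a live SECRET~1.GPG."""
    img = bytearray(100 * 1024)
    img[0:11] = b'\xEB\x3C\x90mkfs.fat'
    struct.pack_into(BPB, img, 11, 512, 4, 1, 2, 512, 200, 0xF8, 1)
    img[510:512] = b'\x55\xAA'
    root = (1 + 2 * 1) * 512                       # after the reserved sector and two 1-sector FATs
    data = root + 512 * 32                         # after 512 root entries of 32 bytes each
    def entry(name, cluster, size, deleted=False):
        e = bytearray(name) + b'\x20' + bytes(14) + struct.pack('<HI', cluster, size)
        if deleted: e[0] = 0xE5                    # rm only overwrites the first byte of the name
        return e
    secret = b'The Cr4king GuYs\nList of passwords to access our secret services\nMalware DB: 1234\n'
    img[root:root + 32] = entry(b'SECRET  TXT', 2, len(secret), deleted=True)
    img[root + 32:root + 64] = entry(b'SECRET~1GPG', 3, 96)
    img[data:data + len(secret)] = secret          # cluster 2 still holds the plaintext
    img[data + 2048:data + 2048 + 96] = b'\x8C\x0D\x04\x09' + bytes(92)  # cluster 3: placeholder gpg blob
    return bytes(img)

def encode_challenge(img):
    return base64.b64encode(gzip.compress(img))    # cat disk_dump.img | gzip | base64

def decode_challenge(b64):
    return gzip.decompress(base64.b64decode(b64))  # base64 -d | gunzip

def list_root(img):
    """Walk the root directory keeping deleted entries; returns (name, deleted, first-cluster content)."""
    if img[510:512] != b'\x55\xAA':
        raise ValueError('no boot sector signature; did you gunzip first?')
    bps, spc, rsvd, nfats, nroot, _, _, spf = struct.unpack_from(BPB, img, 11)
    root = (rsvd + nfats * spf) * bps
    data = root + nroot * 32
    found = []
    for off in range(root, data, 32):
        e = img[off:off + 32]
        if e[0] == 0x00: break                     # end of directory
        if e[11] == 0x0F or e[11] & 0x08: continue  # long-name or volume-label entry
        deleted = e[0] == 0xE5
        raw = (b'?' if deleted else e[0:1]) + e[1:11]
        name = raw[:8].decode().strip() + '.' + raw[8:].decode().strip()
        clus, size = struct.unpack('<HI', e[26:32])
        start = data + (clus - 2) * spc * bps      # FAT chain is cleared by rm, so only the first cluster is certain
        found.append((name, deleted, img[start:start + size]))
    return found

def strings(img, n=8):
    return [m.group().decode() for m in re.finditer(rb'[ -~]{%d,}' % n, img)]  # like strings(1)
```

Running list_root on the decoded image shows the deleted entry as ?ECRET.TXT with its plaintext still readable from cluster 2, which is exactly why strings alone was enough in the thread.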