Arab Security Cyber WarGames 2020 Forensics Challenges Writeup


These challenges were solved by Medoic and Magdi

This is the writeup for the forensics challenges in the ASC CTF qualification round. There were 3 forensics challenges.

Fingerprint –> 300 Pts:

At first we get an archive file containing 7 images of fingerprints. All the images are JPG except for 1 PNG image.

Checking the metadata and EXIF data of the JPG images, we found that the Slices Group Name field of 3.jpg contains challenge.jpg.

Cracking the Rar password:

First we had to extract the password hash of the RAR file using rar2john, then crack it with john:

sudo rar2john 3.rar > passwordhash.txt

sudo john passwordhash.txt --wordlist=/usr/share/wordlists/rockyou.txt --format=RAR5

ASCWG{F0Ren$ics_I$FUn;)}

Meownetwork —> 300 Pts

We received a RAR file containing disk.img.

We then mounted the image using FTK Imager.

Opening the mounted disk, we find 5 images of cats. Trying steghide on the first one:

steghide extract -sf 1.jpg

Let's extract all the text files:

steghide extract -sf 1.jpg
steghide extract -sf 2.jpg
steghide extract -sf 3.jpg
steghide extract -sf 4.jpg
steghide extract -sf 5.jpg

Let's try to brute-force the steghide password using stegcracker:

stegcracker image.jpg /usr/share/wordlists/rockyou.txt

ASCWG{F10ppy_d1$k!!_th@t'$_s0m3_n0$t@1g!a_stuFF}

The-Impossible-Dream

This challenge is one hell of a ride. We have a file with a missing header, and we need to fix it first to get to the challenge.

We need to fix the magic numbers in the header.

As shown above, the file is missing the RIFF hex values and also the data hex values, which are "52 49 46 46" and "64 61 74 61" respectively.

Fixing the header, we get nothing else; nothing is hidden in the audio itself. So we need to use DeepSound.

Extracting the filesystem using the binwalk utility, we get a directory called _challenge.img.extracted/. Viewing the contents of the directory, we get 3 files.

The pastebin.txt file has a weird string that can't be decoded, and it's not a hash. I tried to unrar 'ju$t_an0th3r_f!l3.rar', but it needed a password, so cracking it with John the Ripper, we get the password gasparin.

Extracting the contents of the RAR file, we get 3 pictures that are basically memes. They serve as a rabbit hole and hold nothing important whatsoever (they actually have text files that can be extracted using "stegosuite"; I know so because I made the challenge).

So it's a RAR file. Looking at its header, the magic numbers are missing, so adding them (52 61 72 21, i.e. "Rar!") will fix it.
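The two header repairs described above (the RIFF/data signatures of the WAV file and the Rar! signature of the archive), as an added Python example that is not the challenge author's tooling: it only overwrites bytes when the surrounding structure confirms the file type, so it will not stamp a signature onto an unrelated file. The sample WAV it builds is constructed here for testing.

```python
import struct

RIFF_MAGIC = b"RIFF"   # 52 49 46 46
DATA_ID = b"data"      # 64 61 74 61
RAR_MAGIC = b"Rar!"    # 52 61 72 21, followed by 1A 07 in every RAR version


def is_chunk_id(cid: bytes) -> bool:
    """A RIFF chunk id is four printable ASCII bytes; anything else is damage."""
    return len(cid) == 4 and all(0x20 <= c < 0x7F for c in cid)


def repair_wav_header(data: bytes) -> bytes:
    """Restore 'RIFF' at offset 0 and the blanked 'data' chunk id.
    The form type 'WAVE' at offset 8 must survive, otherwise we refuse to guess."""
    buf = bytearray(data)
    if len(buf) < 12 or buf[8:12] != b"WAVE":
        raise ValueError("no WAVE form type at offset 8: not a damaged WAV")
    buf[0:4] = RIFF_MAGIC
    off, seen_fmt = 12, False
    while off + 8 <= len(buf):                    # walk the chunk list
        cid = bytes(buf[off:off + 4])
        size = struct.unpack_from("<I", buf, off + 4)[0]
        if seen_fmt and not is_chunk_id(cid):     # garbled id after 'fmt ' is the audio chunk
            buf[off:off + 4] = DATA_ID
            break
        seen_fmt = seen_fmt or cid == b"fmt "
        off += 8 + size + (size & 1)              # chunk bodies are word-aligned
    return bytes(buf)


def repair_rar_magic(data: bytes) -> bytes:
    """Rewrite the first four bytes to 'Rar!' only if the 1A 07 that follows the
    signature in every RAR version is still present; anything else is left alone."""
    if len(data) >= 6 and data[4:6] == b"\x1a\x07":
        return RAR_MAGIC + data[4:]
    return data


def build_sample_wav() -> bytes:
    """Constructed 8 kHz mono 16-bit WAV with two samples, used as test input."""
    fmt_body = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)
    pcm = b"\x00\x00\x01\x00"
    body = b"WAVE" + b"fmt " + struct.pack("<I", len(fmt_body)) + fmt_body
    body += DATA_ID + struct.pack("<I", len(pcm)) + pcm
    return RIFF_MAGIC + struct.pack("<I", len(body)) + body
```

Run it against a real damaged file with `repair_wav_header(open(path, "rb").read())` and write the result to a new file; in the sample WAV the data chunk id sits at offset 36.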

So now we need to get the password. We looked at the other RAR file, but it's a rabbit hole, so we are left with the pastebin.txt file.

It looks like a hash but it's not, so we need to take a step back. Reading the description again, we find some interesting hints: "hax0r 5", "aRC reactor second model", and, last but not least, "encrypted". So it might be using an encryption technique like RC2 with the key 5. Going to CyberChef

and using RC2 Decrypt:

It looks like base64, but it's actually base32. Decoding it using CyberChef, we get a base64 string.

Decoding that string, we get random-looking text.

It's actually encoded using ROT47.

Decoding it gives @Nottheaccounty2, which takes us to a Twitter account, where we find a tweet that's encoded using ROT13.

Decoding it leads us to a MEGA drive link.

Going to that link gives us a file called hash.txt.

Cracking the hash using CrackStation gives us the password.

The password is: Password120

Going back to the RAR file and extracting flag.txt, we get the flag.

ASCWG{Wh0m3v3r_m@d3_Th!$_ch@113Ng3_h@s_A_L0T_oF_Fr3e_t!mE}