#
Digital Forensics
#
Hello Amazing CTF Players
Lets have a look at some Begginer Friendly forensic challenges
#
CTF Name : KnightCTF 2022
#
Category : Digital-Forensics
#
1.Compromised FTP
Given:
file ftp.log
ftp.log: ASCII text
They asked for the correct login username and ip address
strings ftp.log|grep OK
Mon Jan 3 15:24:13 2022 [pid 5399] [ftpuser] OK LOGIN: Client "::ffff:192.168.1.7"
Flag:
KCTF{ftpuser_192.168.1.7}
#
2. Lost Flag
Given:
file Lost\ Flag.png
Lost Flag .png: PNG image data, 1200 x 600, 8-bit/color RGBA, non-interlaced
You can use stegoveritas , aperisolve.fr or stegsolve
Here im using stegsolve
File -> Open -> image.png
Flag:
KCTF{Y0U_F0uNd_M3}
#
3. Lets Walk Together
From the challenge name you can conclude that its exactly about binwalk !
└─$ binwalk -e interesting_waves.png
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 PNG image, 1024 x 768, 8-bit/color RGBA, non-interlaced
69968 0x11150 Zip archive data, at least v1.0 to extract, name: Flag/
70031 0x1118F Zip archive data, encrypted at least v1.0 to extract, compressed size: 37, uncompressed size: 25, name: Flag/flag.txt
70313 0x112A9 End of Zip archive, footer length: 22
get into the extracted file directory and do fcrackzip
cd _interesting_waves.png.extracted
┌──(kali㉿kali)
└─$ ls
11150.zip 63 63.zlib
Zip file is passwod protected
┌──(kali㉿kali)
└─$ fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u 11150.zip
PASSWORD FOUND!!!!: pw == letmein!
┌──(kali㉿kali)
└─$ unzip 11150.zip 1 ⚙
Archive: 11150.zip
[11150.zip] Flag/flag.txt password: [letmein!]
extracting: Flag/flag.txt
Thats all
Flag:
KCTF{BiNw4lk_is_h3lpfUl}
#
4.Unknow File
Just Correct the first 4 magic bytes of the given file
89 50 4E 47
┌──(kali㉿kali)
└─$ xxd unknown\ file|head
00000000: 0010 5665 0d0a 1a0a 0000 000d 4948 4452 ..Ve........IHDR
00000010: 0000 04b0 0000 0258 0806 0000 0072 e61f .......X.....r..
00000020: 1a00 0000 0173 5247 4200 aece 1ce9 0000 .....sRGB.......
00000030: 0009 7048 5973 0000 0ec4 0000 0ec4 0195 ..pHYs..........
(after)
┌──(kali㉿kali)
└─$ xxd unknown\ file|head
00000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452 .PNG........IHDR
00000010: 0000 04b0 0000 0258 0806 0000 0072 e61f .......X.....r..
00000020: 1a00 0000 0173 5247 4200 aece 1ce9 0000 .....sRGB.......
00000030: 0009 7048 5973 0000 0ec4 0000 0ec4 0195 ..pHYs..........
Flag:
KCTF{Imag3_H3ad3r_M4nipul4t10n}
Reference about magic bytes manipulation :