where yeti's do the hacking

Defcon 20 CTF Prequals 2012 – Forensics 200 Writeup

The description for for200 was “Recover the key” and we were provided a file named for200-40828eebc3b2806197a33d3762903b2a.

First we ran file on the challenge to gain initial information:

user@host:~/$ file "for200-40828eebc3b2806197a33d3762903b2a"
x86 boot sector, code offset 0x3c, OEM-ID "BSD  4.4", sectors/cluster 2, root entries 512, sectors 31878 (volumes <=32 MB) , Media descriptor 0xf8, sectors/FAT 62, heads 16, hidden sectors 63, serial number 0x83ae1af3, label: "UNTITLED   ", FAT (16 bit)

The output indicated we were dealing with a FAT16 image, so we mounted the file as a partition with Autopsy.

Using the “File Analysis” feature, the following files were found on the FAT16 image:

MD5 Values for files in "for200-40828eebc3b2806197a33d3762903b2a"
d41d8cd98f00b204e9800998ecf8427e - UNTITLED (Volume Label Entry)
5ecad39c470178e1b0ef93e534b60fda - ._.Trashes
4f98e085bdf85099cd2835615f29b589 - 53564
a3944ee8c4f5b536981daf39a4b1d424 - ._53564
b90ffda20d98d862a6cdb135bbd5a19d - 70597
a3944ee8c4f5b536981daf39a4b1d424 - ._70597
2def6e61c6ec61c4505e95986a0fe9f2 - 21638
a3944ee8c4f5b536981daf39a4b1d424 - ._21638

Numerous deleted files were also discovered and extracted:

C:/_1728                            2012-05-25 19:48:18 (EDT)
C:/.Trashes/501/_8938               2012-05-25 19:50:24 (EDT)
C:/.Trashes/501/._28938             2012-05-25 19:57:50 (EDT)
C:/.Trashes/501/_2467               2012-05-25 19:51:14 (EDT)
C:/.Trashes/501/_8808               2012-05-25 19:53:44 (EDT)
C:/.Trashes/501/._68808             2012-05-25 19:57:02 (EDT)
C:/.Trashes/501/._6LtGC4NKwYf       2012-05-25 19:57:48 (EDT)
C:/.Trashes/501/._15OagwAVd9u4Bz    2012-05-25 19:57:46 (EDT)
C:/._21728                          2012-05-25 19:57:46 (EDT)
C:/_8149                            2012-05-25 19:49:56 (EDT)
C:/._28149                          2012-05-25 19:57:48 (EDT)
C:/_8808                            2012-05-25 19:53:44 (EDT)
C:/._68808                          2012-05-25 19:57:02 (EDT)
C:/_8938                            2012-05-25 19:50:24 (EDT)
C:/._28938                          2012-05-25 19:57:50 (EDT)
C:/_2467                            2012-05-25 19:51:14 (EDT)
C:/._52467                          2012-05-25 19:57:46 (EDT)

Now that we had files to analyze, we ran file against them and found that most were reported simply as “data”. Suspecting the files had likely been dorked by DDTek, we took a peek with a hex editor and confirmed that most of them were JPEGs with nulled-out headers.
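As an added example, not part of the original writeup, the following Python script automates the check described above: it spots a file whose leading bytes are zero but whose body still carries a JPEG Start Of Scan marker and ends with an End Of Image marker, and then restores the bytes that JPEG structure lets us deduce. For JFIF files everything before the "JFIF\0" string is constant, so the whole wiped run can be rebuilt; for Exif files only the SOI and APP1 marker are fixed, since the APP1 length differs per file. The sample bytes at the bottom are constructed for the demonstration and are not a decodable picture.

```python
#!/usr/bin/env python3
"""Spot JPEG files whose leading header bytes were zeroed and restore the bytes
that JPEG/JFIF structure lets us deduce (added example, not the writeup's code)."""
from pathlib import Path
from typing import Tuple

SOI = b"\xff\xd8"   # Start Of Image
EOI = b"\xff\xd9"   # End Of Image
SOS = b"\xff\xda"   # Start Of Scan
# Bytes 0-10 of every JFIF file are constant: SOI, APP0 marker, APP0 length 16, "JFIF\0".
JFIF_PREFIX = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
# Bytes 0-3 of an Exif file are constant; the APP1 length that follows varies.
EXIF_PREFIX = b"\xff\xd8\xff\xe1"


def zeroed_prefix_len(data: bytes) -> int:
    """Number of leading 0x00 bytes (the wiped region in the challenge files)."""
    return next((i for i, b in enumerate(data) if b), len(data))


def classify(data: bytes) -> str:
    """'jpeg' (intact), 'nulled-jpeg' (header wiped, body intact) or 'unknown'."""
    if data.startswith(SOI):
        return "jpeg"
    # Without its SOI the file is just "data" to file(1), but the body still
    # carries a Start Of Scan marker and ends with EOI (ignore carving slack).
    body_is_jpeg = SOS in data and data.rstrip(b"\x00").endswith(EOI)
    if body_is_jpeg and 0 < zeroed_prefix_len(data) <= len(JFIF_PREFIX):
        return "nulled-jpeg"
    return "unknown"


def repair_jpeg_header(data: bytes) -> Tuple[bytes, str]:
    """Restore the deducible header bytes; returns (bytes, human-readable note)."""
    if classify(data) != "nulled-jpeg":
        return data, "not a nulled JPEG, left untouched"
    n = zeroed_prefix_len(data)
    if data[6:11] == b"JFIF\x00":
        # Everything before "JFIF\0" is constant, so the whole wiped run is recoverable.
        return JFIF_PREFIX[:n] + data[n:], f"restored {n} JFIF header bytes"
    if data[6:12] == b"Exif\x00\x00":
        note = "restored SOI and APP1 marker"
        if n > len(EXIF_PREFIX):
            note += "; APP1 length bytes may also be damaged, check them by hand"
        return EXIF_PREFIX + data[len(EXIF_PREFIX):], note
    # First segment type unknown: only the two SOI bytes are certain.
    note = "restored SOI marker"
    if n > len(SOI):
        note += "; remaining wiped bytes need manual review"
    return SOI + data[len(SOI):], note


def repair_file(src: Path, dst: Path) -> str:
    """Read a carved file, write the repaired copy to dst, return the note."""
    fixed, note = repair_jpeg_header(src.read_bytes())
    dst.write_bytes(fixed)
    return note


# Constructed sample (not a decodable picture): a JFIF-shaped header, a stub
# quantisation table, a Start Of Scan, a few entropy-coded bytes and EOI.
SAMPLE_JPEG = (JFIF_PREFIX + b"\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\xff\xdb\x00\x03\x00" + SOS + b"\x00\x08\x01\x01\x00\x00\x3f\x00"
               + b"\x12\x34\x56" + EOI)
# The same bytes with the first four header bytes wiped, as seen on the challenge image.
SAMPLE_NULLED = b"\x00" * 4 + SAMPLE_JPEG[4:]

if __name__ == "__main__":
    print(classify(SAMPLE_NULLED))                    # nulled-jpeg
    fixed, note = repair_jpeg_header(SAMPLE_NULLED)
    print(note, fixed == SAMPLE_JPEG)                 # restored 5 JFIF header bytes True
```

Note that the wiped run is measured as the leading zero bytes, and byte 4 of a JFIF header (the high byte of the APP0 length) is legitimately 0x00, so a four-byte wipe reports as five; the restored prefix is the same either way. Run repair_file over each carved file before handing the results to stegdetect.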

With that in mind, we corrected the headers and ran StegDetect against all of the images with the sensitivity set to 1.95.

user@host:~/$ stegdetect -s 1.95 *
21638 : negative
53564 : negative
70597 : negative
vol1-C.._1728 : negative
vol1-C.._2467 : outguess(old)(*)
vol1-C.._8149 : negative
vol1-C.._8808 : negative
vol1-C.._8938 : negative
vol1-C...Trashes.501._2467 : outguess(old)(*)
vol1-C...Trashes.501._8808 : negative
vol1-C...Trashes.501._8938 : negative

This revealed that “vol1-C.._2467” and “vol1-C...Trashes.501._2467” were likely stegged with Outguess. Since the only result we could get out of StegBreak was a segfault, we wrapped Outguess in a loop and brute-forced the key with our CTF dictionary. Almost immediately we got a hit with the word “ddtek”.

user@host:~/$ outguess -e -k "ddtek" -r vol1-C.._2467 key
Initalize encoding/decoding tables
Reading vol1-C.._2467....
Extracting usable bits:   1793659 bits
Decode: 12 data after ECC: 4
Steg retrieve: seed: 297, len: 55614
Decode: 55614 data after ECC: 29013

The result of this was a Zip archive. Inside the archive was a file called “98753.pdf”. Within the PDF was a scanned piece of paper which revealed the key “10289bace856ecec07721be5d70efe9d”.
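The dictionary loop described above, written out as an added example rather than the writeup's own script. It assumes the outguess binary is on PATH and uses the same -e, -k and -r flags as the command shown in the writeup. Rather than trusting the exit status, the loop checks the extracted data for a known file signature (the challenge payload was a Zip archive, so "PK" is the one that matters here); the signature table and the usage line are assumptions of this example.

```python
#!/usr/bin/env python3
"""Run `outguess -r` over a carved JPEG with every word of a dictionary and stop
at the first key whose extracted data starts with a known file signature
(added example, not the writeup's code)."""
import shutil
import subprocess
import sys
from pathlib import Path
from typing import Iterable, Optional

# File signatures a CTF payload is likely to carry (the challenge's was a Zip).
SIGNATURES = {
    b"PK\x03\x04": "zip",
    b"%PDF": "pdf",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\x1f\x8b": "gzip",
}


def identify(data: bytes) -> Optional[str]:
    """Name of the signature the buffer starts with, or None for unrecognised bytes."""
    for magic, name in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def try_key(image: Path, key: str, out: Path) -> Optional[str]:
    """Extract with one key; return the detected type of the output, or None.
    Uses the same flags as the writeup: -e (error correction), -k key, -r (retrieve)."""
    if out.exists():
        out.unlink()
    # A wrong key may make outguess fail or write noise, so rely on the
    # signature check of the output rather than on the exit status.
    subprocess.run(["outguess", "-e", "-k", key, "-r", str(image), str(out)],
                   stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, check=False)
    if not out.exists():
        return None
    with out.open("rb") as f:
        return identify(f.read(16))


def dictionary_run(image: Path, words: Iterable[str], out: Path) -> Optional[str]:
    """Return the first word whose extraction carries a known signature, else None."""
    if shutil.which("outguess") is None:
        raise RuntimeError("outguess binary not found on PATH")
    for word in (w.strip() for w in words):
        if word and try_key(image, word, out) is not None:
            return word
    return None


if __name__ == "__main__":
    # usage: outguess_dict.py <carved.jpg> <wordlist.txt> <output-file>
    image, wordlist, out = (Path(a) for a in sys.argv[1:4])
    with wordlist.open(encoding="utf-8", errors="ignore") as fh:
        hit = dictionary_run(image, fh, out)
    if hit:
        print(f"key: {hit}  type: {identify(out.read_bytes()[:16])}")
    else:
        print("no hit")
```

The output file is overwritten on every attempt, so once the loop returns it holds the extraction produced by the reported key and can be unpacked directly.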