| tags:Forensics categories:Writeups series:Hack The Vote 2016
Hack The Vote - Lockpicking
we’re given a PNG file:
lockpicking.png
First thing to notice is it’s pretty big at 41M. So let’s take a closer look at it:
$ pngcheck -vt lockpicking.ec95daebcc116c7f27e892d61a1333372e8903a039267e083a857a41deb37070.png
File: lockpicking.ec95daebcc116c7f27e892d61a1333372e8903a039267e083a857a41deb37070.png (42964010 bytes)
chunk IHDR at offset 0x0000c, length 13
1692 x 672 image, 24-bit RGB, non-interlaced
chunk IDAT at offset 0x00025, length 65536
zlib: deflated, 32K window, default compression
chunk IDAT at offset 0x10031, length 65536
chunk IDAT at offset 0x2003d, length 65536
chunk IDAT at offset 0x30049, length 65536
chunk IDAT at offset 0x40055, length 65536
chunk IDAT at offset 0x50061, length 65536
chunk IDAT at offset 0x6006d, length 65536
chunk IDAT at offset 0x70079, length 65536
chunk IDAT at offset 0x80085, length 65536
chunk IDAT at offset 0x90091, length 65536
chunk IDAT at offset 0xa009d, length 65536
chunk IDAT at offset 0xb00a9, length 65536
chunk IDAT at offset 0xc00b5, length 65536
chunk IDAT at offset 0xd00c1, length 65536
chunk IDAT at offset 0xe00cd, length 65536
chunk IDAT at offset 0xf00d9, length 65536
chunk IDAT at offset 0x1000e5, length 65536
chunk IDAT at offset 0x1100f1, length 65536
chunk IDAT at offset 0x1200fd, length 65536
chunk IDAT at offset 0x130109, length 65536
chunk IDAT at offset 0x140115, length 24188
chunk IEND at offset 0x145f9d, length 0
additional data after IEND chunk
ERRORS DETECTED in lockpicking.ec95daebcc116c7f27e892d61a1333372e8903a039267e083a857a41deb37070.png
$ zsteg lockpicking.ec95daebcc116c7f27e892d61a1333372e8903a039267e083a857a41deb37070.png
[?] 41628805 bytes of extra data after image end (IEND), offset = 0x145fa5
extradata:0 ..
00000000: 38 7a bc af 27 1c 00 04 6a fe f5 c8 c0 8e 6c 02 |8z..'...j.....l.|
00000010: 00 00 00 00 29 00 00 00 00 00 00 00 fa ba 6a 17 |....).........j.|
00000020: b8 ed d8 f3 ae c5 65 fb 41 d6 95 7c bc 81 2e c3 |......e.A..|....|
00000030: c7 92 5c bc 92 db 8b 57 5f 05 00 65 29 e6 ce 8f |..\....W_..e)...|
00000040: 6b b0 32 0d fc aa d6 b1 bb 7b f5 59 4f 7c 20 78 |k.2......{.YO| x|
00000050: de 96 5a fe 71 8b 7b 7d 51 30 cf c3 37 d7 0d 89 |..Z.q.{}Q0..7...|
00000060: 7b 00 a1 16 17 f2 6d 1a 4d 8b ce fd 78 00 90 c1 |{.....m.M...x...|
00000070: d4 1a 49 03 8a 34 66 2e 2c 66 ab e2 b5 9f bc 1c |..I..4f.,f......|
00000080: b1 7f e1 89 21 6f c1 e1 c2 9a a2 69 02 1e 4a a6 |....!o.....i..J.|
00000090: 0d 20 84 87 8d b8 98 18 3e 43 81 40 b2 aa 8d 56 |. ......>C.@...V|
000000a0: db ff 68 5a fb d7 14 e9 0c e8 40 43 f7 69 30 52 |..hZ......@C.i0R|
000000b0: 57 46 1d 5e af 2b e2 ed 97 4e 0f fb e6 f9 84 ee |WF.^.+...N......|
000000c0: 41 58 fe cd c7 c8 0c 0d 27 c5 dc 3d 68 fb 08 f4 |AX......'..=h...|
000000d0: 53 bf fc 1e 0d 6b f8 b5 77 04 29 ef f1 ad 24 68 |S....k..w.)...$h|
000000e0: 1c f9 c7 ce 02 45 d5 57 14 f6 1a 32 55 d2 fe 76 |.....E.W...2U..v|
000000f0: aa 1d 89 83 a5 6d c3 ec 42 0d 72 21 3e 9f dd ee |.....m..B.r!>...|
imagedata .. text: "\n\n\t\r\r\r\r\r"
b1,b,lsb,xy .. text: "SuperS3cur3P4ssw0rdTh4tY0uW1llN3v3rEv3rGu3s5OrBr00tf0rceMuahahahaha"
b1,bgr,lsb,xy .. text: "n{cW~Brb"
b2,g,lsb,xy .. text: "(<|)r\"oW"
b3,bgr,msb,xy .. text: "dlU1H/W^"
b4,r,lsb,xy .. text: "DVv2S%e4%ffQBF"
b4,g,lsb,xy .. text: "/)Th#0G`"
b4,b,lsb,xy .. text: "gge1B5dE"
That’s interesting, there’s trailing data (starting with 8z) and a password: SuperS3cur3P4ssw0rdTh4tY0uW1llN3v3rEv3rGu3s5OrBr00tf0rceMuahahahaha. So let’s try to extract the trailing data:
$ # +1335206 = 0x145fa5 + 1
$ tail -c +1335206 lockpicking.ec95daebcc116c7f27e892d61a1333372e8903a039267e083a857a41deb37070.png > trailing_data
$ file trailing_data
trailing_data: data
Substituting the first byte of the data with a 7 gives us a valid 7zip archive:
$ xxd trailing_data | head -n1
00000000: 377a bcaf 271c 0004 6afe f5c8 c08e 6c02 7z..'...j.....l.
$ file trailing_data
trailing_data: 7-zip archive data, version 0.4
$ 7z x foo.7z
7-Zip [64] 15.09 beta : Copyright (c) 1999-2015 Igor Pavlov : 2015-10-16
p7zip Version 15.09 beta (locale=utf8,Utf16=on,HugeFiles=on,64 bits,8 CPUs x64)
Scanning the drive for archives:
1 file, 41628806 bytes (40 MiB)
Extracting archive: foo.7z
Enter password (will not be echoed): SuperS3cur3P4ssw0rdTh4tY0uW1llN3v3rEv3rGu3s5OrBr00tf0r
WARNINGS:
There are data after the end of archive
--
Path = trailing_data
Type = 7z
WARNINGS:
There are data after the end of archive
Physical Size = 40668937
Tail Size = 959869
Headers Size = 185
Method = LZMA2:24 7zAES
Solid = -
Blocks = 1
Everything is Ok
Archives with Warnings: 1
Warnings: 1
Size: 40758153
Compressed: 41628806
This gives us a rather large MP4-File, S3CR3T:
$ file S3CR3T
S3CR3T: ISO Media, MPEG v4 system, version 1
Also, interesting: “There are data after the end of archive": Let’s check that out:
$ binwalk trailing_data
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 7-zip archive data, version 0.4
40668937 0x26C8F09 PNG image, 970 x 450, 8-bit/color RGB, non-interlaced
40669056 0x26C8F80 Zlib compressed data, best compression
Huh, another png? let’s extract it:
$ tail -c +40668938 trailing_data > foo.png
$ file foo.png
foo.png: PNG image data, 970 x 450, 8-bit/color RGB, non-interlaced
keys.png
However, it seems like that image didn’t have anything further to hide…. So maybe the MP4 File? After some searching, I found this blog Post about using MP4 files as TrueCrypt containers. In this context, the image of keys hints that it is used as a key file for the truecrypt container. Unfortunately, I spent a few minutes trying to set up TrueCrypt and failing, until:
2016-11-06 23:57:28 @plonk nurfed: can you check if it is truecrypt? I can't install it rn
2016-11-06 23:57:43 @plonk I have the feeling the mp4 is some container and the keys image is the key
2016-11-06 23:58:06 &nurfed plonk: do you have a pass.
2016-11-06 23:58:17 @plonk nurfed can't you use a file as a key?
2016-11-06 23:59:39 &nurfed The volume "/home/nurfed/ctf/pwnvote/for/5/S3CR3T" is already mounted.
2016-11-06 23:59:40 &nurfed eh
2016-11-06 23:59:42 &nurfed wtf
2016-11-07 00:00:06 nsr it's over
2016-11-07 00:00:40 @plonk nurfed, can you get me a flag?
2016-11-07 00:00:50 &nurfed plonk: idk where it is mounted
2016-11-07 00:00:57 @plonk it is truecrypt
2016-11-07 00:01:03 @plonk admin confirmed
2016-11-07 00:01:03 TiHebTak game over it seems
2016-11-07 00:01:04 &nurfed idk truecrypt...
2016-11-07 00:01:27 TiHebTak gg guys
2016-11-07 00:01:37 @immerse gg, it was fun to have everyone playing :)
2016-11-07 00:01:39 nsr pretty close to #1 :/
2016-11-07 00:01:46 nsr ccm was missing, due to broken box :<
2016-11-07 00:01:54 @plonk yeah, and really fucking close to solving last forensics
2016-11-07 00:02:06 nsr and also that web
2016-11-07 00:02:13 nsr 1h more time would've been nice :P
2016-11-07 00:02:36 TiHebTak we collaborated better this time, that makes it much more fun
2016-11-07 00:02:58 &nurfed flag{p4dl0ck5_us3_A3S_n0w4d4ys_wh0_kn3w}µ
2016-11-07 00:03:29 nsr welp, damn
2016-11-07 00:03:29 @plonk shit
2016-11-07 00:03:37 TiHebTak aww
2016-11-07 00:03:59 &nurfed it auto mounts to /mnt/ ...
2016-11-07 00:04:07 &nurfed how the shit should I know where it mounts
2016-11-07 00:04:15 &nurfed my usb's dont mount in /mnt ><
2016-11-07 00:04:17 @plonk nurfed: don't worry
2016-11-07 00:04:49 &nurfed plonk: if you said truecrypt a bit earlier
2016-11-07 00:04:52 &nurfed daamn
2016-11-07 00:05:20 &nurfed LOL
2016-11-07 00:05:22 nsr funneh
2016-11-07 00:06:15 @plonk sorry
2016-11-07 00:06:43 &nurfed I submitted the flag
2016-11-07 00:06:56 &nurfed but it didnt give points anymore :P
2016-11-07 00:07:32 @plonk ah well, #2
2016-11-07 00:07:43 nsr with that fflag it would've been #1
2016-11-07 00:07:44 nsr so classic
2016-11-07 00:07:45 nsr :D
2016-11-07 00:07:47 @plonk sorry, I should have communicated more
2016-11-07 00:07:51 @plonk I was setting up tc
2016-11-07 00:07:54 @plonk and didn't work
2016-11-07 00:07:55 &nurfed plonk: damn
2016-11-07 00:08:00 @plonk then panicked and asked you
2016-11-07 00:08:00 &nurfed I have like everything
2016-11-07 00:08:05 @plonk should have asked you first
2016-11-07 00:08:14 @plonk I'm sorry
2016-11-07 00:08:25 &nurfed I panicked because I didnt know where it mounted
2016-11-07 00:08:32 @plonk lol
For me the main takeaway here is that especially when timing is tight, communication is trivial and it’s definitely worth dumping knowldedge for others to see earlier rather than later. But all in all, shits and giggles and cograts to DragonSector!
nurfed & plonk