[2018_Sharif_CTF] Client01(75)


Exercise

Attached file is the homepage of the client01. He knows the flag.

[그림] exercise

Solution

The task is to find the flag somewhere inside the attached home directory of Client01 (the challenge calls it his "homepage"). Unpacking the archive gives the directory tree below. A plain tree only shows the usual XDG folders; listing with ls -al reveals that most of the interesting entries are hidden dot-files (shell profiles, .gnupg, .mozilla, .thunderbird, X session logs).

 jsh05042@Macs-MacBook-Pro  ~/Desktop/CTF/2018_Sharif_CTF/Forensic/75_Client01
 tree ./client01
./client01
├── Desktop
├── Documents
├── Downloads
├── Music
├── Pictures
├── Public
├── Templates
└── Videos

jsh05042@Macs-MacBook-Pro  ~/Desktop/CTF/2018_Sharif_CTF/Forensic/75_Client01
ls -alr ./client01
total 104
drwxr-xr-x@  2 jsh05042  staff     68  1 21 16:33 Videos
drwxr-xr-x@  2 jsh05042  staff     68  1 21 16:33 Templates
drwxr-xr-x@  2 jsh05042  staff     68  1 21 16:33 Public
drwxr-xr-x@  2 jsh05042  staff     68  1 21 16:33 Pictures
drwxr-xr-x@  2 jsh05042  staff     68  1 21 16:33 Music
drwxr-xr-x@  2 jsh05042  staff     68  1 21 16:33 Downloads
drwxr-xr-x@  2 jsh05042  staff     68  1 21 16:33 Documents
drwxr-xr-x@  2 jsh05042  staff     68  1 21 16:33 Desktop
-rw-------@  1 jsh05042  staff   7046  1 21 16:44 .xsession-errors.old
-rw-------@  1 jsh05042  staff   7072  1 24 14:13 .xsession-errors
drwxr-xr-x@  6 jsh05042  staff    204  2 15 19:12 .thunderbird
-rw-r--r--@  1 jsh05042  staff    675  1 21 16:20 .profile
drwxr-xr-x@  5 jsh05042  staff    170  2 15 19:12 .mozilla
drwxr-xr-x@  4 jsh05042  staff    136  2 15 19:12 .local
drwxr-xr-x@  4 jsh05042  staff    136  2 15 19:12 .gnupg
drwx------@  2 jsh05042  staff     68  1 21 16:33 .gconf
-rw-r--r--@  1 jsh05042  staff     55  1 21 16:33 .dmrc
drwxr-xr-x@ 12 jsh05042  staff    408  2 15 19:12 .config
drwxr-xr-x@  6 jsh05042  staff    204  2 15 19:12 .cinnamon
drwxr-xr-x@  7 jsh05042  staff    238  2 15 19:11 .cache
-rw-r--r--@  1 jsh05042  staff   3526  1 21 16:20 .bashrc
-rw-r--r--@  1 jsh05042  staff    220  1 21 16:20 .bash_logout
-rw-------@  1 jsh05042  staff     51  1 24 14:09 .Xauthority
-rw-------@  1 jsh05042  staff    632  1 24 14:09 .ICEauthority
-rw-r--r--@  1 jsh05042  staff  10244  2 15 19:12 .DS_Store
drwxr-xr-x   6 jsh05042  staff    204  2 15 19:11 ..
drwxr-xr-x@ 27 jsh05042  staff    918  2 15 19:11 .

Grepping the tree for the string "flag" returns hits in a number of files. Most of them are noise: the .msf files are Thunderbird's Mork index files, which have a column literally named "flags", and the "Binary file ... matches" lines for places.sqlite and secmod.db are just coincidental byte matches. The two hits worth following are the mbox files INBOX and Trash, which each contain a message header "Subject: flag".

jsh05042@Macs-MacBook-Pro  ~/Desktop/CTF/2018_Sharif_CTF/Forensic/75_Client01
 grep -r "flag" ./client01
Binary file ./client01/.mozilla/firefox/c3a958fk.default/places.sqlite matches
Binary file ./client01/.mozilla/firefox/c3a958fk.default/secmod.db matches
./client01/.thunderbird/5bd7jhog.default/blocklist-addons.json:        "why": "Certain versions of this add-on contains an executable that is flagged by multiple tools as malware. Newer versions no longer use it.",
Binary file ./client01/.thunderbird/5bd7jhog.default/calendar-data/local.sqlite matches
Binary file ./client01/.thunderbird/5bd7jhog.default/global-messages-db.sqlite matches
./client01/.thunderbird/5bd7jhog.default/ImapMail/imap.gmail.com/[Gmail].msf:  (84=references)(85=recipients)(86=date)(87=size)(88=flags)(89=priority)
./client01/.thunderbird/5bd7jhog.default/ImapMail/imap.gmail.com/[Gmail].sbd/All Mail.msf:  (86=date)(87=size)(88=flags)(89=priority)(8A=label)(8B=statusOfset)
./client01/.thunderbird/5bd7jhog.default/ImapMail/imap.gmail.com/[Gmail].sbd/All Mail.msf:<(93=flag)>[3:^9A(^95^93)]
./client01/.thunderbird/5bd7jhog.default/ImapMail/imap.gmail.com/[Gmail].sbd/All Mail.msf:    ={"threadCol":{"visible":true,"ordinal":"1"},"flaggedCol":{"visible":true,\
./client01/.thunderbird/5bd7jhog.default/ImapMail/imap.gmail.com/[Gmail].sbd/Drafts.msf:  (84=references)(85=recipients)(86=date)(87=size)(88=flags)(89=priority)
./client01/.thunderbird/5bd7jhog.default/ImapMail/imap.gmail.com/[Gmail].sbd/Drafts.msf:    ={"threadCol":{"visible":true},"attachmentCol":{"visible":true},"flaggedCo\
./client01/.thunderbird/5bd7jhog.default/ImapMail/imap.gmail.com/[Gmail].sbd/Important.msf:  (87=size)(88=flags)(89=priority)(8A=label)(8B=statusOfset)(8C=numLines)
./client01/.thunderbird/5bd7jhog.default/ImapMail/imap.gmail.com/[Gmail].sbd/Important.msf:    ={"threadCol":{"visible":true,"ordinal":"1"},"flaggedCol":{"visible":true,\
./client01/.thunderbird/5bd7jhog.default/ImapMail/imap.gmail.com/[Gmail].sbd/Sent Mail.msf:  (88=flags)(89=priority)(8A=label)(8B=statusOfset)(8C=numLines)
./client01/.thunderbird/5bd7jhog.default/ImapMail/imap.gmail.com/[Gmail].sbd/Sent Mail.msf:    ={"threadCol":{"visible":true},"attachmentCol":{"visible":true},"flaggedCo\
./client01/.thunderbird/5bd7jhog.default/ImapMail/imap.gmail.com/[Gmail].sbd/Spam.msf:  (88=flags)(89=priority)(8A=label)(8B=statusOfset)(8C=numLines)
./client01/.thunderbird/5bd7jhog.default/ImapMail/imap.gmail.com/[Gmail].sbd/Spam.msf:    ={"threadCol":{"visible":true,"ordinal":"1"},"flaggedCol":{"visible":true,\
./client01/.thunderbird/5bd7jhog.default/ImapMail/imap.gmail.com/[Gmail].sbd/Starred.msf:  (84=references)(85=recipients)(86=date)(87=size)(88=flags)(89=priority)
./client01/.thunderbird/5bd7jhog.default/ImapMail/imap.gmail.com/[Gmail].sbd/Trash:Subject: flag
./client01/.thunderbird/5bd7jhog.default/ImapMail/imap.gmail.com/[Gmail].sbd/Trash.msf:  (84=references)(85=recipients)(86=date)(87=size)(88=flags)(89=priority)
./client01/.thunderbird/5bd7jhog.default/ImapMail/imap.gmail.com/[Gmail].sbd/Trash.msf:  (AA=flag)(AB
./client01/.thunderbird/5bd7jhog.default/ImapMail/imap.gmail.com/[Gmail].sbd/Trash.msf:    ={"threadCol":{"visible":true,"ordinal":"1"},"flaggedCol":{"visible":true,\
./client01/.thunderbird/5bd7jhog.default/ImapMail/imap.gmail.com/Archives.msf:  (84=references)(85=recipients)(86=date)(87=size)(88=flags)(89=priority)
./client01/.thunderbird/5bd7jhog.default/ImapMail/imap.gmail.com/Drafts.msf:  (84=references)(85=recipients)(86=date)(87=size)(88=flags)(89=priority)
./client01/.thunderbird/5bd7jhog.default/ImapMail/imap.gmail.com/INBOX:Subject: flag
./client01/.thunderbird/5bd7jhog.default/ImapMail/imap.gmail.com/INBOX.msf:  (88=flags)(89=priority)(8A=label)(8B=statusOfset)(8C=numLines)
./client01/.thunderbird/5bd7jhog.default/ImapMail/imap.gmail.com/INBOX.msf:    ={"threadCol":{"visible":true,"ordinal":"1"},"flaggedCol":{"visible":true,\
./client01/.thunderbird/5bd7jhog.default/ImapMail/imap.gmail.com/Sent.msf:  (84=references)(85=recipients)(86=date)(87=size)(88=flags)(89=priority)
./client01/.thunderbird/5bd7jhog.default/ImapMail/imap.gmail.com/Templates.msf:  (84=references)(85=recipients)(86=date)(87=size)(88=flags)(89=priority)
./client01/.thunderbird/5bd7jhog.default/ImapMail/imap.gmail.com.msf:  (84=references)(85=recipients)(86=date)(87=size)(88=flags)(89=priority)
Binary file ./client01/.thunderbird/5bd7jhog.default/kinto.sqlite matches
./client01/.thunderbird/5bd7jhog.default/Mail/Local Folders/Trash.msf:  (84=references)(85=recipients)(86=date)(87=size)(88=flags)(89=priority)
./client01/.thunderbird/5bd7jhog.default/Mail/Local Folders/Unsent Messages.msf:  (84=references)(85=recipients)(86=date)(87=size)(88=flags)(89=priority)
./client01/.thunderbird/5bd7jhog.default/panacea.dat:  (81=ns:msg:db:table:kind:folders)(82=key)(83=flags)(84=totalMsgs)
Binary file ./client01/.thunderbird/5bd7jhog.default/places.sqlite matches
Binary file ./client01/.thunderbird/5bd7jhog.default/secmod.db matches
./client01/.xsession-errors:    'su', (bus_name, flags)))
./client01/.xsession-errors.old:    'su', (bus_name, flags)))

So the relevant data lives in the .thunderbird profile, in the IMAP mail store under ImapMail/imap.gmail.com. The INBOX file is a plain mbox, so it can be read with any text viewer or an mbox parser. It contains a received e-mail with the subject "flag", and the body holds a single link.

[그림] inbox mail
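The step above (pick the message titled "flag" out of a Thunderbird mbox and pull the URL from its body) can be done without opening Thunderbird. The following is an added example, not part of the original writeup; the mbox content is constructed here to mimic the challenge's INBOX, and the sender addresses are made up. Thunderbird stores each IMAP folder as a standard mbox file, which Python's mailbox module reads directly.

```python
import mailbox
import re
import tempfile
from pathlib import Path

# Constructed sample in Thunderbird's mbox format (sender/recipient addresses are
# invented; only the link mirrors the one quoted in the writeup).
SAMPLE_MBOX = b"""From - Mon Jan 22 10:00:00 2018
From: alice@example.com
To: client01@example.com
Subject: lunch
Content-Type: text/plain; charset=utf-8

See you at noon.

From - Mon Jan 22 11:00:00 2018
From: bob@example.com
To: client01@example.com
Subject: flag
Content-Type: text/plain; charset=utf-8

Grab it here: http://www.filehosting.org/file/details/720884/file

"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def message_text(msg):
    """Return the decoded text/plain body of a message (multipart-aware)."""
    chunks = []
    for part in msg.walk():  # walk() yields the message itself when not multipart
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        chunks.append(payload.decode(charset, errors="replace"))
    return "\n".join(chunks)


def find_messages(mbox_path, subject_keyword):
    """Return (subject, sender, urls) for every message whose Subject contains the keyword."""
    results = []
    for msg in mailbox.mbox(mbox_path):
        subject = msg.get("Subject", "")
        if subject_keyword.lower() not in subject.lower():
            continue
        urls = URL_RE.findall(message_text(msg))
        results.append((subject, msg.get("From", ""), urls))
    return results


def demo():
    """Write the constructed mbox to a temp file and search it like the real INBOX."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "INBOX"
        path.write_bytes(SAMPLE_MBOX)
        return find_messages(str(path), "flag")


if __name__ == "__main__":
    for subject, sender, urls in demo():
        print(subject, sender, urls)
```

On the real profile, point find_messages at .thunderbird/<profile>/ImapMail/imap.gmail.com/INBOX (and Trash, which also matched) instead of the temp file.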

Following the link http://www.filehosting.org/file/details/720884/file leads to a page that asks for an e-mail address; the actual download link is sent to that address rather than served directly.

[그림] file download1

I entered my own address, checked my inbox, received a link to download the file, and was able to download it normally.

[그림] file download2

Running file on the download only reports a generic "data" stream, but looking at the hex dump shows the layout of a PNG: the 8-byte signature at offset 0 has been damaged, while the chunk structure that follows is intact.

[그림] file information

After overwriting the bytes at the signature offset with the correct PNG signature (89 50 4E 47 0D 0A 1A 0A), the image opens and shows the flag. It is slightly cropped, but still readable.
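Fixing the header by hand in a hex editor works, but it is worth checking that only the signature was touched before trusting the image. The script below is an added example, not the author's tooling: it builds a tiny valid PNG in memory, simulates a damaged signature (the writeup does not say which bytes were wrong, so zeroing all eight is an assumption), repairs it, and then walks the chunk list verifying each chunk's length and CRC. If the CRCs check out after the repair, the rest of the file was untouched; if one fails, the damage goes beyond the signature.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def build_png_1x1():
    """Build a minimal 1x1 RGB PNG in memory (constructed test input, not the challenge file)."""
    def chunk(ctype, data):
        body = ctype + data
        return (struct.pack(">I", len(data)) + body
                + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF))
    # IHDR: width, height, bit depth 8, colour type 2 (RGB), compression/filter/interlace 0
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    raw = b"\x00" + b"\xff\x00\x00"  # filter byte 0, then one red pixel
    return (PNG_SIGNATURE + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


def parse_chunks(data):
    """Walk the chunk list after the 8-byte signature, returning (type, length, crc_ok)."""
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("bad PNG signature: %r" % data[:8])
    pos = 8
    chunks = []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if len(body) != length:
            raise ValueError("truncated chunk %r" % ctype)
        stored_crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        actual_crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        chunks.append((ctype.decode("ascii"), length, stored_crc == actual_crc))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks


def looks_like_damaged_png(data):
    """Heuristic: signature is wrong but an IHDR chunk sits at offset 12, where PNG keeps it."""
    return data[:8] != PNG_SIGNATURE and data[12:16] == b"IHDR"


def repair_signature(data):
    """Overwrite the first 8 bytes with the canonical PNG signature."""
    return PNG_SIGNATURE + data[8:]


def demo():
    """Damage a known-good PNG, repair it, and confirm the chunks still verify."""
    good = build_png_1x1()
    damaged = b"\x00" * 8 + good[8:]  # assumed damage: whole signature zeroed
    if not looks_like_damaged_png(damaged):
        raise RuntimeError("heuristic did not fire on the damaged sample")
    fixed = repair_signature(damaged)
    return fixed == good, parse_chunks(fixed)


if __name__ == "__main__":
    restored, chunks = demo()
    print("restored bytes match original:", restored)
    for ctype, length, crc_ok in chunks:
        print(ctype, length, "CRC ok" if crc_ok else "CRC MISMATCH")
```

For a real file, read it with open(path, "rb"), run looks_like_damaged_png on it, write repair_signature(data) to a new file, and inspect parse_chunks on the result before opening it in a viewer.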

[그림] signature fix

[그림] flag

SharifCTF{43215f0c5e005d4e557ddfe3f2e57df0}
