Saturday, 31 August 2013

ASIS CTF 2013 - Forensics 75 - rm-rf

Task:
We have received a USB flash backup. Which file is the flag in?
file

Firstly I opened this dump in FTK Imager to look for deleted files. It showed nothing of interest, just a lot of files: some pictures and .svn repository files. I used The Sleuth Kit to list deleted files with the command
fls -r -d for-75.img
which showed a lot of junk and a couple of files that looked like promising places to find a flag.
r/r * 8221:    files/ejabberd/xmlrpc-1.13/src/tcp_serv.erl
r/r * 8232:    files/ejabberd/xmlrpc-1.13/ebin/tcp_serv.beam
However, that wasn't the solution. I also tried to find the original xmlrpc and ejabberd-modules sources and compare them against the recovered files to spot a difference, but that seemed too difficult given how many teams solved this task. So I opened the dump in a hex editor and searched for a flag by matching "ASIS_". The second match was the flag to this challenge.
It was stored in a text (tEXt) chunk of a PNG image. Incidentally, it would also have been easy to run strings over the dump and look for the flag among the output.
So the flag was ASIS_b34c5b5b1b78cf9f352099aa35610ced.
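Both approaches described above, the raw "ASIS_" search and pulling text chunks out of PNGs, can be scripted so that a carved chunk is also checked for integrity (a bad CRC tells you the image on disk is partially overwritten). The script below is an added example, not part of the original writeup or the challenge: it builds a constructed stand-in for for-75.img (filesystem junk, a decoy "ASIS_" string, and a minimal PNG whose Comment chunk holds a placeholder flag), then carves every PNG by signature, walks its chunks, decodes tEXt/zTXt metadata, and separately greps the whole image for the flag prefix. The file name for-75.img and the "ASIS_" prefix come from the post; the sample bytes and the placeholder flag are constructed here.

```python
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Constructed placeholder with the flag's shape (prefix + 32 hex chars); not the real flag.
SAMPLE_FLAG = b"ASIS_" + b"00112233" * 4


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one chunk: 4-byte big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(text_entries) -> bytes:
    """Minimal valid 1x1 8-bit greyscale PNG carrying the given (keyword, text) tEXt chunks."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    chunks = [png_chunk(b"IHDR", ihdr)]
    chunks += [png_chunk(b"tEXt", k + b"\x00" + v) for k, v in text_entries]
    chunks += [png_chunk(b"IDAT", idat), png_chunk(b"IEND", b"")]
    return PNG_SIGNATURE + b"".join(chunks)


def build_sample_image() -> bytes:
    """Constructed stand-in for for-75.img: junk, a decoy ASIS_ string, one PNG, more junk."""
    junk = b"\x00" * 64 + b".svn/entries\x00" + b"ASIS_CTF_2013_README.txt\x00" + b"\xff" * 32
    png = build_sample_png([(b"Software", b"constructed"), (b"Comment", SAMPLE_FLAG)])
    return junk + png + b"tcp_serv.erl\x00" + b"\x00" * 64


def iter_png_chunks(buf: bytes, start: int):
    """Walk the chunks of a PNG whose signature sits at buf[start:].
    Yields (type, data, crc_ok); stops at IEND or as soon as the stream is truncated,
    which is what a partially overwritten file on a disk image looks like."""
    pos = start + len(PNG_SIGNATURE)
    while pos + 12 <= len(buf):
        length, ctype = struct.unpack(">I4s", buf[pos:pos + 8])
        end = pos + 8 + length
        if end + 4 > len(buf):
            return  # bogus length or remainder of the file is gone
        data = buf[pos + 8:end]
        (stored_crc,) = struct.unpack(">I", buf[end:end + 4])
        crc_ok = (zlib.crc32(ctype + data) & 0xFFFFFFFF) == stored_crc
        yield ctype, data, crc_ok
        if ctype == b"IEND":
            return
        pos = end + 4


def decode_text_chunk(ctype: bytes, data: bytes):
    """Return (keyword, text) for tEXt and zTXt chunks, None for anything else."""
    if ctype == b"tEXt":
        key, _, text = data.partition(b"\x00")
        return key.decode("latin-1"), text.decode("latin-1")
    if ctype == b"zTXt":
        key, _, rest = data.partition(b"\x00")
        if rest[:1] != b"\x00":  # only compression method 0 (zlib) is defined
            return None
        try:
            return key.decode("latin-1"), zlib.decompress(rest[1:]).decode("latin-1")
        except zlib.error:
            return None
    return None


def carve_png_text(buf: bytes):
    """Carve every PNG by signature and collect its textual metadata.
    Returns [(png_offset, keyword, text, crc_ok), ...]."""
    found = []
    offset = buf.find(PNG_SIGNATURE)
    while offset != -1:
        for ctype, data, crc_ok in iter_png_chunks(buf, offset):
            entry = decode_text_chunk(ctype, data)
            if entry is not None:
                found.append((offset, entry[0], entry[1], crc_ok))
        offset = buf.find(PNG_SIGNATURE, offset + 1)
    return found


def grep_flag_prefix(buf: bytes, prefix: bytes = b"ASIS_"):
    """The hex-editor search: every offset of the prefix plus the printable run after it."""
    pattern = re.escape(prefix) + rb"[\x20-\x7e]*"
    return [(m.start(), m.group()) for m in re.finditer(pattern, buf)]


if __name__ == "__main__":
    image = build_sample_image()
    for off, key, text, ok in carve_png_text(image):
        print(f"PNG@{off}: {key} = {text!r} (crc {'ok' if ok else 'BAD'})")
    for off, hit in grep_flag_prefix(image):
        print(f"prefix hit @{off}: {hit!r}")
```

Against a real image, read the file with `open(path, "rb").read()` (or memory-map it) and pass the bytes to the two functions. The prefix grep reproduces the hex-editor search, decoy hits included; the chunk walk tells you which carved PNG actually carried the text and whether that chunk's CRC still matches.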
