Trend Micro CTF 2016 – Forensic 100

Hi guys! Today I will show you how I solved Forensic 100 from TMCTF.

Download the file from here and open it in Wireshark.

You can see that the traffic is encrypted with WEP, the privacy mechanism included in the original IEEE 802.11 standard.


The attacker was sniffing the wireless traffic and looking for a way to crack it.

First, we crack the WEP key from the pcap file.

aircrack-ng is the popular tool for this, so I tried it.


The next step is to decrypt the capture with the key we just recovered.

Use airdecap-ng to decrypt victim.pcap.


This gives us the file victim-dec.pcap.

Then we must find the IP addresses of the sender and the receiver so we can filter out the essential information. The pcap contains a lot of unrelated traffic, which makes it heavier and more complex to read.


Filter on ports whose traffic is not encrypted and focus on IP 192.168.11.3 and IP 192.168.11.2.

Following the stream, we see what we need.


It is a short conversation; decoding the base64 gives us the file location2.zip.


We find the words “Right Niece Dreams”, and the hint from the admin is “Et tu Brute, Then FALL C,A,E,S,A,R”, so the password is “miDNight”, which gives us the secret location.


Then use gps-coordinates.net to look up the location we need.


TMCTF{Stade de France} :))

WhiteHat Contest 11 – Re 1

Hi guys! Here is my writeup for Re1 in WhiteHat Contest 11.

You can download the file here.

We have an ELF64 file. Loading it into IDA Pro (64-bit) and viewing the decompiled source, we find the main function.


The program then checks the input against a string 42 characters long: its first character must be “{”, the next 10 characters must be “53fc275d81”, the 10 characters before the end must be “4938ae4efd”, and the last character must be “}”. After that, the program calls the Confusekey function.

The Confusekey function is responsible for reordering blocks of the string. The input is 42 characters long; skipping the first and last character leaves 40 characters, which are divided into 4 blocks of 10 characters each. We get:

Block 1 = Block 3

Block 2 = Block 4

Block 3 = Block 1

Block 4 = Block 2

So the new string is ‘{’ + Block3 + Block4 + Block1 + Block2 + ‘}’.


Back in the main function, the output of Confusekey is compared with the string {daf29f59034938ae4efd53fc275d81053ed5be8c}.

So we infer that the input we are looking for is {53fc275d81053ed5be8cdaf29f59034938ae4efd}.

Flag = {53fc275d81053ed5be8cdaf29f59034938ae4efd}
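To check the reasoning above, here is an added Python reimplementation of the block permutation (this is my own code, not the challenge binary's): it rebuilds Confusekey from the description, inverts it against the comparison string, and verifies the recovered input passes the prefix/suffix checks that main performs. The function names are mine; the block size, the comparison string and the expected substrings are taken from the writeup.

```python
# Added example: model of the Confusekey block permutation described above.
BLOCK = 10          # each of the 4 blocks between the braces is 10 characters
LENGTH = 42         # '{' + 40 characters + '}'

TARGET = "{daf29f59034938ae4efd53fc275d81053ed5be8c}"   # value main compares against


def confusekey(s: str) -> str:
    """Reorder the four blocks between the braces as 3, 4, 1, 2."""
    if len(s) != LENGTH or s[0] != "{" or s[-1] != "}":
        raise ValueError("expected a 42-character string wrapped in braces")
    body = s[1:-1]
    b1, b2, b3, b4 = (body[i:i + BLOCK] for i in range(0, 4 * BLOCK, BLOCK))
    return "{" + b3 + b4 + b1 + b2 + "}"


def unconfuse(target: str) -> str:
    """Invert confusekey.  Swapping 1<->3 and 2<->4 is its own inverse,
    so applying the permutation again undoes it."""
    return confusekey(target)


def passes_main_checks(s: str) -> bool:
    """The fixed-position checks main performs before calling Confusekey."""
    return (len(s) == LENGTH
            and s[0] == "{"
            and s[1:11] == "53fc275d81"       # 10 characters after '{'
            and s[-11:-1] == "4938ae4efd"     # 10 characters before '}'
            and s[-1] == "}")


def recover_flag() -> str:
    """Derive the accepted input from TARGET and confirm it round-trips."""
    flag = unconfuse(TARGET)
    if confusekey(flag) != TARGET or not passes_main_checks(flag):
        raise RuntimeError("permutation model does not match the binary's checks")
    return flag


if __name__ == "__main__":
    print(recover_flag())
```

Running it prints the same flag as above; the self-check in `recover_flag` is the useful part, since it confirms that the prefix and suffix main tests for are exactly blocks 1 and 4 of the recovered input.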


WhiteHat Contest 11 – For 200 WYGINWYS (what you get is not what you see)

Hi guys! Today I will show you how I got Forensic 200 – What you get is not what you see 😀

You can download the file here.

Extract it and open it with Autopsy.


Then extract the file encrypt.pyc, decompile it with Easy Python Decompiler to get encrypt.py, and read it.

Next, we have to find the file that needs to be decrypted.


Extract the file named “file” (if you use “mount” on Linux you only get the file “file”), then use the decryption code to decrypt it and get the flag.


WhiteHat Contest 11 – For100 Extract Me

Hi guys! Today I will show you how I solved Forensic 100 – Extract Me.

Download the file from here and open it in Wireshark.


Following tcp.stream eq 36, we can see a file transfer in progress.

In tcp.stream eq 37, we can see the header PK…, which marks a zip file (to learn how to recognise file headers, look here), and inside it flag.png. Let’s dump the file and try to open it.


Of course, it is not that easy 😀. You need a password to open it. Searching in the SSL traffic, we find a suspicious certificate issued by Bkav.


You can follow the same writeup to learn how to decrypt the SSL traffic, using factordb and rsatool to create the file private.key.


Decrypt the pcapng file.
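Why a factordb lookup plus rsatool is enough to decrypt the capture: once the certificate's modulus has been factored, every component of the RSA private key follows by arithmetic, and with the server's private key the recorded RSA key exchange can be unwrapped. The Python below is an added illustration of that step, not code from the writeup or from rsatool. It uses a constructed toy modulus built from two close primes (chosen so Fermat's method, standing in for the factordb lookup, factors it immediately), derives d and the CRT parameters as rsatool would, and round-trips a constructed secret. The prime values, the function names and the sample secret are all my own assumptions.

```python
# Added example: rebuilding an RSA private key from a factored modulus.
from math import gcd, isqrt

# Constructed "certificate" key: two nearby primes, as a weak CA might pick.
P_TOY, Q_TOY = 1000003, 1000033
N_TOY = P_TOY * Q_TOY
E_TOY = 65537


def fermat_factor(n: int):
    """Fermat's method: finds p, q fast when they are close together.
    Stands in here for the factordb lookup used in the writeup."""
    a = isqrt(n)
    if a * a < n:
        a += 1
    while True:
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1


def build_private_key(n: int, e: int, p: int, q: int) -> dict:
    """What rsatool computes once p and q are known: d plus the CRT values
    (dp, dq, qinv) that a PEM private key carries."""
    if p * q != n:
        raise ValueError("p * q does not equal n")
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n)")
    d = pow(e, -1, phi)
    return {
        "n": n, "e": e, "d": d, "p": p, "q": q,
        "dp": d % (p - 1),
        "dq": d % (q - 1),
        "qinv": pow(q, -1, p),
    }


def rsa_encrypt(m: int, n: int, e: int) -> int:
    """Textbook RSA with the public key (what the client did to the secret)."""
    return pow(m, e, n)


def rsa_decrypt_crt(c: int, key: dict) -> int:
    """Decrypt with the recovered private key using the CRT (Garner) form."""
    m1 = pow(c, key["dp"], key["p"])
    m2 = pow(c, key["dq"], key["q"])
    h = (key["qinv"] * (m1 - m2)) % key["p"]
    return m2 + h * key["q"]


def recover_and_decrypt(n: int, e: int, ciphertext: int) -> int:
    """Full chain: factor the modulus, rebuild the key, decrypt the value."""
    p, q = fermat_factor(n)
    key = build_private_key(n, e, p, q)
    return rsa_decrypt_crt(ciphertext, key)


if __name__ == "__main__":
    secret = 123456789                       # constructed stand-in for the key-exchange secret
    c = rsa_encrypt(secret, N_TOY, E_TOY)    # what would appear in the capture
    print(recover_and_decrypt(N_TOY, E_TOY, c) == secret)
```

The defensive point is the one the challenge makes: a certificate whose modulus can be factored gives no confidentiality to any capture of a plain RSA key exchange, past or future, which is why factorable or shared moduli in server certificates should be treated as a key compromise.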


Let’s extract flag.png 😀


WhiteHat 2015 Global Challenge – Phong Nha Ke Bang – Forensic 200


Download the file here.

The organizers of the contest give us a pcap file. Opening it, we see a lot of TCP traffic; this is the audio data that the organizers want us to hear.


So we open Conversations for the pcap file and select the TCP tab; there are only TCP transmissions. Then I dump the data with Follow Stream -> Save As file. The raw data is 801 kB.


The next step requires some experience: we drop the file into Audacity, and the software shows an error.


Next, we choose File -> Import -> Raw Data.
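Audacity's raw import is needed because the dumped stream is bare PCM samples with no container header, so a normal open fails. As an added example (my own code, not part of the writeup), the Python below does the equivalent by hand: it prepends a RIFF/WAVE header to a raw sample buffer so any player or the standard `wave` module can open it. The writeup does not state which sample rate, width and channel count worked for the challenge, so the 8 kHz / 16-bit / mono defaults here are assumptions, and the raw input is a constructed sine tone standing in for the dumped TCP payload.

```python
# Added example: wrapping a raw PCM dump in a WAV header (what "Import Raw Data" does).
import io
import math
import struct
import wave


def wrap_pcm_as_wav(raw: bytes, sample_rate: int = 8000,
                    sample_width: int = 2, channels: int = 1) -> bytes:
    """Prepend a 44-byte canonical WAV header (PCM, format tag 1) to raw samples.
    The rate/width/channels are guesses the analyst adjusts until audio sounds right."""
    block_align = channels * sample_width
    byte_rate = sample_rate * block_align
    data_len = len(raw) - (len(raw) % block_align)   # drop a trailing partial frame
    header = b"RIFF" + struct.pack("<I", 36 + data_len) + b"WAVE"
    header += b"fmt " + struct.pack("<IHHIIHH", 16, 1, channels, sample_rate,
                                     byte_rate, block_align, 8 * sample_width)
    header += b"data" + struct.pack("<I", data_len)
    return header + raw[:data_len]


def synth_pcm(seconds: float = 0.5, freq: float = 440.0,
              sample_rate: int = 8000) -> bytes:
    """Constructed stand-in for the dumped stream: 16-bit little-endian mono sine."""
    n = int(seconds * sample_rate)
    return b"".join(
        struct.pack("<h", int(12000 * math.sin(2 * math.pi * freq * i / sample_rate)))
        for i in range(n)
    )


def wav_info(wav_bytes: bytes):
    """Parse the result with the standard library to prove the header is valid.
    Returns (sample_rate, sample_width, channels, frame_count)."""
    with wave.open(io.BytesIO(wav_bytes)) as w:
        return w.getframerate(), w.getsampwidth(), w.getnchannels(), w.getnframes()


if __name__ == "__main__":
    raw = synth_pcm()                    # in practice: open("stream.raw", "rb").read()
    wav = wrap_pcm_as_wav(raw)
    print(wav_info(wav))
    with open("stream.wav", "wb") as f:  # now opens in any player
        f.write(wav)
```

If the guessed parameters are wrong the file still opens, but plays too fast, too slow or as noise; that is the same trial-and-error the Audacity dialog asks for, just scriptable.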


Last but not least, we listen carefully to get the flag:

Whitehat md5 of pcm underscore stream in and underscore and underscore twenty-fifteen all lowercase

WhiteHat md5 pcm_stream__in_2015