Last time, I tried the Web Exploitation category of picoCTF 2024. Of the 6 problems in total, I could not solve the last 2.
This time, I will continue with picoCTF 2024 and work through all 8 problems in the Forensics category. There are 4 Easy and 4 Medium problems.
Let's get started.
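Introduction
Here is the list of my "Security" articles. Feel free to use it as a reference.
List of security articles
The official picoCTF site is below. It is an English-language site, but it is simple and easy to follow, so you can work through it without trouble.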
picoctf.com
Let's get started.
picoCTF 2024: Forensics
I'll go through the problems in order from the lowest points.
Scan Surprise (50 points)
This is an Easy problem. One ZIP file (challenge.zip) can be downloaded. It also looks like a server (instance) can be launched.
Extracting it gives a PNG file (flag.png). Opening it shows what looks like a QR code. For now, I read the QR code with my smartphone. The flag was displayed. I logged in on the smartphone and submitted the flag right there.
I wonder what the server was for (lol).
Verify (50 points)
This is an Easy problem. One ZIP file (challenge.zip) can be downloaded. It also looks like a server (instance) can be launched.
Extracting it gives a file containing a SHA256 checksum, a shell script for decryption, and 301 files. The task seems to be to find the file whose checksum matches.
First, I compute the SHA256 of every file, save the results to a text file, and look for the match. Found it (451fd69b).
$ find files/ -type f | xargs sha256sum > sha256.txt
Next, I decrypt that file. The shell script has a hard-coded path, so I run the OpenSSL command directly. The flag was displayed.
$ openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 -salt -in 451fd69b -k picoCTF
picoCTF{trust_but_verify_451fd69b}
I didn't use the server this time either.
CanYouSee (100 points)
This is an Easy problem. One ZIP file (unknown.zip) can be downloaded.
Extracting it gives a JPG file (ukn_reality.jpg). I opened it. At a glance, there is nothing that looks like a flag.
I'll try UsaMimi Hurricane (うさみみハリケーン), which I recently obtained. I click "Scan with YARA rules" and start a scan with ukn_reality.jpg as the target. The result came back immediately, reporting picoCTF flag information at offset 0x162. Impressive.
I open the file in a binary editor. At 0x162 there is a run of ASCII characters that looks like Base64. Decoding it displayed the flag.
$ echo -n 'cGljb0NURntNRTc0RDQ3QV9ISUREM05fYTZkZjhkYjh9Cg==' | base64 -d
picoCTF{ME74D47A_HIDD3N_a6df8db8}
Secret of the Polyglot (100 points)
This is an Easy problem. One file (flag2of2-final.pdf) can be downloaded.
Is it really a PDF file? I check. It was a PNG file.
$ file flag2of2-final.pdf
flag2of2-final.pdf: PNG image data, 50 x 50, 8-bit/color RGBA, non-interlaced
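I change the extension and open it. It shows picoCTF{f1u3n7_ so I need to find the rest of the flag.
I open it in a binary editor. Partway through, there is a lot of ASCII text, but I can't find anything that looks like the flag. I scan it with the YARA rules in UsaMimi Hurricane.
The area from 0x69C looks suspicious. It contains the text "xpacket begin". Searching for that, it turns out to be metadata embedded in a PDF. I tried extracting it, and there seems to be a format called XMP.
While trying various things, I threw the file at Chrome and the rest of the flag was displayed. When in doubt, it seems you can just let Chrome read it (lol).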
Mob psycho (200 points)
This is a Medium problem. One file (mobpsycho.apk) can be downloaded.
I take a quick look.
$ file Mob\ psycho/mobpsycho.apk
Mob psycho/mobpsycho.apk: Zip archive data, at least v1.0 to extract, compression method=store
An apk file is a ZIP archive. First, I extract it. It looks like an ordinary apk file.
This time too, I start by scanning with the YARA rules in UsaMimi Hurricane.
I select one of the extracted files, tick "Scan the whole folder containing the target file" and "Scan subfolders too", and click Start scan.
The first hit is classes.dex, at offset 0x6C9CBF. strings cannot extract it. The matching strings condition is picoCTF_Flag_Text_Padding_Reverse. The rule is as follows.
$picoCTF_Flag_Text_Padding_Reverse = {7B [1-32] 46 [1-32] 54 [1-32] 43 [1-32] 6F [1-32] 63 [1-32] 69 [1-32] 70} //picoCTF2022
Convert picoCTF{ to ASCII codes.
$ python -c 'print([f"0x{ord(cc):02X}" for cc in list("picoCTF{")])'
['0x70', '0x69', '0x63', '0x6F', '0x43', '0x54', '0x46', '0x7B']
Then reverse the order. In other words, I think the rule matches picoCTF{ reversed, with a gap of 1 to 32 bytes between each character.
$ python -c 'print(list(reversed([f"0x{ord(cc):02X}" for cc in list("picoCTF{")])))'
['0x7B', '0x46', '0x54', '0x43', '0x6F', '0x63', '0x69', '0x70']
I see. Also, the gaps are not at a constant interval, so I think this hit is just a coincidence.
The next hit is res/color/flag.txt. The name alone is suspicious (lol). Opening the file shows 7069636f4354467b6178386d433052553676655f4e5838356c346178386d436c5f38356462643231357d written in it.
All that's left is to convert it to ASCII.
$ python -c 'hh="7069636f4354467b6178386d433052553676655f4e5838356c346178386d436c5f38356462643231357d"; print("".join([chr(int(hh[ii] + hh[ii+1], base=16)) for ii in range(0, len(hh), 2)]))'
picoCTF{ax8mC0RU6ve_NX85l4ax8mCl_85dbd215}
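To see how loosely the picoCTF_Flag_Text_Padding_Reverse rule quoted above matches, here is an added example (not part of the original post and not the scanner's own code) that turns that hex string into a Python bytes regex and runs it over constructed samples. It assumes only literal bytes and [n-m] jumps appear in the rule; the function names and sample data are made up for the illustration.

```python
import re

# Rule string quoted on the page (its trailing //picoCTF2022 comment is dropped).
RULE = "7B [1-32] 46 [1-32] 54 [1-32] 43 [1-32] 6F [1-32] 63 [1-32] 69 [1-32] 70"


def hex_string_to_regex(rule):
    """Translate a YARA hex string of literal bytes and [n-m] jumps into a bytes regex."""
    parts = []
    for token in rule.split():
        jump = re.fullmatch(r"\[(\d+)-(\d+)\]", token)
        if jump:
            lo, hi = jump.groups()
            # A jump skips lo..hi arbitrary bytes; DOTALL lets "." match 0x0A too.
            parts.append(b".{%s,%s}?" % (lo.encode(), hi.encode()))
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", token):
            parts.append(re.escape(bytes.fromhex(token)))
        else:
            raise ValueError("unsupported token: %r" % token)
    return re.compile(b"".join(parts), re.DOTALL)


def literals(rule):
    """The fixed bytes of the rule, in order, with the jumps removed."""
    return bytes.fromhex("".join(t for t in rule.split() if not t.startswith("[")))


def scan(data, pattern):
    """Return (offset, length) for every non-overlapping hit in data."""
    return [(m.start(), len(m.group())) for m in pattern.finditer(data)]


def padded_reverse(text, gaps, filler=b"\x00"):
    """Constructed sample: text reversed, with gaps[i] filler bytes after character i."""
    rev = text[::-1]
    out = bytearray()
    for i, ch in enumerate(rev):
        out.append(ch)
        if i < len(gaps):
            out += filler * gaps[i]
    return bytes(out)


PATTERN = hex_string_to_regex(RULE)

if __name__ == "__main__":
    print(literals(RULE))
    # Reversed prefix with uneven gaps of 1..32 bytes: the rule hits.
    sample = b"\xaa" * 5 + padded_reverse(b"picoCTF{", [1, 3, 2, 7, 1, 32, 4])
    print(scan(sample, PATTERN))
    # Ordinary forward text and a 33-byte gap: no hit.
    print(scan(b"picoCTF{plain_forward_text}", PATTERN))
    print(scan(padded_reverse(b"picoCTF{", [33, 1, 1, 1, 1, 1, 1]), PATTERN))
```

The rule only requires eight common ASCII bytes in a fixed order with up to 32 arbitrary bytes between each pair, so a hit inside a large binary such as classes.dex needs to be confirmed by looking at the bytes at the reported offset.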
Decompiling the apk file
I took a bit of a detour and decompiled the apk file, so the following is for reference.
I'll decompile it using dex2jar and JD-GUI.
I use dex2jar v2.4 from the Releases page below.
github.com
After extracting it, I run the following. This produced classes-dex2jar.jar.
$ ~/Downloads/dex-tools-v2.4/d2j-dex2jar.sh classes.dex
dex2jar classes.dex -> ./classes-dex2jar.jar
I use JD-GUI 1.6.6 from the Releases page below.
github.com
Extracting it gives jd-gui.exe, which I double-click to launch.
I open classes-dex2jar.jar. The decompiled source code is displayed.
There is also a tool that decompiles and displays an apk directly, which is easier. It is called jadx, linked below.
I try version 1.5.0 from the Releases page below. Being able to point it directly at the apk is convenient.
github.com
Decompiling worked, but there is a lot of code. And this isn't the Reverse Engineering category in the first place.
endianness-v2 (300 points)
This is a Medium problem. One file (challengefile) can be downloaded.
I take a quick look. Hmm, it's just data. UsaMimi Hurricane gives the same analysis result.
$ file challengefile
challengefile: data
I open it in a binary editor. The file is a little under 4 KB. Since the challenge name is about endianness, I try reversing the first bytes:
E0 FF D8 FF → FF D8 FF E0
A web search shows that this matches the start of a JPEG. A JPEG also apparently ends with FF D9, and this file satisfies that as well.
So I implement a Python script that converts the endianness, swapping 4 bytes at a time.
import struct

def fread_bin(fpath):
    # Read the whole file as bytes
    with open(fpath, 'rb') as ff:
        data = ff.read()
    return data

def fwrite_bin(fpath, data):
    # Write bytes to the output file
    with open(fpath, 'wb') as ff:
        ff.write(data)

def endian(fpath, fpath_out):
    data = fread_bin(fpath)
    # Pad with zero bytes to a multiple of 4 so every word can be swapped
    if len(data) % 4 != 0:
        data += b'\x00' * (4 - len(data) % 4)
    assert len(data) % 4 == 0, "fatal"
    bret = b''
    ii = 0
    while ii + 4 <= len(data):
        # Read each 4-byte word as little-endian and write it back as big-endian
        tmp = struct.unpack('<I', data[ii:ii+4])
        bret += struct.pack('>I', tmp[0])
        ii += 4
    fwrite_bin(fpath_out, bret)

endian("../picoCTF/picoCTF2024_Forensics/challengefile", "../picoCTF/picoCTF2024_Forensics/challengefile.jpg")
Running it outputs a JPG file.
$ python tmp.py
Opening the JPG file displayed the flag (picoCTF{cert!f1Ed_iNd!4n_s0rrY_3nDian_76e05f49}).
Blast from the past (300 points)
This is a Medium problem. One image file (original.jpg) can be downloaded. A server can also be launched.
Opening the image file shows just a framed picture.
Maybe I should change the file's timestamp and upload it? For now, I upload the unmodified file to the server.
$ nc -w 2 mimas.picoctf.net 59346 < original.jpg
$ nc mimas.picoctf.net 58619
MD5 of your picture:
06783ef2aa4460a3d267002a28ff12c6 test.out
Checking tag 1/7
Looking at IFD0: ModifyDate
Looking for '1970:01:01 00:00:00'
Found: 2023:11:20 15:46:23
Oops! That tag isn't right. Please try again.
A web search suggests that the touch command can be used. I try it.
$ touch -d "1970/1/1 00:00:00" original.jpg
$ stat original.jpg
File: original.jpg
Size: 2851929 Blocks: 5576 IO Block: 4096 regular file
Device: 0,38 Inode: 189674 Links: 1
Access: (0744/-rwxr--r--) Uid: ( 1000/ user) Gid: ( 1000/ user)
Access: 2024-10-17 21:27:38.861306577 +0900
Modify: 1970-01-01 00:00:00.000000000 +0900
Change: 2024-10-17 21:27:37.757972765 +0900
Birth: 2024-10-17 21:06:18.146412278 +0900
$ nc -w 2 mimas.picoctf.net 59346 < original.jpg
$ nc mimas.picoctf.net 58619
MD5 of your picture:
06783ef2aa4460a3d267002a28ff12c6 test.out
Checking tag 1/7
Looking at IFD0: ModifyDate
Looking for '1970:01:01 00:00:00'
Found: 2023:11:20 15:46:23
Oops! That tag isn't right. Please try again.
Since it shows +0900, I try setting the time 9 hours earlier. Hmm, no good. Looking at the output, it says it found 2023:11:20 15:46:23.
$ touch -d "1969/12/31 15:00:00" original.jpg
$ stat original.jpg
File: original.jpg
Size: 2851929 Blocks: 5576 IO Block: 4096 regular file
Device: 0,38 Inode: 189674 Links: 1
Access: (0744/-rwxr--r--) Uid: ( 1000/ user) Gid: ( 1000/ user)
Access: 2024-10-17 21:30:00.788033547 +0900
Modify: 1969-12-31 15:00:00.000000000 +0900
Change: 2024-10-17 21:29:59.721366434 +0900
Birth: 2024-10-17 21:06:18.146412278 +0900
$ nc -w 2 mimas.picoctf.net 59346 < original.jpg
$ nc mimas.picoctf.net 58619
MD5 of your picture:
06783ef2aa4460a3d267002a28ff12c6 test.out
Checking tag 1/7
Looking at IFD0: ModifyDate
Looking for '1970:01:01 00:00:00'
Found: 2023:11:20 15:46:23
Oops! That tag isn't right. Please try again.
I look at the file with exiftool. There were several occurrences of 2023:11:20 15:46:23.
$ exiftool original.jpg
ExifTool Version Number : 12.57
File Name : original.jpg
Directory : .
File Size : 2.9 MB
File Modification Date/Time : 1969:12:31 15:00:00+09:00
File Access Date/Time : 2024:10:17 21:30:00+09:00
File Inode Change Date/Time : 2024:10:17 21:29:59+09:00
File Permissions : -rwxr--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
Exif Byte Order : Little-endian (Intel, II)
Image Description :
Make : samsung
Camera Model Name : SM-A326U
Orientation : Rotate 90 CW
X Resolution : 72
Y Resolution : 72
Resolution Unit : inches
Software : MediaTek Camera Application
Modify Date : 2023:11:20 15:46:23
Y Cb Cr Positioning : Co-sited
Exposure Time : 1/24
F Number : 1.8
Exposure Program : Program AE
ISO : 500
Sensitivity Type : Unknown
Recommended Exposure Index : 0
Exif Version : 0220
Date/Time Original : 2023:11:20 15:46:23
Create Date : 2023:11:20 15:46:23
Components Configuration : Y, Cb, Cr, -
Shutter Speed Value : 1/24
Aperture Value : 1.9
Brightness Value : 3
Exposure Compensation : 0
Max Aperture Value : 1.8
Metering Mode : Center-weighted average
Light Source : Other
Flash : On, Fired
Focal Length : 4.6 mm
Sub Sec Time : 703
Sub Sec Time Original : 703
Sub Sec Time Digitized : 703
Flashpix Version : 0100
Color Space : sRGB
Exif Image Width : 4000
Exif Image Height : 3000
Interoperability Index : R98 - DCF basic file (sRGB)
Interoperability Version : 0100
Exposure Mode : Auto
White Balance : Auto
Digital Zoom Ratio : 1
Focal Length In 35mm Format : 25 mm
Scene Capture Type : Standard
Compression : JPEG (old-style)
Thumbnail Offset : 1408
Thumbnail Length : 64000
Image Width : 4000
Image Height : 3000
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Time Stamp : 2023:11:21 05:46:21.420+09:00
MCC Data : United States / Guam
Aperture : 1.8
Image Size : 4000x3000
Megapixels : 12.0
Scale Factor To 35 mm Equivalent: 5.4
Shutter Speed : 1/24
Create Date : 2023:11:20 15:46:23.703
Date/Time Original : 2023:11:20 15:46:23.703
Modify Date : 2023:11:20 15:46:23.703
Thumbnail Image : (Binary data 64000 bytes, use -b option to extract)
Circle Of Confusion : 0.006 mm
Field Of View : 71.5 deg
Focal Length : 4.6 mm (35 mm equivalent: 25.0 mm)
Hyperfocal Distance : 2.13 m
Light Value : 4.0
exiftool appears to have a feature for changing the capture time. I try it.
Hmm, it looks like the result is off at the millisecond level.
$ exiftool -AllDates='1970:01:01 00:00:00' -overwrite_original original.jpg
1 image files updated
$ exiftool original.jpg
ExifTool Version Number : 12.57
File Name : original.jpg
Directory : .
File Size : 2.9 MB
File Modification Date/Time : 2024:10:17 21:37:11+09:00
File Access Date/Time : 2024:10:17 21:37:12+09:00
File Inode Change Date/Time : 2024:10:17 21:37:11+09:00
File Permissions : -rwxr--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
Exif Byte Order : Little-endian (Intel, II)
Image Description :
Make : samsung
Camera Model Name : SM-A326U
Orientation : Rotate 90 CW
X Resolution : 72
Y Resolution : 72
Resolution Unit : inches
Software : MediaTek Camera Application
Modify Date : 1970:01:01 00:00:00
Y Cb Cr Positioning : Co-sited
Exposure Time : 1/24
F Number : 1.8
Exposure Program : Program AE
ISO : 500
Sensitivity Type : Unknown
Recommended Exposure Index : 0
Exif Version : 0220
Date/Time Original : 1970:01:01 00:00:00
Create Date : 1970:01:01 00:00:00
Components Configuration : Y, Cb, Cr, -
Shutter Speed Value : 1/24
Aperture Value : 1.9
Brightness Value : 3
Exposure Compensation : 0
Max Aperture Value : 1.8
Metering Mode : Center-weighted average
Light Source : Other
Flash : On, Fired
Focal Length : 4.6 mm
Sub Sec Time : 703
Sub Sec Time Original : 703
Sub Sec Time Digitized : 703
Flashpix Version : 0100
Color Space : sRGB
Exif Image Width : 4000
Exif Image Height : 3000
Interoperability Index : R98 - DCF basic file (sRGB)
Interoperability Version : 0100
Exposure Mode : Auto
White Balance : Auto
Digital Zoom Ratio : 1
Focal Length In 35mm Format : 25 mm
Scene Capture Type : Standard
Compression : JPEG (old-style)
Thumbnail Offset : 1124
Thumbnail Length : 64000
Image Width : 4000
Image Height : 3000
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Time Stamp : 2023:11:21 05:46:21.420+09:00
MCC Data : United States / Guam
Aperture : 1.8
Image Size : 4000x3000
Megapixels : 12.0
Scale Factor To 35 mm Equivalent: 5.4
Shutter Speed : 1/24
Create Date : 1970:01:01 00:00:00.703
Date/Time Original : 1970:01:01 00:00:00.703
Modify Date : 1970:01:01 00:00:00.703
Thumbnail Image : (Binary data 64000 bytes, use -b option to extract)
Circle Of Confusion : 0.006 mm
Field Of View : 71.5 deg
Focal Length : 4.6 mm (35 mm equivalent: 25.0 mm)
Hyperfocal Distance : 2.13 m
Light Value : 4.0
$ nc -w 2 mimas.picoctf.net 59346 < original.jpg
$ nc mimas.picoctf.net 58619
MD5 of your picture:
e7537a20fd614f08232eaa16d4f6587a test.out
Checking tag 1/7
Looking at IFD0: ModifyDate
Looking for '1970:01:01 00:00:00'
Found: 1970:01:01 00:00:00
Great job, you got that one!
Checking tag 2/7
Looking at ExifIFD: DateTimeOriginal
Looking for '1970:01:01 00:00:00'
Found: 1970:01:01 00:00:00
Great job, you got that one!
Checking tag 3/7
Looking at ExifIFD: CreateDate
Looking for '1970:01:01 00:00:00'
Found: 1970:01:01 00:00:00
Great job, you got that one!
Checking tag 4/7
Looking at Composite: SubSecCreateDate
Looking for '1970:01:01 00:00:00.001'
Found: 1970:01:01 00:00:00.703
Oops! That tag isn't right. Please try again.
I tried various things, but I could not change the last one.
$ nc mimas.picoctf.net 49568
MD5 of your picture:
dfeec95e00a63491611fa7f106a0ebfe test.out
Checking tag 1/7
Looking at IFD0: ModifyDate
Looking for '1970:01:01 00:00:00'
Found: 1970:01:01 00:00:00
Great job, you got that one!
Checking tag 2/7
Looking at ExifIFD: DateTimeOriginal
Looking for '1970:01:01 00:00:00'
Found: 1970:01:01 00:00:00
Great job, you got that one!
Checking tag 3/7
Looking at ExifIFD: CreateDate
Looking for '1970:01:01 00:00:00'
Found: 1970:01:01 00:00:00
Great job, you got that one!
Checking tag 4/7
Looking at Composite: SubSecCreateDate
Looking for '1970:01:01 00:00:00.001'
Found: 1970:01:01 00:00:00.001
Great job, you got that one!
Checking tag 5/7
Looking at Composite: SubSecDateTimeOriginal
Looking for '1970:01:01 00:00:00.001'
Found: 1970:01:01 00:00:00.001
Great job, you got that one!
Checking tag 6/7
Looking at Composite: SubSecModifyDate
Looking for '1970:01:01 00:00:00.001'
Found: 1970:01:01 00:00:00.001
Great job, you got that one!
Checking tag 7/7
Timezones do not have to match, as long as it's the equivalent time.
Looking at Samsung: TimeStamp
Looking for '1970:01:01 00:00:00.001+00:00'
Found: 2023:11:20 20:46:21.420+00:00
Oops! That tag isn't right. Please try again.
I also tried GUI tools for rewriting Exif. One is JExifToolGUI V2.0.2; it is a jar file, so I could launch it on ParrotOS with $ java -jar jExifToolGUI.jar &. However, it could not rewrite TimeStamp. The other is ExifToolGUI_X64.exe, a Windows application. It seems to be a wrapper around the exiftool.exe command-line program. Put exiftool.exe in the same directory and double-click ExifToolGUI_X64.exe to launch it. In the end this one could not rewrite TimeStamp either, but it was an easy tool to use.
I give up. According to a writeup, you rewrite it with a binary editor.
The value to change is Image_UTC_Data1700513181420, which starts at offset 0x2B8228. The time I could not change is 2023:11:20 20:46:21.420+00:00. The last 3 characters seem to represent milliseconds. I convert the rest as epoch time. It matched.
$ python -c 'import datetime; print(datetime.datetime.fromtimestamp(1700513181))'
2023-11-21 05:46:21
All that remains is to match Looking for '1970:01:01 00:00:00.001+00:00', so the epoch time becomes 0 and the fractional part is 001. I edit it with the binary editor.
Now I run it.
$ nc -w 2 mimas.picoctf.net 61487 < ../picoCTF/picoCTF2024_Forensics/original.jpg
$ nc mimas.picoctf.net 49568
MD5 of your picture:
a664348eec39335cab61850c7f530b94 test.out
Checking tag 1/7
Looking at IFD0: ModifyDate
Looking for '1970:01:01 00:00:00'
Found: 1970:01:01 00:00:00
Great job, you got that one!
Checking tag 2/7
Looking at ExifIFD: DateTimeOriginal
Looking for '1970:01:01 00:00:00'
Found: 1970:01:01 00:00:00
Great job, you got that one!
Checking tag 3/7
Looking at ExifIFD: CreateDate
Looking for '1970:01:01 00:00:00'
Found: 1970:01:01 00:00:00
Great job, you got that one!
Checking tag 4/7
Looking at Composite: SubSecCreateDate
Looking for '1970:01:01 00:00:00.001'
Found: 1970:01:01 00:00:00.001
Great job, you got that one!
Checking tag 5/7
Looking at Composite: SubSecDateTimeOriginal
Looking for '1970:01:01 00:00:00.001'
Found: 1970:01:01 00:00:00.001
Great job, you got that one!
Checking tag 6/7
Looking at Composite: SubSecModifyDate
Looking for '1970:01:01 00:00:00.001'
Found: 1970:01:01 00:00:00.001
Great job, you got that one!
Checking tag 7/7
Timezones do not have to match, as long as it's the equivalent time.
Looking at Samsung: TimeStamp
Looking for '1970:01:01 00:00:00.001+00:00'
Found: 1970:01:01 00:00:00.001+00:00
Great job, you got that one!
You did it!
picoCTF{71m3_7r4v311ng_p1c7ur3_3e336564}
Phew, I wasn't quite persistent enough.
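The Image_UTC_Data edit described above, done in a binary editor in the post, can also be scripted. This is an added example, not code from the original post: it finds the marker, decodes the 13 digits as epoch milliseconds, and overwrites them in place. The sample bytes are constructed, and zero-padding the new value to 13 digits so the file length stays unchanged is an assumption of this example.

```python
import re
from datetime import datetime, timedelta, timezone

MARKER = b"Image_UTC_Data"  # marker text quoted on the page
STAMP_RE = re.compile(re.escape(MARKER) + rb"(\d{13})")  # 13 digits: epoch milliseconds
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Constructed sample: a few JPEG-like bytes around the string from the page.
SAMPLE = b"\xff\xd8\xff\xe1" + b"\x00" * 12 + b"Image_UTC_Data1700513181420" + b"\x00\xff\xd9"


def find_utc_stamps(blob):
    """Return (offset of the digits, epoch ms, aware UTC datetime) per marker."""
    found = []
    for m in STAMP_RE.finditer(blob):
        ms = int(m.group(1))
        found.append((m.start(1), ms, EPOCH + timedelta(milliseconds=ms)))
    return found


def set_utc_stamp(blob, target):
    """Overwrite the 13 digits in place; file length and all offsets stay the same."""
    hits = find_utc_stamps(blob)
    if len(hits) != 1:
        raise ValueError("expected exactly one marker, found %d" % len(hits))
    if target.tzinfo is None:
        raise ValueError("target must be timezone-aware")
    ms = (target - EPOCH) // timedelta(milliseconds=1)
    if not 0 <= ms < 10 ** 13:
        raise ValueError("target does not fit in 13 digits")
    offset = hits[0][0]
    # Zero-padding to 13 digits is this example's assumption.
    return blob[:offset] + b"%013d" % ms + blob[offset + 13:]


if __name__ == "__main__":
    print(find_utc_stamps(SAMPLE))
    wanted = EPOCH + timedelta(milliseconds=1)  # 1970:01:01 00:00:00.001+00:00
    patched = set_utc_stamp(SAMPLE, wanted)
    print(find_utc_stamps(patched), len(patched) == len(SAMPLE))
```

Working in UTC avoids the +0900 confusion seen earlier in the section: the decoded value is 20:46:21.420 on 2023-11-20 UTC, the same instant as the 05:46:21 local time printed by the post's one-liner.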
Dear Diary (400 points)
This is a Medium problem. One disk image (disk.flag.img.gz) can be downloaded.
I take a quick look. It really does seem to be gzip, so I decompress it. It really does seem to be a disk image.
$ file disk.flag.img.gz
disk.flag.img.gz: gzip compressed data, was "disk.flag.img", last modified: Sat Feb 17 22:59:04 2024, from Unix, original size modulo 2^32 1073741824
$ gzip -d disk.flag.img.gz
$ file disk.flag.img
disk.flag.img: DOS/MBR boot sector; partition 1 : ID=0x83, active, start-CHS (0x0,32,33), end-CHS (0x26,94,56), startsector 2048, 614400 sectors; partition 2 : ID=0x82, start-CHS (0x26,94,57), end-CHS (0x47,1,58), startsector 616448, 524288 sectors; partition 3 : ID=0x83, start-CHS (0x47,1,59), end-CHS (0x82,138,8), startsector 1140736, 956416 sectors
First, I try mounting it.
$ sudo mount disk.flag.img mnt/
mount: /home/user/svn/experiment/picoCTF/picoCTF2024_Forensics/mnt: wrong fs type, bad option, bad superblock on /dev/loop0, missing codepage or helper program, or other error.
dmesg(1) may have more information after failed mount system call.
Hmm, no good. I have previously used two disk-image tools for Windows, FTK Imager and Autopsy, so I might as well use them here.
With FTK Imager, choosing File → Add Evidence Item... → Image File and selecting disk.flag.img lets you look inside. You can browse it Explorer-style.
Looking around, the OS is Alpine, the only user is root, and I looked at root's home directory too, but found nothing relevant. I exported everything from the drive that appears to be the root file system on the third partition and searched all of it with the UsaMimi Hurricane YARA rule scan. There were a few hits, but no flag.
Autopsy took quite a while, but it was no good either.
This image is Linux, so I should be able to mount it if I investigate properly.
I look at it with the fdisk command. The third entry, disk.flag.img3, is formatted as ext4, so that is the one I want to mount.
After a bit of research, it seems it can be mounted if the offset (in bytes) is known. Just multiply the Start sector by 512 bytes: 1140736 * 512 = 584056832
$ fdisk -l disk.flag.img
Disk disk.flag.img: 1 GiB, 1073741824 bytes, 2097152 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x6062d30a
Device Boot Start End Sectors Size Id Type
disk.flag.img1 * 2048 616447 614400 300M 83 Linux
disk.flag.img2 616448 1140735 524288 256M 82 Linux swap / Solaris
disk.flag.img3 1140736 2097151 956416 467M 83 Linux
I try it. Hmm, that's better than before. The error seems to say the superblock cannot be read.
$ sudo mount -t ext4 -o loop,offset=584056832 disk.flag.img mnt/
mount: /home/user/svn/experiment/picoCTF/picoCTF2024_Forensics/mnt: can't read superblock on /dev/loop0.
dmesg(1) may have more information after failed mount system call.
$ dumpe2fs -h disk.flag.img
dumpe2fs 1.47.1-rc2 (01-May-2024)
dumpe2fs: Bad magic number in super-block while trying to open disk.flag.img
Couldn't find valid filesystem superblock.
disk.flag.img contains `DOS/MBR boot sector;
partition 1 : ID=0x83, active, start-CHS (0x0,32,33), end-CHS (0x26,94,56), startsector 2048, 614400 sectors;
partition 2 : ID=0x82, start-CHS (0x26,94,57), end-CHS (0x47,1,58), startsector 616448, 524288 sectors;
partition 3 : ID=0x83, start-CHS (0x47,1,59), end-CHS (0x82,138,8), startsector 1140736, 956416 sectors' data
I try mounting the first partition. It is probably a boot partition, as is common on embedded systems. It mounted.
$ sudo mount -t ext4 -o loop,offset=1048576 disk.flag.img mnt/
The drive whose superblock needs fixing is probably the important one, so I don't expect much here, but I take a quick look. Right, there seems to be nothing. While I was at it I ran the YARA rule scan here too, but no luck.
./System.map-virt:ffffffff8199f380 t __pfx_pirq_pico_get
./System.map-virt:ffffffff8199f390 t pirq_pico_get
./System.map-virt:ffffffff8199f3c0 t __pfx_pirq_pico_set
./System.map-virt:ffffffff8199f3d0 t pirq_pico_set
./System.map-virt:ffffffff82a24cc0 t __pfx_pico_router_probe
./System.map-virt:ffffffff82a24cd0 t pico_router_probe
The superblock of the third partition seems to be corrupted, so I think the challenge wants it repaired. I expect the flag will turn up around there.
$ fsck.ext4 disk.flag.img
e2fsck 1.47.1-rc2 (01-May-2024)
ext2fs_open2: Bad magic number in super-block
fsck.ext4: Superblock invalid, trying backup blocks...
fsck.ext4: Bad magic number in super-block while trying to open disk.flag.img
The superblock could not be read or does not describe a valid ext2/ext3/ext4
filesystem. If the device is valid and it really contains an ext2/ext3/ext4
filesystem (and not swap or ufs or something else), then the superblock
is corrupt, and you might try running e2fsck with an alternate superblock:
e2fsck -b 8193 <device>
or
e2fsck -b 32768 <device>
disk.flag.img contains `DOS/MBR boot sector; partition 1 : ID=0x83, active, start-CHS (0x0,32,33), end-CHS (0x26,94,56), startsector 2048, 614400 sectors; partition 2 : ID=0x82, start-CHS (0x26,94,57), end-CHS (0x47,1,58), startsector 616448, 524288 sectors; partition 3 : ID=0x83, start-CHS (0x47,1,59), end-CHS (0x82,138,8), startsector 1140736, 956416 sectors' data
$ mkfs.ext4 -n disk.flag.img
mke2fs 1.47.1-rc2 (01-May-2024)
disk.flag.img contains `DOS/MBR boot sector; partition 1 : ID=0x83, active, start-CHS (0x0,32,33), end-CHS (0x26,94,56), startsector 2048, 614400 sectors; partition 2 : ID=0x82, start-CHS (0x26,94,57), end-CHS (0x47,1,58), startsector 616448, 524288 sectors; partition 3 : ID=0x83, start-CHS (0x47,1,59), end-CHS (0x82,138,8), startsector 1140736, 956416 sectors' data
Proceed anyway? (y,N) y
Creating filesystem with 262144 4k blocks and 65536 inodes
Filesystem UUID: 29390527-0466-4886-b948-2ca3d3f01714
Superblock backups stored on blocks:
32768, 98304, 163840, 229376
$ e2fsck -b 32768 disk.flag.img
e2fsck 1.47.1-rc2 (01-May-2024)
e2fsck: Attempt to read block from filesystem resulted in short read while trying to open disk.flag.img
Could this be a zero-length partition?
I look at disk.flag.img directly in a binary editor.
I look at the MBR at the start. The partition table begins at 0x1BE, with 16 bytes per entry. Three entries are populated. The fifth byte of each entry holds the ID. The first and third are 0x83, so they are EXT2/3/4. The second is 0x82, so it is a swap area.
First, I look at the first partition, which is healthy. It starts at sector 2048, so I look at 2048 sectors × 512 bytes = 0x100000. The superblock seems to start at an offset of 1024 bytes (0x100400 here).
The magic number is at offset 0x38 in the superblock (0x100438 here). For EXT2/3/4 it is 0xEF53, and indeed it is. So is this what is broken in the third partition?
I look at the third partition the same way. The partition starts at 1140736 sectors × 512 bytes = 0x22D00000. I look at the sector at the 1024-byte offset. Hmm, the magic number (0x22d00438) holds 0xEF53 as normal. I can't tell where the problem is.
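The manual walk above (partition table at 0x1BE, 16-byte entries, ID in the fifth byte, magic at partition start + 1024 + 0x38) can be automated. This is an added example, not code from the original post; it runs against a constructed miniature image with tiny sector numbers, and the function names are made up for the illustration.

```python
import io
import struct

SECTOR = 512
TABLE_OFFSET = 0x1BE       # partition table inside the MBR
ENTRY = struct.Struct("<B3xB3xII")  # status, CHS, type ID, CHS, start LBA, sector count
SUPERBLOCK_OFFSET = 1024   # superblock position inside an ext partition
MAGIC_OFFSET = 0x38        # magic number position inside the superblock
EXT_MAGIC = 0xEF53


def read_partitions(img):
    """Parse the four primary MBR entries of a seekable binary file object."""
    img.seek(0)
    mbr = img.read(SECTOR)
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    parts = []
    for i in range(4):
        status, ptype, start, count = ENTRY.unpack_from(mbr, TABLE_OFFSET + i * ENTRY.size)
        if ptype:  # type 0x00 marks an unused slot
            parts.append({"index": i + 1, "type": ptype, "active": status == 0x80,
                          "offset": start * SECTOR, "sectors": count})
    return parts


def ext_magic(img, part_offset):
    """Read the 16-bit little-endian magic at partition + 1024 + 0x38 (None past EOF)."""
    img.seek(part_offset + SUPERBLOCK_OFFSET + MAGIC_OFFSET)
    raw = img.read(2)
    return struct.unpack("<H", raw)[0] if len(raw) == 2 else None


def survey(img):
    """One row per partition: (index, type ID, byte offset, magic is 0xEF53)."""
    rows = []
    for p in read_partitions(img):
        ok = p["type"] == 0x83 and ext_magic(img, p["offset"]) == EXT_MAGIC
        rows.append((p["index"], hex(p["type"]), hex(p["offset"]), ok))
    return rows


def build_sample(magic3=EXT_MAGIC):
    """Constructed miniature image: the page's three partition types at tiny offsets."""
    layout = [(0x80, 0x83, 8, 8), (0x00, 0x82, 16, 8), (0x00, 0x83, 24, 8)]
    img = bytearray(32 * SECTOR)
    for i, entry in enumerate(layout):
        ENTRY.pack_into(img, TABLE_OFFSET + i * ENTRY.size, *entry)
    img[510:512] = b"\x55\xaa"
    for start, magic in ((8, EXT_MAGIC), (24, magic3)):
        struct.pack_into("<H", img, start * SECTOR + SUPERBLOCK_OFFSET + MAGIC_OFFSET, magic)
    return io.BytesIO(bytes(img))


if __name__ == "__main__":
    for row in survey(build_sample()):
        print(row)
```

As the section found on the real image, a correct 0xEF53 only shows that this one field is intact; a partition can pass this check and still fail to mount.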
While researching, I found another way to mount an image that contains multiple partitions. Doing that, I was able to mount it.
The losetup command uses a loopback device so that the disk image can be treated as a device. With this, it was assigned under /dev.
Using the -n option of mkfs.ext4 shows the locations of the backup superblocks.
The e2fsck command attempts to repair the superblock. With this, the repair succeeded using a backed-up superblock, and I was able to mount the partition.
$ sudo losetup -P --show -f disk.flag.img
$ lsblk
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
loop0 7:0 0 1G 0 loop
├─loop0p1 259:0 0 300M 0 part
├─loop0p2 259:1 0 256M 0 part
└─loop0p3 259:2 0 467M 0 part
sda 8:0 0 64G 0 disk
├─sda1 8:1 0 50M 0 part /boot/efi
└─sda2 8:2 0 63.9G 0 part /home
/
$ sudo mount -t ext4 /dev/loop0p3 mnt2/
mount: /home/user/svn/experiment/picoCTF/picoCTF2024_Forensics/mnt2: can't read superblock on /dev/loop0p3.
dmesg(1) may have more information after failed mount system call.
$ sudo mkfs.ext4 -n /dev/loop0p3
mke2fs 1.47.1-rc2 (01-May-2024)
/dev/loop0p3 contains a ext4 file system
last mounted on / on Sun Feb 18 04:03:14 2024
Proceed anyway? (y,N) y
Creating filesystem with 478208 1k blocks and 119416 inodes
Filesystem UUID: 3b9ea8b2-67c2-4368-a6e8-f9fefbdf5b63
Superblock backups stored on blocks:
8193, 24577, 40961, 57345, 73729, 204801, 221185, 401409
$ sudo mount -t ext4 /dev/loop0p3 mnt2/
mount: /home/user/svn/experiment/picoCTF/picoCTF2024_Forensics/mnt2: can't read superblock on /dev/loop0p3.
dmesg(1) may have more information after failed mount system call.
$ sudo e2fsck -b 8193 /dev/loop0p3
e2fsck 1.47.1-rc2 (01-May-2024)
Superblock needs_recovery flag is clear, but journal has data.
Recovery flag not set in backup superblock, so running journal anyway.
/dev/loop0p3: recovering journal
JBD2: Invalid checksum recovering data block 15602 in log
JBD2: Invalid checksum recovering data block 15602 in log
JBD2: Invalid checksum recovering data block 15602 in log
Journal checksum error found in /dev/loop0p3
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
Block bitmap differences: +(73729--73989) +(204801--205061) +(221185--221445) +(401409--401669)
Fix<y>? yes
Free blocks count wrong for group
Fix<y>? yes
Free blocks count wrong for group
Fix<y>? yes
Free blocks count wrong for group
Fix<y>? yes
Free blocks count wrong for group
Fix<y>? yes
Free blocks count wrong for group
Fix<y>? yes
Free blocks count wrong for group
Fix<y>? yes
Free blocks count wrong for group
Fix<y>? yes
Free blocks count wrong for group
Fix<y>? yes
Free blocks count wrong for group
Fix ('a' enables 'yes' to all) <y>? yes
Free blocks count wrong for group
Fix ('a' enables 'yes' to all) <y>? yes
Free blocks count wrong for group
Fix ('a' enables 'yes' to all) <y>? yes
Free blocks count wrong for group
Fix ('a' enables 'yes' to all) <y>? yes
Free blocks count wrong for group
Fix<y>? yes
Free blocks count wrong for group
Fix<y>? yes
Free blocks count wrong for group
Fix<y>? yes
Free blocks count wrong (437564, counted=378717).
Fix<y>? yes
Free inodes count wrong for group
Fix<y>? yes
Directories count wrong for group
Fix<y>? yes
Free inodes count wrong for group
Fix<y>? yes
Directories count wrong for group
Fix<y>? yes
Free inodes count wrong for group
Fix<y>? yes
Directories count wrong for group
Fix<y>? yes
Free inodes count wrong (119404, counted=116975).
Fix<y>? yes
Padding at end of inode bitmap is not set. Fix<y>? yes
/dev/loop0p3: ***** FILE SYSTEM WAS MODIFIED *****
/dev/loop0p3: 2441/119416 files (0.8% non-contiguous), 99491/478208 blocks
$ sudo mount -t ext4 /dev/loop0p3 mnt2/
I got as far as mounting it and searched all over, but could not find the flag. I give up.
I look at a writeup. The flag seems to be near the journal file. Searching for "innocuous-file.txt" in a binary editor and looking at the hits in order from the top, I found pic, oCT, F{1, _53, 3_n, 4m3, 5_8, 0d2, 4b3, 0}.
Joined together, these give picoCTF{1_533_n4m35_80d24b30}.
It is a shock that this one is rated Medium.
That completes Forensics.
Conclusion
This time I worked through all 8 problems in the Forensics category of picoCTF 2024. I could not solve the last 2, but even though this is a weak area for me, I think I gained a variety of insights.
That's all for this time!
Thank you for reading to the end.