Challenge 5 Write-Up – SMP CTF 2010 Hacker Olympics…

July 14, 2010 at 9:26 pm (Capture The Flag, SMP CTF)

Hey,

This was an awesome challenge and my very first crack at forensics. The challenge was simply this:

We are sure we left, a flag in here somewhere... Right redsand?

Can you help find it? The file: download

Looking at the challenge page web source, I instantly found the key:

<!--Challenge Key: 74bf0f65-->

Then we downloaded the file, which was simply called ‘forensic-image’:

[zoidberg@/dev/null:~/SMP/CH4 ] $ file forensic1-image
forensic1-image: rzip compressed data - version 2.1 (15185973 bytes)

So looking at the output of file, we know that it is an rzip compressed data file. I had never heard of rzip until I saw this, so time to hit Google. I found the following site on Google here. I then proceeded to check my distribution’s package database for the utility ‘rzip’. Lo and behold, the following turned up:

rzip - compression program for large files

I installed it and proceeded to decompress the image file:

[zoidberg@/dev/null:~/SMP/CH4 ] $ mv forensic1-image forensic1-image.rz
[zoidberg@/dev/null:~/SMP/CH4 ] $ rzip -d forensic1-image.rz
[zoidberg@/dev/null:~/SMP/CH4 ] $ ls
total 14832
-rw-r--r-- 1 zoidberg zoidberg 15185973 2010-07-10 00:41 forensic1-image

[zoidberg@/dev/null:~/SMP/CH4 ] $ file forensic1-image
forensic1-image: LHarc 1.x/ARX archive data [lh0]

[zoidberg@/dev/null:~/SMP/CH4 ] $

Rzip allowed me to extract the file. I then checked what the result was, again with the file utility, which told me that it was an LHarc archive file. Then I proceeded to extract the data:

[zoidberg@/dev/null:~/SMP/CH4 ] $ lha e forensic1-image
FS.tar - Melted : oooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

[zoidberg@/dev/null:~/SMP/CH4 ] $ ls
total 29664
-rw-r--r-- 1 zoidberg zoidberg 15185973 2010-07-10 00:41 forensic1-image
-rw-r--r-- 1 zoidberg zoidberg 15185920 2010-06-30 02:53 FS.tar

After I extracted the data, I was then left with a POSIX tar archive:

[zoidberg@/dev/null:~/SMP/CH4 ] $ file FS.tar
FS.tar: POSIX tar archive (GNU)

[zoidberg@/dev/null:~/SMP/CH4 ] $ tar xvf FS.tar
FS

[zoidberg@/dev/null:~/SMP/CH4 ] $ file FS
FS: bzip2 compressed data, block size = 900k

[zoidberg@/dev/null:~/SMP/CH4 ] $ bunzip2 FS.bz2

[zoidberg@/dev/null:~/SMP/CH4 ] $ ls
total 44476
-rw-r--r-- 1 zoidberg zoidberg 15185973 2010-07-10 00:41 forensic1-image
-rw-r--r-- 1 zoidberg zoidberg 15163583 2010-06-30 02:52 FS
-rw-r--r-- 1 zoidberg zoidberg 15185920 2010-06-30 02:53 FS.tar

I extracted the tar archive, which then gave me a bzip2 archive. I extracted that, and guess what? Yes, you guessed it, yet another archive:

[zoidberg@/dev/null:~/SMP/CH4 ] $ file FS
FS: gzip compressed data, was "FS", from Unix, last modified: Wed Jun 30 02:42:18 2010, max compression

[zoidberg@/dev/null:~/SMP/CH4 ] $ mv FS FS.gz

[zoidberg@/dev/null:~/SMP/CH4 ] $ gunzip FS.gz

[zoidberg@/dev/null:~/SMP/CH4 ] $ ls
total 93688
-rw-r--r-- 1 zoidberg zoidberg 15185973 2010-07-10 00:41 forensic1-image
-rw-r--r-- 1 zoidberg zoidberg 65560576 2010-06-30 02:52 FS
-rw-r--r-- 1 zoidberg zoidberg 15185920 2010-06-30 02:53 FS.tar

[zoidberg@/dev/null:~/SMP/CH4 ] $ file FS
FS: Linux rev 1.0 ext2 filesystem data, UUID=c8a4643d-d89b-43db-bae8-6192db41dcc1 (large files)

This time it was a gzip compressed data file. I extracted that and was left with an ext2 file partition… ooohh, now we’re getting a little bit more interesting. So I proceeded to mount the ext2 file partition and take a look at what was there:

[zoidberg@/dev/null:~/SMP/CH4 ] $ ls
total 93688
-rw-r--r-- 1 zoidberg zoidberg 15185973 2010-07-10 00:41 forensic1-image
-rw-r--r-- 1 zoidberg zoidberg 65560576 2010-06-30 02:52 FS
-rw-r--r-- 1 zoidberg zoidberg 15185920 2010-06-30 02:53 FS.tar

[zoidberg@/dev/null:~/SMP/CH4 ] $ mkdir mnt

[zoidberg@/dev/null:~/SMP/CH4 ] $ sudo mount -t ext2 -o loop FS mnt/

[zoidberg@/dev/null:~/SMP/CH4 ] $ ls
total 93692
-rw-r--r-- 1 zoidberg zoidberg 15185973 2010-07-10 00:41 forensic1-image
-rw-r--r-- 1 zoidberg zoidberg 65560576 2010-06-30 02:52 FS
-rw-r--r-- 1 zoidberg zoidberg 15185920 2010-06-30 02:53 FS.tar
drwxr-xr-x 3 root root 4096 2010-06-30 02:50 mnt

[zoidberg@/dev/null:~/SMP/CH4 ] $ ls mnt/
total 15392
-rw-r--r-- 1 root root 15723366 2010-06-30 02:50 forensic_image
drwx------ 2 root root 16384 2010-06-30 02:42 lost+found

After I mounted the filesystem I was left with yet another forensic_image file; there was nothing in the lost+found directory. So let’s investigate this forensic_image:

[zoidberg@/dev/null:/mnt ] $ file forensic_image
forensic_image: data

[zoidberg@/dev/null:~/SMP/CH4/mnt ] $ hexdump -C forensic_image |head
00000000 00 e9 55 43 4c ff 01 1a 00 00 00 01 2d 07 00 04 |..UCL.......-...| <--- UCL!!
00000010 00 00 00 04 00 00 00 04 00 00 6a 6f 65 2f 00 00 |..........joe/..|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 30 |..............00|
00000080 30 30 37 35 35 00 30 30 30 31 37 35 33 00 30 30 |00755.0001753.00|
00000090 30 31 37 35 35 00 30 30 30 30 30 30 30 30 30 30 |01755.0000000000|
000000a0 30 00 31 31 34 31 32 35 31 35 32 30 30 00 30 30 |0.11412515200.00|
000000b0 37 37 34 36 00 20 35 00 00 00 00 00 00 00 00 00 |7746. 5.........|
000000c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|

OK so, it seemed like a data file. Checking it with the hexdump utility gives us a little hint as to what type of file this is. UCL is a compression library; more information and the tools to enable you to decompress these files are available from here. So let’s see what’s inside it:

[root@/dev/null:~/SMP/CH4 ] $ ./uclpack -d forensic_image uclunpacked-image

UCL data compression library (v1.03, Jul 20 2004).
Copyright (C) 1996-2004 Markus Franz Xaver Johannes Oberhumer
http://www.oberhumer.com/opensource/ucl/

uclpack: block-size is 262144 bytes
uclpack: decompressed 15723366 into 31989760 bytes

[root@/dev/null:~/SMP/CH4 ] $ ls
total 124940
-rw-r--r-- 1 zoidberg zoidberg 15185973 2010-07-10 00:41 forensic1-image
-rw-r--r-- 1 zoidberg zoidberg 4415 2010-07-13 13:18 forensic-writeup
-rw-r--r-- 1 zoidberg zoidberg 65560576 2010-06-30 02:52 FS
-rw-r--r-- 1 zoidberg zoidberg 15185920 2010-06-30 02:53 FS.tar
drwxr-xr-x 3 root root 4096 2010-06-30 02:50 mnt
-rw-r--r-- 1 root root 31989760 2010-07-13 13:26 uclunpacked-image

[root@/dev/null:~/SMP/CH4 ] $ file uclunpacked-image
uclunpacked-image: POSIX tar archive (GNU)
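
An added example, not part of the original write-up: the layer-by-layer identification above done from magic bytes in Python, including the UCL header that `file` reported only as `data`. The sample archive, the `MAX_LAYER` cap and the function names are constructed for the example; the rzip, LHA and ext2 signatures come from those formats' headers rather than from the page.

```python
import bz2
import gzip
import io
import tarfile
import zlib

# (name, offset, magic) for the layers met in this write-up. The UCL value is
# the 8-byte header visible in the hexdump of forensic_image.
SIGNATURES = [
    ("rzip", 0, b"RZIP"),
    ("gzip", 0, b"\x1f\x8b"),
    ("bzip2", 0, b"BZh"),
    ("ucl", 0, bytes.fromhex("00e955434cff011a")),
    ("tar", 257, b"ustar"),
    ("ext2", 1080, b"\x53\xef"),  # superblock s_magic 0xEF53, little-endian
]

# Layers the standard library cannot open, with the command the write-up used.
EXTERNAL = {"rzip": "rzip -d", "lha": "lha e", "ucl": "uclpack -d",
            "ext2": "mount -t ext2 -o loop"}

MAX_LAYER = 256 * 1024 * 1024  # assumed cap on any one unpacked layer


def identify(data):
    """Name the container format of `data` from its magic bytes."""
    # LHA level-0/1 headers carry the method id ("-lh0-", "-lh5-", ...) at offset 2.
    if data[2:5] == b"-lh" and data[6:7] == b"-":
        return "lha"
    for name, offset, magic in SIGNATURES:
        if data[offset:offset + len(magic)] == magic:
            return name
    return "data"


def _bounded(decompressor, data, limit):
    """Decompress at most `limit` bytes so a hostile layer cannot exhaust memory."""
    out = decompressor.decompress(data, limit + 1)
    if len(out) > limit:
        raise ValueError("layer expands past %d bytes" % limit)
    return out


def peel(data, limit=MAX_LAYER, max_depth=32):
    """Unwrap nested layers in memory.

    Returns (layers, remainder): the formats seen, outermost first, and either
    the bytes of the first layer that needs an external tool (or is unknown)
    or the member names of a tar archive that is not a single-file wrapper.
    """
    layers = []
    for _ in range(max_depth):
        kind = identify(data)
        layers.append(kind)
        if kind == "gzip":
            data = _bounded(zlib.decompressobj(31), data, limit)  # 31 = gzip framing
        elif kind == "bzip2":
            data = _bounded(bz2.BZ2Decompressor(), data, limit)
        elif kind == "tar":
            with tarfile.open(fileobj=io.BytesIO(data)) as tf:
                members = tf.getmembers()
                if len(members) != 1 or not members[0].isfile():
                    return layers, [m.name for m in members]
                if members[0].size > limit:
                    raise ValueError("tar member larger than %d bytes" % limit)
                # Read the single member in memory: nothing is written to disk,
                # so member paths from the archive are never trusted.
                data = tf.extractfile(members[0]).read()
        else:
            return layers, data
    raise ValueError("more than %d nested layers" % max_depth)


def _tar(files):
    """Build an in-memory tar archive from (name, bytes) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, body in files:
            info = tarfile.TarInfo(name)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def build_sample():
    """Constructed stand-in for the challenge file: tar -> bzip2 -> gzip -> tar."""
    home = _tar([("joe/.bash_history", b"ls\n"),
                 ("joe/network_sniff.pcap", b"\0" * 24)])
    return _tar([("FS", bz2.compress(gzip.compress(home)))])


if __name__ == "__main__":
    layers, rest = peel(build_sample())
    print(" -> ".join(layers))
    print(rest)
    kind = identify(bytes.fromhex("00e955434cff011a000000012d070004"))
    print(kind, "needs:", EXTERNAL[kind])
```
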

OK so, back to another tar archive. Let’s extract it and see what we have:

[zoidberg@/dev/null:~/FORENSICS ] $ sudo tar xvf uclunpacked-image.tar
joe/
joe/.dbus/
joe/.dbus/session-bus/
joe/.dbus/session-bus/9588dbce1fca58830d10168a4aba6077-2
joe/.dbus/session-bus/9588dbce1fca58830d10168a4aba6077-1
joe/Public/
joe/.bashrc
joe/examples.desktop
joe/.fontconfig/
joe/.fontconfig/10b13308be32295bb2869d1e42a8fb41-x86.cache-2
joe/Downloads/
joe/Downloads/hackerFiles/
joe/Downloads/hackerFiles/ntfs-hidden-data-analysis.pdf
joe/.nautilus/
joe/.xine/
joe/.xine/catalog.cache
joe/.ssh/
joe/.config/
joe/.config/gnome-disk-utility/
joe/.config/gnome-disk-utility/ata-smart-ignore/
joe/.config/compiz/
joe/.config/compiz/compizconfig/
joe/.config/compiz/compizconfig/config
joe/.config/user-dirs.locale
joe/.config/gnome-session/
joe/.config/gnome-session/saved-session/
joe/.config/user-dirs.dirs
joe/.config/gtk-2.0/
joe/.config/gtk-2.0/gtkfilechooser.ini
joe/network_sniff.pcap
joe/.pulse/
joe/.pulse/9588dbce1fca58830d10168a4aba6077-runtime
joe/.pulse/9588dbce1fca58830d10168a4aba6077-stream-volumes.tdb
joe/.pulse/9588dbce1fca58830d10168a4aba6077-device-volumes.tdb
joe/.pulse/9588dbce1fca58830d10168a4aba6077-card-database.tdb
joe/.pulse/9588dbce1fca58830d10168a4aba6077-default-source
joe/.pulse/9588dbce1fca58830d10168a4aba6077-default-sink
joe/.compiz/
joe/.compiz/session/
joe/.compiz/session/1025d49d578b178380127463786965591400000185720025
joe/.compiz/session/10273bd0f849d10abc127465244339743600000011830025
joe/.bash_history
joe/.profile
joe/.gvfs/
joe/.gnupg/
joe/.gnupg/random_seed
joe/.gnupg/pubring.gpg
joe/.gnupg/secring.gpg
joe/.gnupg/pubring.gpg~
joe/.gnupg/trustdb.gpg
joe/.gnupg/gpg.conf
joe/.ICEauthority
joe/JoeHackerPrivate.gpg
joe/.gegl-0.0/
joe/.gegl-0.0/plug-ins/
joe/.gegl-0.0/plug-ins/Makefile
joe/.gegl-0.0/swap/
joe/Music/
joe/.gconf/
joe/.gconf/desktop/
joe/.gconf/desktop/%gconf.xml
joe/.gconf/desktop/gnome/
joe/.gconf/desktop/gnome/peripherals/
joe/.gconf/desktop/gnome/peripherals/keyboard/
joe/.gconf/desktop/gnome/peripherals/keyboard/%gconf.xml
joe/.gconf/desktop/gnome/peripherals/keyboard/kbd/
joe/.gconf/desktop/gnome/peripherals/keyboard/kbd/%gconf.xml
joe/.gconf/desktop/gnome/peripherals/%gconf.xml
joe/.gconf/desktop/gnome/peripherals/touchpad/
joe/.gconf/desktop/gnome/peripherals/touchpad/%gconf.xml
joe/.gconf/desktop/gnome/accessibility/
joe/.gconf/desktop/gnome/accessibility/keyboard/
joe/.gconf/desktop/gnome/accessibility/keyboard/%gconf.xml
joe/.gconf/desktop/gnome/accessibility/%gconf.xml
joe/.gconf/desktop/gnome/applications/
joe/.gconf/desktop/gnome/applications/%gconf.xml
joe/.gconf/desktop/gnome/applications/window_manager/
joe/.gconf/desktop/gnome/applications/window_manager/%gconf.xml
joe/.gconf/desktop/gnome/%gconf.xml
joe/.gconf/apps/
joe/.gconf/apps/gnome-terminal/
joe/.gconf/apps/gnome-terminal/%gconf.xml
joe/.gconf/apps/gnome-terminal/profiles/
joe/.gconf/apps/gnome-terminal/profiles/Default/
joe/.gconf/apps/gnome-terminal/profiles/Default/%gconf.xml
joe/.gconf/apps/gnome-terminal/profiles/%gconf.xml
joe/.gconf/apps/gedit-2/
joe/.gconf/apps/gedit-2/%gconf.xml
joe/.gconf/apps/gedit-2/preferences/
joe/.gconf/apps/gedit-2/preferences/%gconf.xml
joe/.gconf/apps/gedit-2/preferences/ui/
joe/.gconf/apps/gedit-2/preferences/ui/statusbar/
joe/.gconf/apps/gedit-2/preferences/ui/statusbar/%gconf.xml
joe/.gconf/apps/gedit-2/preferences/ui/%gconf.xml
joe/.gconf/apps/gedit-2/plugins/
joe/.gconf/apps/gedit-2/plugins/filebrowser/
joe/.gconf/apps/gedit-2/plugins/filebrowser/%gconf.xml
joe/.gconf/apps/gedit-2/plugins/filebrowser/on_load/
joe/.gconf/apps/gedit-2/plugins/filebrowser/on_load/%gconf.xml
joe/.gconf/apps/gedit-2/plugins/%gconf.xml
joe/.gconf/apps/compiz/
joe/.gconf/apps/compiz/general/
joe/.gconf/apps/compiz/general/allscreens/
joe/.gconf/apps/compiz/general/allscreens/%gconf.xml
joe/.gconf/apps/compiz/general/allscreens/options/
joe/.gconf/apps/compiz/general/allscreens/options/%gconf.xml
joe/.gconf/apps/compiz/general/%gconf.xml
joe/.gconf/apps/compiz/%gconf.xml
joe/.gconf/apps/nautilus/
joe/.gconf/apps/nautilus/desktop-metadata/
joe/.gconf/apps/nautilus/desktop-metadata/%gconf.xml
joe/.gconf/apps/nautilus/desktop-metadata/directory/
joe/.gconf/apps/nautilus/desktop-metadata/directory/%gconf.xml
joe/.gconf/apps/nautilus/%gconf.xml
joe/.gconf/apps/nautilus/preferences/
joe/.gconf/apps/nautilus/preferences/%gconf.xml
joe/.gconf/apps/panel/
joe/.gconf/apps/panel/general/
joe/.gconf/apps/panel/general/%gconf.xml
joe/.gconf/apps/panel/objects/
joe/.gconf/apps/panel/objects/menu_bar_screen0/
joe/.gconf/apps/panel/objects/menu_bar_screen0/%gconf.xml
joe/.gconf/apps/panel/objects/browser_launcher_screen0/
joe/.gconf/apps/panel/objects/browser_launcher_screen0/%gconf.xml
joe/.gconf/apps/panel/objects/yelp_launcher_screen1/
joe/.gconf/apps/panel/objects/yelp_launcher_screen1/%gconf.xml
joe/.gconf/apps/panel/objects/%gconf.xml
joe/.gconf/apps/panel/objects/menu_bar_screen1/
joe/.gconf/apps/panel/objects/menu_bar_screen1/%gconf.xml
joe/.gconf/apps/panel/objects/yelp_launcher_screen0/
joe/.gconf/apps/panel/objects/yelp_launcher_screen0/%gconf.xml
joe/.gconf/apps/panel/objects/browser_launcher_screen1/
joe/.gconf/apps/panel/objects/browser_launcher_screen1/%gconf.xml
joe/.gconf/apps/panel/toplevels/
joe/.gconf/apps/panel/toplevels/bottom_panel_screen1/
joe/.gconf/apps/panel/toplevels/bottom_panel_screen1/background/
joe/.gconf/apps/panel/toplevels/bottom_panel_screen1/background/%gconf.xml
joe/.gconf/apps/panel/toplevels/bottom_panel_screen1/%gconf.xml
joe/.gconf/apps/panel/toplevels/bottom_panel_screen0/
joe/.gconf/apps/panel/toplevels/bottom_panel_screen0/background/
joe/.gconf/apps/panel/toplevels/bottom_panel_screen0/background/%gconf.xml
joe/.gconf/apps/panel/toplevels/bottom_panel_screen0/%gconf.xml
joe/.gconf/apps/panel/toplevels/top_panel_screen1/
joe/.gconf/apps/panel/toplevels/top_panel_screen1/background/
joe/.gconf/apps/panel/toplevels/top_panel_screen1/background/%gconf.xml
joe/.gconf/apps/panel/toplevels/top_panel_screen1/%gconf.xml
joe/.gconf/apps/panel/toplevels/%gconf.xml
joe/.gconf/apps/panel/toplevels/top_panel_screen0/
joe/.gconf/apps/panel/toplevels/top_panel_screen0/background/
joe/.gconf/apps/panel/toplevels/top_panel_screen0/background/%gconf.xml
joe/.gconf/apps/panel/toplevels/top_panel_screen0/%gconf.xml
joe/.gconf/apps/panel/%gconf.xml
joe/.gconf/apps/panel/applets/
joe/.gconf/apps/panel/applets/show_desktop_button_screen1/
joe/.gconf/apps/panel/applets/show_desktop_button_screen1/%gconf.xml
joe/.gconf/apps/panel/applets/notification_area_screen1/
joe/.gconf/apps/panel/applets/notification_area_screen1/%gconf.xml
joe/.gconf/apps/panel/applets/show_desktop_button_screen0/
joe/.gconf/apps/panel/applets/show_desktop_button_screen0/%gconf.xml
joe/.gconf/apps/panel/applets/notification_area_screen0/
joe/.gconf/apps/panel/applets/notification_area_screen0/%gconf.xml
joe/.gconf/apps/panel/applets/trashapplet_screen1/
joe/.gconf/apps/panel/applets/trashapplet_screen1/%gconf.xml
joe/.gconf/apps/panel/applets/%gconf.xml
joe/.gconf/apps/panel/applets/indicator_applet_screen1/
joe/.gconf/apps/panel/applets/indicator_applet_screen1/%gconf.xml
joe/.gconf/apps/panel/applets/window_list_screen1/
joe/.gconf/apps/panel/applets/window_list_screen1/%gconf.xml
joe/.gconf/apps/panel/applets/window_list_screen1/prefs/
joe/.gconf/apps/panel/applets/window_list_screen1/prefs/%gconf.xml
joe/.gconf/apps/panel/applets/clock_screen1/
joe/.gconf/apps/panel/applets/clock_screen1/%gconf.xml
joe/.gconf/apps/panel/applets/clock_screen1/prefs/
joe/.gconf/apps/panel/applets/clock_screen1/prefs/%gconf.xml
joe/.gconf/apps/panel/applets/workspace_switcher_screen1/
joe/.gconf/apps/panel/applets/workspace_switcher_screen1/%gconf.xml
joe/.gconf/apps/panel/applets/workspace_switcher_screen1/prefs/
joe/.gconf/apps/panel/applets/workspace_switcher_screen1/prefs/%gconf.xml
joe/.gconf/apps/panel/applets/indicator_applet_screen0/
joe/.gconf/apps/panel/applets/indicator_applet_screen0/%gconf.xml
joe/.gconf/apps/panel/applets/workspace_switcher_screen0/
joe/.gconf/apps/panel/applets/workspace_switcher_screen0/%gconf.xml
joe/.gconf/apps/panel/applets/workspace_switcher_screen0/prefs/
joe/.gconf/apps/panel/applets/workspace_switcher_screen0/prefs/%gconf.xml
joe/.gconf/apps/panel/applets/fast_user_switch_screen0/
joe/.gconf/apps/panel/applets/fast_user_switch_screen0/%gconf.xml
joe/.gconf/apps/panel/applets/fast_user_switch_screen1/
joe/.gconf/apps/panel/applets/fast_user_switch_screen1/%gconf.xml
joe/.gconf/apps/panel/applets/trashapplet_screen0/
joe/.gconf/apps/panel/applets/trashapplet_screen0/%gconf.xml
joe/.gconf/apps/panel/applets/window_list_screen0/
joe/.gconf/apps/panel/applets/window_list_screen0/%gconf.xml
joe/.gconf/apps/panel/applets/window_list_screen0/prefs/
joe/.gconf/apps/panel/applets/window_list_screen0/prefs/%gconf.xml
joe/.gconf/apps/panel/applets/clock_screen0/
joe/.gconf/apps/panel/applets/clock_screen0/%gconf.xml
joe/.gconf/apps/panel/applets/clock_screen0/prefs/
joe/.gconf/apps/panel/applets/clock_screen0/prefs/%gconf.xml
joe/.gconf/apps/%gconf.xml
joe/.gconf/apps/seahorse/
joe/.gconf/apps/seahorse/%gconf.xml
joe/.gconf/apps/seahorse/windows/
joe/.gconf/apps/seahorse/windows/%gconf.xml
joe/.gconf/apps/seahorse/listing/
joe/.gconf/apps/seahorse/listing/%gconf.xml
joe/.gconf/apps/evolution/
joe/.gconf/apps/evolution/%gconf.xml
joe/.gconf/apps/evolution/calendar/
joe/.gconf/apps/evolution/calendar/%gconf.xml
joe/.gconf/apps/evolution/calendar/notify/
joe/.gconf/apps/evolution/calendar/notify/%gconf.xml
joe/.gconf/apps/brasero/
joe/.gconf/apps/brasero/%gconf.xml
joe/.gconf/apps/brasero/config/
joe/.gconf/apps/brasero/config/priority/
joe/.gconf/apps/brasero/config/priority/%gconf.xml
joe/.gconf/apps/brasero/config/%gconf.xml
joe/Pictures/
joe/Pictures/logo.gif
joe/Pictures/chuck_norris_random_fact_generator_6_3957_2224_image_2561.jpg
joe/Pictures/chuck_norris_random_fact_generator_6_3957_2224_image_2578.jpg
joe/Pictures/funny_421.jpg
joe/.esd_auth
joe/.xsession-errors
joe/.gtk-bookmarks
joe/.mozilla/
joe/.mozilla/firefox/
joe/.mozilla/firefox/profiles.ini
joe/.mozilla/firefox/ji5h5a20.default/
joe/.mozilla/firefox/ji5h5a20.default/compreg.dat
joe/.mozilla/firefox/ji5h5a20.default/chrome/
joe/.mozilla/firefox/ji5h5a20.default/chrome/userContent-example.css
joe/.mozilla/firefox/ji5h5a20.default/chrome/userChrome-example.css
joe/.mozilla/firefox/ji5h5a20.default/mimeTypes.rdf
joe/.mozilla/firefox/ji5h5a20.default/key3.db
joe/.mozilla/firefox/ji5h5a20.default/compatibility.ini
joe/.mozilla/firefox/ji5h5a20.default/XPC.mfasl
joe/.mozilla/firefox/ji5h5a20.default/cert8.db
joe/.mozilla/firefox/ji5h5a20.default/pluginreg.dat
joe/.mozilla/firefox/ji5h5a20.default/extensions/
joe/.mozilla/firefox/ji5h5a20.default/formhistory.sqlite
joe/.mozilla/firefox/ji5h5a20.default/extensions.ini
joe/.mozilla/firefox/ji5h5a20.default/downloads.sqlite
joe/.mozilla/firefox/ji5h5a20.default/search.sqlite
joe/.mozilla/firefox/ji5h5a20.default/places.sqlite-journal
joe/.mozilla/firefox/ji5h5a20.default/urlclassifierkey3.txt
joe/.mozilla/firefox/ji5h5a20.default/signons.sqlite
joe/.mozilla/firefox/ji5h5a20.default/extensions.rdf
joe/.mozilla/firefox/ji5h5a20.default/prefs.js
joe/.mozilla/firefox/ji5h5a20.default/search.json
joe/.mozilla/firefox/ji5h5a20.default/secmod.db
joe/.mozilla/firefox/ji5h5a20.default/.parentlock
joe/.mozilla/firefox/ji5h5a20.default/cookies.sqlite
joe/.mozilla/firefox/ji5h5a20.default/bookmarks.html
joe/.mozilla/firefox/ji5h5a20.default/localstore.rdf
joe/.mozilla/firefox/ji5h5a20.default/Cache/
joe/.mozilla/firefox/ji5h5a20.default/Cache/_CACHE_003_
joe/.mozilla/firefox/ji5h5a20.default/Cache/2A32E8DAd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/BD3457DEd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/3954CE6Ed01
joe/.mozilla/firefox/ji5h5a20.default/Cache/2F85709Ad01
joe/.mozilla/firefox/ji5h5a20.default/Cache/47445552d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/E0A9A442d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/611C9EECd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/5634D1F9d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/5B0122ACd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/6B8C2D8Ed01
joe/.mozilla/firefox/ji5h5a20.default/Cache/A843C8B8d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/47C815E0d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/A8A78C65d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/0F03B2C5d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/D7DFB6FAd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/_CACHE_002_
joe/.mozilla/firefox/ji5h5a20.default/Cache/A718913Ad01
joe/.mozilla/firefox/ji5h5a20.default/Cache/60F3724Bd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/6D7313F3d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/EAE50599d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/1BB76077d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/FCC698B7d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/0B66D1E4d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/2B2A6EB8d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/8E40E94Fd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/A1FB26EBd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/F9D7526Fd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/1F9212B5d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/4E25B9B1d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/BC64C5CFd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/6A26639Ad01
joe/.mozilla/firefox/ji5h5a20.default/Cache/35B9FFA4d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/67C3D603d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/6FD58703d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/323F825Dd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/24ABAC5Ed01
joe/.mozilla/firefox/ji5h5a20.default/Cache/1AE4C69Dd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/_CACHE_001_
joe/.mozilla/firefox/ji5h5a20.default/Cache/ED38E2E7d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/A9D1B795d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/1F09BCFDd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/E7A5F3EFd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/F9D0526Fd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/1FF0F532d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/63B1734Bd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/36A05174d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/E461A381d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/444225A7d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/642BEFBCd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/0509B832d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/75687CC9d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/D96BCE28d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/BE437AE0d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/_CACHE_MAP_
joe/.mozilla/firefox/ji5h5a20.default/Cache/D97B28E1d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/4B46226Fd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/F5C1B0B4d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/A4B02E4Bd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/F0FDAB5Ad01
joe/.mozilla/firefox/ji5h5a20.default/Cache/582030EBd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/A842CB0Ed01
joe/.mozilla/firefox/ji5h5a20.default/Cache/DBA2D3E0d01
joe/.mozilla/firefox/ji5h5a20.default/xpti.dat
joe/.mozilla/firefox/ji5h5a20.default/XUL.mfasl
joe/.mozilla/firefox/ji5h5a20.default/permissions.sqlite
joe/.mozilla/firefox/ji5h5a20.default/bookmarkbackups/
joe/.mozilla/firefox/ji5h5a20.default/bookmarkbackups/bookmarks-2010-05-23.json
joe/.mozilla/firefox/ji5h5a20.default/urlclassifier3.sqlite
joe/.mozilla/firefox/ji5h5a20.default/places.sqlite
joe/.mozilla/firefox/ji5h5a20.default/extensions.cache
joe/.mozilla/firefox/ji5h5a20.default/content-prefs.sqlite
joe/.mozilla/extensions/
joe/.mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/
joe/Desktop/
joe/Joe Hacker.asc
joe/.macromedia/
joe/.macromedia/Flash_Player/
joe/.macromedia/Flash_Player/macromedia.com/
joe/.macromedia/Flash_Player/macromedia.com/support/
joe/.macromedia/Flash_Player/macromedia.com/support/flashplayer/
joe/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/
joe/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/#www.smilebox.com/
joe/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/#www.smilebox.com/settings.sol
joe/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/settings.sol
joe/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/#smilebox.com/
joe/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/#smilebox.com/settings.sol
joe/.macromedia/Flash_Player/#SharedObjects/
joe/.macromedia/Flash_Player/#SharedObjects/TLHF5ZK7/
joe/.macromedia/Flash_Player/#SharedObjects/TLHF5ZK7/www.smilebox.com/
joe/.macromedia/Flash_Player/#SharedObjects/TLHF5ZK7/www.smilebox.com/smilebox_webusage.sol
joe/.macromedia/Flash_Player/#SharedObjects/TLHF5ZK7/smilebox.com/
joe/.macromedia/Flash_Player/#SharedObjects/TLHF5ZK7/smilebox.com/smilebox_clientproperties.sol
joe/.cache/
joe/.cache/gedit/
joe/.cache/gedit/gedit-metadata.xml
joe/.cache/compizconfig/
joe/.cache/compizconfig/ezoom.pb
joe/.cache/compizconfig/loginout.pb
joe/.cache/compizconfig/titleinfo.pb
joe/.cache/compizconfig/commands.pb
joe/.cache/compizconfig/gears.pb
joe/.cache/compizconfig/switcher.pb
joe/.cache/compizconfig/obs.pb
joe/.cache/compizconfig/session.pb
joe/.cache/compizconfig/splash.pb
joe/.cache/compizconfig/shelf.pb
joe/.cache/compizconfig/reflex.pb
joe/.cache/compizconfig/wobbly.pb
joe/.cache/compizconfig/svg.pb
joe/.cache/compizconfig/core.pb
joe/.cache/compizconfig/wallpaper.pb
joe/.cache/compizconfig/inotify.pb
joe/.cache/compizconfig/mblur.pb
joe/.cache/compizconfig/bicubic.pb
joe/.cache/compizconfig/crashhandler.pb
joe/.cache/compizconfig/extrawm.pb
joe/.cache/compizconfig/scaleaddon.pb
joe/.cache/compizconfig/scale.pb
joe/.cache/compizconfig/snap.pb
joe/.cache/compizconfig/showdesktop.pb
joe/.cache/compizconfig/colorfilter.pb
joe/.cache/compizconfig/resize.pb
joe/.cache/compizconfig/blur.pb
joe/.cache/compizconfig/bench.pb
joe/.cache/compizconfig/firepaint.pb
joe/.cache/compizconfig/dbus.pb
joe/.cache/compizconfig/screenshot.pb
joe/.cache/compizconfig/cubeaddon.pb
joe/.cache/compizconfig/zoom.pb
joe/.cache/compizconfig/regex.pb
joe/.cache/compizconfig/rotate.pb
joe/.cache/compizconfig/put.pb
joe/.cache/compizconfig/text.pb
joe/.cache/compizconfig/workarounds.pb
joe/.cache/compizconfig/widget.pb
joe/.cache/compizconfig/fade.pb
joe/.cache/compizconfig/ring.pb
joe/.cache/compizconfig/water.pb
joe/.cache/compizconfig/mousepoll.pb
joe/.cache/compizconfig/mag.pb
joe/.cache/compizconfig/grid.pb
joe/.cache/compizconfig/staticswitcher.pb
joe/.cache/compizconfig/thumbnail.pb
joe/.cache/compizconfig/vpswitch.pb
joe/.cache/compizconfig/animationaddon.pb
joe/.cache/compizconfig/place.pb
joe/.cache/compizconfig/fs.pb
joe/.cache/compizconfig/winrules.pb
joe/.cache/compizconfig/maximumize.pb
joe/.cache/compizconfig/gnomecompat.pb
joe/.cache/compizconfig/annotate.pb
joe/.cache/compizconfig/opacify.pb
joe/.cache/compizconfig/fadedesktop.pb
joe/.cache/compizconfig/imgjpeg.pb
joe/.cache/compizconfig/scalefilter.pb
joe/.cache/compizconfig/kdecompat.pb
joe/.cache/compizconfig/shift.pb
joe/.cache/compizconfig/trailfocus.pb
joe/.cache/compizconfig/expo.pb
joe/.cache/compizconfig/3d.pb
joe/.cache/compizconfig/decoration.pb
joe/.cache/compizconfig/png.pb
joe/.cache/compizconfig/animation.pb
joe/.cache/compizconfig/neg.pb
joe/.cache/compizconfig/resizeinfo.pb
joe/.cache/compizconfig/group.pb
joe/.cache/compizconfig/cube.pb
joe/.cache/compizconfig/move.pb
joe/.cache/compizconfig/addhelper.pb
joe/.cache/compizconfig/showmouse.pb
joe/.cache/compizconfig/glib.pb
joe/.cache/compizconfig/minimize.pb
joe/.cache/compizconfig/video.pb
joe/.cache/compizconfig/wall.pb
joe/.cache/compizconfig/clone.pb
joe/.cache/notify-osd.log
joe/.cache/vlc/
joe/.cache/vlc/CACHEDIR.TAG
joe/.cache/vlc/plugins-04041e.dat
joe/.cache/event-sound-cache.tdb.9588dbce1fca58830d10168a4aba6077.i486-pc-linux-gnu
joe/.gnome2/
joe/.gnome2/accels/
joe/.gnome2/accels/gedit
joe/.gnome2/accels/nautilus
joe/.gnome2/gedit/
joe/.gnome2/gedit/gedit-2
joe/.gnome2/nautilus-scripts/
joe/.gnome2/keyrings/
joe/.gnome2/keyrings/login.keyring
joe/.gnome2/panel2.d/
joe/.gnome2/panel2.d/default/
joe/.gnome2/panel2.d/default/launchers/
joe/.openoffice.org/
joe/.openoffice.org/3/
joe/.openoffice.org/3/user/
joe/.openoffice.org/3/user/wordbook/
joe/.openoffice.org/3/user/temp/
joe/.openoffice.org/3/user/Scripts/
joe/.openoffice.org/3/user/uno_packages/
joe/.openoffice.org/3/user/uno_packages/cache/
joe/.openoffice.org/3/user/uno_packages/cache/uno_packages/
joe/.openoffice.org/3/user/uno_packages/cache/uno_packages.db
joe/.openoffice.org/3/user/uno_packages/cache/registry/
joe/.openoffice.org/3/user/uno_packages/cache/registry/com.sun.star.comp.deployment.executable.PackageRegistryBackend/
joe/.openoffice.org/3/user/uno_packages/cache/registry/com.sun.star.comp.deployment.help.PackageRegistryBackend/
joe/.openoffice.org/3/user/uno_packages/cache/registry/com.sun.star.comp.deployment.configuration.PackageRegistryBackend/
joe/.openoffice.org/3/user/uno_packages/cache/registry/com.sun.star.comp.deployment.configuration.PackageRegistryBackend/registry/
joe/.openoffice.org/3/user/uno_packages/cache/registry/com.sun.star.comp.deployment.configuration.PackageRegistryBackend/registered_packages.db
joe/.openoffice.org/3/user/uno_packages/cache/registry/com.sun.star.comp.deployment.sfwk.PackageRegistryBackend/
joe/.openoffice.org/3/user/uno_packages/cache/registry/com.sun.star.comp.deployment.script.PackageRegistryBackend/
joe/.openoffice.org/3/user/uno_packages/cache/registry/com.sun.star.comp.deployment.component.PackageRegistryBackend/
joe/.openoffice.org/3/user/uno_packages/cache/stamp.sys
joe/.openoffice.org/3/user/uno_packages/cache/log.txt
joe/.openoffice.org/3/user/basic/
joe/.openoffice.org/3/user/basic/dialog.xlc
joe/.openoffice.org/3/user/basic/Standard/
joe/.openoffice.org/3/user/basic/Standard/dialog.xlb
joe/.openoffice.org/3/user/basic/Standard/script.xlb
joe/.openoffice.org/3/user/basic/Standard/Module1.xba
joe/.openoffice.org/3/user/basic/script.xlc
joe/.openoffice.org/3/user/autotext/
joe/.openoffice.org/3/user/autotext/mytexts.bau
joe/.openoffice.org/3/user/registry/
joe/.openoffice.org/3/user/registry/cache/
joe/.openoffice.org/3/user/registry/cache/org.openoffice.TypeDetection.Types.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.UI.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Paths.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Commands.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Recovery.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Common.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Jobs.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.TypeDetection.GraphicFilter.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Linguistic.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Substitution.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.ucb.Configuration.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Writer.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.UI.WriterWindowState.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.TypeDetection.UISort.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.TabBrowse.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.LDAP.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.UI.WriterCommands.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.WriterWeb.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.System.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Views.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.TypeDetection.Filter.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.ucb.Store.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.UI.GenericCommands.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Addons.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.TypeDetection.Misc.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.VCL.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.DataAccess.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.SFX.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.TypeDetection.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.UserProfile.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.UI.Factories.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Accelerators.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Logging.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.UI.Controller.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.ProtocolHandler.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Events.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Setup.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Compatibility.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.UI.GlobalSettings.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Histories.dat
joe/.openoffice.org/3/user/registry/data/
joe/.openoffice.org/3/user/registry/data/org/
joe/.openoffice.org/3/user/registry/data/org/openoffice/
joe/.openoffice.org/3/user/registry/data/org/openoffice/Office/
joe/.openoffice.org/3/user/registry/data/org/openoffice/Office/Histories.xcu
joe/.openoffice.org/3/user/registry/data/org/openoffice/Office/Recovery.xcu
joe/.openoffice.org/3/user/registry/data/org/openoffice/Office/Common.xcu
joe/.openoffice.org/3/user/registry/data/org/openoffice/Office/Views.xcu
joe/.openoffice.org/3/user/registry/data/org/openoffice/Office/Writer.xcu
joe/.openoffice.org/3/user/registry/data/org/openoffice/Office/UI/
joe/.openoffice.org/3/user/registry/data/org/openoffice/Office/UI/WriterWindowState.xcu
joe/.openoffice.org/3/user/registry/data/org/openoffice/Office/Linguistic.xcu
joe/.openoffice.org/3/user/registry/data/org/openoffice/Setup.xcu
joe/.openoffice.org/3/user/config/
joe/.openoffice.org/3/user/config/javasettings_Linux_x86.xml
joe/.openoffice.org/3/user/config/modern_en-GB.sog
joe/.openoffice.org/3/user/config/autotbl.fmt
joe/.openoffice.org/3/user/config/cmyk.soc
joe/.openoffice.org/3/user/config/palette_en-GB.soc
joe/.openoffice.org/3/user/config/standard.soc
joe/.openoffice.org/3/user/config/soffice.cfg/
joe/.openoffice.org/3/user/config/soffice.cfg/modules/
joe/.openoffice.org/3/user/config/soffice.cfg/modules/swriter/
joe/.openoffice.org/3/user/config/soffice.cfg/modules/swriter/toolbar/
joe/.openoffice.org/3/user/config/soffice.cfg/modules/swriter/images/
joe/.openoffice.org/3/user/config/soffice.cfg/modules/swriter/images/Bitmaps/
joe/.openoffice.org/3/user/config/soffice.cfg/modules/swriter/menubar/
joe/.openoffice.org/3/user/config/soffice.cfg/modules/swriter/statusbar/
joe/.openoffice.org/3/user/config/hatching_en-US_en-ZA.soh
joe/.openoffice.org/3/user/config/standard.sod
joe/.openoffice.org/3/user/config/palette_en-US_en-ZA.soc
joe/.openoffice.org/3/user/config/html.soc
joe/.openoffice.org/3/user/config/arrowhd_en-GB.soe
joe/.openoffice.org/3/user/config/web.soc
joe/.openoffice.org/3/user/config/hatching_en-GB.soh
joe/.openoffice.org/3/user/config/standard.sob
joe/.openoffice.org/3/user/config/modern_en-US_en-ZA.sog
joe/.openoffice.org/3/user/config/standard.soh
joe/.openoffice.org/3/user/config/palette_en-US.soc
joe/.openoffice.org/3/user/config/modern_en-US.sog
joe/.openoffice.org/3/user/config/hatching_en-US.soh
joe/.openoffice.org/3/user/config/standard.sog
joe/.openoffice.org/3/user/config/classic_en-GB.sog
joe/.openoffice.org/3/user/config/styles_en-US.sod
joe/.openoffice.org/3/user/config/arrowhd_en-US_en-ZA.soe
joe/.openoffice.org/3/user/config/classic_en-US.sog
joe/.openoffice.org/3/user/config/classic_en-US_en-ZA.sog
joe/.openoffice.org/3/user/config/gallery.soc
joe/.openoffice.org/3/user/config/standard.soe
joe/.openoffice.org/3/user/config/arrowhd_en-US.soe
joe/.openoffice.org/3/user/config/sun-color.soc
joe/.openoffice.org/3/user/config/styles_en-US_en-ZA.sod
joe/.openoffice.org/3/user/config/styles_en-GB.sod
joe/.openoffice.org/3/user/backup/
joe/.openoffice.org/3/user/template/
joe/.openoffice.org/3/user/psprint/
joe/.openoffice.org/3/user/psprint/driver/
joe/.openoffice.org/3/user/psprint/fontmetric/
joe/.openoffice.org/3/user/psprint/pspfontcache
joe/.openoffice.org/3/user/autocorr/
joe/.openoffice.org/3/user/gallery/
joe/.openoffice.org/3/user/gallery/sg30.thm
joe/.openoffice.org/3/user/gallery/sg30.sdv
joe/.openoffice.org/3/user/gallery/sg100.sdv
joe/.openoffice.org/3/user/gallery/sg100.thm
joe/.openoffice.org/3/user/database/
joe/.openoffice.org/3/user/database/evolocal.odb
joe/.openoffice.org/3/user/database/biblio.odb
joe/.openoffice.org/3/user/database/biblio/
joe/.openoffice.org/3/user/database/biblio/biblio.dbf
joe/.openoffice.org/3/user/database/biblio/biblio.dbt
joe/.openoffice.org/3/user/store/
joe/Documents/
joe/Documents/cryptoD.gpg
joe/Documents/.hiddenDocuments/
joe/Documents/.hiddenDocuments/SuperSecret.odt
joe/gppg-stuff.txt
joe/.thumbnails/
joe/.thumbnails/normal/
joe/.thumbnails/normal/95e207e441e8b3e27f8e31ad31500fee.png
joe/.viminfo
joe/.gnome2_private/
joe/.gimp-2.6/
joe/.gimp-2.6/scripts/
joe/.gimp-2.6/themes/
joe/.gimp-2.6/sessionrc
joe/.gimp-2.6/levels/
joe/.gimp-2.6/brushes/
joe/.gimp-2.6/patterns/
joe/.gimp-2.6/curves/
joe/.gimp-2.6/gfig/
joe/.gimp-2.6/colorrc
joe/.gimp-2.6/controllerrc
joe/.gimp-2.6/templaterc
joe/.gimp-2.6/fractalexplorer/
joe/.gimp-2.6/tmp/
joe/.gimp-2.6/pluginrc
joe/.gimp-2.6/fonts/
joe/.gimp-2.6/parasiterc
joe/.gimp-2.6/modules/
joe/.gimp-2.6/plug-ins/
joe/.gimp-2.6/tool-options/
joe/.gimp-2.6/themerc
joe/.gimp-2.6/menurc
joe/.gimp-2.6/interpreters/
joe/.gimp-2.6/toolrc
joe/.gimp-2.6/gtkrc
joe/.gimp-2.6/environ/
joe/.gimp-2.6/gradients/
joe/.gimp-2.6/gimpressionist/
joe/.gimp-2.6/palettes/
joe/.gimp-2.6/dockrc
joe/.gimp-2.6/unitrc
joe/.gimp-2.6/gflare/
joe/.gimp-2.6/templates/
joe/.update-notifier/
joe/scans/
joe/scans/localhost.scan
joe/Videos/
joe/.gconfd/
joe/.gconfd/saved_state
joe/.recently-used.xbel
joe/.adobe/
joe/.adobe/Flash_Player/
joe/.adobe/Flash_Player/AssetCache/
joe/.adobe/Flash_Player/AssetCache/SZK5XWWC/
joe/.secrets
joe/Templates/
joe/.bash_logout
joe/.local/
joe/.local/share/
joe/.local/share/gvfs-metadata/
joe/.local/share/gvfs-metadata/home-dbd603fd.log
joe/.local/share/gvfs-metadata/home
joe/.blueproximity/
joe/.blueproximity/standard.conf
joe/.gstreamer-0.10/
joe/.gstreamer-0.10/registry.i486.bin

[zoidberg@/dev/null:~/FORENSICS ] $

Oh wow, what do we have here? It looks like the home directory of someone called joe 🙂 My first thought was to grep for something similar to what we had seen in other flags, namely the string ‘Flag:’, so I ran a grep on the joe directory for ‘Flag’:

[zoidberg@/dev/null:~/SMP/CH4 ] $ grep -R 'Flag' joe/
Binary file joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Writer.dat matches
Binary file joe/.openoffice.org/3/user/registry/cache/org.openoffice.TypeDetection.GraphicFilter.dat matches
Binary file joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Common.dat matches
Binary file joe/.openoffice.org/3/user/registry/cache/org.openoffice.TypeDetection.Filter.dat matches
Binary file joe/network_sniff.pcap matches
Binary file joe/.mozilla/firefox/ji5h5a20.default/Cache/47445552d01 matches
Binary file joe/.mozilla/firefox/ji5h5a20.default/Cache/_CACHE_003_ matches
Binary file joe/Downloads/hackerFiles/ntfs-hidden-data-analysis.pdf matches
grep: joe/.pulse/9588dbce1fca58830d10168a4aba6077-runtime: No such file or directory
joe/.gimp-2.6/pluginrc: (proc-arg 0 "at-top" "Flag for drawing numbers at top of film")
joe/.gimp-2.6/pluginrc: (proc-arg 0 "at-bottom" "Flag for drawing numbers at bottom of film")

[zoidberg@/dev/null:~/SMP/CH4 ] $

That narrowed it down to the files above. The only thing that stood out was “Binary file joe/network_sniff.pcap matches”, so I opened the capture in Wireshark. I then did a search on the string ‘File’, which turned up:

2290 532.914137 192.168.15.132 74.52.142.122 HTTP GET /flagg.jpg HTTP/1.1

I hit Follow TCP Stream on the above packet and got the following GET request and response:

GET /flagg.jpg HTTP/1.1
Host: www.penfest.ca
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.4) Gecko/20100611 Firefox/3.6.4 ( .NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive

HTTP/1.1 200 OK
Date: Wed, 30 Jun 2010 01:05:16 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Last-Modified: Wed, 30 Jun 2010 01:04:26 GMT
ETag: "46cc02b-94a5-48a34ef62ba80"
Accept-Ranges: bytes
Content-Length: 38053
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/jpeg


......JFIF.....H.H.....4This is your Flag: Seeing is not always

*** I have cut it short as the rest is random characters ***

BINGO! There you have the flag:

This is your Flag: Seeing is not always
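The same check can be scripted instead of read off the stream dump. The following is an added example, not part of the original write-up: it takes a reassembled HTTP response, cuts out the body, and walks the JPEG header segments to return any comment (COM, 0xFFFE) payloads. It assumes the flag text sat in a COM segment, which the dump supports (the "4" just before the text is consistent with a segment length of 0x0034); the function names are hypothetical and the sample bytes are constructed.

```python
import struct
EOI, SOS, COM = 0xD9, 0xDA, 0xFE

def http_body(response: bytes) -> bytes:
    """Split a reassembled HTTP response and return its body, honouring Content-Length."""
    head, sep, body = response.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator found")
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            return body[:int(value.strip())]
    return body

def jpeg_comments(data: bytes) -> list:
    """Walk the JPEG header segments and return every COM payload before the scan data."""
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG: missing SOI marker")
    pos, comments = 2, []
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                        # fill byte before a marker
            pos += 1
            continue
        if marker in (EOI, SOS):                  # compressed image data follows SOS
            break
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # markers without a length field
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"truncated or corrupt segment at offset {pos}")
        if marker == COM:
            comments.append(data[pos + 4:pos + 2 + length])
        pos += 2 + length
    return comments

# Constructed sample: SOI, JFIF APP0, one COM segment, empty SOS, EOI.
SAMPLE_COMMENT = b"CONSTRUCTED-SAMPLE-COMMENT"
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01\x00H\x00H\x00\x00"
               + b"\xff\xfe" + struct.pack(">H", len(SAMPLE_COMMENT) + 2) + SAMPLE_COMMENT
               + b"\xff\xda\x00\x02\x00\xff\xd9")
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\nContent-Length: "
                   + str(len(SAMPLE_JPEG)).encode() + b"\r\n\r\n" + SAMPLE_JPEG)

if __name__ == "__main__":
    print(jpeg_comments(http_body(SAMPLE_RESPONSE)))
```

Because the length field is checked against the buffer, a stream that was cut short raises an error instead of returning a partial comment.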

I thought this challenge was awesome, I guess that’s because I have never done a forensic challenge before; it has definitely whetted my appetite! Until the next time…
