Challenge 4 Write-Up – SMP CTF 2010 Hacker Olympics…

July 15, 2010 at 12:15 pm (Capture The Flag, SMP CTF)

Hey,

This challenge was beaten by team member HaP. Here is how he did it. The challenge was:

Retrieve the secret key and decipher it.

Website: http://66.225.157.70:8009/level1

When you clicked the link, an authentication box popped up. This was an HTML form submitted with GET, which basically asked you to authenticate with a username and password. Entering some random characters such as “aa” brought you to a page that said “Welcome aa”; entering “administrator” redirected you to a page that said “Denied”. After playing around with the form a bit, we changed the method from GET to POST and re-submitted with “administrator” as the username, which took us to a page full of encoded characters. Straight away you could tell this was base64:

If you save these encoded characters to a file, you can run it through base64 like so:

[zoidberg@/dev/null:~ ] $ cat secretkey.b64 | base64 -d > picture

[zoidberg@/dev/null:~ ] $ file picture
picture: JPEG image data, JFIF standard 1.01, comment: "Created with GIMP\377"

Oooh, what do we have here? A JPEG image. Let's open it in an image viewer. When I opened it in GIMP, I got the following text:

Your flag is: smpCTF is the coolest CTF ever!

The JPEG image can be found here. Now that we had the flag, we found the challenge key in the source of the challenge page:

<!---Challenge Key: de270765 --->

Yay, that was a nice fun level and an interesting way to hide an image 🙂
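As an added example (not the team's code), here is the check `file` did above, done by hand: decode the pasted base64, confirm the JPEG header, and walk its segments to pull out the JFIF version and the COM comment, rejecting a truncated blob instead of accepting it. The sample JPEG inside is constructed, not the challenge's picture.

```python
"""Decode a base64 blob and check that it really is a well-formed JPEG.

Added example, not code from the write-up. It does by hand what file(1) did
in the transcript: verify the SOI marker, walk the segment headers and pull
out the JFIF version and the COM comment. Because it validates every segment
length it reports a truncated or padded blob instead of accepting it.
The sample JPEG at the bottom is constructed here, not the challenge's image.
"""
import base64
import struct

SOI, EOI, SOS, APP0, COM = 0xD8, 0xD9, 0xDA, 0xE0, 0xFE
STANDALONE = {0x01, *range(0xD0, 0xD8)}      # TEM and RSTn carry no length field


def decode_b64(text: str) -> bytes:
    """Strict decode: drop whitespace from a pasted blob, reject any other junk."""
    return base64.b64decode("".join(text.split()), validate=True)


def jpeg_segments(data: bytes):
    """Yield (marker, payload) for each header segment up to SOS or EOI.

    Raises ValueError on anything malformed rather than guessing.
    """
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == EOI:
            return
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        length = struct.unpack_from(">H", data, pos + 2)[0]   # counts its own 2 bytes
        end = pos + 2 + length
        if length < 2 or end > len(data):
            raise ValueError("segment 0x%02X at offset %d runs past end of data" % (marker, pos))
        yield marker, data[pos + 4:end]
        if marker == SOS:
            return                       # entropy-coded scan follows; stop here
        pos = end
    raise ValueError("truncated JPEG: no EOI marker")


def summarize(data: bytes) -> dict:
    """Collect the fields file(1) printed: JFIF version and the COM comment."""
    info = {"jfif": None, "comment": None, "segments": 0}
    for marker, payload in jpeg_segments(data):
        info["segments"] += 1
        if marker == APP0 and payload[:5] == b"JFIF\x00" and len(payload) >= 7:
            info["jfif"] = "%d.%02d" % (payload[5], payload[6])
        elif marker == COM:
            info["comment"] = payload.decode("latin-1")
    return info


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_jpeg() -> bytes:
    """Constructed minimal JPEG (headers only, no scan) with a GIMP-style comment."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"   # version 1.01, no thumbnail
    return (bytes([0xFF, SOI]) + _segment(APP0, app0)
            + _segment(COM, b"Created with GIMP") + bytes([0xFF, EOI]))


# Stand-in for the blob pasted from the web page (constructed, see above).
SAMPLE_B64 = base64.b64encode(build_sample_jpeg()).decode("ascii")

if __name__ == "__main__":
    picture = decode_b64(SAMPLE_B64)
    print(summarize(picture))
    try:
        summarize(picture[:-6])          # chop the comment's tail: must be rejected
    except ValueError as err:
        print("rejected:", err)
```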


Challenge 5 Write-Up – SMP CTF 2010 Hacker Olympics…

July 14, 2010 at 9:26 pm (Capture The Flag, SMP CTF)

Hey,

This was an awesome challenge and my very first crack at forensics. The challenge was simply this:

We are sure we left a flag in here somewhere... Right redsand?

Can you help find it? The file: download

Looking at the challenge page web source, I instantly found the key:

<!--Challenge Key: 74bf0f65-->

Then we downloaded the file, which was simply called ‘forensic1-image’:

[zoidberg@/dev/null:~/SMP/CH4 ] $ file forensic1-image
forensic1-image: rzip compressed data - version 2.1 (15185973 bytes)

Looking at the output of file, we know it is rzip compressed data. I had never heard of rzip until I saw this, so it was time to hit Google. I found the following site on Google here. I then checked my distribution's package database for the utility ‘rzip’, and lo and behold the following turned up:

rzip - compression program for large files

I installed it and proceeded to decompress the image file:

[zoidberg@/dev/null:~/SMP/CH4 ] $ mv forensic1-image forensic1-image.rz
[zoidberg@/dev/null:~/SMP/CH4 ] $ rzip -d forensic1-image.rz
[zoidberg@/dev/null:~/SMP/CH4 ] $ ls
total 14832
-rw-r--r-- 1 zoidberg zoidberg 15185973 2010-07-10 00:41 forensic1-image

[zoidberg@/dev/null:~/SMP/CH4 ] $ file forensic1-image
forensic1-image: LHarc 1.x/ARX archive data [lh0]

[zoidberg@/dev/null:~/SMP/CH4 ] $

rzip allowed me to extract the file. I then checked the result, again with the file utility, which told me it was an LHarc archive. Then I proceeded to extract the data:

[zoidberg@/dev/null:~/SMP/CH4 ] $ lha e forensic1-image
FS.tar - Melted : oooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

[zoidberg@/dev/null:~/SMP/CH4 ] $ ls
total 29664
-rw-r--r-- 1 zoidberg zoidberg 15185973 2010-07-10 00:41 forensic1-image
-rw-r--r-- 1 zoidberg zoidberg 15185920 2010-06-30 02:53 FS.tar

After extracting that, I was left with a POSIX tar archive:

[zoidberg@/dev/null:~/SMP/CH4 ] $ file FS.tar
FS.tar: POSIX tar archive (GNU)

[zoidberg@/dev/null:~/SMP/CH4 ] $ tar xvf FS.tar
FS

[zoidberg@/dev/null:~/SMP/CH4 ] $ file FS
FS: bzip2 compressed data, block size = 900k

[zoidberg@/dev/null:~/SMP/CH4 ] $ bunzip2 FS.bz2

[zoidberg@/dev/null:~/SMP/CH4 ] $ ls
total 44476
-rw-r--r-- 1 zoidberg zoidberg 15185973 2010-07-10 00:41 forensic1-image
-rw-r--r-- 1 zoidberg zoidberg 15163583 2010-06-30 02:52 FS
-rw-r--r-- 1 zoidberg zoidberg 15185920 2010-06-30 02:53 FS.tar

I extracted the tar archive, which gave me a bzip2 archive; I extracted that, and guess what? Yes, you guessed it, yet another archive:

[zoidberg@/dev/null:~/SMP/CH4 ] $ file FS
FS: gzip compressed data, was "FS", from Unix, last modified: Wed Jun 30 02:42:18 2010, max compression

[zoidberg@/dev/null:~/SMP/CH4 ] $ mv FS FS.gz

[zoidberg@/dev/null:~/SMP/CH4 ] $ gunzip FS.gz

[zoidberg@/dev/null:~/SMP/CH4 ] $ ls
total 93688
-rw-r--r-- 1 zoidberg zoidberg 15185973 2010-07-10 00:41 forensic1-image
-rw-r--r-- 1 zoidberg zoidberg 65560576 2010-06-30 02:52 FS
-rw-r--r-- 1 zoidberg zoidberg 15185920 2010-06-30 02:53 FS.tar

[zoidberg@/dev/null:~/SMP/CH4 ] $ file FS
FS: Linux rev 1.0 ext2 filesystem data, UUID=c8a4643d-d89b-43db-bae8-6192db41dcc1 (large files)

This time it was a gzip compressed data file. I extracted that and was left with an ext2 filesystem image… ooohh, now we're getting a little bit more interesting. So I proceeded to mount the ext2 filesystem on a loop device and take a look at what was there:

[zoidberg@/dev/null:~/SMP/CH4 ] $ ls
total 93688
-rw-r--r-- 1 zoidberg zoidberg 15185973 2010-07-10 00:41 forensic1-image
-rw-r--r-- 1 zoidberg zoidberg 65560576 2010-06-30 02:52 FS
-rw-r--r-- 1 zoidberg zoidberg 15185920 2010-06-30 02:53 FS.tar

[zoidberg@/dev/null:~/SMP/CH4 ] $ mkdir mnt

[zoidberg@/dev/null:~/SMP/CH4 ] $ sudo mount -t ext2 -o loop FS mnt/

[zoidberg@/dev/null:~/SMP/CH4 ] $ ls
total 93692
-rw-r--r-- 1 zoidberg zoidberg 15185973 2010-07-10 00:41 forensic1-image
-rw-r--r-- 1 zoidberg zoidberg 65560576 2010-06-30 02:52 FS
-rw-r--r-- 1 zoidberg zoidberg 15185920 2010-06-30 02:53 FS.tar
drwxr-xr-x 3 root root 4096 2010-06-30 02:50 mnt

[zoidberg@/dev/null:~/SMP/CH4 ] $ ls mnt/
total 15392
-rw-r--r-- 1 root root 15723366 2010-06-30 02:50 forensic_image
drwx------ 2 root root 16384 2010-06-30 02:42 lost+found

After I mounted the filesystem I was left with yet another file, forensic_image; there was nothing in the lost+found directory. So let's investigate this forensic_image:

[zoidberg@/dev/null:/mnt ] $ file forensic_image
forensic_image: data

[zoidberg@/dev/null:~/SMP/CH4/mnt ] $ hexdump -C forensic_image |head
00000000 00 e9 55 43 4c ff 01 1a 00 00 00 01 2d 07 00 04 |..UCL.......-...| <--- UCL!!
00000010 00 00 00 04 00 00 00 04 00 00 6a 6f 65 2f 00 00 |..........joe/..|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 30 |..............00|
00000080 30 30 37 35 35 00 30 30 30 31 37 35 33 00 30 30 |00755.0001753.00|
00000090 30 31 37 35 35 00 30 30 30 30 30 30 30 30 30 30 |01755.0000000000|
000000a0 30 00 31 31 34 31 32 35 31 35 32 30 30 00 30 30 |0.11412515200.00|
000000b0 37 37 34 36 00 20 35 00 00 00 00 00 00 00 00 00 |7746. 5.........|
000000c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|

OK so, file reported it as plain data, but checking it with the hexdump utility gives us a hint as to what type of file it is: the first bytes spell out UCL. UCL is a compression library; more information and the tools you need to decompress these files are available from here. So let's see what's inside it:

[root@/dev/null:~/SMP/CH4 ] $ ./uclpack -d forensic_image uclunpacked-image

UCL data compression library (v1.03, Jul 20 2004).
Copyright (C) 1996-2004 Markus Franz Xaver Johannes Oberhumer
http://www.oberhumer.com/opensource/ucl/

uclpack: block-size is 262144 bytes
uclpack: decompressed 15723366 into 31989760 bytes

[root@/dev/null:~/SMP/CH4 ] $ ls
total 124940
-rw-r--r-- 1 zoidberg zoidberg 15185973 2010-07-10 00:41 forensic1-image
-rw-r--r-- 1 zoidberg zoidberg 4415 2010-07-13 13:18 forensic-writeup
-rw-r--r-- 1 zoidberg zoidberg 65560576 2010-06-30 02:52 FS
-rw-r--r-- 1 zoidberg zoidberg 15185920 2010-06-30 02:53 FS.tar
drwxr-xr-x 3 root root 4096 2010-06-30 02:50 mnt
-rw-r--r-- 1 root root 31989760 2010-07-13 13:26 uclunpacked-image

[root@/dev/null:~/SMP/CH4 ] $ file uclunpacked-image
uclunpacked-image: POSIX tar archive (GNU)
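As an added example (not the team's code), a small identifier for the layers just peeled: it checks the same magic bytes `file` keyed on at each step, including offset-based ones such as tar's "ustar" at byte 257 and the ext2 superblock magic at byte 1080, and reads the header fields `file` printed. The sample headers inside are constructed, not taken from the challenge image.

```python
"""Identify each layer of a nested container by magic bytes, file(1) style.
Added example, not code from the write-up: it covers exactly the formats the
challenge stacked (rzip, LHA, tar, bzip2, gzip, ext2, UCL) and reads the header
fields file(1) printed. Sample headers at the bottom are constructed, not real.
"""
import struct
import uuid
from datetime import datetime, timezone

# (format, offset, signature). Offsets matter: LHA keys on the method id at byte
# 2, tar on "ustar" at byte 257, ext2 on superblock magic 0xEF53 at byte 1080.
SIGNATURES = [
    ("rzip",  0,     b"RZIP"),
    ("gzip",  0,     b"\x1f\x8b"),
    ("bzip2", 0,     b"BZh"),
    ("ucl",   0,     b"\x00\xe9UCL\xff\x01\x1a"),   # uclpack stream, as in the hexdump
    ("lha",   2,     b"-lh"),
    ("tar",   257,   b"ustar"),
    ("ext2",  0x438, b"\x53\xef"),                  # 0xEF53 stored little-endian
]

def identify(blob):
    """Return the first format whose signature matches, or None."""
    for name, off, sig in SIGNATURES:
        if blob[off:off + len(sig)] == sig:
            return name
    return None

def _gzip_details(b):
    # RFC 1952 header: ID1 ID2 CM FLG MTIME(4) XFL OS, then optional fields.
    flg, mtime, xfl, osb = struct.unpack_from("<xxxBIBB", b, 0)
    pos = 10
    if flg & 0x04:                                   # FEXTRA comes before FNAME
        pos += 2 + struct.unpack_from("<H", b, pos)[0]
    parts = []
    if flg & 0x08:                                   # FNAME: NUL-terminated name
        parts.append('was "%s"' % b[pos:b.index(b"\x00", pos)].decode("latin-1"))
    parts.append("from Unix" if osb == 3 else "from OS %d" % osb)
    stamp = datetime.fromtimestamp(mtime, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y")
    parts.append("last modified: " + stamp)
    if xfl == 2:
        parts.append("max compression")
    return ", ".join(parts)

def _ext2_details(b):
    sb = 1024                                        # primary superblock offset
    minor = struct.unpack_from("<H", b, sb + 0x3E)[0]
    rev = struct.unpack_from("<I", b, sb + 0x4C)[0]
    ro_compat = struct.unpack_from("<I", b, sb + 0x64)[0]
    text = "rev %d.%d, UUID=%s" % (rev, minor, uuid.UUID(bytes=b[sb + 0x68:sb + 0x78]))
    if ro_compat & 0x2:                              # RO_COMPAT_LARGE_FILE
        text += " (large files)"
    return text

def describe(blob):
    """One-line description of the blob, in the spirit of file(1)."""
    kind = identify(blob)
    if kind == "rzip":          # "RZIP", major, minor, then big-endian raw length
        size = struct.unpack_from(">I", blob, 6)[0]
        return "rzip compressed data - version %d.%d (%d bytes)" % (blob[4], blob[5], size)
    if kind == "lha":           # method id "-lh0-" at byte 2
        return "LHarc archive data [%s]" % blob[3:6].decode("ascii")
    if kind == "tar":           # GNU tar writes "ustar  \0"; POSIX writes "ustar\0" "00"
        flavour = " (GNU)" if blob[257:265] == b"ustar  \x00" else ""
        name = blob[:100].split(b"\x00", 1)[0].decode("latin-1")
        return "POSIX tar archive%s, first entry %r" % (flavour, name)
    if kind == "bzip2":         # "BZh" + level digit; block size = level x 100k
        return "bzip2 compressed data, block size = %d00k" % (blob[3] - 0x30)
    if kind == "gzip":
        return "gzip compressed data, " + _gzip_details(blob)
    if kind == "ext2":
        return "Linux ext2 filesystem data, " + _ext2_details(blob)
    return "%s compressed data" % kind if kind else "data"

def sample_ext2():
    # Constructed 2 KiB image: only the superblock fields read above are filled.
    img = bytearray(2048)
    struct.pack_into("<HHHH", img, 1024 + 0x38, 0xEF53, 1, 1, 0)  # magic, state, errors, minor
    struct.pack_into("<I", img, 1024 + 0x4C, 1)                  # s_rev_level
    struct.pack_into("<I", img, 1024 + 0x64, 0x2)                # s_feature_ro_compat
    img[1024 + 0x68:1024 + 0x78] = uuid.UUID("c8a4643d-d89b-43db-bae8-6192db41dcc1").bytes
    return bytes(img)

def sample_tar():
    # Constructed 512-byte GNU tar header for the "joe/" entry seen in the hexdump.
    hdr = bytearray(512)
    hdr[0:4], hdr[100:108], hdr[257:265] = b"joe/", b"0000755\x00", b"ustar  \x00"
    return bytes(hdr)

# Constructed sample headers, one per layer the write-up peeled.
SAMPLES = {
    "rzip":  b"RZIP\x02\x01" + struct.pack(">I", 15185973),
    "lha":   b"\x1e\x00-lh0-",
    "bzip2": b"BZh91AY&SY",
    "ucl":   b"\x00\xe9UCL\xff\x01\x1a",
    # FLG=FNAME, mtime 2010-06-30 02:42:18 UTC, XFL=2 (best), OS=3 (Unix), name "FS"
    "gzip":  b"\x1f\x8b\x08\x08" + struct.pack("<I", 1277865738) + b"\x02\x03FS\x00",
    "tar":   sample_tar(),
    "ext2":  sample_ext2(),
}
```

Running `describe` over each entry of `SAMPLES` reproduces the lines `file` printed in the transcript; a blob whose name says one thing and whose bytes say another is caught the same way the write-up caught `FS`.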

OK so, back to another tar archive. Let's extract it and see what we have:

[zoidberg@/dev/null:~/FORENSICS ] $ sudo tar xvf uclunpacked-image.tar
joe/
joe/.dbus/
joe/.dbus/session-bus/
joe/.dbus/session-bus/9588dbce1fca58830d10168a4aba6077-2
joe/.dbus/session-bus/9588dbce1fca58830d10168a4aba6077-1
joe/Public/
joe/.bashrc
joe/examples.desktop
joe/.fontconfig/
joe/.fontconfig/10b13308be32295bb2869d1e42a8fb41-x86.cache-2
joe/Downloads/
joe/Downloads/hackerFiles/
joe/Downloads/hackerFiles/ntfs-hidden-data-analysis.pdf
joe/.nautilus/
joe/.xine/
joe/.xine/catalog.cache
joe/.ssh/
joe/.config/
joe/.config/gnome-disk-utility/
joe/.config/gnome-disk-utility/ata-smart-ignore/
joe/.config/compiz/
joe/.config/compiz/compizconfig/
joe/.config/compiz/compizconfig/config
joe/.config/user-dirs.locale
joe/.config/gnome-session/
joe/.config/gnome-session/saved-session/
joe/.config/user-dirs.dirs
joe/.config/gtk-2.0/
joe/.config/gtk-2.0/gtkfilechooser.ini
joe/network_sniff.pcap
joe/.pulse/
joe/.pulse/9588dbce1fca58830d10168a4aba6077-runtime
joe/.pulse/9588dbce1fca58830d10168a4aba6077-stream-volumes.tdb
joe/.pulse/9588dbce1fca58830d10168a4aba6077-device-volumes.tdb
joe/.pulse/9588dbce1fca58830d10168a4aba6077-card-database.tdb
joe/.pulse/9588dbce1fca58830d10168a4aba6077-default-source
joe/.pulse/9588dbce1fca58830d10168a4aba6077-default-sink
joe/.compiz/
joe/.compiz/session/
joe/.compiz/session/1025d49d578b178380127463786965591400000185720025
joe/.compiz/session/10273bd0f849d10abc127465244339743600000011830025
joe/.bash_history
joe/.profile
joe/.gvfs/
joe/.gnupg/
joe/.gnupg/random_seed
joe/.gnupg/pubring.gpg
joe/.gnupg/secring.gpg
joe/.gnupg/pubring.gpg~
joe/.gnupg/trustdb.gpg
joe/.gnupg/gpg.conf
joe/.ICEauthority
joe/JoeHackerPrivate.gpg
joe/.gegl-0.0/
joe/.gegl-0.0/plug-ins/
joe/.gegl-0.0/plug-ins/Makefile
joe/.gegl-0.0/swap/
joe/Music/
joe/.gconf/
joe/.gconf/desktop/
joe/.gconf/desktop/%gconf.xml
joe/.gconf/desktop/gnome/
joe/.gconf/desktop/gnome/peripherals/
joe/.gconf/desktop/gnome/peripherals/keyboard/
joe/.gconf/desktop/gnome/peripherals/keyboard/%gconf.xml
joe/.gconf/desktop/gnome/peripherals/keyboard/kbd/
joe/.gconf/desktop/gnome/peripherals/keyboard/kbd/%gconf.xml
joe/.gconf/desktop/gnome/peripherals/%gconf.xml
joe/.gconf/desktop/gnome/peripherals/touchpad/
joe/.gconf/desktop/gnome/peripherals/touchpad/%gconf.xml
joe/.gconf/desktop/gnome/accessibility/
joe/.gconf/desktop/gnome/accessibility/keyboard/
joe/.gconf/desktop/gnome/accessibility/keyboard/%gconf.xml
joe/.gconf/desktop/gnome/accessibility/%gconf.xml
joe/.gconf/desktop/gnome/applications/
joe/.gconf/desktop/gnome/applications/%gconf.xml
joe/.gconf/desktop/gnome/applications/window_manager/
joe/.gconf/desktop/gnome/applications/window_manager/%gconf.xml
joe/.gconf/desktop/gnome/%gconf.xml
joe/.gconf/apps/
joe/.gconf/apps/gnome-terminal/
joe/.gconf/apps/gnome-terminal/%gconf.xml
joe/.gconf/apps/gnome-terminal/profiles/
joe/.gconf/apps/gnome-terminal/profiles/Default/
joe/.gconf/apps/gnome-terminal/profiles/Default/%gconf.xml
joe/.gconf/apps/gnome-terminal/profiles/%gconf.xml
joe/.gconf/apps/gedit-2/
joe/.gconf/apps/gedit-2/%gconf.xml
joe/.gconf/apps/gedit-2/preferences/
joe/.gconf/apps/gedit-2/preferences/%gconf.xml
joe/.gconf/apps/gedit-2/preferences/ui/
joe/.gconf/apps/gedit-2/preferences/ui/statusbar/
joe/.gconf/apps/gedit-2/preferences/ui/statusbar/%gconf.xml
joe/.gconf/apps/gedit-2/preferences/ui/%gconf.xml
joe/.gconf/apps/gedit-2/plugins/
joe/.gconf/apps/gedit-2/plugins/filebrowser/
joe/.gconf/apps/gedit-2/plugins/filebrowser/%gconf.xml
joe/.gconf/apps/gedit-2/plugins/filebrowser/on_load/
joe/.gconf/apps/gedit-2/plugins/filebrowser/on_load/%gconf.xml
joe/.gconf/apps/gedit-2/plugins/%gconf.xml
joe/.gconf/apps/compiz/
joe/.gconf/apps/compiz/general/
joe/.gconf/apps/compiz/general/allscreens/
joe/.gconf/apps/compiz/general/allscreens/%gconf.xml
joe/.gconf/apps/compiz/general/allscreens/options/
joe/.gconf/apps/compiz/general/allscreens/options/%gconf.xml
joe/.gconf/apps/compiz/general/%gconf.xml
joe/.gconf/apps/compiz/%gconf.xml
joe/.gconf/apps/nautilus/
joe/.gconf/apps/nautilus/desktop-metadata/
joe/.gconf/apps/nautilus/desktop-metadata/%gconf.xml
joe/.gconf/apps/nautilus/desktop-metadata/directory/
joe/.gconf/apps/nautilus/desktop-metadata/directory/%gconf.xml
joe/.gconf/apps/nautilus/%gconf.xml
joe/.gconf/apps/nautilus/preferences/
joe/.gconf/apps/nautilus/preferences/%gconf.xml
joe/.gconf/apps/panel/
joe/.gconf/apps/panel/general/
joe/.gconf/apps/panel/general/%gconf.xml
joe/.gconf/apps/panel/objects/
joe/.gconf/apps/panel/objects/menu_bar_screen0/
joe/.gconf/apps/panel/objects/menu_bar_screen0/%gconf.xml
joe/.gconf/apps/panel/objects/browser_launcher_screen0/
joe/.gconf/apps/panel/objects/browser_launcher_screen0/%gconf.xml
joe/.gconf/apps/panel/objects/yelp_launcher_screen1/
joe/.gconf/apps/panel/objects/yelp_launcher_screen1/%gconf.xml
joe/.gconf/apps/panel/objects/%gconf.xml
joe/.gconf/apps/panel/objects/menu_bar_screen1/
joe/.gconf/apps/panel/objects/menu_bar_screen1/%gconf.xml
joe/.gconf/apps/panel/objects/yelp_launcher_screen0/
joe/.gconf/apps/panel/objects/yelp_launcher_screen0/%gconf.xml
joe/.gconf/apps/panel/objects/browser_launcher_screen1/
joe/.gconf/apps/panel/objects/browser_launcher_screen1/%gconf.xml
joe/.gconf/apps/panel/toplevels/
joe/.gconf/apps/panel/toplevels/bottom_panel_screen1/
joe/.gconf/apps/panel/toplevels/bottom_panel_screen1/background/
joe/.gconf/apps/panel/toplevels/bottom_panel_screen1/background/%gconf.xml
joe/.gconf/apps/panel/toplevels/bottom_panel_screen1/%gconf.xml
joe/.gconf/apps/panel/toplevels/bottom_panel_screen0/
joe/.gconf/apps/panel/toplevels/bottom_panel_screen0/background/
joe/.gconf/apps/panel/toplevels/bottom_panel_screen0/background/%gconf.xml
joe/.gconf/apps/panel/toplevels/bottom_panel_screen0/%gconf.xml
joe/.gconf/apps/panel/toplevels/top_panel_screen1/
joe/.gconf/apps/panel/toplevels/top_panel_screen1/background/
joe/.gconf/apps/panel/toplevels/top_panel_screen1/background/%gconf.xml
joe/.gconf/apps/panel/toplevels/top_panel_screen1/%gconf.xml
joe/.gconf/apps/panel/toplevels/%gconf.xml
joe/.gconf/apps/panel/toplevels/top_panel_screen0/
joe/.gconf/apps/panel/toplevels/top_panel_screen0/background/
joe/.gconf/apps/panel/toplevels/top_panel_screen0/background/%gconf.xml
joe/.gconf/apps/panel/toplevels/top_panel_screen0/%gconf.xml
joe/.gconf/apps/panel/%gconf.xml
joe/.gconf/apps/panel/applets/
joe/.gconf/apps/panel/applets/show_desktop_button_screen1/
joe/.gconf/apps/panel/applets/show_desktop_button_screen1/%gconf.xml
joe/.gconf/apps/panel/applets/notification_area_screen1/
joe/.gconf/apps/panel/applets/notification_area_screen1/%gconf.xml
joe/.gconf/apps/panel/applets/show_desktop_button_screen0/
joe/.gconf/apps/panel/applets/show_desktop_button_screen0/%gconf.xml
joe/.gconf/apps/panel/applets/notification_area_screen0/
joe/.gconf/apps/panel/applets/notification_area_screen0/%gconf.xml
joe/.gconf/apps/panel/applets/trashapplet_screen1/
joe/.gconf/apps/panel/applets/trashapplet_screen1/%gconf.xml
joe/.gconf/apps/panel/applets/%gconf.xml
joe/.gconf/apps/panel/applets/indicator_applet_screen1/
joe/.gconf/apps/panel/applets/indicator_applet_screen1/%gconf.xml
joe/.gconf/apps/panel/applets/window_list_screen1/
joe/.gconf/apps/panel/applets/window_list_screen1/%gconf.xml
joe/.gconf/apps/panel/applets/window_list_screen1/prefs/
joe/.gconf/apps/panel/applets/window_list_screen1/prefs/%gconf.xml
joe/.gconf/apps/panel/applets/clock_screen1/
joe/.gconf/apps/panel/applets/clock_screen1/%gconf.xml
joe/.gconf/apps/panel/applets/clock_screen1/prefs/
joe/.gconf/apps/panel/applets/clock_screen1/prefs/%gconf.xml
joe/.gconf/apps/panel/applets/workspace_switcher_screen1/
joe/.gconf/apps/panel/applets/workspace_switcher_screen1/%gconf.xml
joe/.gconf/apps/panel/applets/workspace_switcher_screen1/prefs/
joe/.gconf/apps/panel/applets/workspace_switcher_screen1/prefs/%gconf.xml
joe/.gconf/apps/panel/applets/indicator_applet_screen0/
joe/.gconf/apps/panel/applets/indicator_applet_screen0/%gconf.xml
joe/.gconf/apps/panel/applets/workspace_switcher_screen0/
joe/.gconf/apps/panel/applets/workspace_switcher_screen0/%gconf.xml
joe/.gconf/apps/panel/applets/workspace_switcher_screen0/prefs/
joe/.gconf/apps/panel/applets/workspace_switcher_screen0/prefs/%gconf.xml
joe/.gconf/apps/panel/applets/fast_user_switch_screen0/
joe/.gconf/apps/panel/applets/fast_user_switch_screen0/%gconf.xml
joe/.gconf/apps/panel/applets/fast_user_switch_screen1/
joe/.gconf/apps/panel/applets/fast_user_switch_screen1/%gconf.xml
joe/.gconf/apps/panel/applets/trashapplet_screen0/
joe/.gconf/apps/panel/applets/trashapplet_screen0/%gconf.xml
joe/.gconf/apps/panel/applets/window_list_screen0/
joe/.gconf/apps/panel/applets/window_list_screen0/%gconf.xml
joe/.gconf/apps/panel/applets/window_list_screen0/prefs/
joe/.gconf/apps/panel/applets/window_list_screen0/prefs/%gconf.xml
joe/.gconf/apps/panel/applets/clock_screen0/
joe/.gconf/apps/panel/applets/clock_screen0/%gconf.xml
joe/.gconf/apps/panel/applets/clock_screen0/prefs/
joe/.gconf/apps/panel/applets/clock_screen0/prefs/%gconf.xml
joe/.gconf/apps/%gconf.xml
joe/.gconf/apps/seahorse/
joe/.gconf/apps/seahorse/%gconf.xml
joe/.gconf/apps/seahorse/windows/
joe/.gconf/apps/seahorse/windows/%gconf.xml
joe/.gconf/apps/seahorse/listing/
joe/.gconf/apps/seahorse/listing/%gconf.xml
joe/.gconf/apps/evolution/
joe/.gconf/apps/evolution/%gconf.xml
joe/.gconf/apps/evolution/calendar/
joe/.gconf/apps/evolution/calendar/%gconf.xml
joe/.gconf/apps/evolution/calendar/notify/
joe/.gconf/apps/evolution/calendar/notify/%gconf.xml
joe/.gconf/apps/brasero/
joe/.gconf/apps/brasero/%gconf.xml
joe/.gconf/apps/brasero/config/
joe/.gconf/apps/brasero/config/priority/
joe/.gconf/apps/brasero/config/priority/%gconf.xml
joe/.gconf/apps/brasero/config/%gconf.xml
joe/Pictures/
joe/Pictures/logo.gif
joe/Pictures/chuck_norris_random_fact_generator_6_3957_2224_image_2561.jpg
joe/Pictures/chuck_norris_random_fact_generator_6_3957_2224_image_2578.jpg
joe/Pictures/funny_421.jpg
joe/.esd_auth
joe/.xsession-errors
joe/.gtk-bookmarks
joe/.mozilla/
joe/.mozilla/firefox/
joe/.mozilla/firefox/profiles.ini
joe/.mozilla/firefox/ji5h5a20.default/
joe/.mozilla/firefox/ji5h5a20.default/compreg.dat
joe/.mozilla/firefox/ji5h5a20.default/chrome/
joe/.mozilla/firefox/ji5h5a20.default/chrome/userContent-example.css
joe/.mozilla/firefox/ji5h5a20.default/chrome/userChrome-example.css
joe/.mozilla/firefox/ji5h5a20.default/mimeTypes.rdf
joe/.mozilla/firefox/ji5h5a20.default/key3.db
joe/.mozilla/firefox/ji5h5a20.default/compatibility.ini
joe/.mozilla/firefox/ji5h5a20.default/XPC.mfasl
joe/.mozilla/firefox/ji5h5a20.default/cert8.db
joe/.mozilla/firefox/ji5h5a20.default/pluginreg.dat
joe/.mozilla/firefox/ji5h5a20.default/extensions/
joe/.mozilla/firefox/ji5h5a20.default/formhistory.sqlite
joe/.mozilla/firefox/ji5h5a20.default/extensions.ini
joe/.mozilla/firefox/ji5h5a20.default/downloads.sqlite
joe/.mozilla/firefox/ji5h5a20.default/search.sqlite
joe/.mozilla/firefox/ji5h5a20.default/places.sqlite-journal
joe/.mozilla/firefox/ji5h5a20.default/urlclassifierkey3.txt
joe/.mozilla/firefox/ji5h5a20.default/signons.sqlite
joe/.mozilla/firefox/ji5h5a20.default/extensions.rdf
joe/.mozilla/firefox/ji5h5a20.default/prefs.js
joe/.mozilla/firefox/ji5h5a20.default/search.json
joe/.mozilla/firefox/ji5h5a20.default/secmod.db
joe/.mozilla/firefox/ji5h5a20.default/.parentlock
joe/.mozilla/firefox/ji5h5a20.default/cookies.sqlite
joe/.mozilla/firefox/ji5h5a20.default/bookmarks.html
joe/.mozilla/firefox/ji5h5a20.default/localstore.rdf
joe/.mozilla/firefox/ji5h5a20.default/Cache/
joe/.mozilla/firefox/ji5h5a20.default/Cache/_CACHE_003_
joe/.mozilla/firefox/ji5h5a20.default/Cache/2A32E8DAd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/BD3457DEd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/3954CE6Ed01
joe/.mozilla/firefox/ji5h5a20.default/Cache/2F85709Ad01
joe/.mozilla/firefox/ji5h5a20.default/Cache/47445552d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/E0A9A442d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/611C9EECd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/5634D1F9d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/5B0122ACd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/6B8C2D8Ed01
joe/.mozilla/firefox/ji5h5a20.default/Cache/A843C8B8d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/47C815E0d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/A8A78C65d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/0F03B2C5d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/D7DFB6FAd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/_CACHE_002_
joe/.mozilla/firefox/ji5h5a20.default/Cache/A718913Ad01
joe/.mozilla/firefox/ji5h5a20.default/Cache/60F3724Bd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/6D7313F3d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/EAE50599d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/1BB76077d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/FCC698B7d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/0B66D1E4d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/2B2A6EB8d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/8E40E94Fd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/A1FB26EBd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/F9D7526Fd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/1F9212B5d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/4E25B9B1d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/BC64C5CFd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/6A26639Ad01
joe/.mozilla/firefox/ji5h5a20.default/Cache/35B9FFA4d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/67C3D603d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/6FD58703d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/323F825Dd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/24ABAC5Ed01
joe/.mozilla/firefox/ji5h5a20.default/Cache/1AE4C69Dd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/_CACHE_001_
joe/.mozilla/firefox/ji5h5a20.default/Cache/ED38E2E7d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/A9D1B795d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/1F09BCFDd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/E7A5F3EFd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/F9D0526Fd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/1FF0F532d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/63B1734Bd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/36A05174d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/E461A381d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/444225A7d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/642BEFBCd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/0509B832d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/75687CC9d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/D96BCE28d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/BE437AE0d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/_CACHE_MAP_
joe/.mozilla/firefox/ji5h5a20.default/Cache/D97B28E1d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/4B46226Fd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/F5C1B0B4d01
joe/.mozilla/firefox/ji5h5a20.default/Cache/A4B02E4Bd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/F0FDAB5Ad01
joe/.mozilla/firefox/ji5h5a20.default/Cache/582030EBd01
joe/.mozilla/firefox/ji5h5a20.default/Cache/A842CB0Ed01
joe/.mozilla/firefox/ji5h5a20.default/Cache/DBA2D3E0d01
joe/.mozilla/firefox/ji5h5a20.default/xpti.dat
joe/.mozilla/firefox/ji5h5a20.default/XUL.mfasl
joe/.mozilla/firefox/ji5h5a20.default/permissions.sqlite
joe/.mozilla/firefox/ji5h5a20.default/bookmarkbackups/
joe/.mozilla/firefox/ji5h5a20.default/bookmarkbackups/bookmarks-2010-05-23.json
joe/.mozilla/firefox/ji5h5a20.default/urlclassifier3.sqlite
joe/.mozilla/firefox/ji5h5a20.default/places.sqlite
joe/.mozilla/firefox/ji5h5a20.default/extensions.cache
joe/.mozilla/firefox/ji5h5a20.default/content-prefs.sqlite
joe/.mozilla/extensions/
joe/.mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/
joe/Desktop/
joe/Joe Hacker.asc
joe/.macromedia/
joe/.macromedia/Flash_Player/
joe/.macromedia/Flash_Player/macromedia.com/
joe/.macromedia/Flash_Player/macromedia.com/support/
joe/.macromedia/Flash_Player/macromedia.com/support/flashplayer/
joe/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/
joe/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/#www.smilebox.com/
joe/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/#www.smilebox.com/settings.sol
joe/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/settings.sol
joe/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/#smilebox.com/
joe/.macromedia/Flash_Player/macromedia.com/support/flashplayer/sys/#smilebox.com/settings.sol
joe/.macromedia/Flash_Player/#SharedObjects/
joe/.macromedia/Flash_Player/#SharedObjects/TLHF5ZK7/
joe/.macromedia/Flash_Player/#SharedObjects/TLHF5ZK7/www.smilebox.com/
joe/.macromedia/Flash_Player/#SharedObjects/TLHF5ZK7/www.smilebox.com/smilebox_webusage.sol
joe/.macromedia/Flash_Player/#SharedObjects/TLHF5ZK7/smilebox.com/
joe/.macromedia/Flash_Player/#SharedObjects/TLHF5ZK7/smilebox.com/smilebox_clientproperties.sol
joe/.cache/
joe/.cache/gedit/
joe/.cache/gedit/gedit-metadata.xml
joe/.cache/compizconfig/
joe/.cache/compizconfig/ezoom.pb
joe/.cache/compizconfig/loginout.pb
joe/.cache/compizconfig/titleinfo.pb
joe/.cache/compizconfig/commands.pb
joe/.cache/compizconfig/gears.pb
joe/.cache/compizconfig/switcher.pb
joe/.cache/compizconfig/obs.pb
joe/.cache/compizconfig/session.pb
joe/.cache/compizconfig/splash.pb
joe/.cache/compizconfig/shelf.pb
joe/.cache/compizconfig/reflex.pb
joe/.cache/compizconfig/wobbly.pb
joe/.cache/compizconfig/svg.pb
joe/.cache/compizconfig/core.pb
joe/.cache/compizconfig/wallpaper.pb
joe/.cache/compizconfig/inotify.pb
joe/.cache/compizconfig/mblur.pb
joe/.cache/compizconfig/bicubic.pb
joe/.cache/compizconfig/crashhandler.pb
joe/.cache/compizconfig/extrawm.pb
joe/.cache/compizconfig/scaleaddon.pb
joe/.cache/compizconfig/scale.pb
joe/.cache/compizconfig/snap.pb
joe/.cache/compizconfig/showdesktop.pb
joe/.cache/compizconfig/colorfilter.pb
joe/.cache/compizconfig/resize.pb
joe/.cache/compizconfig/blur.pb
joe/.cache/compizconfig/bench.pb
joe/.cache/compizconfig/firepaint.pb
joe/.cache/compizconfig/dbus.pb
joe/.cache/compizconfig/screenshot.pb
joe/.cache/compizconfig/cubeaddon.pb
joe/.cache/compizconfig/zoom.pb
joe/.cache/compizconfig/regex.pb
joe/.cache/compizconfig/rotate.pb
joe/.cache/compizconfig/put.pb
joe/.cache/compizconfig/text.pb
joe/.cache/compizconfig/workarounds.pb
joe/.cache/compizconfig/widget.pb
joe/.cache/compizconfig/fade.pb
joe/.cache/compizconfig/ring.pb
joe/.cache/compizconfig/water.pb
joe/.cache/compizconfig/mousepoll.pb
joe/.cache/compizconfig/mag.pb
joe/.cache/compizconfig/grid.pb
joe/.cache/compizconfig/staticswitcher.pb
joe/.cache/compizconfig/thumbnail.pb
joe/.cache/compizconfig/vpswitch.pb
joe/.cache/compizconfig/animationaddon.pb
joe/.cache/compizconfig/place.pb
joe/.cache/compizconfig/fs.pb
joe/.cache/compizconfig/winrules.pb
joe/.cache/compizconfig/maximumize.pb
joe/.cache/compizconfig/gnomecompat.pb
joe/.cache/compizconfig/annotate.pb
joe/.cache/compizconfig/opacify.pb
joe/.cache/compizconfig/fadedesktop.pb
joe/.cache/compizconfig/imgjpeg.pb
joe/.cache/compizconfig/scalefilter.pb
joe/.cache/compizconfig/kdecompat.pb
joe/.cache/compizconfig/shift.pb
joe/.cache/compizconfig/trailfocus.pb
joe/.cache/compizconfig/expo.pb
joe/.cache/compizconfig/3d.pb
joe/.cache/compizconfig/decoration.pb
joe/.cache/compizconfig/png.pb
joe/.cache/compizconfig/animation.pb
joe/.cache/compizconfig/neg.pb
joe/.cache/compizconfig/resizeinfo.pb
joe/.cache/compizconfig/group.pb
joe/.cache/compizconfig/cube.pb
joe/.cache/compizconfig/move.pb
joe/.cache/compizconfig/addhelper.pb
joe/.cache/compizconfig/showmouse.pb
joe/.cache/compizconfig/glib.pb
joe/.cache/compizconfig/minimize.pb
joe/.cache/compizconfig/video.pb
joe/.cache/compizconfig/wall.pb
joe/.cache/compizconfig/clone.pb
joe/.cache/notify-osd.log
joe/.cache/vlc/
joe/.cache/vlc/CACHEDIR.TAG
joe/.cache/vlc/plugins-04041e.dat
joe/.cache/event-sound-cache.tdb.9588dbce1fca58830d10168a4aba6077.i486-pc-linux-gnu
joe/.gnome2/
joe/.gnome2/accels/
joe/.gnome2/accels/gedit
joe/.gnome2/accels/nautilus
joe/.gnome2/gedit/
joe/.gnome2/gedit/gedit-2
joe/.gnome2/nautilus-scripts/
joe/.gnome2/keyrings/
joe/.gnome2/keyrings/login.keyring
joe/.gnome2/panel2.d/
joe/.gnome2/panel2.d/default/
joe/.gnome2/panel2.d/default/launchers/
joe/.openoffice.org/
joe/.openoffice.org/3/
joe/.openoffice.org/3/user/
joe/.openoffice.org/3/user/wordbook/
joe/.openoffice.org/3/user/temp/
joe/.openoffice.org/3/user/Scripts/
joe/.openoffice.org/3/user/uno_packages/
joe/.openoffice.org/3/user/uno_packages/cache/
joe/.openoffice.org/3/user/uno_packages/cache/uno_packages/
joe/.openoffice.org/3/user/uno_packages/cache/uno_packages.db
joe/.openoffice.org/3/user/uno_packages/cache/registry/
joe/.openoffice.org/3/user/uno_packages/cache/registry/com.sun.star.comp.deployment.executable.PackageRegistryBackend/
joe/.openoffice.org/3/user/uno_packages/cache/registry/com.sun.star.comp.deployment.help.PackageRegistryBackend/
joe/.openoffice.org/3/user/uno_packages/cache/registry/com.sun.star.comp.deployment.configuration.PackageRegistryBackend/
joe/.openoffice.org/3/user/uno_packages/cache/registry/com.sun.star.comp.deployment.configuration.PackageRegistryBackend/registry/
joe/.openoffice.org/3/user/uno_packages/cache/registry/com.sun.star.comp.deployment.configuration.PackageRegistryBackend/registered_packages.db
joe/.openoffice.org/3/user/uno_packages/cache/registry/com.sun.star.comp.deployment.sfwk.PackageRegistryBackend/
joe/.openoffice.org/3/user/uno_packages/cache/registry/com.sun.star.comp.deployment.script.PackageRegistryBackend/
joe/.openoffice.org/3/user/uno_packages/cache/registry/com.sun.star.comp.deployment.component.PackageRegistryBackend/
joe/.openoffice.org/3/user/uno_packages/cache/stamp.sys
joe/.openoffice.org/3/user/uno_packages/cache/log.txt
joe/.openoffice.org/3/user/basic/
joe/.openoffice.org/3/user/basic/dialog.xlc
joe/.openoffice.org/3/user/basic/Standard/
joe/.openoffice.org/3/user/basic/Standard/dialog.xlb
joe/.openoffice.org/3/user/basic/Standard/script.xlb
joe/.openoffice.org/3/user/basic/Standard/Module1.xba
joe/.openoffice.org/3/user/basic/script.xlc
joe/.openoffice.org/3/user/autotext/
joe/.openoffice.org/3/user/autotext/mytexts.bau
joe/.openoffice.org/3/user/registry/
joe/.openoffice.org/3/user/registry/cache/
joe/.openoffice.org/3/user/registry/cache/org.openoffice.TypeDetection.Types.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.UI.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Paths.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Commands.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Recovery.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Common.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Jobs.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.TypeDetection.GraphicFilter.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Linguistic.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Substitution.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.ucb.Configuration.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Writer.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.UI.WriterWindowState.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.TypeDetection.UISort.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.TabBrowse.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.LDAP.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.UI.WriterCommands.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.WriterWeb.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.System.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Views.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.TypeDetection.Filter.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.ucb.Store.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.UI.GenericCommands.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Addons.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.TypeDetection.Misc.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.VCL.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.DataAccess.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.SFX.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.TypeDetection.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.UserProfile.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.UI.Factories.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Accelerators.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Logging.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.UI.Controller.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.ProtocolHandler.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Events.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Setup.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Compatibility.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.UI.GlobalSettings.dat
joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Histories.dat
joe/.openoffice.org/3/user/registry/data/
joe/.openoffice.org/3/user/registry/data/org/
joe/.openoffice.org/3/user/registry/data/org/openoffice/
joe/.openoffice.org/3/user/registry/data/org/openoffice/Office/
joe/.openoffice.org/3/user/registry/data/org/openoffice/Office/Histories.xcu
joe/.openoffice.org/3/user/registry/data/org/openoffice/Office/Recovery.xcu
joe/.openoffice.org/3/user/registry/data/org/openoffice/Office/Common.xcu
joe/.openoffice.org/3/user/registry/data/org/openoffice/Office/Views.xcu
joe/.openoffice.org/3/user/registry/data/org/openoffice/Office/Writer.xcu
joe/.openoffice.org/3/user/registry/data/org/openoffice/Office/UI/
joe/.openoffice.org/3/user/registry/data/org/openoffice/Office/UI/WriterWindowState.xcu
joe/.openoffice.org/3/user/registry/data/org/openoffice/Office/Linguistic.xcu
joe/.openoffice.org/3/user/registry/data/org/openoffice/Setup.xcu
joe/.openoffice.org/3/user/config/
joe/.openoffice.org/3/user/config/javasettings_Linux_x86.xml
joe/.openoffice.org/3/user/config/modern_en-GB.sog
joe/.openoffice.org/3/user/config/autotbl.fmt
joe/.openoffice.org/3/user/config/cmyk.soc
joe/.openoffice.org/3/user/config/palette_en-GB.soc
joe/.openoffice.org/3/user/config/standard.soc
joe/.openoffice.org/3/user/config/soffice.cfg/
joe/.openoffice.org/3/user/config/soffice.cfg/modules/
joe/.openoffice.org/3/user/config/soffice.cfg/modules/swriter/
joe/.openoffice.org/3/user/config/soffice.cfg/modules/swriter/toolbar/
joe/.openoffice.org/3/user/config/soffice.cfg/modules/swriter/images/
joe/.openoffice.org/3/user/config/soffice.cfg/modules/swriter/images/Bitmaps/
joe/.openoffice.org/3/user/config/soffice.cfg/modules/swriter/menubar/
joe/.openoffice.org/3/user/config/soffice.cfg/modules/swriter/statusbar/
joe/.openoffice.org/3/user/config/hatching_en-US_en-ZA.soh
joe/.openoffice.org/3/user/config/standard.sod
joe/.openoffice.org/3/user/config/palette_en-US_en-ZA.soc
joe/.openoffice.org/3/user/config/html.soc
joe/.openoffice.org/3/user/config/arrowhd_en-GB.soe
joe/.openoffice.org/3/user/config/web.soc
joe/.openoffice.org/3/user/config/hatching_en-GB.soh
joe/.openoffice.org/3/user/config/standard.sob
joe/.openoffice.org/3/user/config/modern_en-US_en-ZA.sog
joe/.openoffice.org/3/user/config/standard.soh
joe/.openoffice.org/3/user/config/palette_en-US.soc
joe/.openoffice.org/3/user/config/modern_en-US.sog
joe/.openoffice.org/3/user/config/hatching_en-US.soh
joe/.openoffice.org/3/user/config/standard.sog
joe/.openoffice.org/3/user/config/classic_en-GB.sog
joe/.openoffice.org/3/user/config/styles_en-US.sod
joe/.openoffice.org/3/user/config/arrowhd_en-US_en-ZA.soe
joe/.openoffice.org/3/user/config/classic_en-US.sog
joe/.openoffice.org/3/user/config/classic_en-US_en-ZA.sog
joe/.openoffice.org/3/user/config/gallery.soc
joe/.openoffice.org/3/user/config/standard.soe
joe/.openoffice.org/3/user/config/arrowhd_en-US.soe
joe/.openoffice.org/3/user/config/sun-color.soc
joe/.openoffice.org/3/user/config/styles_en-US_en-ZA.sod
joe/.openoffice.org/3/user/config/styles_en-GB.sod
joe/.openoffice.org/3/user/backup/
joe/.openoffice.org/3/user/template/
joe/.openoffice.org/3/user/psprint/
joe/.openoffice.org/3/user/psprint/driver/
joe/.openoffice.org/3/user/psprint/fontmetric/
joe/.openoffice.org/3/user/psprint/pspfontcache
joe/.openoffice.org/3/user/autocorr/
joe/.openoffice.org/3/user/gallery/
joe/.openoffice.org/3/user/gallery/sg30.thm
joe/.openoffice.org/3/user/gallery/sg30.sdv
joe/.openoffice.org/3/user/gallery/sg100.sdv
joe/.openoffice.org/3/user/gallery/sg100.thm
joe/.openoffice.org/3/user/database/
joe/.openoffice.org/3/user/database/evolocal.odb
joe/.openoffice.org/3/user/database/biblio.odb
joe/.openoffice.org/3/user/database/biblio/
joe/.openoffice.org/3/user/database/biblio/biblio.dbf
joe/.openoffice.org/3/user/database/biblio/biblio.dbt
joe/.openoffice.org/3/user/store/
joe/Documents/
joe/Documents/cryptoD.gpg
joe/Documents/.hiddenDocuments/
joe/Documents/.hiddenDocuments/SuperSecret.odt
joe/gppg-stuff.txt
joe/.thumbnails/
joe/.thumbnails/normal/
joe/.thumbnails/normal/95e207e441e8b3e27f8e31ad31500fee.png
joe/.viminfo
joe/.gnome2_private/
joe/.gimp-2.6/
joe/.gimp-2.6/scripts/
joe/.gimp-2.6/themes/
joe/.gimp-2.6/sessionrc
joe/.gimp-2.6/levels/
joe/.gimp-2.6/brushes/
joe/.gimp-2.6/patterns/
joe/.gimp-2.6/curves/
joe/.gimp-2.6/gfig/
joe/.gimp-2.6/colorrc
joe/.gimp-2.6/controllerrc
joe/.gimp-2.6/templaterc
joe/.gimp-2.6/fractalexplorer/
joe/.gimp-2.6/tmp/
joe/.gimp-2.6/pluginrc
joe/.gimp-2.6/fonts/
joe/.gimp-2.6/parasiterc
joe/.gimp-2.6/modules/
joe/.gimp-2.6/plug-ins/
joe/.gimp-2.6/tool-options/
joe/.gimp-2.6/themerc
joe/.gimp-2.6/menurc
joe/.gimp-2.6/interpreters/
joe/.gimp-2.6/toolrc
joe/.gimp-2.6/gtkrc
joe/.gimp-2.6/environ/
joe/.gimp-2.6/gradients/
joe/.gimp-2.6/gimpressionist/
joe/.gimp-2.6/palettes/
joe/.gimp-2.6/dockrc
joe/.gimp-2.6/unitrc
joe/.gimp-2.6/gflare/
joe/.gimp-2.6/templates/
joe/.update-notifier/
joe/scans/
joe/scans/localhost.scan
joe/Videos/
joe/.gconfd/
joe/.gconfd/saved_state
joe/.recently-used.xbel
joe/.adobe/
joe/.adobe/Flash_Player/
joe/.adobe/Flash_Player/AssetCache/
joe/.adobe/Flash_Player/AssetCache/SZK5XWWC/
joe/.secrets
joe/Templates/
joe/.bash_logout
joe/.local/
joe/.local/share/
joe/.local/share/gvfs-metadata/
joe/.local/share/gvfs-metadata/home-dbd603fd.log
joe/.local/share/gvfs-metadata/home
joe/.blueproximity/
joe/.blueproximity/standard.conf
joe/.gstreamer-0.10/
joe/.gstreamer-0.10/registry.i486.bin

[zoidberg@/dev/null:~/FORENSICS ] $

Oh wow, what do we have here? Looks like we have someone called joe’s home directory 🙂 Now my instant thought was to grep for something similar to what we have seen in other flags, which was the string ‘Flag:’, so I performed a grep on the joe directory for ‘Flag’:

[zoidberg@/dev/null:~/SMP/CH4 ] $ grep -R 'Flag' joe/
Binary file joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Writer.dat matches
Binary file joe/.openoffice.org/3/user/registry/cache/org.openoffice.TypeDetection.GraphicFilter.dat matches
Binary file joe/.openoffice.org/3/user/registry/cache/org.openoffice.Office.Common.dat matches
Binary file joe/.openoffice.org/3/user/registry/cache/org.openoffice.TypeDetection.Filter.dat matches
Binary file joe/network_sniff.pcap matches
Binary file joe/.mozilla/firefox/ji5h5a20.default/Cache/47445552d01 matches
Binary file joe/.mozilla/firefox/ji5h5a20.default/Cache/_CACHE_003_ matches
Binary file joe/Downloads/hackerFiles/ntfs-hidden-data-analysis.pdf matches
grep: joe/.pulse/9588dbce1fca58830d10168a4aba6077-runtime: No such file or directory
joe/.gimp-2.6/pluginrc: (proc-arg 0 "at-top" "Flag for drawing numbers at top of film")
joe/.gimp-2.6/pluginrc: (proc-arg 0 "at-bottom" "Flag for drawing numbers at bottom of film")

[zoidberg@/dev/null:~/SMP/CH4 ] $

Which narrowed it down to the above files. The only thing that stood out there was “Binary file joe/network_sniff.pcap matches”. I proceeded to open the packet capture in Wireshark. I then did a search on the string ‘File’, which turned up:

2290 532.914137 192.168.15.132 74.52.142.122 HTTP GET /flagg.jpg HTTP/1.1

I hit Follow TCP Stream on the above packet and got the following GET request and response:

GET /flagg.jpg HTTP/1.1
Host: www.penfest.ca
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.4) Gecko/20100611 Firefox/3.6.4 ( .NET CLR 3.5.30729)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive

HTTP/1.1 200 OK
Date: Wed, 30 Jun 2010 01:05:16 GMT
Server: Apache mod_fcgid/2.3.5 mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635
Last-Modified: Wed, 30 Jun 2010 01:04:26 GMT
ETag: "46cc02b-94a5-48a34ef62ba80"
Accept-Ranges: bytes
Content-Length: 38053
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: image/jpeg

......JFIF.....H.H.....4This is your Flag: Seeing is not always

*** I have cut it short as the rest is random characters ***

BINGO! There you have the flag:

This is your Flag: Seeing is not always

I thought this challenge was awesome, I guess that’s because I have never done a forensic challenge before; it has definitely whetted my appetite! Until the next time…

Permalink Leave a Comment

Challenge 1 & 2 Write-Up – SMP CTF 2010 Hacker Olympics…

July 13, 2010 at 7:45 pm (Capture The Flag, SMP CTF)

Hey,

This is the first of many write-ups to come from SMP CTF, which happened over the weekend. Challenge 1, which was worth 200 points, consisted of the following:

Set S = 1
Set P = 1
Set previous answer = 1

answer = S * P + previous answer + R
R = 39

After this => S + 1 and P + 1 ('answer' becomes 'previous answer') + 39
then repeat this till you have S = 11065.

The final key will be the value of 'answer' when S = 11065.

Example:
So if R = 15..

17 = 1 * 1 + 1 + 15
36 = 2 * 2 + 17 + 15
60 = 3 * 3 + 36 + 15


Submit the correct answer and you will receive a flag. Have fun ;D

Looking at the source page to this challenge we find a hidden hint:

!--VGhlIHZhbHVlcyBvZiBTIGFuZCBSIGNoYW5nZSBldmVyeSA1IG1pbnV0ZXMgb3Igc28gaGVoZSA7--

This looks awfully like base64, let’s see…

[zoidberg@/dev/null:~ ] $ echo VGhlIHZhbHVlcyBvZiBTIGFuZCBSIGNoYW5nZSBldmVyeSA1IG1pbnV0ZXMgb3Igc28gaGVoZSA7 | base64 -d
The values of S and R change every 5 minutes or so hehe ;
[zoidberg@/dev/null:~ ] $

So moving on, this is a pretty straightforward math problem that we can easily translate into some Perl / Python code to work it out for us 😉

Our team member Nex was the person to complete this challenge; he came up with the following Perl one-liner:

perl -e 'my $pan=1; for (my $a=1;$a<=11065;$a++) { $ans=$a*$a+$pan+39; $pan=$ans; } print "$ans\n";'

Which pretty much translates to the math problem above, just broken down and put into code. When we run this piece of code, we get the following answer:

451639883701

Which when you submitted it, gave you the following:

Challenge ID: 36b1c546
Flag: WaSThAtFunORwhaT?!?xxxxxx

Yay, so we completed that level. I wrote my own code in Python for this challenge, which consisted of the following:

>>> p_ans = 1
>>> val = 11065
>>> a = 1
>>> r = 39
>>> for i in range(a, val+1):
...     answer = i * i + p_ans + r
...     p_ans = answer
...
>>> print(answer)
451639883701
>>>
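Since the hidden hint says S and R change every few minutes, it helps to have the recurrence parameterized and, better still, unrolled into a closed form so a fresh answer takes no loop at all. This is an added example, not code from the original post or from Nex: answer(n) = 1 + sum over s=1..n of (s² + R) = 1 + n(n+1)(2n+1)/6 + nR, which the loop version double-checks.

```python
def iterate_answer(s_max: int, r: int) -> int:
    """Run the challenge recurrence as stated: S and P start at 1 and step
    together, answer = S*P + previous_answer + R, until S == s_max."""
    previous = 1                       # "previous answer = 1"
    answer = previous
    for s in range(1, s_max + 1):
        answer = s * s + previous + r  # P always equals S, so S*P == S*S
        previous = answer              # 'answer' becomes 'previous answer'
    return answer

def closed_form_answer(s_max: int, r: int) -> int:
    """Same value without looping: 1 + sum_{s=1..n}(s^2 + R)
    = 1 + n(n+1)(2n+1)/6 + n*R (integer arithmetic, so exact)."""
    n = s_max
    return 1 + n * (n + 1) * (2 * n + 1) // 6 + n * r

def example_sequence(r: int, steps: int) -> list:
    """First few 'answer' values for a given R, matching the R = 15 worked example."""
    out, previous = [], 1
    for s in range(1, steps + 1):
        previous = s * s + previous + r
        out.append(previous)
    return out

if __name__ == "__main__":
    print(example_sequence(15, 3))      # [17, 36, 60], as in the challenge text
    print(iterate_answer(11065, 39))    # 451639883701, the value submitted
    assert iterate_answer(11065, 39) == closed_form_answer(11065, 39)
```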

So that is how we beat Challenge 1. I won’t be writing a separate write-up for Challenge 2; I will briefly explain it now as it was such a simple challenge. So, this is what we got for Challenge 2 (which was for 100 points):

Where's waldo?

ssh -l luser gordo.smpctf.com -p 2282 Password: smpctf

Help find waldo..

Upon logging into the server, the user’s shell must have been set to /usr/bin/vi, because we were presented with a vi session instead of a shell. This is quite a common trick and can be escaped simply by typing the following:

:set shell=/bin/sh
:sh

This will then drop you to a /bin/sh shell and you can proceed to find waldo any method you wish 🙂

We simply issued a few find / grep commands and found waldo hiding in a dot file under the /usr directory. If my memory serves me correctly it was as simple as this:

find /usr -name smp

This then gave us the following location:

/usr/lib/.flag/smp

Looking at the file ‘smp’ in the .flag directory we seemed to have found waldo 🙂

Challenge Key: cfc6adcc
Flag: HAHAHAHAHAHAHHAHAponies

Anyway, look out for the next write-up, which will be for Challenge 3 – the craziest challenge there was, I think 🙂

Permalink Leave a Comment

SMP CTF – 2010 Hacker Olympics – We Made It To The Finals…

July 12, 2010 at 7:57 pm (Capture The Flag, SMP CTF)

Hey all,

So this weekend was host to the “Spider Monkey Phenomenon” Capture The Flag (SMP CTF), held by redsand and magikh0e of Bl4ack Security. This was the first ever CTF that I have entered. I put together a team composed of members from the Smash The Stack IRC network. We did really well and managed to get through to the finals in 4th place. The official scoreboard looked like this after the final scores were counted:

1 Nibbles (5747.5)
2 Plaid Parliament of Pwning (5261)
3 n0psl3d (5231)
4 StS (4840)
5 lulzteam (4718.5)
6 Smoked Chicken (4365.75)
7 int3pids (3960.25)
8 0x28 Thieves (3785)

I am very happy with how the team worked and am looking forward to the finals. I will be writing up each challenge that we completed and hopefully the ones that were not released due to time and the couple we missed also due to time. So watch this space 🙂

Permalink Leave a Comment