Forensics
Last updated
Last updated
Files can always be changed in a secret way. Can you find the flag?
Run exiftool:
The selected string is in Base64 encoding.
Open the Word document and go to "View -> Macros -> runpython -> Edit":
The selected string is in Base64 encoding.
Use binwalk -e <filename> four times.
This has got to be one of the most rediculous problem I've ever done, I wanted to say this is hyper unrealistic but it actually has some references to.
After downloading this file, and do a file command on it, I found it's just data.
If you read the Hacktricks page, you would know. Download GIMP and follow the guide. Eventually you get an image with flag on it:
Follow TCP stream:
The highlighted string is ROT13 encoded.
Unzip the PowerPoint file. The message is located in ppt/slideMasters/hidden. Remove spaces and Base64 decode it.
Go to "Wireshark => Export Objects => TFTP...":
Then click Save All:
Here we get three images, two encrypted messages, as well as a file named program.deb. Note that those two encrpyted messages are simply ROT13 encrypted. ROT13 decryption gives us the following messages:
Instruction: TFTP doesn't encrypt our traffic, so we must disguise our flag transfer. Figure out away to hide the flag and I will check back for the plan.
Plan: I used the program and hide it with - DUEDILIGENCE. Check out the photos.
Extract program.deb:
Note that tmp/usr/bin contains steghide. It turns out that we could use the password DUEDILIGENCE to extract the flag from picture3.bmp:
Decompress:
Search for human-readable strings:
Open the image in Autopsy and search for down-at-the-bottom.txt:
Someone, pls solve it!
Todo!
Download the image:
Run zsteg:
Someone, pls solve it!
Todo!
What could go wrong if we let Word documents run programs? (aka "in-the-clear"). .
Matryoshka dolls are a set of wooden dolls of decreasing size placed one inside another. What's the final one? Image:
We found this . Recover the flag.
But doing strings command also found nothing as there was no noticable file signatures. I have no idea how, but I remembered one of the HackTheBox machine I did a long time ago, which the privilege escalation step would exploit the video group of a low-privileged user. does a wonderful job explaining it, and in fact, they have a lot of great pentest tips and tricks.
Can you find the flag? .
I've hidden a flag in this file. Can you find it?
Figure out how they moved the .
Can you find the flag? .
Use srch_strings from the sleuthkit and some terminal-fu to find a flag in this disk image:
All we know is the file with the flag is named down-at-the-bottom.txt... Disk image:
While you're going through the FBI's servers, you stumble across their incredible taste in music. One you found is particularly interesting, see if you can find the flag!
Finding a flag may take many steps, but if you look diligently it won't be long until you find the light at the end of the tunnel. Just remember, sometimes you find the hidden treasure, but sometimes you find only a hidden map to the treasure.
