CTF-BR

Pwn2Win 2014 - fs

Pontos: 50, Categoria: forense

Autor: danilonc, Time:BugNotFound

4ch3 4 fl46 (50 points) Attached file

Write-up

Vamos baixar e identificar o binário

vagrant@packer-virtualbox-iso:/vagrant/Pwn2Win/fs$ wget https://www.shellterlabs.com/media/files/0406081f-329d-4650-88e1-53288e63c30d.gz
--2014-11-24 13:13:40--  https://www.shellterlabs.com/media/files/0406081f-329d-4650-88e1-53288e63c30d.gz
Resolving www.shellterlabs.com (www.shellterlabs.com)... 200.129.50.196
Connecting to www.shellterlabs.com (www.shellterlabs.com)|200.129.50.196|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 148656 (145K) [application/octet-stream]
Saving to: `0406081f-329d-4650-88e1-53288e63c30d.gz'

100%[===========================================================================================================================================================================>] 148.656     --.-K/s   in 0,1s    

2014-11-24 13:13:46 (1,02 MB/s) - `0406081f-329d-4650-88e1-53288e63c30d.gz' saved [148656/148656]

vagrant@packer-virtualbox-iso:/vagrant/Pwn2Win/fs$ tar tzvf 0406081f-329d-4650-88e1-53288e63c30d.gz
-rw-rw-r-- alisson/alisson 1411072 2014-10-08 05:44 for50_fs
vagrant@packer-virtualbox-iso:/vagrant/Pwn2Win/fs$ tar xzvf 0406081f-329d-4650-88e1-53288e63c30d.gz
for50_fs
vagrant@packer-virtualbox-iso:/vagrant/Pwn2Win/fs$ file for50_fs 
for50_fs: x86 boot sector, code offset 0x52, OEM-ID "NTFS    ", sectors/cluster 8, reserved sectors 0, Media descriptor 0xf8, dos < 4.0 BootSector (0x80)

Parece ser a imagem de uma partição, vamos tentar montar:

vagrant@packer-virtualbox-iso:/vagrant/Pwn2Win/fs$ mkdir mnt
vagrant@packer-virtualbox-iso:/vagrant/Pwn2Win/fs$ sudo mount for50_fs mnt/
vagrant@packer-virtualbox-iso:/vagrant/Pwn2Win/fs$ cd mnt/
vagrant@packer-virtualbox-iso:/vagrant/Pwn2Win/fs/mnt$ ls
Pwn

Vamos executa o find e ver se há algo interessante:

vagrant@packer-virtualbox-iso:/vagrant/Pwn2Win/fs/mnt$ find
.
./Pwn
./Pwn/2
./Pwn/2/Win
./Pwn/2/Win/0
...
./Pwn/2/Win/13
./Pwn/2/Win/13/file-fl46.pwn
./Pwn/2/Win/14
...
./Pwn/2/Win/file-112.pwn
./Pwn/2/Win/file-113.pwn

./Pwn/2/Win/13/file-fl46.pwn parece suspeito, flag = fl46 em leet speak (e como odeio leet speak)

vagrant@packer-virtualbox-iso:/vagrant/Pwn2Win/fs/mnt$ cat ./Pwn/2/Win/13/file-fl46.pwn
|-|0\\|/ |-|0\\|/ |-|0\\|/
4 |#146 |\\|40 35+4 4?|_|!
(0|\\|+!|\\||_|3 |>|20(|_||24|\\||)0
\\/4 |\\/|4!5 |#|_||\\||)0

Fazendo o replace do leet speak

|-| -> H, |\| -> N, |) -> D, |> -> P, |2 -> R, |_| -> U, ( -> C, |# -> F, 4 -> A, 1 -> L, 6 -> G, 5 -> S, 0 -> o, + -> T, 3 -> E, \|/ -> W, ? -> Q, ! -> I, \|/ -> V, |V| -> M,

obtemos o texto:

HOW HOW HOW A FLAG NAO ESTA AQUI CONTINUE PROCURANDO VA MAIS FUNDO

Vamos procurar nos arquivos deletados usando o fls do sleuthkit

vagrant@packer-virtualbox-iso:/vagrant/Pwn2Win/fs$ fls -r for50_fs | head -n 30
r/r 4-128-1:	$AttrDef
r/r 8-128-2:	$BadClus
r/r 8-128-1:	$BadClus:$Bad
r/r 6-128-1:	$Bitmap
r/r 7-128-1:	$Boot
d/d 11-144-2:	$Extend
+ r/r 25-144-2:	$ObjId:$O
+ r/r 24-144-3:	$Quota:$O
+ r/r 24-144-2:	$Quota:$Q
+ r/r 26-144-2:	$Reparse:$R
r/r 2-128-1:	$LogFile
r/r 0-128-1:	$MFT
r/r 1-128-1:	$MFTMirr
r/r 9-128-2:	$Secure:$SDS
r/r 9-144-3:	$Secure:$SDH
r/r 9-144-4:	$Secure:$SII
r/r 10-128-1:	$UpCase
r/r 10-128-2:	$UpCase:$Info
r/r 3-128-3:	$Volume
d/d 64-144-2:	Pwn
+ d/d 65-144-2:	2
++ d/d 66-144-2:	Win
+++ d/d 268-144-2:	0
+++ d/d 269-144-2:	1
+++ d/d 278-144-2:	10
+++ d/d 279-144-2:	11
+++ d/d 280-144-2:	12
+++ d/d 281-144-2:	13
++++ r/r 299-128-2:	file-fl46.pwn
++++ -/r * 300-128-2:	file-1337.flag

file-1337.flag parece ser a flag, vamos ver o conteúdo usando o command icat do sleuthkit:

vagrant@packer-virtualbox-iso:/vagrant/Pwn2Win/fs$ icat for50_fs 300
4n_4u70p5y_m4y_b3_d33p

Flag: 4n_4u70p5y_m4y_b3_d33p

comments powered by Disqus