DEFCON2K12 Prequals: for500 writeup
The last forensic challenge was a zip file in which we were asked to find a key. Extracting this zip file gives us three files of the same size, which we quickly discovered were images of ZFS partitioned devices. The ZFS pool name of those three partitions was the same, which led us to think that it was probably a dump of a RAID-Z configuration.
After importing the disk pool to a FreeBSD virtual machine, we found out that it contained a lot of files, most of those being NSFW JPEG images or animated GIFs.
0b5ed41646345b9a89b84bfae0106533: JPEG image data, JFIF standard 1.01, comment: "fX0BPaJ9H8T2a5wJ7gtQmx2QFs8FLOu3HsP1Su+z8WOet4tmuC/Ib2aekHepz0\261"
0f249cbc8db586752dfb331e97657134: JPEG image data, JFIF standard 1.01, comment: "kvhc5jokpYPajJqMamk+sAsEokJbOwYqLyabsqfkDwJOo6qzS9cxmgrb+rYCJu\261"
2f32c9f65313346da3c01c88247bdc39: JPEG image data, JFIF standard 1.01, comment: "78U7thboYbBxTay+7xqeij2XZ7tB0Fqb5bKE8xMKm19F3cTj4XeKRm60cUWj7P\261"
3e950586cd2687f695a25067150c4fd5: GIF image data, version 89a, 300 x 227
7b085e44f864e695dcc64755d9f05b4c: JPEG image data, JFIF standard 1.01, comment: "PQKgOG6Ndp5anv4o/EnBL5ANHy726p4VzBdXPGu/XZEGrq71pK9ETlqdZor7rx\261"
7f30449b9e16cf7be00f7996d6abf839: JPEG image data, JFIF standard 1.01, comment: "dx5XsGR6uWgd0zdGI+sbrFbg2qdPs39DTxolG4i2DumvEJ3O6CCsh8USMH6i5J\261"
9d0559408c909ca2d91152280da30c88: GIF image data, version 89a, 249 x 295
9f9b14f7a3ceed115486730e6b120744: JPEG image data, JFIF standard 1.01, comment: "sRY54QtKnm+vfcbOXNmO6tSPLUYnaU3wzIVddNcuIODaTBKx5UzEJrchtl9swF\261"
13a31872f45f96a12a280b2bdd71edfd: JPEG image data, JFIF standard 1.01
18abb247adf0248c0aa3ffc43c0fb03e: JPEG image data, JFIF standard 1.01
55fbc3ea567c5c851e4c85c6691e6a8b: JPEG image data, JFIF standard 1.01
73d64f38688b04fe36864a6a61f2d36e: PDF document, version 1.3
96cff1a5ce897e03757153d284b211c0: JPEG image data, JFIF standard 1.01
207f5f9b285235c440be0df38d21d35f: JPEG image data, JFIF standard 1.01, comment: "6hUYJGx38IkCNdnhNYesJQ9+SM7hBspDttB5/TRpNSrZbP5cYsI+7MXX1CPhI1\261"
293cb94cdf3519671f2d63d3df070c00: JPEG image data, JFIF standard 1.01, comment: "yB4BrZWmPw6OKA7Nws41vAgw62Uw7djNhU/I/s5BfUiVLHQTusPCNEMOwWp6tI\261"
392b67045436d1400318321c0fb24a2e: JPEG image data, JFIF standard 1.01, comment: "3Ng0rpFSUdpDJkriWF/BP6hHEywzf7G3xbHqvJeDj5N8F8jBfuon9imIj7xEtZ\261"
545a8e8c4c3ab6cc4547c69505093fc6: JPEG image data, JFIF standard 1.01, comment: "fV8//GdrD5STPXy6A2qRscOPdF7lnDcB3nOaYCWxmCd1meDv7XqUDacsIh4z6P\261"
608c1f598338344a61c5de15fa4d9bb2: JPEG image data, JFIF standard 1.01, comment: "N52wpLG6BoDnNMeV9U3pVQ0IYY5sBtcJ7ufwYas6ZYGtvk0hz1gpwzaSO1uOwZ\261"
3387de999809d8a8cc0ec031dadd7316: JPEG image data, JFIF standard 1.01
4798e11ce9cecf2a918abebd791fc93b: ARJ archive data, v11, slash-switched, original name: , os: Unix
45042a121306b75a66f4bb85a22da602: JPEG image data, JFIF standard 1.01
68137a674b58fbbcb3f99d2cd7b752b2: JPEG image data, JFIF standard 1.01, comment: "knoTwX5V+ZHlImntVGLzujemOkfCN/7uhPLuytlXbhpQhGILIGs+dzHudWsmnO\261"
88663f93fc38718df4150ea90c050601: GIF image data, version 89a, 731 x 791
92263de481ae3d8e3616f308f7f6c2b0: WebM
503729d41f8b14d9e14f7a71a3ba2c8b: JPEG image data, JFIF standard 1.01
840036448eed8c04798745a5638c14b0: JPEG image data, JFIF standard 1.01
a4adfc47846b73c651b27d8aad7a688d: GIF image data, version 89a, 490 x 445
a91352dd3784ca2bbd532eac85f9c14f: JPEG image data, JFIF standard 1.01
ac1148e104985b07069b4d43f5ef9008: JPEG image data, JFIF standard 1.01
ad6fd9ea6396274e94a1611507425b34: GIF image data, version 89a, 300 x 350
b14873dd3d074051a196a9a5e592d8ff: JPEG image data, JFIF standard 1.01
bca5db4efdd4585732d01a90640434d9: JPEG image data, JFIF standard 1.01, comment: "ni2Fkh/fDjeDmWCF/95SAMSOvzARqjP4PwoAuzD50PYuxicCX+KlIK8h+U/z0s\261"
c2bed9e75929a56a78a56affb66d9b41: JPEG image data, JFIF standard 1.01, comment: "o0Q/kWHxOLDEM6ADlezPZsW+Ap+T08W0R783rQS52mhQFaOF3PJUKYPweEAKhU\261"
c8c7c8dc9489e7978638def64897d531: JPEG image data, JFIF standard 1.01
c68d8ed8f041ef59d4793c30aa6ef039: JPEG image data, JFIF standard 1.01, comment: "q9HOdh+SdyKFhnd5VMkc5KnyixW16z8kkFG+w/+P+6LkZyjEQcxFj7iFHGIRjy\261"
c3984efb761d9a1fe78b89b40fc8f389: JPEG image data, JFIF standard 1.01, comment: "LSdKKloyyRjICVWdG9dMm862mIct7P3bEKZMo+dKE2AeWEMOl46PJQ/k32MidN\261"
ca876f51f1b6d34efa0744d3c1199d23: JPEG image data, JFIF standard 1.01, comment: "u14qOdqQNCpqS1M8imY0/dDTS41rsL0/1vgQ9nahDVGx+0E8pDNLCXYJ31FLhG\261"
d1e23a792c958f279052fbc580846da5: GIF image data, version 89a, 558 x 364
d853c5aa56ca076337b6a39451a833aa: JPEG image data, JFIF standard 1.01
e39d6a16419cbcdc109928efbd5c397a: JPEG image data, progressive, precision 0, 4360x394
e65f0c23dc67aa0e07be812c901a69eb: JPEG image data, JFIF standard 1.01, comment: "an9x9fJmPziLwWPmwuzJKcCXPQc0NxMjUT82yO/AFlMolTLSgvAWx2zK6Nzjcs\261"
e142fee4b33e05f2210744fc17a0f5f3: JPEG image data, JFIF standard 1.01, comment: "ZO4QBGeVF+ACwLfPuQTYULo+D0a1QThWdpmejK3qojLhN+ZBApgUpMitdrVLx/\261"
f0ecb7aa77cc8f5d3fc3e01dfeb3b36c: GIF image data, version 89a, 390 x 267
fbc66121ef2d8bca22bf132c3b220b9a: JPEG image data, JFIF standard 1.01, comment: "rwIq17KtjqcYCXw8R/LuoAfifkTOj4akNvh9o/tIMP+DMJlXpor0EmHB5G8ZAH\261"
`file` allowed us to notice that each of the JPEG files contained a comment with data encoded as base64. Decoding the base64 gave us data that seemed random (no apparent structure). Among those files there is also an ARJ archive, which leads us to other files when extracted:
0b1fb5712a5df421b6d3ece5bcff5cb6: JPEG image data, JFIF standard 1.01, comment: "cDhsWrO+AghGnMBK2ADRkev8vaTariLV+od/aSi18KIKXLcRylzyXxuK9POmgI\261"
0e99ce865f902279b724610a09964031: JPEG image data, JFIF standard 1.01, comment: "tsgggdEkwhUVUHPGwEtwfHzJ3gzrp9hrBJJgMXhGRBbaqx1LypatgG3Z0Z+Fz0\261"
0ef0fef2e2743c22b112a7d560cedb6b: Zoo archive data, v2.10, modify: v2.0+, extract: v1.0+
1dc4bb553570db680933149b3919253c: WebM
2c7e90721cc57b65c1816a2085365a54: JPEG image data, JFIF standard 1.01
3e68228c38355bb89c482cb4a951fdc3: GIF image data, version 89a, 314 x 137
4f94e2f97ca76ad32c06a948d3e3c060: JPEG image data, JFIF standard 1.01, comment: "N24+dImhB4J8vISSdNZgbGNztjAPGbYFlE/jWCXTJ4aVMv6M9AnpSawuNOcw68\261"
5e949f376e3b0e4dd8db786dd96435f3: GIF image data, version 89a, 280 x 229
6c8447612b4d1d8261fcaeab06714f27: PDF document, version 1.4
7dd71595233032e4571f0c3bedddcc3f: JPEG image data, JFIF standard 1.01, comment: "bfEVKZ2Y+yvOPDhzzoy+FzpLvIYqbNTRUiL4Gp/lO7LQw0iNNCfiUdjmkzRk23\261"
8ae73e4ece2f61c87e3bc14e65f7d339: JPEG image data, JFIF standard 1.01, comment: "VXhA/VU+uPHg6JreCb7O2sUQBo2SiPWCSAVPoBpRrBsSTKCWOrp8gwRXkDWDM6\261"
9cc267a18a1f26b098c762f809afa56f: JPEG image data, EXIF standard
9e50dbf322e08f2bda7c83a198939297: JPEG image data, JFIF standard 1.01, comment: "GvtkPOArJDoihVV8oKXD02JDEmSP8Zd222YnHy5QdLA4qA4S7lRWAGIedwSQr5\261"
53e96e9419f103b6f1cfa0469454a8b1: JPEG image data, JFIF standard 1.01, comment: "jFDAv055rEo7Uxz26+MYs5yvG3ScFmtrKDTCl7IMnx/DlhdkK9Kbtqe1IPm4wB\261"
78f4bfbc58c0904445df6ac0ec5a16b4: JPEG image data, JFIF standard 1.01
83b9365809a2d7b529cc5dcf3ce24f53: JPEG image data, JFIF standard 1.01, comment: "GjsiiQOeLmY0uvS5UVqhJm/7GKBmF2Nw49Llg/4taJLx2BfQbAjuC6gfYMqc69\261"
86ee06e53e91c0df42bc26345e5dd035: JPEG image data, JFIF standard 1.01, comment: "6JrfHqR2ISfKB/T0XPjFdX0gXAUEaHskg4GMBkdUlkPapXf/V+FMAxl0vwrUD3\261"
95f4afff972f34b4819d498cbd8d2aca: JPEG image data, JFIF standard 1.01, comment: "fxHb2QSV+COjPxjJINo7G2HFkwBnQbT1lsmPmqGBqmyB8JAsIuNmPHw0kB9ldl\261"
114be37c70a66901c73121479f50e016: JPEG image data, JFIF standard 1.01, comment: "7Ohu0ZezZ+2S+Y+KyA6QRxPFNhqrHB+2tVmS9WDC/q9VWWJeqLSpgXJSZTYwti\261"
333e94b8e09ad6a05121b9fda51af884: JPEG image data, JFIF standard 1.01, comment: "ZFPzQGISSlrCcWp4CywRa5e4XuXygRGPGz674bK6ZU45rYV3apTyEa5mlvTwsC\261"
620e3c35d9f517a8daf783f384e03f10: JPEG image data, JFIF standard 1.01, comment: "NnMb792zbR+VSy+NE578AB51Rwdg98GDUD2UARF4qtz1E7/QDUjeipWtbH9MIr\261"
4415b9c1a6b9bf178009799d25d692e6: JPEG image data, JFIF standard 1.01, comment: "KVeiZGxoNYbcQ5IZaEC8S+S3cE1zRAtkVyva+tIfhcAceYibWMMJ9gGA+pDSUg\261"
5589ba066f243ee00f1e38588797eaff: GIF image data, version 89a, 400 x 347
260631db70a194649e41e9c2b5de821b: GIF image data, version 89a, 250 x 200
18447912f6bda582af0214bd934adccd: JPEG image data, JFIF standard 1.01, comment: "Fti0vI99kxpMKpJnT4Guv2Z4ifQEIp6V5YHlU4vbFCJtDSTOVPksg1jL3XAOrS\261"
392982628867b07eff7e2a1ee4fffd12: JPEG image data, JFIF standard 1.01
a1a862f67ea7f5a450d7c8754376e349: JPEG image data, JFIF standard 1.01
a901114d8baf00617c33725f48402bc1: JPEG image data, JFIF standard 1.01, comment: "gpq5B6t0S3zbnm9/0S3fOOK+zh8gpF4XG2MjYnIHX4moqxm373mHN0TVX3bJ+6\261"
aac169caedf4f741c4b8736623a65d46: GIF image data, version 89a, 373 x 304
ad62d478e3f5636025b9b56055094e71: GIF image data, version 89a, 360 x 386
b0e2d10cc36e288d00c0486169dd9848: JPEG image data, JFIF standard 1.01
b875576cc38943e8acded2286e5f0b8c: JPEG image data, JFIF standard 1.01, comment: "obfk5SmUD+I0gXUJXJAgw4CArWSxoSV0rbisKxUTugRh0pdjBhc/uKcnNaGXFk\261"
c7e7fc2481167684836d7c63d23ba5ea: JPEG image data, JFIF standard 1.01, comment: "UP1Hrp/siVoS17/Nh52ZbLpmEJwb5dxiMi43xfcDNF94o+ikyOBxFBZYFe71JH\261"
c282fdac95df3e3730569d958a670aa6: JPEG image data, JFIF standard 1.01
c391bc7c2ccadaa2bcd8c0f235a1be8d: JPEG image data, JFIF standard 1.01
c6103106db3288692abf76601de1fc58: JPEG image data, JFIF standard 1.01
ca7fbe324ec9630be51394194193aab7: JPEG image data, JFIF standard 1.01, comment: "eUA1N8lWboraDBX1vSNn0m+9G+wK9cjqQtStc5DEmWQtbv+mSbO0RSKzoENAE5\261"
d6d1f1f34327db268f5d2b1393c1958e: JPEG image data, JFIF standard 1.01, comment: "eL3KE8tUkhMOUAYKvgKVgXmfROm6ulOpvnZJ3d2GQK31xIkL1EWc4h5DBrbiyN\261"
d0349e58eb30bc280c0b004470d1d3ea: JPEG image data, JFIF standard 1.01, comment: "s4n8IHQrHHaWScZPfkxMCX5LSYLLQJFaWiNaA3xQW5unLXzcRDeCGWOC7lcy90\261"
e2d5442a2ebc3d459697d39769552858: JPEG image data, JFIF standard 1.01
e5ec682701e68ee0823b7543bb9ac791: JPEG image data, JFIF standard 1.01
e10fad4a379687aafdfcfd93a19a99dd: JPEG image data, JFIF standard 1.01
f09d0c142d5df903bd04f5b60943b7ec: JPEG image data, JFIF standard 1.01, comment: "RjEpFqYD+p/+vOTlkPsR316GyDxBxWljfe+uTKn/OZtbCUxyJaomWM70s8hw1W\261"
f617a2369f7071307169df08dc955a5f: JPEG image data, JFIF standard 1.01, comment: "64Ui64EzDeAtVG62FIorJtnqVG/OhXuTVqXtGpDgbvZ183dYHEWGDMcL/lgNB0\261"
Same pattern here: lots of JPEGs and an archive file. This archive uses the “Zoo” format, which we had never heard about, but it was easy enough to find a tool to unpack it, giving us more files. I’ll skip the `file` output, but this archive contained JPEGs and a ZIP file. Unpacking the ZIP gave us even more JPEGs, but this time no more archive.
We tried to decode all of the base64 comments in order to find one that had some strings or some kind of structure in it. After decoding the base64 comment from all JPEGs, we noticed that one of the extracted files was smaller than the others, and terminated by a readable ASCII string:
```text
0001940: ffff ffff ffff ffff ffff ffff ffef 7061  ..............pa
0001950: 7138 6f38 7a20 2d38 0d0a 3537 3637 3136  q8o8z -8..576716
0001960: 3809 736f 7572 6365 5f66 730d 0a         8.source_fs..
```
Looking for paq8o8z on the internet, we found out that this is an unusual archive/compression format. The file we extracted from the JPEG comment was not a valid paq8o8z file: normally the header string should be at the top of the file, not the bottom. The long strings of `ffff ffff ffff ffff` seemed strange for compressed data too.
Experimenting with the compression tool a bit, we found out that most of the files we compressed started with the header string, then directly after it the bytes `1A FX` with X an arbitrary hex digit. We tried looking at the files we extracted from the JPEGs to find one that started with this pattern, assuming that the header was moved afterwards to mess with us. One of the files matched this pattern:
```text
0000000: 1afb 643c e02b 243a 2285 557c a0a5 c3d3  ..d<.+$:".U|....
0000010: 6243 1264 8ff1 9776 db66 271f 2e50 74b0  bC.d...v.f'..Pt.
0000020: 38a8 0e12 ee54 5600 621e 7704 90af 9387  8....TV.b.w.....
0000030: 1ad5 074b a2d3 79d5 898b 6e9e 20ca b02b  ...K..y...n. ..+
0000040: 105a a5a3 2819 ac24 f2bc 29cb 193c 677e  .Z..(..$..)..<g~
```
Later in the same file, we found another long string of `ff` bytes:
```text
00002f0: c01e 71b4 06e5 49ff ffff ffff ffff ffff  ..q...I.........
0000300: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000310: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000320: ffff ffff ffff ffff ffff ffff ffff ffff  ................
0000330: ffda 2276 5be5 795a eab3 a5e7 2dda aa42  .."v[.yZ....-..B
```
After thinking about what this could be, we tried compressing a file made entirely of zero bytes using paq8o8z. The output was a similar string of `ff` bytes, leading us to think that the base64 files are really all part of the same paq8o8z archive.
At this point, one member of our team noticed that the base64 was not alone in the JPEG file comments. It was followed by a 3-byte string like `|00`. We tried using it as a XOR key for the contents of the file without success, then assumed that it was an index used to order all of the “chunks” we got from the JPEG files. The file starting with `1a fb` was `|00`, which perfectly matched our assumptions. We concatenated all of the base64 we found sorted using the indexes, put the paq8o8z header at the top of the file, and it unpacked without errors, giving us a 5767168-byte ext2 image file named `source_fs`.
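The chunk-ordering step above, as an added example that is not code from the writeup: a small parser walks the JPEG marker segments, pulls out each COM payload, splits it into the base64 body and the `|NN` index, checks that the lowest-indexed chunk starts with `1A Fx`, concatenates the chunks in index order, and moves the trailing `paq8o8z` header back to the front. The `<base64>|<index>` comment layout is an assumption taken from the description above; the minimal JPEG builder and the chunk contents are constructed for the example, with the header text reusing the string seen in the hexdump.

```python
"""Reassemble a stream hidden as base64 in JPEG comment segments.

Added example, not code from the original writeup. The comment layout
"<base64>|<index>", the minimal JPEG builder and the chunk contents below
are constructed test data.
"""
import base64
import string
import struct

SOI, EOI, SOS, COM = 0xFFD8, 0xFFD9, 0xFFDA, 0xFFFE
PAQ_MAGIC = b"paq8o8z"


def jpeg_comments(data: bytes) -> list[bytes]:
    """Walk the JPEG marker segments and return every COM payload in order."""
    if data[:2] != SOI.to_bytes(2, "big"):
        raise ValueError("not a JPEG (missing SOI)")
    comments, off = [], 2
    while off + 4 <= len(data):
        (marker,) = struct.unpack(">H", data[off:off + 2])
        if marker in (EOI, SOS):          # entropy-coded data follows SOS; stop here
            break
        (length,) = struct.unpack(">H", data[off + 2:off + 4])
        payload = data[off + 4:off + 2 + length]   # length counts its own two bytes
        if marker == COM:
            comments.append(payload)
        off += 2 + length
    return comments


def split_chunk(comment: bytes) -> tuple[int, bytes]:
    """Split "<base64>|NN" into (index, decoded bytes)."""
    b64, sep, idx = comment.rpartition(b"|")
    if not sep:
        raise ValueError("comment has no |NN index")
    return int(idx), base64.b64decode(b64, validate=True)


def is_paq_stream_start(chunk: bytes) -> bool:
    """True if the chunk starts with 1A Fx, the bytes seen right after the header."""
    return len(chunk) >= 2 and chunk[0] == 0x1A and chunk[1] & 0xF0 == 0xF0


def relocate_trailing_header(data: bytes, magic: bytes = PAQ_MAGIC) -> bytes:
    """Move a printable header that ends the stream back to the front (assumed layout)."""
    idx = data.rfind(magic)
    if idx < 0:
        return data
    tail = data[idx:]
    if all(chr(b) in string.printable for b in tail):
        return tail + data[:idx]
    return data


def reassemble(jpegs: list[bytes]) -> bytes:
    """Collect every indexed chunk, order by index, and restore the header."""
    chunks = {}
    for img in jpegs:
        for com in jpeg_comments(img):
            try:
                idx, chunk = split_chunk(com)
            except ValueError:
                continue                  # plain comments are not part of the stream
            chunks[idx] = chunk
    if not chunks or not is_paq_stream_start(chunks[min(chunks)]):
        raise ValueError("lowest-indexed chunk does not start with 1A Fx")
    body = b"".join(chunks[i] for i in sorted(chunks))
    return relocate_trailing_header(body)


def make_jpeg(comment: bytes) -> bytes:
    """Build a minimal JPEG container (SOI, one COM segment, EOI) for testing."""
    seg = struct.pack(">HH", COM, len(comment) + 2) + comment
    return SOI.to_bytes(2, "big") + seg + EOI.to_bytes(2, "big")


# Constructed sample: three chunks of one stream, stored out of order.
HEADER = b"paq8o8z -8\r\n5767168\tsource_fs\r\n"
CHUNKS = [b"\x1a\xfb" + b"start-of-stream", b"\xff" * 8 + b"middle", b"end\xef" + HEADER]
SAMPLE_JPEGS = [
    make_jpeg(base64.b64encode(CHUNKS[1]) + b"|01"),
    make_jpeg(base64.b64encode(CHUNKS[2]) + b"|02"),
    make_jpeg(base64.b64encode(CHUNKS[0]) + b"|00"),
]

if __name__ == "__main__":
    out = reassemble(SAMPLE_JPEGS)
    print(out[:len(HEADER)], len(out))
```

On the real images the comments would come from the JPEG files on the pool rather than from `make_jpeg`; everything else stays the same, and the `1A Fx` check is what tells you the ordering assumption held before you hand the result to the unpacker.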
Mounting this filesystem, we found more JPEG images, animated GIFs as well as some HTML pages saved from the internet. The images did not have a base64 comment, only some kind of hash which we were not able to make any sense of. Using photorec we were able to find more JPEGs as well as a shell script:
```sh
#!/bin/sh
# generate verification/auth info
jhead $( file * | awk -F: '/JPEG/{print $1}' ) 2>&1 \
  | awk '/Comment/{print $3}' | sort -n \
  | openssl dgst -whirlpool | awk '{print $2}'
```
Basically, this script takes the comments from all JPEG files and computes a Whirlpool hash from these comments. We noticed some of the JPEG files we recovered had comments starting with “approved-” while others did not, so we only kept the approved ones, giving us 35 JPEGs to compute the hash with. The key we got was the following:
ec058cf157f975cbee725f39dfe76d354e25b679c584983857f9528692bc16bdce9251d0b7a893f66def87cfc2f6881618222f6604775a0eebad5dd8bfa5bd8b
Submitting this as the answer for the challenge did not work, so we had to look a bit further. Using dff we found an additional file which was deleted from the ext2 filesystem:
```text
0000000: 8c0d 0401 0302 e32f 115d d3bb 0ba9 60c9  ......./.]....`.
0000010: 3d0a 290b bb79 bcf6 d34e 3c6a 5979 8166  =.)..y...N<jYy.f
0000020: a392 a8de ed5a 72fb 3298 681d 445e d7bd  .....Zr.2.h.D^..
0000030: 4d28 6635 655d 619c a24d bac2 574c b28a  M(f5e]a..M..WL..
0000040: d5de 8486 cebb 830b 8636 8734 12d4       .........6.4..
```
`file` gave us no information about this file format, but it looked a lot like the output of `gpg --symmetric`, which we thought was no coincidence. Using `gpg -d` to decrypt the file gave us an error saying that “cipher 1” is unknown. Searching for this error on the internet told us that this cipher ID was used for the IDEA algorithm. Support for this algorithm was removed from gnupg because of patent issues, so we had to use a plugin to decrypt the file.
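The resemblance to `gpg --symmetric` output can be checked directly rather than guessed: the dump above is plain OpenPGP packet framing as defined in RFC 4880. As an added example that is not code from the writeup, the parser below decodes the packet headers, recognises a Symmetric-Key Encrypted Session Key packet (tag 3) followed by a Symmetrically Encrypted Data packet (tag 9), and reads the cipher id out of the first packet; id 1 is IDEA in the RFC's algorithm table, which is exactly the “cipher 1” gpg complained about. `SAMPLE` holds the 78 bytes of the hexdump quoted above; the tag and algorithm tables are copied from RFC 4880.

```python
"""Identify an OpenPGP symmetric-key encrypted file from its packet headers.

Added example, not code from the original writeup. It decodes the packet
framing from RFC 4880 so a dump like the one above can be recognised without
`file`, and reports the cipher id that gpg refused. SAMPLE is the 78-byte
hexdump quoted in the writeup.
"""

# RFC 4880 section 9.2: symmetric-key algorithm ids
CIPHERS = {1: "IDEA", 2: "TripleDES", 3: "CAST5", 4: "Blowfish",
           7: "AES-128", 8: "AES-192", 9: "AES-256", 10: "Twofish"}
# RFC 4880 section 9.4: hash algorithm ids
HASHES = {1: "MD5", 2: "SHA-1", 3: "RIPEMD-160", 8: "SHA-256",
          9: "SHA-384", 10: "SHA-512", 11: "SHA-224"}
# RFC 4880 section 4.3: packet tags relevant to symmetric encryption
TAGS = {1: "Public-Key Encrypted Session Key",
        3: "Symmetric-Key Encrypted Session Key",
        9: "Symmetrically Encrypted Data",
        18: "Sym. Encrypted Integrity Protected Data"}


def read_packet(data: bytes, off: int) -> tuple[int, bytes, int]:
    """Decode one packet header at `off`; return (tag, body, offset after body)."""
    first = data[off]
    if not first & 0x80:
        raise ValueError(f"byte {first:#x} at offset {off} is not a packet tag")
    if first & 0x40:                      # new-format header: tag in the low 6 bits
        tag = first & 0x3F
        b1 = data[off + 1]
        if b1 < 192:
            length, hdr = b1, 2
        elif b1 < 224:
            length, hdr = ((b1 - 192) << 8) + data[off + 2] + 192, 3
        elif b1 == 255:
            length, hdr = int.from_bytes(data[off + 2:off + 6], "big"), 6
        else:
            raise ValueError("partial body lengths are not handled in this example")
    else:                                 # old-format header: tag in bits 2..5
        tag = (first >> 2) & 0x0F
        ltype = first & 0x03
        if ltype == 3:                    # indeterminate length: runs to end of input
            length, hdr = len(data) - off - 1, 1
        else:
            nbytes = (1, 2, 4)[ltype]
            length = int.from_bytes(data[off + 1:off + 1 + nbytes], "big")
            hdr = 1 + nbytes
    start = off + hdr
    return tag, data[start:start + length], start + length


def list_packets(data: bytes) -> list[tuple[int, bytes]]:
    """Split a whole OpenPGP message into (tag, body) pairs."""
    packets, off = [], 0
    while off < len(data):
        tag, body, off = read_packet(data, off)
        packets.append((tag, body))
    return packets


def parse_skesk(body: bytes) -> dict:
    """Decode a version 4 Symmetric-Key Encrypted Session Key packet (RFC 4880 5.3)."""
    version, cipher_id, s2k_type = body[0], body[1], body[2]
    if version != 4:
        raise ValueError(f"unsupported SKESK version {version}")
    info = {"version": version, "cipher_id": cipher_id,
            "cipher": CIPHERS.get(cipher_id, "unknown"), "s2k_type": s2k_type,
            "hash_id": body[3], "hash": HASHES.get(body[3], "unknown")}
    if s2k_type in (1, 3):                # salted and iterated+salted carry an 8-byte salt
        info["salt"] = body[4:12].hex()
    if s2k_type == 3:                     # one-octet coded iteration count (RFC 4880 3.7.1.3)
        c = body[12]
        info["count"] = (16 + (c & 15)) << ((c >> 4) + 6)
    return info


def describe(data: bytes) -> list[str]:
    """One line per packet: enough to explain an 'unknown cipher' error from gpg."""
    lines = []
    for tag, body in list_packets(data):
        name = TAGS.get(tag, f"tag {tag}")
        if tag == 3:
            i = parse_skesk(body)
            lines.append(f"{name}: cipher {i['cipher_id']} ({i['cipher']}), "
                         f"S2K type {i['s2k_type']}, hash {i['hash']}, {len(body)} bytes")
        else:
            lines.append(f"{name}: {len(body)} bytes")
    return lines


# The 78 bytes of the deleted file, as dumped in the writeup above.
SAMPLE = bytes.fromhex(
    "8c0d0401 0302e32f 115dd3bb 0ba960c9 3d0a290b bb79bcf6 d34e3c6a 59798166"
    "a392a8de ed5a72fb 3298681d 445ed7bd 4d286635 655d619c a24dbac2 574cb28a"
    "d5de8486 cebb830b 86368734 12d4"
)

if __name__ == "__main__":
    for line in describe(SAMPLE):
        print(line)
```

Two things fall out of the parse that the writeup had to discover by trial and error: the tag-9 packet (plain Symmetrically Encrypted Data, not the integrity-protected tag 18) is why gpg printed its “not integrity protected” warning, and the S2K block tells you the passphrase is stretched with iterated+salted SHA-1 before it becomes the IDEA key.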
After a lot of work on this challenge, we finally found the final key:
```text
$ /usr/local/bin/gpg --passphrase-fd 0 -d out
Reading passphrase from file descriptor 0
…
ec058cf157f975cbee725f39dfe76d354e25b679c584983857f9528692bc16bdce9251d0b7a893f66def87cfc2f6881618222f6604775a0eebad5dd8bfa5bd8b
gpg: IDEA encrypted data
gpg: encrypted with 1 passphrase
a13ea546a1ba387b5fb19ea0c94eedb6dfdcfc14
gpg: WARNING: message was not integrity protected
```