Forensic
100
$ curl -O http://nopsr.us/ctf2008qual/forensics100-b564a4eca4e1ba6e5c4f626bdd1bcedd
$ file forensics100-b564a4eca4e1ba6e5c4f626bdd1bcedd
forensics100-b564a4eca4e1ba6e5c4f626bdd1bcedd: x86 boot sector, code offset 0x3c, OEM-ID "MSDOS5.0", sectors/cluster 2, root entries 512, sectors 32067 (volumes <=32 MB), Media descriptor 0xf8, sectors/FAT 63, heads 255, hidden sectors 63, serial number 0x6708c07, unlabeled, FAT (16 bit)
$ strings forensics100-b564a4eca4e1ba6e5c4f626bdd1bcedd
:\ken\sho\to\XXXXXXXXXX
D:\ken\sho\to\XXXXXXXXXX
# mount -o loop forensics100-b564a4eca4e1ba6e5c4f626bdd1bcedd /mnt/forensic/
root@ubuntu1:/mnt/forensic/ken/sho/to# ls
AVPNFmgZbN FScfoTUmOh JzSwstHunY PytxtdIMyv VEdmVMKpnS ZBswznYmML ebsxdwqeUL lNGWSjTIAQ qNbSkmtkKh uTvtoPUlkF
AaByMPoAKv FcIPmWgBHN KClJsjZXjB QEVWjhBZBm VNzdRmfWlD ZrMLARCscm gAsTyTRKSN lqjHqlokfk qUhthnwpPA uWTQlgleNm
BBQEyWGnwj FcflIiTboh KQmYWcZKNl RcenDqVmsq VfhcfmDKjQ aZDRYklDqw gLybspWeLd mDfBLxoQXf qcCwBSoGAl wUzaRxVVkg
BWMXaALZmc FqEAlrEBJD LSebVYMISF SZCgYeEVMW VkcdGnpQbU bPIjUnOCRm glrrQhFZDQ mRmOvtcZWm quOLEOtxpB xJpQFbdiAD
BZWsTItWkb FttGZgqXjx LydBpuLCGH TGTkvZCETy XCOdwCDnUO bhncjvutqF hkgMSgbrOp mWaEepZXoL qznvICEtDL xPksbGRnxg
BcjrSoIBOt GRIeCDYBDT MBNNNHNZLC TNcgAzEGLN XKvUxpOmdl bwMLdELzon idSifeOQaO mzgzdvQRbc rRnGguqXYk xULkEXrPjW
EmGEkBosAz HGDXZekqMs OJsKBAjOqN TWUsCUuWRR XUrWaXdVzZ cFmRtdHVUJ jMMTKSyzzp oHrHICKUQy tBewdlAWjw ypvjfpVHGt
FDHhbAcDHn ImuUccjwWA PfapiAtvHK UgENKDYhTl XiFXTCAYwQ dOkdSxgSXi jQFZPstzXx ociiSvaTsv tPSPUSjrmq yxHvjLtvHO
FEHCAsCXJj JJHADCrWTB PsZrrQRqWM UhBsDHunWA YneitTrZsR dxUbNUBIuG lLYHHAiKlu pvgAYQcqPF uSvROjRFWz
# strings forensics100-b564a4eca4e1ba6e5c4f626bdd1bcedd > image.txt
# cat /mnt/forensic/ken/sho/to/* > mount.txt
# sort image.txt > image-sort.txt
# sort mount.txt > mount-sort.txt
# diff image-sort.txt mount-sort.txt
181d50
< kentucky ham
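As an added example (not part of the original writeup), a small Python parser for the FAT16 BIOS Parameter Block whose values `file` printed above, plus a root-directory walk that also lists slots marked deleted (first byte 0xE5), which a mount-and-ls view never shows. The sample image is constructed inline; the reserved-sector count (1) and number of FATs (2) are assumptions, since `file` did not print them.

```python
import struct
# BPB field layout (offset 11 of the boot sector): bytes/sector, sectors/cluster,
# reserved sectors, FAT count, root entries, total sectors (16-bit), media byte,
# sectors/FAT, sectors/track, heads, hidden sectors, total sectors (32-bit).
BPB_FMT = "<HBHBHHBHHHII"

def parse_bpb(img: bytes) -> dict:
    """Decode the BPB and derive where the root directory and data region start."""
    (bps, spc, reserved, nfats, root_entries, total16, media,
     spf, _spt, heads, hidden, total32) = struct.unpack_from(BPB_FMT, img, 11)
    root_dir_sectors = (root_entries * 32 + bps - 1) // bps
    root_start = reserved + nfats * spf          # first root-directory sector
    return {
        "bytes_per_sector": bps, "sectors_per_cluster": spc,
        "reserved_sectors": reserved, "fats": nfats,
        "root_entries": root_entries, "total_sectors": total16 or total32,
        "media": media, "sectors_per_fat": spf, "heads": heads,
        "hidden_sectors": hidden,
        "root_dir_offset": root_start * bps,
        "data_offset": (root_start + root_dir_sectors) * bps,
    }

def walk_root(img: bytes) -> list:
    """Return (name, deleted, size) for every used root-directory slot."""
    bpb = parse_bpb(img)
    entries = []
    for i in range(bpb["root_entries"]):
        e = img[bpb["root_dir_offset"] + 32 * i:][:32]
        if len(e) < 32 or e[0] == 0x00:       # 0x00: no more entries
            break
        if e[11] == 0x0F:                      # long-file-name fragment
            continue
        deleted = e[0] == 0xE5                 # slot freed by deletion
        name = ((b"?" if deleted else e[:1]) + e[1:8]).decode("ascii", "replace").strip()
        ext = e[8:11].decode("ascii", "replace").strip()
        size = struct.unpack_from("<I", e, 28)[0]
        entries.append((f"{name}.{ext}" if ext else name, deleted, size))
    return entries

def build_sample_image() -> bytes:
    """Constructed image: boot sector, empty FATs, one live and one deleted entry."""
    img = bytearray(512)
    img[0:3], img[3:11], img[510:] = b"\xEB\x3C\x90", b"MSDOS5.0", b"\x55\xAA"
    # Same values as the `file` output above; reserved=1 and 2 FATs are assumed.
    struct.pack_into(BPB_FMT, img, 11, 512, 2, 1, 2, 512, 32067, 0xF8, 63, 63, 255, 63, 0)
    img += b"\0" * (parse_bpb(img)["root_dir_offset"] - len(img))
    def entry(name, ext, size):
        return f"{name:<8}{ext:<3}".encode() + b"\x20" + b"\0" * 16 + struct.pack("<I", size)
    img += entry("README", "TXT", 1234) + entry("SECRET", "TXT", 12) + b"\0" * 32
    img[parse_bpb(img)["root_dir_offset"] + 32] = 0xE5   # mark SECRET.TXT as deleted
    return bytes(img)
```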
200
# file forensics200-20c6d7dee480b31b28802f2c3b951313
forensics200-20c6d7dee480b31b28802f2c3b951313:
LHarc 1.x/ARX archive data [lh0]
# file key
key: PPMD archive data
# mv key 01_key.ppmd
# aptitude search ppmd
# aptitude install ppmd
# ppmd d 01_key.ppmd
# file key
key: data
# strings key
key.arj
# aptitude search arj
# aptitude install arj
# mv key 02_key.arj
# arj e 02_key.arj
ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [23 Jun 2008]
Processing archive: 02_key.arj
Archive created: 2008-05-27 11:11:09, modified: 2008-05-27 11:11:09
Extracting key OK
1 file(s)
# file key
key: 7-zip archive data, version 0.2
# aptitude search zip
# aptitude install p7zip-full
# mv key 03_key.7zip
# 7z e 03_key.7zip
7-Zip 4.58 beta Copyright (c) 1999-2008 Igor Pavlov 2008-05-05
p7zip Version 4.58 (locale=ja_JP.UTF-8,Utf16=on,HugeFiles=on,2 CPUs)
Processing archive: 03_key.7zip
Extracting key
Everything is Ok
Size: 8771
Compressed: 8951
# file key
key: bzip2 compressed data, block size = 900k
# mv key 04_key.bzip2
# bzip2 -d 04_key.bzip2
# file 04_key.bzip2.out
04_key.bzip2.out: data
# hexdump -c 04_key.bzip2.out | head
0000000 \0 351 U C L 377 001 032 \0 \0 \0 001 - \a \0 004
0000010 \0 \0 \0 \0 F \0 \0 F 037 213 \b \b 274 m
0000020 ; H \0 003 k e y \0 025 227 211 177 325 T 376 376
# wget http://www.oberhumer.com/opensource/ucl/download/ucl-1.03.tar.gz
# aptitude install g++
# ./uclpack -d ../../key.out key.gz
# mv key.gz 05_key.gz
300
Decompressing it with Lhaplus produces a large number of image files and other files.
Opening the file in an editor reveals the answer.