ctf2008 Forensic

Forensic
    

100

$ curl -O http://nopsr.us/ctf2008qual/forensics100-b564a4eca4e1ba6e5c4f626bdd1bcedd
$ file forensics100-b564a4eca4e1ba6e5c4f626bdd1bcedd
forensics100-b564a4eca4e1ba6e5c4f626bdd1bcedd: x86 boot sector, code offset 0x3c, OEM-ID "MSDOS5.0", sectors/cluster 2, root entries 512, sectors 32067 (volumes <=32 MB) , Media descriptor 0xf8, sectors/FAT 63, heads 255, hidden sectors 63, serial number 0x6708c07, unlabeled, FAT (16 bit)
$ strings forensics100-b564a4eca4e1ba6e5c4f626bdd1bcedd
:\ken\sho\to\XXXXXXXXXX
D:\ken\sho\to\XXXXXXXXXX
# mount -o loop forensics100-b564a4eca4e1ba6e5c4f626bdd1bcedd /mnt/forensic/
root@ubuntu1:/mnt/forensic/ken/sho/to# ls
AVPNFmgZbN FScfoTUmOh JzSwstHunY PytxtdIMyv VEdmVMKpnS ZBswznYmML ebsxdwqeUL lNGWSjTIAQ qNbSkmtkKh uTvtoPUlkF
AaByMPoAKv FcIPmWgBHN KClJsjZXjB QEVWjhBZBm VNzdRmfWlD ZrMLARCscm gAsTyTRKSN lqjHqlokfk qUhthnwpPA uWTQlgleNm
BBQEyWGnwj FcflIiTboh KQmYWcZKNl RcenDqVmsq VfhcfmDKjQ aZDRYklDqw gLybspWeLd mDfBLxoQXf qcCwBSoGAl wUzaRxVVkg
BWMXaALZmc FqEAlrEBJD LSebVYMISF SZCgYeEVMW VkcdGnpQbU bPIjUnOCRm glrrQhFZDQ mRmOvtcZWm quOLEOtxpB xJpQFbdiAD
BZWsTItWkb FttGZgqXjx LydBpuLCGH TGTkvZCETy XCOdwCDnUO bhncjvutqF hkgMSgbrOp mWaEepZXoL qznvICEtDL xPksbGRnxg
BcjrSoIBOt GRIeCDYBDT MBNNNHNZLC TNcgAzEGLN XKvUxpOmdl bwMLdELzon idSifeOQaO mzgzdvQRbc rRnGguqXYk xULkEXrPjW
EmGEkBosAz HGDXZekqMs OJsKBAjOqN TWUsCUuWRR XUrWaXdVzZ cFmRtdHVUJ jMMTKSyzzp oHrHICKUQy tBewdlAWjw ypvjfpVHGt
FDHhbAcDHn ImuUccjwWA PfapiAtvHK UgENKDYhTl XiFXTCAYwQ dOkdSxgSXi jQFZPstzXx ociiSvaTsv tPSPUSjrmq yxHvjLtvHO
FEHCAsCXJj JJHADCrWTB PsZrrQRqWM UhBsDHunWA YneitTrZsR dxUbNUBIuG lLYHHAiKlu pvgAYQcqPF uSvROjRFWz
# strings forensics100-b564a4eca4e1ba6e5c4f626bdd1bcedd > image.txt
# cat /mnt/forensic/ken/sho/to/* > mount.txt
# sort image.txt > image-sort.txt
# sort mount.txt > mount-sort.txt
# diff image-sort.txt mount-sort.txt
181d50
< kentucky ham
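The sort-and-diff step above in Python, as an added example that is not part of the write-up: strings of the raw image minus strings of every live file leaves filesystem metadata, slack space and deleted content. The image bytes and file contents are constructed stand-ins, and the boot-sector strings to ignore are taken from the `file` output.

```python
import re

# Approximation of `strings`: runs of >= min_len printable ASCII bytes.
_PRINTABLE = rb"[\x20-\x7e]{%d,}"

def extract_strings(data: bytes, min_len: int = 4) -> set[str]:
    return {m.group().decode("ascii")
            for m in re.finditer(_PRINTABLE % min_len, data)}

def hidden_strings(image: bytes, live_files: dict[str, bytes],
                   ignore=frozenset()) -> set[str]:
    """Strings in the raw image that no live (mounted) file accounts for.
    What remains is filesystem metadata, slack space or deleted content;
    `ignore` holds metadata strings the analyst has already explained."""
    live = set()
    for content in live_files.values():
        live |= extract_strings(content)
    return extract_strings(image) - live - set(ignore)

# Constructed stand-in for the mounted /mnt/forensic/ken/sho/to/ files.
LIVE_FILES = {
    "AVPNFmgZbN": b"first decoy file: lorem ipsum\n",
    "FScfoTUmOh": b"second decoy file: dolor sit amet\n",
}

# Constructed stand-in for the raw image: a boot-sector-like header, the two
# live files, and between them the unallocated clusters of a deleted file.
IMAGE = (
    b"\xeb\x3c\x90MSDOS5.0" + b"\x00" * 46 + b"FAT16   " + b"\x00" * 16
    + LIVE_FILES["AVPNFmgZbN"] + b"\x00" * 8
    + b"kentucky ham" + b"\x00" * 8          # deleted, so absent after mount
    + LIVE_FILES["FScfoTUmOh"]
)

# Strings the FAT16 boot sector itself contributes (seen in the `file` output).
FS_METADATA = {"MSDOS5.0", "FAT16   "}

if __name__ == "__main__":
    print(sorted(hidden_strings(IMAGE, LIVE_FILES)))               # metadata + deleted text
    print(sorted(hidden_strings(IMAGE, LIVE_FILES, FS_METADATA)))  # ['kentucky ham']
```

On a real image the remainder also contains directory-entry names and strings cut at the cluster boundaries of fragmented files, so treat it as a list of leads rather than answers.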

200

# file forensics200-20c6d7dee480b31b28802f2c3b951313
forensics200-20c6d7dee480b31b28802f2c3b951313: LHarc 1.x/ARX archive data [lh0]
# file key
key: PPMD archive data
# mv key 01_key.ppmd
# aptitude search ppmd
# aptitude install ppmd
# ppmd d 01_key.ppmd
# file key
key: data
# strings key
key.arj
# aptitude search arj
# aptitude install arj
# mv key 02_key.arj
# arj e 02_key.arj
ARJ32 v 3.10, Copyright (c) 1998-2004, ARJ Software Russia. [23 Jun 2008]
Processing archive: 02_key.arj
Archive created: 2008-05-27 11:11:09, modified: 2008-05-27 11:11:09
Extracting key OK
1 file(s)
# file key
key: 7-zip archive data, version 0.2
# aptitude search zip
# aptitude install p7zip-full
# mv key 03_key.7zip
# 7z e 03_key.7zip
7-Zip 4.58 beta Copyright (c) 1999-2008 Igor Pavlov 2008-05-05
p7zip Version 4.58 (locale=ja_JP.UTF-8,Utf16=on,HugeFiles=on,2 CPUs)
Processing archive: 03_key.7zip
Extracting key
Everything is Ok
Size: 8771
Compressed: 8951
# file key
key: bzip2 compressed data, block size = 900k
# mv key 04_key.bzip2
# bzip2 -d 04_key.bzip2
# file 04_key.bzip2.out
04_key.bzip2.out: data
# hexdump -c 04_key.bzip2.out | head
0000000 \0 351 U C L 377 001 032 \0 \0 \0 001 - \a \0 004
0000010 \0 \0 \0 \0 F \0 \0 F 037 213 \b \b 274 m
0000020 ; H \0 003 k e y \0 025 227 211 177 325 T 376 376
# wget http://www.oberhumer.com/opensource/ucl/download/ucl-1.03.tar.gz
# aptitude install g++
# ./uclpack -d ../../key.out key.gz
# mv key.gz 05_key.gz

300

Extracting it with Lhaplus produces a large number of image files plus one other file. Opening that file in an editor reveals the answer.