Monday, May 6, 2019

INS'hAck 2019 - You Shall Not Pass

by Renato "shrimpgo" Pacheco

Description

One of my friends is a show-off and I don’t like that. Help me find the backdoor he just boasted about! :D You’ll find an image of his USB key here. And one last thing, my friend owns you-shall-not-pass.ctf.insecurity-insa.fr.


The challenge consists of a single USB image called dd.img. Inspecting it further, we noticed its file system is NTFS. After mounting the image, we found several files in three directories:

/mnt/
├── 12ca267ed5abd1ac
│   ├── 2ce368bc4dd8c5be
│   ├── 5884ea064d9bbbaa
│   └── ea4ad4c099f94d16
├── 90dc72fac714514f
│   ├── 3b2aac85367a2dd0
│   ├── 6a72f973770a632f
│   └── 9d7cb2c83e62be3d
├── d4997e4eb81ca133
│   ├── 00badf635a201911
│   ├── 09cc15a15bbb10bc
│   └── 7948954c771171c2
└── e14dbe0c55af6da3
    ├── 18cde626a8a8bd5d
    ├── 9815b38440eb7420
    └── ed3d69ff70b5ae92

And its file types:

/mnt/12ca267ed5abd1ac: directory
/mnt/12ca267ed5abd1ac/2ce368bc4dd8c5be: ASCII text, with very long lines, with no line terminators
/mnt/12ca267ed5abd1ac/5884ea064d9bbbaa: ASCII text, with very long lines, with no line terminators
/mnt/12ca267ed5abd1ac/ea4ad4c099f94d16: ASCII text, with very long lines, with no line terminators
/mnt/90dc72fac714514f: directory
/mnt/90dc72fac714514f/3b2aac85367a2dd0: ASCII text, with very long lines, with no line terminators
/mnt/90dc72fac714514f/6a72f973770a632f: ASCII text, with very long lines, with no line terminators
/mnt/90dc72fac714514f/9d7cb2c83e62be3d: ASCII text, with very long lines, with no line terminators
/mnt/d4997e4eb81ca133: directory
/mnt/d4997e4eb81ca133/00badf635a201911: ASCII text, with very long lines, with no line terminators
/mnt/d4997e4eb81ca133/09cc15a15bbb10bc: ASCII text, with very long lines, with no line terminators
/mnt/d4997e4eb81ca133/7948954c771171c2: ISO Media, MP4 v2 [ISO 14496-14]
/mnt/e14dbe0c55af6da3: directory
/mnt/e14dbe0c55af6da3/18cde626a8a8bd5d: ASCII text, with very long lines, with no line terminators
/mnt/e14dbe0c55af6da3/9815b38440eb7420: ASCII text, with very long lines, with no line terminators
/mnt/e14dbe0c55af6da3/ed3d69ff70b5ae92: ASCII text, with very long lines, with no line terminators

All of the ASCII text files have content similar to this:

["Spicy jalapeno ground round turducken chicken cow filet mignon tail bacon cupim. Chuck pig landjaeger leberkas capicola, pork chop swine short ribs sausage pork rump. Spare ribs cupim ribeye short ribs jerky, burgdoggen pastrami ham hock pork loin doner shankle bacon. Venison salami pig chicken cupim beef. Landjaeger ham frankfurter pork loin drumstick shank cupim tongue sirloin pork chop buffalo cow beef ribs bresaola. Bresaola cow drumstick, pork belly pastrami kevin pork chop hamburger jerky buffalo spare ribs doner.","Pancetta t-bone turkey, prosciutto pork belly kielbasa jowl fatback tenderloin kevin. Spare ribs ball tip porchetta jerky cupim burgdoggen shoulder jowl strip steak turducken corned beef kevin frankfurter ribeye. Rump sausage ham hock, strip steak prosciutto pork chop fatback tenderloin short loin bacon meatball tongue ground round. Corned beef tongue andouille burgdoggen fatback alcatra, frankfurter tri-tip capicola kielbasa.","Fatback bacon strip steak meatloaf prosciutto tenderloin pork loin pancetta cupim pastrami. Leberkas t-bone tongue alcatra swine. Ground round shankle chuck tongue pig. Jerky ham hock filet mignon sirloin brisket beef ribs tri-tip kevin frankfurter swine shoulder hamburger cupim pork pork belly. Brisket spare ribs t-bone cupim kielbasa, ham hock tri-tip flank meatball landjaeger porchetta burgdoggen beef."]

We ignored these files. The only different file was the ISO Media / MP4 one, so we played it: it is a cut scene from The Lord of the Rings, and we set this file aside too. Our next attempt was to search for deleted files, but testdisk and photorec failed to find anything. Alisson remembered a tool called FTK Imager Lite for Windows (the Linux version is soooooo Lite that it isn't worth it) and used it to analyze the USB image. He went through every single directory and found, at d4997e4eb81ca133/7948954c771171c2, a File Slack entry.

[screenshot: FTK Imager showing the File Slack entry under d4997e4eb81ca133/7948954c771171c2]

But wtf is this? According to this site, File Slack "is the difference between the physical file size and logical file size. (...) As file slack is literally the space on the hard drive between the logical and physical file size, it means that anything that was in that space before becomes file slack. As a new file is created by overwriting unallocated space (even if it means deleting a file immediately before the request to write) this means that file slack is essentially old fragments of unallocated file space". So that's why testdisk and photorec failed miserably: the data was never a deleted file of its own, it was sitting in the unused tail of the last cluster allocated to the MP4. Cool! Alisson extracted this slack space to a file (let's call it b64.txt) and decoded its content, which turned out to be a GZIP file:

$ strings -e l b64.txt | tr -d '\n' | sed 's/-BGZ-//g;s/-EGZ-//g' | base64 -d > idunno.gz

Gunzipping this file (with a sed pass to add line breaks for readability) gives us this:

$ zcat idunno.gz | sed -r 's/\[/\[\n/g;s/\},/\},\n/g;s/\],/\],\n/g'

{  "door": 20000,  "sequence": [
    {"port": 10010, "proto": "UDP"},
    {"port": 10090, "proto": "UDP"},
    {"port": 10020, "proto": "TCP"},
    {"port": 10010, "proto": "UDP"},
    {"port": 10060, "proto": "TCP"},
    {"port": 10080, "proto": "UDP"},
    {"port": 10010, "proto": "UDP"},
    {"port": 10000, "proto": "TCP"},
    {"port": 10000, "proto": "UDP"},
    {"port": 10040, "proto": "TCP"},
    {"port": 10020, "proto": "UDP"}  ],
  "open_sesame": "GIMME THE FLAG PLZ...",  "seq_interval": 10,  "door_interval": 5}

As soon as @dapolinario saw this, he guessed it was a Port Knocking technique: each entry in "sequence" is one knock on the given port and protocol, in order, and "door" 20000 is the port that opens afterwards. So I made a simple script that follows the sequence above, not forgetting to use the host mentioned in the challenge description:

#!/bin/bash
# Knock in the recovered order. -sU sends a single UDP probe, -sS a single TCP SYN;
# -Pn skips host discovery and --max-retries 0 keeps each knock to one packet.

sudo nmap -Pn -sU --host-timeout 201 --max-retries 0 -p 10010 you-shall-not-pass.ctf.insecurity-insa.fr
sudo nmap -Pn -sU --host-timeout 201 --max-retries 0 -p 10090 you-shall-not-pass.ctf.insecurity-insa.fr
sudo nmap -Pn -sS --host-timeout 201 --max-retries 0 -p 10020 you-shall-not-pass.ctf.insecurity-insa.fr
sudo nmap -Pn -sU --host-timeout 201 --max-retries 0 -p 10010 you-shall-not-pass.ctf.insecurity-insa.fr
sudo nmap -Pn -sS --host-timeout 201 --max-retries 0 -p 10060 you-shall-not-pass.ctf.insecurity-insa.fr
sudo nmap -Pn -sU --host-timeout 201 --max-retries 0 -p 10080 you-shall-not-pass.ctf.insecurity-insa.fr
sudo nmap -Pn -sU --host-timeout 201 --max-retries 0 -p 10010 you-shall-not-pass.ctf.insecurity-insa.fr
sudo nmap -Pn -sS --host-timeout 201 --max-retries 0 -p 10000 you-shall-not-pass.ctf.insecurity-insa.fr
sudo nmap -Pn -sU --host-timeout 201 --max-retries 0 -p 10000 you-shall-not-pass.ctf.insecurity-insa.fr
sudo nmap -Pn -sS --host-timeout 201 --max-retries 0 -p 10040 you-shall-not-pass.ctf.insecurity-insa.fr
sudo nmap -Pn -sU --host-timeout 201 --max-retries 0 -p 10020 you-shall-not-pass.ctf.insecurity-insa.fr

# Sequence done: send the "open_sesame" string to the "door" port.
echo -n "GIMME THE FLAG PLZ..." | nc you-shall-not-pass.ctf.insecurity-insa.fr 20000
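As an added example that is not part of the writeup, here is the same slack-space decode pipeline and the knock-sequence parsing in Python, run on a constructed stand-in for the slack bytes. It assumes the -BGZ-/-EGZ- markers framed each base64 line and that the text was stored as UTF-16LE (which is why strings -e l was needed); neither layout detail is spelled out above.

```python
import base64
import gzip
import json
import re

# Constructed sample: the knock config recovered from the slack space,
# re-typed here from the JSON shown in the writeup.
KNOCK_CONFIG = {
    "door": 20000,
    "sequence": [
        {"port": 10010, "proto": "UDP"}, {"port": 10090, "proto": "UDP"},
        {"port": 10020, "proto": "TCP"}, {"port": 10010, "proto": "UDP"},
        {"port": 10060, "proto": "TCP"}, {"port": 10080, "proto": "UDP"},
        {"port": 10010, "proto": "UDP"}, {"port": 10000, "proto": "TCP"},
        {"port": 10000, "proto": "UDP"}, {"port": 10040, "proto": "TCP"},
        {"port": 10020, "proto": "UDP"},
    ],
    "open_sesame": "GIMME THE FLAG PLZ...",
    "seq_interval": 10,
    "door_interval": 5,
}

def build_slack_blob(config, chunk=64):
    """Constructed stand-in for the slack bytes (assumed layout): gzipped,
    base64'd config split into -BGZ-...-EGZ- framed lines, stored as UTF-16LE,
    with leftovers of an older file in front and NUL padding behind."""
    b64 = base64.b64encode(gzip.compress(json.dumps(config).encode())).decode()
    framed = "\n".join("-BGZ-" + b64[i:i + chunk] + "-EGZ-"
                       for i in range(0, len(b64), chunk))
    return b"\x89PNG\r\n\x1a\nold-file-leftovers" + framed.encode("utf-16-le") + b"\x00" * 32

def utf16le_strings(blob, min_len=4):
    """Rough equivalent of `strings -e l`: runs of printable ASCII stored as 16-bit LE."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group(0).decode("utf-16-le") for m in re.finditer(pattern, blob)]

def decode_slack(blob):
    """The writeup's pipeline: strings -e l | tr -d '\\n' | strip markers | base64 -d | zcat."""
    joined = "".join(utf16le_strings(blob))                 # tr -d '\n'
    b64 = joined.replace("-BGZ-", "").replace("-EGZ-", "")  # the two sed substitutions
    return json.loads(gzip.decompress(base64.b64decode(b64)))

def knock_plan(config):
    """Ordered (proto, port) knocks plus the door and its secret: what the
    bash script above spells out as eleven nmap calls and one nc call."""
    knocks = [(step["proto"].upper(), int(step["port"])) for step in config["sequence"]]
    return knocks, int(config["door"]), config["open_sesame"]
```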

Flag: INSA{213dca08e606ef9e5352f4bdd8b6dd9d6c559e9ce76b674ae3739a34c5c3be37}

Acknowledgement

  • Alisson “Infektion” Bezerra
  • Daniel “dapolinario” Apolinario

Tags: Capture the Flag, Forensics, Writeup