Summary

  • Problem: Finding the key in one raw-data-file – forensic challenge
  • Techniques: Using foremost to extract data
  • Solution: Just extract data and it’s done

Analysis

After downloading the file, let’s skim over it.

$ file 514985D4E9D80D8BF227859C679BFB32

514985D4E9D80D8BF227859C679BFB32: CDF V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 949, Title: Chzcxva Pneivat Znqr Rnfl, Author: Flfnqzva, Template: Normal.dotm, Last Saved By: FRETR INHQRANL, Revision Number: 12, Name of Creating Application: Microsoft Office Word, Total Editing Time: 21:00, Create Time/Date: Mon Feb 22 12:48:00 2010, Last Saved Time/Date: Thu Mar 4 13:54:00 2010, Number of Pages: 7, Number of Words: 1381, Number of Characters: 7876, Security: 0

$ ls -l 514985D4E9D80D8BF227859C679BFB32

-rw-r--r-- 1 hieuln hieuln 867328 2010-03-13 21:18 514985D4E9D80D8BF227859C679BFB32

Of course, it’s not a CDF document. So the general step is to use foremost to extract the data inside.

$ foremost -c /etc/foremost.conf -v -o out 514985D4E9D80D8BF227859C679BFB32

It extracted a lot of stuff. Let’s browse the image files first. I noticed there’s a small image named “00000041.tif” that looks like a captcha. Try that phrase, and it is the right key: “E5R69267”.
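The foremost step above relies on signature carving: scanning the raw bytes for known file headers and cutting out everything up to the matching footer. The sketch below is an added example, not code from this write-up or from foremost; the signature table, the size limits and the sample container bytes are constructed for illustration, and it covers only header/footer formats (TIFF has no footer and needs structure parsing).

```python
# Added example: minimal header/footer carver (not foremost's own code).
# Signature table and max sizes are assumptions chosen for this sketch.
SIGNATURES = {
    # type: (header, footer, max_size_in_bytes)
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 10 * 1024 * 1024),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
    "gif": (b"GIF89a", b"\x00\x3b", 5 * 1024 * 1024),
}


def carve(blob):
    """Return [(type, offset, data)] for each header that has a footer within max_size."""
    found = []
    for ftype, (header, footer, max_size) in SIGNATURES.items():
        pos = blob.find(header)
        while pos != -1:
            # Only search for the footer inside the size window for this type.
            window_end = min(len(blob), pos + max_size)
            end = blob.find(footer, pos + len(header), window_end)
            if end != -1:
                found.append((ftype, pos, blob[pos:end + len(footer)]))
            # Keep scanning: containers often embed several files of one type.
            pos = blob.find(header, pos + 1)
    return sorted(found, key=lambda item: item[1])


def sample_container():
    """Constructed input: filler bytes wrapping a fake PNG and a fake JPEG."""
    png = b"\x89PNG\r\n\x1a\n" + b"constructed-png-body" + b"IEND\xaeB`\x82"
    jpg = b"\xff\xd8\xff\xe0" + b"constructed-jpeg-body" + b"\xff\xd9"
    blob = b"\xd0\xcf\x11\xe0" + b"A" * 100 + png + b"B" * 50 + jpg + b"C" * 30
    return blob, png, jpg


if __name__ == "__main__":
    blob, _, _ = sample_container()
    for ftype, offset, data in carve(blob):
        print(f"{ftype} at offset {offset}: {len(data)} bytes")
```

Because the match is purely on byte patterns, the container's declared type (here a Word document) does not matter, which is why embedded images fall out of the file regardless of what `file` reports.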

Sad, really upset. That’s such a bad challenge for 300 points. And I can’t imagine that CLGT is the 3rd team to submit this flag; it’s the end of the first day.
