Forensics – 2. Hard Shells

Worth: $200

Description: After a recent hack, a laptop was seized and subsequently analyzed. The victim of the hack? An innocent mexican restaurant. During the investigation they found this suspicous file. Can you find any evidence that the owner of this laptop is the culprit?

 

The challenge starts off with a file download called “hardshells”. Running the file command on the system shows it’s likely a Zip archive, at least based on the file signature header:

Renaming the file with a zip extension and attemping to unzip the archive prompts the for a password:

Next I attempt to bruteforce the archive using the FCrackZip utility. I try the low-hanging fruit and try lowercase characters [a-z], which finds a password candidate of “tacos”:

-b: Select brute force mode. This tries all possible combinations of the letters you specify.
-c: Select the characters to use in brute-force cracking. Must be one of:
        a      include all lowercase characters [a-z]
       A      include all uppercase characters [A-Z]
       1       include the digits [0-9]
       !        include [!:$%&/()=?{[]}+*~#]
       :        the following characters upto the end of the specification string are included in the character set. This way you can include any character except binary null (at least under unix).
-l: Use an initial password of length min, and check all passwords up to passowrds of length max (including).You can omit the max parameter.
-u: Try to decompress the first file by  calling unzip with the guessed password. This weeds out false positives when not enough files have been given.

Next, changing into the newly opened directory, we’re presented with a new file called “d”, which appears to take on the format of a Minix filesystem:

In most (if not all cases) Minix filesystems can be mounted directly in Linux. In my case I just ran the command “mount d /mnt/minix/”, then I can interact with any files in “/mnt/minix”.

Inside the filesystem is a data file called dat:

Using strings and grep don’t produce anything useful, so I opened up the file in a hex editor. The next portions can be referenced at the following index of known File Signatures by Gary Kessler, at https://www.garykessler.net/library/file_sigs.html

The file header:

The file trailer:

Searching for the hex in the footer on Gary Kessler’s site matches the standard footer of a PNG file:
49 45 4E 44 AE 42 60 82 (IEND®B`‚...)

But comparing the standard file header for a PNG compared to our file, you will see one subtle difference.

Standard:
89 50 4E 47 0D 0A 1A 0A
Our File:
89 50 55 47 0D 0A 1A 0A
Opening the file back up in a hex editor and changing the 55 to a 4E, will properly render a valid PNG image:

Within the image is the flag we’ve been seeking:

 

Flag = IceCTF{look_away_i_am_hacking}