
[Plaid 2014] forensic : zfs

Zero Day 2016.08.27 16:17

zfs

Challenge description:

    Forensic : zfs
    The Plague is using state of the art systems for storing his data. Our operatives managed to steal a drive from one of his servers, but it seems like our haste may have led to some uber-corruption. Can you get the data off the drive to track down The Plague?

First I ran strings over the image and grepped for "key"; the file names alone give away a lot:

```
zero@ubuntu:~/Desktop$ file disk
disk: data
zero@ubuntu:~/Desktop$ strings disk | grep key
not_the_key
not_the_key
xor_key
key.xor_encrypted
key3
not_the_key
not_the_key
xor_key
key.xor_encrypted
key3
6keyIy
+(Jkey
```

So the key file is XOR-encrypted (key.xor_encrypted), and the XOR key itself (xor_key) is stored somewhere on the same disk, most likely close to the encrypted file. The names appear twice because ZFS keeps redundant copies of metadata blocks.

That means we do not need to repair the filesystem at all: carve key.xor_encrypted and xor_key out of the raw image and XOR them together.


I could not find a ZFS recovery tool that would mount the corrupted image, so I extracted the data by hand with a hex editor.

At offset 0x41ae00 there is an odd-looking 0x200-byte block (exactly one 512-byte sector) that stands out from the surrounding data; the encrypted file should be in the sectors right after it.

So let's write a small Python script that XORs the selected block against the following sectors.

```python
import sys

with open("disk", "rb") as f:
    f.seek(0x41ae00)
    data = f.read(0x200)  # the odd 0x200-byte block at 0x41ae00, used as the XOR key

    # XOR two equal-length byte strings
    xor = lambda a, b: bytes(x ^ y for x, y in zip(a, b))

    # XOR each of the next two 0x200-byte sectors against that block
    for i in range(2):
        d = xor(f.read(0x200), data)
        print("Try %d : " % (i + 1))
        sys.stdout.buffer.write(d + b"\n")  # raw bytes, so the output can be piped to strings
```

After decrypting, the second sector comes out as clean text (pipe the output through strings if the first try fills the terminal with garbage):

```
zero@ubuntu:~/Desktop$ python sol.py
Try 1 :  
......
Try 2 :  
 _________________________
< ZFS_daTa_1s_s4f35t_d4t4 >
 ------------------------- 
  \                    /' )
   \                 /'   (                          ,
   \             __/'     )                        .' `;
    \    _.-~~~~'          ``---..__             .'   ;
    _.--'  b)                       ``--...____.'   .'
   (     _.      )).      `-._                     <
    `\|\|\|\|)-.....___.-     `-.         __...--'-.'.
      `---......____...---`.___.'----.....'         `.;
```

The flag is ZFS_daTa_1s_s4f35t_d4t4
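The script above hardcodes the offsets found by eye. As an added example (not from the original write-up), here is the general form of the same technique: treat a chosen sector as the XOR key, XOR it against every other sector in the image, and keep the sectors that decode to mostly printable ASCII. It runs against a constructed six-sector image built inline; the key offset (0x600), the ciphertext offset (0x800), the sample plaintext and the key bytes are all invented for the demo, not taken from the challenge disk.

```python
import random
import string

SECTOR = 0x200
PRINTABLE = frozenset(string.printable.encode())


def xor_bytes(a, b):
    """XOR two equal-length byte strings (same operation as the write-up's lambda)."""
    return bytes(x ^ y for x, y in zip(a, b))


def printable_ratio(buf):
    """Fraction of printable ASCII in buf after dropping the zero padding that a file
    shorter than one sector carries on disk; 0.0 for an empty or all-zero buffer."""
    body = buf.rstrip(b"\x00")
    if not body:
        return 0.0
    return sum(c in PRINTABLE for c in body) / len(body)


def scan_image(image, key_offset, sector=SECTOR, threshold=0.95):
    """XOR the sector at key_offset against every other sector of the image and
    return (offset, ratio, plaintext) for the sectors that decode to text."""
    key = image[key_offset:key_offset + sector]
    hits = []
    for off in range(0, len(image) - sector + 1, sector):
        if off == key_offset:
            continue
        plain = xor_bytes(image[off:off + sector], key)
        ratio = printable_ratio(plain)
        if ratio >= threshold:
            hits.append((off, ratio, plain.rstrip(b"\x00")))
    return hits


# Constructed sample image (not the challenge's disk): two random filler sectors,
# an all-zero sector, a hypothetical xor_key sector at 0x600, the XOR-encrypted
# text at 0x800 and one more random sector.
KEY_OFFSET = 0x600
CIPHER_OFFSET = 0x800
PLAINTEXT = (b" _____________________\n"
             b"< constructed sample >\n"
             b" ---------------------\n"
             b"        \\   ^__^\n"
             b"         \\  (oo)\\_______\n")


def build_sample_image(seed=7):
    rnd = random.Random(seed)
    rand_sector = lambda: bytes(rnd.getrandbits(8) for _ in range(SECTOR))
    key = rand_sector()
    padded = PLAINTEXT.ljust(SECTOR, b"\x00")  # zero-pad to one sector, as on disk
    sectors = [rand_sector(), rand_sector(), bytes(SECTOR),
               key, xor_bytes(padded, key), rand_sector()]
    return b"".join(sectors)


if __name__ == "__main__":
    for off, ratio, text in scan_image(build_sample_image(), KEY_OFFSET):
        print("sector at 0x%x decodes to text (%.2f printable):" % (off, ratio))
        print(text.decode("ascii"))
```

To use it on the real image, pass the file contents and 0x41ae00 as key_offset. Trailing zero padding is stripped before scoring, otherwise a short file stored in a 512-byte sector would never pass the threshold. A sector that is a byte-for-byte duplicate of the key (ZFS keeps redundant copies of some blocks) decodes to all zeros and scores 0.0, so it is silently skipped, and random filler XORed with a random key stays random and scores around 0.4.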


P.S. I like that ASCII art.
