24 November, 2012

PoliCTF 2012 Part 0x00 Forensics-500

This is my write-up for a Forensics-500 challenge from PoliCTF competition


Let's call someone from the old days
Attachment: a918f10f10f2f47.tbz2.gpg
(password: 087c5a2fb9ed3493496416f46cc37f5439a47a85 )


$ gpg -d --output f500.tbz2 a918f10f10f2f47.tbz2.gpg && tar jxvf f500.tbz2
gpg: AES256 encrypted data
gpg: gpg-agent is not available in this session
gpg: encrypted with 1 passphrase

$ file communication.pcap 
communication.pcap: tcpdump capture file (little-endian) - version 2.4 (Ethernet, capture length 65535)

$ wireshark communication.pcap &

And we will see something like that

It is an RTP protocol. That means that we see a voice conversation. Let's check the traffic.

Telephony -> RTP -> Show All Streams

There is two-way conversation. Choose one - "Analyze"

We can immediately listen to the stream by pressing "Player". In one stream there is a music audio and in the second a data payload - modulated sound. Save the second stream payload then and do it in AU format (RAW should also work). Then we should download a program to demodulate the signal. I tried several of them and did it with multimon by Thomas Sailer.

$ mkdir multimon && cd multimon && wget http://www.baycom.org/~tom/ham/linux/multimon.tar.bz2 && tar jxvf multimon.tar.bz2 && make

$ cd bin-i686/
$ ./multimon -t au -c -a afsk1200 2.au
multimod  (C) 1996/1997 by Tom Sailer HB9JNX/AE4WA
available demodulators: POCSAG512 POCSAG1200 POCSAG2400 UFSK1200 CLIPFSK AFSK1200 AFSK2400 AFSK2400_2 AFSK2400_3 HAPN4800 FSK9600 DTMF ZVEI SCOPE
Enabled demodulators: AFSK1200
sox WARN sox: Option `-2' is deprecated, use `-b 16' instead.
AFSK1200: fm OTA22-0 to NOCALL-0 UI  pid=CC

Here I executed multimon with AU file type flag and only with AFSK 1200 demodulation (I tried several modulations before found the right one). Unfortunately, this program has a feature to represent all non-ASCII characters as dots. So, I had to patch the source of multimon.

hdlc.c:   Function: ax25_disp_packet
        while (len) {
                i = *bp++;

                verbprintf(0, "%.2x ",i);    // Add this line

// And comment these if-statements
                if ((i >= 32) && (i < 128)) 
                        verbprintf(0, "%c",i);
                else if (i == 13) {
                        if (j) 
                                verbprintf(0, "\n");
                        j = 0;
                } else 
                        verbprintf(0, ".");
                if (i >= 32) 
                        j = 1;

Recompile and run once more time. According to my calculation this is an IP over AX.25 protocol and the header size is 52 bytes. Therefore, we should concatenate payloads of information frames 6, 7 and 8 to get the PNG file. Theoretically, it is possible to create a pcap file from these packets to import it to Wireshark. Before that, you should make your Kernel and Wireshark understand AX.25. After that just run this commands for each packet:

$ echo -n "45 00 01 00 fd cf ..." | xxd -r -p |hexdump -C >> text

And then just it:

$ text2pcap text ax25.pcap

Then just open the pcap file in Wireshark and save payload. In any case, here is the image:

The first link in Google by question "QR decoder" will be ZXing Decoder Online. Just upload the image and get the result:

The key is: 73e4geru3i21eWuypzFIueK

No comments:

Post a Comment