ebCTF 2013 - For 300 (Heidi)
01 August 2013 by ea
We are given a zip archive containing what appear to be two USB flash drive images. The challenge description has a thing or two to say about them:
This Rick Astley fan is planning to do a karaoke on the OHM2013 campsite, this plan must be stopped! Investigators imaged two of his USB-sticks. Are you able to find his plans for the OHM2013 karaoke. Intelligence: During a cryptoparty he got a little drunk and spoiled his passwords: 1) NeverGonnaGiveYouUp 2) NeverGonnaLetYouDown Are you able to recover a delicate Photo?
So, we are looking for a photo that will hopefully contain a flag.
The flash drive images are called blue and red. If we mount the blue one, we see only one file, named ohm2013promotion.wmv. If you extract it, it won't play. Carving the blue image also gives no results.
Let's take a look at the red one. Simply opening the red one with 7zip, for example, gives nothing, but carving, on the other hand, yields two files:
- ohm2013promotion.wmv, which seems to be partially overwritten by OHM2013_promo.mp4
- OHM2013_promo.mp4, which does actually play, but has nothing interesting.
Now comes the interesting part. If you take a look at the first file (from the blue flash drive), you'll notice two things: it's exactly 200 MB long and it has pretty high entropy. The first idea that pops into my mind is that it's a TrueCrypt container. Try to mount it, use "NeverGonnaGiveYouUp" as the password, and it works! But not so fast. There are a few files there: some more promotional videos, and one image. None of these has the flag. One of those files is another TrueCrypt container which decrypts with the second password, but it's empty, so no luck there.
Let's turn back to the red flash image. The partially overwritten file is also exactly 200 MB long. If you recover it from the image, its first 80+ megabytes will be overwritten by OHM2013_promo.mp4, but the rest does look like it's encrypted. Unfortunately, the TrueCrypt volume key is contained in the first 512 bytes, and there is no way to mount it as is.
Now, what we could do is assume that both ohm2013promotion.wmv files (from the blue and from the red flash drive) are the same TrueCrypt container, but with different contents. They'd still have the same key.
With a little help from dd, extract the first 88.7 MB from the first file and write them over the first 88.7 MB of the second (the partially overwritten one) file. Try to mount it with the first password, and again the mounted volume contains the same files; but if you now try to mount the GEEK2017_promo.wmv file with the second password, it's no longer empty, but contains that same tent image, now with a clearly visible flag.
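As an added illustration (this is not code from the write-up or from the challenge), the two steps above in Python: the size-plus-entropy check used to recognise the container, and the prefix overlay that the write-up does with dd, shown both in memory and streamed over files. All sample data is constructed with a seeded RNG and scaled down; the sizes, the file names and the mp4-looking filler are assumptions, and the real images are never touched.

```python
"""Constructed demo of the two checks from the write-up: spotting a
TrueCrypt-like container (exact size, high entropy) and grafting the
intact prefix of one copy onto a partially overwritten copy, i.e. what
the write-up does with dd. Sizes are scaled down and every byte is
generated here; nothing comes from the challenge images."""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

CONTAINER_SIZE = 64 * 1024   # assumption: stands in for the 200 MB of the real files
HEADER_LEN = 512             # TrueCrypt volume header lives in the first 512 bytes
OVERWRITTEN_LEN = 24 * 1024  # assumption: stands in for the ~80 MB clobbered by the mp4


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for random or encrypted data, much lower for media or text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_container(data: bytes, expected_size: int, threshold: float = 7.9) -> bool:
    """The two tells used in the write-up: exact expected size and near-maximal entropy.
    A file with a large plaintext stretch (the overwritten red copy) fails the entropy test."""
    return len(data) == expected_size and shannon_entropy(data) >= threshold


def overlay_prefix(donor: bytes, damaged: bytes, length: int) -> bytes:
    """In-memory equivalent of `dd if=donor of=damaged conv=notrunc`: the first `length`
    bytes of `donor` replace those of `damaged`; everything after them is left untouched."""
    if len(donor) != len(damaged):
        raise ValueError("sizes differ: the two files are probably not the same container")
    if length < HEADER_LEN:
        raise ValueError("prefix must at least cover the volume header")
    return donor[:length] + damaged[length:]


def overlay_files(donor: Path, damaged: Path, out: Path, length: int, chunk: int = 1 << 20) -> None:
    """Same operation on disk, streamed in chunks so 200 MB images need not be loaded whole."""
    if donor.stat().st_size != damaged.stat().st_size:
        raise ValueError("sizes differ: the two files are probably not the same container")
    with donor.open("rb") as src, damaged.open("rb") as dmg, out.open("wb") as dst:
        remaining = length
        while remaining > 0:
            buf = src.read(min(chunk, remaining))
            if not buf:
                raise ValueError("donor is shorter than the requested prefix")
            dst.write(buf)
            remaining -= len(buf)
        dmg.seek(length)
        for buf in iter(lambda: dmg.read(chunk), b""):
            dst.write(buf)


def build_demo(seed: int = 1337) -> dict:
    """Constructed data: one shared header, two different encrypted bodies (blue and red),
    and a red copy whose prefix was overwritten by low-entropy, mp4-looking bytes."""
    rng = random.Random(seed)          # Random.randbytes needs Python 3.9+
    header = rng.randbytes(HEADER_LEN)
    blue = header + rng.randbytes(CONTAINER_SIZE - HEADER_LEN)
    red_intact = header + rng.randbytes(CONTAINER_SIZE - HEADER_LEN)
    mp4_like = (b"ftypmp42mdat" * (OVERWRITTEN_LEN // 12 + 1))[:OVERWRITTEN_LEN]
    red_damaged = mp4_like + red_intact[OVERWRITTEN_LEN:]
    # Bytes between HEADER_LEN and OVERWRITTEN_LEN now come from blue, which is why the
    # write-up sees the same files on first mount; only the tail past the overlay is red's.
    repaired = overlay_prefix(blue, red_damaged, OVERWRITTEN_LEN)
    return {"blue": blue, "red_intact": red_intact,
            "red_damaged": red_damaged, "repaired": repaired}


def demo_on_disk() -> bool:
    """Run the streamed version against temp files and confirm it matches the in-memory result."""
    d = build_demo()
    with tempfile.TemporaryDirectory() as tmp:
        blue, red, out = (Path(tmp) / n for n in ("blue.bin", "red.bin", "repaired.bin"))
        blue.write_bytes(d["blue"])
        red.write_bytes(d["red_damaged"])
        overlay_files(blue, red, out, OVERWRITTEN_LEN)
        return out.read_bytes() == d["repaired"]


if __name__ == "__main__":
    d = build_demo()
    for name in ("blue", "red_damaged", "repaired"):
        print(f"{name:12s} entropy={shannon_entropy(d[name]):.3f} "
              f"container-like={looks_like_container(d[name], CONTAINER_SIZE)}")
    print("header restored:", d["repaired"][:HEADER_LEN] == d["blue"][:HEADER_LEN])
    print("streamed copy matches:", demo_on_disk())
```

The size check matters as much as the entropy check: if the two carved files differed in length, the "same container, different contents" assumption would already be suspect, so both functions refuse to proceed. On real images the streamed variant is what you would run; it mirrors dd's conv=notrunc behaviour, which is what keeps the untouched tail of the damaged copy in place instead of truncating the output at the copied prefix.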