ebCTF 2013 - For 300 (Heidi)

01 August 2013 by ea

We are given an zip archive containing what appears to be two USB flash drive images. Challenge description has a thing or two to say about them:

This Rick Astley fan is planning to do a karaoke on the OHM2013 campsite, this plan must be stopped!

Investigators imaged two of his USB-sticks. Are you able to find his plans for the OHM2013 karaoke.

During a cryptoparty he got a little drunk and spoiled his passwords:
1) NeverGonnaGiveYouUp
2) NeverGonnaLetYouDown

Are you able to recover a delicate Photo?

So, we are looking for a photo that will hopefully contain a flag. Flash drive images are called blue and red. If we mount the blue one, we see only one file named ohm2013promotion.wmv. If you extract it, it won’t play. Carving the blue image also gives no results.

Lets take a look at red one. Simply opening the red one with 7zip for example gives nothing, but carving on the other hand yields two files:

  • OHM2013_promo.mp4
  • ohm2013promotion.wmv

Unfortunately, ohm2013promotion.wmv seems to be partially overwritten by OHM2013_promo.mp4. OHM2013_promo.mp4 does actually play, but has nothing interesting.

Now comes the interesting part. If you take a look at the first ohm2013promotion.wmv file (from blue flash drive), you’ll notice two things. It’s exactly 200mb long and it has pretty high entropy. First idea that pops into my mind is that it’s TrueCrypt container. Try to mount it, use the “NeverGonnaGiveYouUp” as a password and it works! But not so fast. There are a few files there. Some more promotional videos, and one image. None of these has the flag. One of those files is another TrueCrypt container which decrypts with the second password, but it’s empty, so no luck there.

Lets turn back to the red flash image. Partially overwritten ohm2013promotion.wmv file is also exactly 200mb long. If you recover it from the image , it’s first 80+ megabytes will be overwritten by OHM2013_promo.mp4, but the rest does look like it’s encrypted. Unfortunately, TrueCrypt volume key is contained in the first 512bytes and there is no way to mount it as is.

Now, what we could do is assume that both ohm2013promotion.wmv file (from blue and from red flash drive) are the same TrueCrypt container, but with different contents. They’d still have the same key.

With a little help of dd, extract the first 88.7mb from the first ohm2013promotion.wmv file and write them over the first 88.7mb of the second ohm2013promotion.wmv (the partially overwritten one) file. Try to mount it with first password, and it works!

Again, the mounted volume contains the same files, but if you now try to mount the GEEK2017_promo.wmv file with the second password, it’s no longer empty, but contains that same tent image, now with clearly visible flag.