Linux Forensics

CTF made by Stanislav Atanasov

The zip file that was for download contained:

ctf.E01 ctf.E02 ctf.E03 ctf.E04 ctf.E05 ctf.E06 ctf.E07 ctf.E08 ctf.E09 ctf.E10 ctf.E11 ctf.E12 ctf.E13

Questions to answer:

What is the MD5 Checksum of the case?
What is the case number?
How many partitions are in the archive?
What is the password for the LUKS?
What is the OS and version?
What is the second command executed by root?
What is the username of the normal user for the system?
What is the flag hidden in the root’s directory?
What is displayed if you access the apache server (and I don’t mean the default page)?
Which is the user’s favorite Social network (there is a logo in one of the folders)

UTP CTF

The CTF consists of 10 questions that need to be answered. No question can be answered without answering the one before.

I am doing this ctf on my Kali Linux machine.

And we begin...

Pre-Requisits

... after downloading the zip file from the cloud drive, and unziping the files inside it, we get a file called UTP CTF with 13 images inside.

first, we want to make sure we have the right tools.

Since we are working with .e01,02... witch are all parts of one image, we want to have the right tools for examination.

I will use ewf for analyzing, examination. (Another popular option on linux is autopsy)

To download the tools we run:

sudo apt-get install ewf-tools

Examination

Now we can examine the data associated with the image by running:

ewfinfo /home/kali/Downloads/UTP\ CTF/ctf.E01

When all the parts of the image are extracted in the same folder, the OS will se it as one whole image, so you only need to specify the first part of the image to refer to the whole. (ctf.E01)

Here we can see a ton of ussefull information that will be useful for further investigation, and our first answers to the questionaree.

The case number is 755585

Notes on some passwords.

MD5 checksum

So we acctually found the answers to the first 2 questions.

1. What is the MD5 Checksum of the case? – 0df5c2b36344631471556be619367c21

2. What is the case number? – 755585

Raw Image Mount

Lets create a mount point that we will use to mount the E01 as a raw device

mkdir -p /mnt/ewf_mount

This creates a directory in the mnt, called "ewf_mount"

Mount the E01 image:

sudo ewfmount /home/kali/Downloads/UTP\ CTF/ctf.E01 /mnt/ewf_mount

The "ewfmount 20140814" output means that the mount was successful.

3. How many partitions are in the archive?

After mounting the E01 image, we can utalize the mmls command to examine the partition structure of the mounted image:

mmls /mnt/ewf_mount/ewf1

The output provided a breakdown of the partition layout for E01, we can see from the output that 004, 005 and 006 are valid partitions.

The 004 partition is the EFI system, 005 and 006 are likely to be filled with user inputed data so we will check them next.

And we see the answer to the 3rsd question

3. How many partitions are in the archive? - 3

4. What is the password for the LUKS?

Next, we attempted to set up a loop device to access one of the partitions using the losetup command:

losetup -o 537919488 /dev/loop1 /mnt/ewf_mount/ewf1

Btw the number 537919488 I got using this formula:

Calculate the Offset in Bytes: Each sector is 512 bytes, so:
Offset for Partition number: start(1050624 in my case for the partition 005) * 512 = 537919488 bytes

With the loop device set up, we proceeded to mount the newly configured loop device to access its contents:

mount -o ro /dev/loop1 /mnt/logical_mount

And remember that we configured only the 005 partition on the loop device.

If the command is executed successfuly you should be able to see some content of the partition:

ls /mnt/logical_mount

Since the next question is the LUKS password, lets open the 006 partition, this one is not encrypted.

Lets mount the 006 partition. We repeat the losetup and mount commands.

The loop3 is a loop device that we will place our partition on, the partition is defined by the start * 512, and the /mnt/ewf_mount/ewf1 is our whole raw image.

As seen on the picture, this partition is encrypted and we need to decrypt it before we can mount it.

Install the neccesary packages for opening the luks encrypted partition:

Using the installed package for opening, we can see below that we need a passphrase. We saw some hints about it at the beginning.

User is lazy. Password is part of the XKCD comics 936.

The hint we have indicates that the password is related to XKCD comic number 936, which is titled "Password Strength." In this comic, it is explained how using a passphrase composed of multipe, easy to remember words, is way more secure than using a complex single password.

The one used in the comic was: correct horse battery staple

Having in mind the hint from class "One letter is missing" i made a wordlist form the phrase and ereased every letter that could be ereased and made around 20-30 length wordlist.

And since I suck at bash – prompted chatGPT to create one for trying the wordlist so I don’t write it mannualy – automation at it’s finest…

And after blankly watching at the screen for 30 minutes, wondering why none of the passphrases were correct i remembered that the USER WAS LAZY. the example for a “bad” password in the comic was Tr0ub4dor&3. now i made this wordlist:

and the 6th one worked. the password is Tr0b4dor&3.

So we know the password, lets decrypt the partition:

sudo cryptsetup luksOpen /dev/loop2 decrypted_partition

Enter passphrase for /mnt/ewf_mount/ewf1: Tr0b4dor&3

Now if we check dev/mapper we will see the following content:

There is our so called “decrypted partition”. lets see the partition tree:

So we can see the "decrypted partition" has some logical volumes, lets mount the vgxubuntu-root and explore it since we have acces to it thanks to the password we entered earlier.

After trying to mount the root LV to mnt/logical_mount directory i faced some errors like:

so i checked if the LV were active with vgchange-ay

And checked the filesystem on VG with file:

it outputs a link to dev/dm-1 so lets check the filesystem there

its is ext4. So it should work, we proceed with trying to mount from /dev/dm-1

Nop. Lets just mount with read only as we did in the above examples.

sudo mount -o ro /dev/dm-1 /mnt/logical_mount

And we can now see the contents of the encrypted partition in mnt/logical_mount

5. What is the OS and version?

So the next questions asks us to tell the OS and version. lets seek that info in the etc/os-release

5. What is the OS and version? – Ubuntu 23.10 (Mantic Minotaur)

6. What is the second command executed by root?

The next question is to see what was the second command executed by root. To see this we can go in /root and search for it there. its ussualy .bash_history or .zsh_history.

6. What is the second command executed by root? - apt install apache2

7. What is the username of the normal user for the system?

Now we need to see what is the name of the reguar user for the system. We talked about this on the class, when we open the /etc/psswd we can see all the users and info.

7. The name for the regular user is: ctf

8. What is the flag hidden in the root’s directory?

The flag hidden in the root dir under /capture me: e0NURl9MRl9Zb3VfR290X01lIX0=

The flag needs to be decrypted

9. What is displayed if you access the apache server (and I don’t mean the default page)?

What is displayed in the apache server, and not the default page is the next question, from the command history we could see that there were some commands for apache and php.

If we go to var/www/html/index.php we can se the display is: CTF_LF_php

the last question is to write what is the users favorite social media, there is a logo somewhere. We can see it in the /home/ctf

The answer is: Twitter

PreviousAll NextForensic Labs 1

Last updated 2 months ago