/* 404CTF */

404CTF Writeup - Forensics

Jun 20, 2023 · 10 min read

Pêche au livre

Quite an classic challenge. Just open the pcap capture with wireshark. We immediately see an unencrypted HTTP exchange. Textually, the string 404CTF{... is not present, so we need to look at the non-textual content: the images:

The flag is: 404CTF{35SY_W1r35h4rk}

Le Mystère du roman d’amour

In this challenge, we are handed Vim swap file fichier-etrange.swp and to solve the challenge with must find:

We can use the file command to inspect the file given to use and we already find a lot of informations:

file fichier-etrange.swp
# fichier-etrange.swp: Vim swap file, version 7.4, pid 168, user jaqueline, host aime_ecrire, file ~jaqueline/Documents/Livres/404 Histoires d'Amour pour les bibliophiles au coeur d'artichaut/brouillon.txt

Then we can actually recover the file by opening it in vim using vim -r fichier-etrange.swp. We notice that the content is really an image, as revealed by the header \x89PNG\r\n\x1A\n. We then recover it by typing :w restored.png in vim.

Here is the image we find:

We can then use stegsolve (instructions in another blog post here). In stegsolve we can walk through the different color channels until we stumble upon something interesting: QR code.

I scanned this image with my phone and I got the following text:

Il était une fois, dans un village rempli d'amour, deux amoureux qui s'aimaient...

Bien joué ! Notre écrivaine va pouvoir reprendre son chef-d'oeuvre grâce à vous !
Voici ce que vous devez rentrer dans la partie "contenu du fichier" du flag : 3n_V01L4_Un_Dr0l3_D3_R0m4N

Concatenating all of this information, we find the flag: 404CTF{168-~jaqueline/Documents/Livres/404 Histoires d'Amour pour les bibliophiles au coeur d'artichaut/brouillon.txt-jaqueline-aime_ecrire-3n_V01L4_Un_Dr0l3_D3_R0m4N}

Les Mystères du cluster de la Comtesse de Ségur

A checkpoint-bash_default-bash-2023-05-06T090421Z.zip file is provided.

At first, I tried to see if I could get the flag for free with it:

grep -ir 404CTF checkpoint-bash_default-bash-2023-05-12T09:04:21Z

No chance.

Let’s look at the files manually. A rather interesting file io.kubernetes.cri-o. In particular io.kubernetes.cri-o.LogPath logs everything that has been executed by the container in the Kubernetes cluster.

cat checkpoint-bash_default-bash-2023-05-12T09:04:21Z/io.kubernetes.cri-o.LogPath

On this file, we can see that a user has become root. Close inspection of this file shows that the attacker is executing:

curl agent.challenges.404ctf.fr -o agent.zip
unzip agent.zip

Doing the same as they did, when we unzip the agent.zip archive, we find a file containing the flag: 404CTF{K8S_checkpoints_utile_pour_le_forensic}.

Lettres volatiles

In this challenge, we are given an archive file C311M1N1.zip containing the home directory of a user on a machine. Let’s start by unzipping the file and searching for clues in various directories such as Images, Downloads, and Documents.

Soon enough, we come across the file s3cr37.zip in the /Documents/perso folder, which requires a password (this ZIP file contains a suspicious PDF). Cracking passwords can be time-consuming, so let’s explore a more efficient method. While walking through the file system, I found a mysterious file named C311M1N1-PC-20230514-200525.raw. It could be anything but given the challenge’s name, there’s a chance that it could be a RAM (volatile memory) dump. A widely used tool for analyzing such dumps is volatility.

This is one of the first articles I read about using the tool and also happens to be a good Introduction.

# Retrieve some information on the RAM dump
vol.py -f C311M1N1-PC-20230514-200525.raw imageinfo

The password could be anywhere, and I spent some time looking in different places until I found it: in the clipboard.

# Dump the clipboard
vol.py -f C311M1N1-PC-20230514-200525.raw --profile Win7SP1 clipboard
# ... Z1p p4s5wOrd : F3eMoBon8n3GD5xQ ...

We can now unzip the secrets archive:

unzip -P F3eMoBon8n3GD5xQ s3cr37.zip

Inside, we find this letter:

And at the bottom of it, we discover the flag: 404CTF{V0147i1I7y_W1Ll_N3v3r_Wr8_loV3_l3ttEr5}