# Heath Street

Heath Street was a 100-point forensics challenge. The steps required to get the key were very simple; what ultimately cost us time was a "red herring" encrypted zip file that seems to have nothing to do with the key. The provided file was an ext4 file system image.
I mounted the image on a mount point (in my case /mnt/tmp/):

mount secretArchive /mnt/tmp/

(mount attaches a regular file like this through a loop device; adding -o ro would have guaranteed the image stayed untouched, which matters for the recovery step later.)
Listing the contents of the image showed 1985 files, secret1 to secret1985. Reading a few of them with cat revealed that each contained a couple of sentences excerpted from various 1900s texts.

Thinking there might be something useful in one of them, I concatenated all the files into a single text file:

cat * > secrets.txt
Paging through the concatenated file with less, I noticed one segment that was a block of unreadable text. I grepped for a phrase from the text directly below that block:

grep -r "The Nazis had acquired"

This pointed to secret1338, meaning the unreadable chunk was secret1337 (the red herring). Checking the file header of secret1337 with file showed that it was a zip archive, but unzip prompted for a password.
I tried a few things to open it, such as taking key words from the texts the challenge was based on and trying them as passwords. I also tried fcrackzip, a command-line zip password cracker, in dictionary mode (-D -p wordlist), feeding it the concatenated text file reformatted as a one-word-per-line list of candidate passwords, with no luck.
Eventually I decided that the password was likely somewhere else on the image. Thinking that the image might contain previously deleted data, I downloaded a file recovery utility, extundelete, to look through it.

I downloaded a fresh copy of the image to ensure I hadn't overwritten anything useful when catting the files together, and ran extundelete on the unmounted image:

extundelete secretArchive --restore-all

extundelete writes whatever it recovers into a RECOVERED_FILES/ directory in the current working directory.
This turned up more files, this time labeled secret5000 to secret5366. Thinking one of them might not be a text file, as before, I ran

file secret*

which showed that all 367 were ASCII text. I catted them together into one file, which just yielded more excerpts from 1900s texts. Looking for a different angle, I checked for hidden files with ls -a, which revealed a hidden file called .secret.31337 (the * glob in the earlier cat * does not match dotfiles, so it had been skipped). Running

file .secret.31337

showed that it was a KGB Archiver file, a PAQ-based compression format. I downloaded a kgb decompressor (kgb) and used it to decompress the file, which produced a new file, .secret, containing the key in plaintext.
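The triage loop in this writeup, scripted: list every file including dotfiles, find the ones that are not plain text, and turn the text corpus into a candidate wordlist of the kind fcrackzip -D -p takes. This is an added shell example, not the author's code, and it runs on a constructed temporary directory rather than the challenge image. It checks magic bytes with od instead of calling file(1), so it works where file is not installed; only the zip signature (PK\3\4) is recognised, everything else non-text is reported as "binary", and no signature for the KGB format is assumed.

```shell
#!/bin/sh
# Added example (not the writeup's own code): the triage the writeup does by
# hand, scripted. Sample files are constructed in a temp dir; no real image.
set -eu

# Classify one file as zip (PK\3\4 local-file-header signature), text
# (every byte printable ASCII or whitespace) or binary (anything else).
# Uses od for the magic check so it works where file(1) is not installed;
# only the zip signature is recognised, other formats fall through to "binary".
classify() {
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    if [ "$magic" = "504b0304" ]; then
        echo zip
    elif [ "$(LC_ALL=C tr -d '[:print:][:space:]' < "$1" | wc -c | tr -d ' ')" -gt 0 ]; then
        echo binary
    else
        echo text
    fi
}

# List every regular file in a directory, dotfiles included (ls without -a and
# the bare * glob both skip them), with its class, tab-separated.
triage() {
    for f in "$1"/* "$1"/.*; do
        [ -f "$f" ] || continue
        printf '%s\t%s\n' "${f##*/}" "$(classify "$f")"
    done
}

# Names of the files that are not plain text: the red herring and the real find.
odd_ones_out() {
    triage "$1" | awk -F '\t' '$2 != "text" { print $1 }'
}

# Turn a corpus on stdin into a one-word-per-line candidate list of the kind
# fcrackzip -D -p takes; words shorter than 4 characters are dropped.
wordlist() {
    LC_ALL=C tr -cs '[:alnum:]' '\n' | awk 'length($0) >= 4' | LC_ALL=C sort -u
}

# Build a constructed stand-in for the mounted image: five text snippets,
# one of which is replaced by a zip header, plus a hidden non-text file.
make_fixture() {
    dir=$(mktemp -d)
    for i in 1 2 3 4 5; do
        printf 'Snippet %s of a 1900s text, constructed for this example.\n' "$i" > "$dir/secret$i"
    done
    # first four bytes of a zip local file header, then filler
    printf 'PK\003\004constructed zip header only' > "$dir/secret3"
    # hidden file with non-ASCII bytes stands in for the compressed .secret.31337
    printf '\375\367\001\002 hidden blob\n' > "$dir/.secret.31337"
    echo "$dir"
}

# Demo run: triage the fixture and show which files deserve a closer look.
fixture=$(make_fixture)
triage "$fixture"
echo "not plain text:"
odd_ones_out "$fixture"
rm -rf "$fixture"
```

Run it against a mounted image with triage /mnt/tmp and odd_ones_out /mnt/tmp; the dotfile loop is the part that the writeup's cat * missed, and classify would have flagged both secret1337 and .secret.31337 in one pass.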