iHack 2013 Forensic track #3 & 4 - Your eyes are bleeding and you need to split something.


That one was damn fun to build.  The idea came while I was analyzing a malware binary that ran under Linux and had to be reverse engineered.  By accident I opened it on Windows with 7zip, and it contained more than one file!  How can a file be executable and also contain several files?  I had to explore that...

I mentioned it to a fellow CTFer and he told me he’d ask the perfect resource about that.  He came back with examples of file combinations such as ZIP + ZIP, EXE + RAR or EXE + ZIP.  It all depends on how the format works: does the parser locate its data from the header and the footer?  Does it tolerate garbage space?  Interesting enough that I had to experiment with it to reproduce the behavior, and it worked.

A few months later I had to build challenges for iHack 2013, and I wanted people to discover that too.  I thought back to that experience, but I also had to figure out how to reverse the whole process.  I first tried an executable self-extracting, passworded/encrypted ZIP combined with a RAR file, and ragequit because I couldn’t build a ZIP that is both encrypted AND self-extracting (I’ve been told once that it’s due to MS-DOS compatibility.....who cares in 2013!?).  I moved on to a passworded ZIP followed by a RAR file, and it worked flawlessly with the rather simple carving process mentioned here: identify the headers, and they tell you where to “cut” the file.
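Here is what the concatenation and the carving look like in code.  This is an added example, not part of the original writeup or of the iHack challenge files: it builds a plain (unencrypted) ZIP with Python’s zipfile module, because zipfile cannot write the passworded ZIP the challenge used, appends a constructed stub that starts with the RAR 4.x marker block instead of a real RAR archive, and then finds the cut point from the ZIP’s end-of-central-directory record instead of just scanning for “Rar!”.  The file name flag5.txt is the one from the challenge; the content, the stub body and the function names are made up for the example.

```python
import io
import struct
import zipfile

RAR4_MARKER = b"Rar!\x1a\x07\x00"   # RAR 1.5-4.x marker block (RAR5 uses Rar!\x1a\x07\x01\x00)
EOCD_SIG = b"PK\x05\x06"             # ZIP end-of-central-directory signature
# sig, this disk, cd start disk, entries on this disk, entries total, cd size, cd offset, comment length
EOCD_FMT = "<4sHHHHIIH"
EOCD_LEN = struct.calcsize(EOCD_FMT)  # 22 bytes


def build_polyglot():
    """Constructed sample: `cat zip rar > safe` with a plain ZIP and a RAR stub."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("flag5.txt", "constructed sample, not the real flag\n")
    zip_bytes = buf.getvalue()
    rar_stub = RAR4_MARKER + b"<constructed placeholder for the RAR body>"
    return zip_bytes, zip_bytes + rar_stub


def zip_end_offset(data):
    """Offset just past the ZIP's EOCD record, i.e. where appended data begins.

    The genuine EOCD is the one whose cd_offset + cd_size lands on itself; that
    check rejects a stray "PK\\x05\\x06" that happens to sit inside the appended
    archive or inside a stored file.
    """
    pos = data.find(EOCD_SIG)
    while pos >= 0:
        if pos + EOCD_LEN <= len(data):
            _, _, _, _, _, cd_size, cd_offset, comment_len = struct.unpack_from(EOCD_FMT, data, pos)
            if cd_offset + cd_size == pos:
                return pos + EOCD_LEN + comment_len
        pos = data.find(EOCD_SIG, pos + 1)
    raise ValueError("no consistent end-of-central-directory record: not a ZIP?")


def carve(data):
    """Split a ZIP+RAR concatenation. Returns (zip_bytes, rar_bytes, rar_offset)."""
    end = zip_end_offset(data)
    rar_at = data.find(RAR4_MARKER, end)
    if rar_at < 0:
        raise ValueError("no RAR marker block after the end of the ZIP")
    return data[:end], data[rar_at:], rar_at


def list_zip(zip_bytes):
    """(name, encrypted?) per entry; bit 0 of the general-purpose flags marks encryption."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(info.filename, bool(info.flag_bits & 0x1)) for info in zf.infolist()]


if __name__ == "__main__":
    _, safe = build_polyglot()
    zip_part, rar_part, cut = carve(safe)
    print(f"ZIP ends and RAR starts at 0x{cut:X}; ZIP entries: {list_zip(zip_part)}")
```

On the challenge’s own dump further down, the EOCD (50 4B 05 06) sits at 0xDC with cd_size 0x66 and cd_offset 0x76; 0x76 + 0x66 = 0xDC, so it is the genuine record, and with a zero-length comment the ZIP ends at 0xDC + 22 = 0xF2, exactly where Rar! begins.  In the carved ZIP of the real challenge, list_zip would report the entry as encrypted.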

I still needed contents, and that isn’t much of a challenge.  Then I had a flash about a forensic challenge I attempted at the PHDays 2012 quals and its writeup (see here, in German), which could be solved in two ways:

  • stegsolve
  • playing with the GIF file structure: identify the color palette and tweak its entries


That challenge gave us a brown square named square.GIF.  Looked like a pretty well-used square...  Well, I went the wrong way on that one and understood everything when I stumbled on the writeup.

I definitely had to include something similar...but not exactly the same, because if someone found that writeup, it’d be too easy.  You can’t hide much inline without it showing up in a hex editor, and the GIF format has no obvious descriptor fields I could fill with hidden data.  The second layer of the challenge had to be in the file structure itself.  Why not corrupt it on purpose?

Here are the steps :

  • # file safe
    safe: Zip archive data, at least v2.0 to extract


  • In WinZip/7zip we see a single file named flag5.txt...that easy?


  • Nah...it’s encrypted and passworded.  Sure, you could bruteforce it..but that’s lame.  (The 01 99 07 00 01 00 41 45 extra field visible in the dump below is WinZip’s “AE” AES-encryption extra field, so this is AES-encrypted, not legacy ZipCrypto, and a bruteforce is slow on top of being lame.)


  • Let’s hexedit it :

    000000D0   01 01 99 07  00 01 00 41  45 01 08 00  50 4B 05 06  00 00 00 00  01 00 01 00  66 00 00 00  76 00 00 00  00 00 52 61  72 21 1A 07  00 CF 90 73  00 00 0D 00  00 00 00 00  .......AE...PK..........f...v.....Rar!.....s........
    00000104   00 00 59 E3  7A 00 80 23  00 48 00 00  00 4A 00 00  00 02 71 98  0A 53 00 00  00 00 1D 33  03 00 01 00  00 00 43 4D  54 09 55 00  CB E4 CF F9  2B 05 98 24  70 C4 64 A6  ..Y.z..#.H...J....q..S.....3......CMT.U.....+..$p.d.
    00000138   40 88 22 C6  41 68 77 66  86 96 AE 1C  3F 8E 3E 1F  EE C9 BD 5F  AE F7 B0 F7  17 19 98 9D  92 2F 36 26  A5 91 D0 E0  81 91 52 86  03 C6 FF AF  27 4B EA AC  52 FE 6C 49  @.".Ahwf....?.>...._........./6&......R.....'K..R.lI
    0000016C   A7 BD CD 4F  10 C4 66 74  20 90 2F 00  E0 0A 00 00  E0 0A 00 00  02 E8 02 7A  21 04 01 AF  42 1D 30 0A  00 20 00 00  00 73 71 75  61 72 65 2E  67 69 66 00  B0 79 AE 3D  ...O..ft ./............z!...B.0.. ...square.gif..y.=
    000001A0   47 49 46 38  37 61 0A 00  00 A0 80 02  00 FF 30 00  FF 30 01 2C  00 00 00 00  80 02 80 02  00 02 FE 84  8F A9 CB ED  0F A3 9C B4  DA 8B B3 DE  BC FB 0F 86  E2 48 96 E6  GIF87a........0..0.,.............................H..




  • But..wasn’t it a ZIP file!?  Hmmm...maybe a cat file1 file2 > safe?


  • A Google search tells us that “Rar!” (52 61 72 21 1A 07 00) is the RAR marker block, i.e. the start of a RAR file.  The dump confirms a clean concatenation: the ZIP’s end-of-central-directory record (50 4B 05 06) sits at 0xDC, its central directory is 0x66 bytes long at offset 0x76 (0x76 + 0x66 = 0xDC) and the comment length is 0, so the ZIP ends at 0xDC + 22 = 0xF2, exactly where Rar! begins.  From here we know how to handle the rest....carving: cut at 0xF2.


  • As the dump already shows (a 74 file header carrying the name square.gif), this RAR file contains a GIF file named square.gif and..a flag!


  • Depending on your GIF viewer, it may open or not.  It may also look corrupted, especially on Windows, where what the viewer displays does not match the Windows Explorer thumbnail.  One could think data has been lost, but then why would it work fine in some viewers?  Let’s look at the GIF header specification.


  • One hint to take note of is the GIF filename...maybe the picture needs to be a square?  Let’s check the actual dimensions.  The logical screen descriptor right after “GIF87a” reads 0A 00 00 A0, i.e. 10 pixels wide by 40960 high (little-endian), and sqrt(10 x 40960) = 640.

    • That means the same pixel data forms a 640x640 square, and indeed the image descriptor further down (2C 00 00 00 00 80 02 80 02) already says 640x640, which explains why some viewers render it and others don’t: they disagree on which of the two sizes to trust.

    • As per the header spec, we change bytes 7-8 (width) and 9-10 (height) to 80 02 80 02, which is 640 little-endian.




  • Right...it’s still one giant red square.  One of GIF’s characteristics is the color palette, and the global color table right after the header holds only two entries here, FF 30 00 and FF 30 01: two reds that differ by one unit of blue, indistinguishable to the eye.  Extract the palette with the tool of your choice and change one of the two colors to make the string “Unl0¢k it!” stand out.


  • Open the initial ZIP archive with that string as the password and get the flag!
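The GIF repair and the palette trick from the steps above, as an added example that is not part of the original writeup or of the challenge files.  It is byte surgery on a small header, so Python: the block builds a constructed 40x40 two-colour GIF with a tiny LZW encoder of its own, whose logical screen descriptor deliberately says 10x160 while the image descriptor says 40x40 (the same disagreement as the challenge’s 10x40960 versus 640x640), then parses the header, derives the square side from the pixel count, rewrites the logical screen size and overwrites the second palette entry.  The FF3000/FF3001 palette is the one from the dump above; the image size, the X pattern and the function names are assumptions made for the example.

```python
import math
import struct

GCT_FLAG = 0x80   # logical-screen packed byte: global colour table present
LSD_OFF = 6       # the logical screen descriptor follows the 6-byte "GIF87a"
GCT_OFF = 13      # 6 + 7: the global colour table follows the descriptor


def lzw_encode(pixels, min_code_size):
    """GIF-flavoured LZW with variable code width, packed LSB-first.
    Toy encoder for small images: the table is never allowed to reach 4096 entries."""
    clear, eoi = 1 << min_code_size, (1 << min_code_size) + 1
    code_size = min_code_size + 1
    table = {bytes([i]): i for i in range(clear)}
    next_code = eoi + 1
    acc, nacc, out = 0, 0, bytearray()

    def emit(code):
        nonlocal acc, nacc
        acc |= code << nacc
        nacc += code_size
        while nacc >= 8:
            out.append(acc & 0xFF)
            acc >>= 8
            nacc -= 8

    emit(clear)
    w = bytes(pixels[:1])
    for p in pixels[1:]:
        wp = w + bytes([p])
        if wp in table:
            w = wp
            continue
        emit(table[w])
        table[wp] = next_code
        next_code += 1
        if next_code > (1 << code_size) and code_size < 12:  # widen once entry 2^n is assigned
            code_size += 1
        assert next_code < 4096, "image too large for this toy encoder"
        w = bytes([p])
    emit(table[w])
    emit(eoi)
    if nacc:
        out.append(acc & 0xFF)
    return bytes(out)


def build_gif(width, height, pixels, palette, screen=None):
    """GIF87a with a 2-entry global palette; `screen` lets the logical screen size
    disagree with the image descriptor, as in the challenge file."""
    sw, sh = screen or (width, height)
    header = b"GIF87a" + struct.pack("<HHBBB", sw, sh, GCT_FLAG | 0, 0, 0)  # size bits 0 -> 2 colours
    gct = b"".join(bytes(rgb) for rgb in palette)
    descriptor = b"," + struct.pack("<HHHHB", 0, 0, width, height, 0)      # 0x2C, no local palette
    min_code_size = 2                                                       # GIF minimum, even for 2 colours
    data = lzw_encode(pixels, min_code_size)
    sub_blocks = b"".join(bytes([len(data[i:i + 255])]) + data[i:i + 255] for i in range(0, len(data), 255))
    return header + gct + descriptor + bytes([min_code_size]) + sub_blocks + b"\x00;"


def parse_gif(data):
    """Logical screen size, first image descriptor size and global palette of a GIF."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    sw, sh, packed, _bg, _aspect = struct.unpack_from("<HHBBB", data, LSD_OFF)
    n_colours = 2 ** ((packed & 0x07) + 1) if packed & GCT_FLAG else 0
    palette = [tuple(data[GCT_OFF + 3 * i:GCT_OFF + 3 * i + 3]) for i in range(n_colours)]
    pos = GCT_OFF + 3 * n_colours
    while data[pos] == 0x21:             # skip GIF89a extension blocks (label + sub-blocks)
        pos += 2
        while data[pos]:
            pos += data[pos] + 1
        pos += 1
    if data[pos] != 0x2C:
        raise ValueError("expected an image descriptor")
    _left, _top, iw, ih, _ipacked = struct.unpack_from("<HHHHB", data, pos + 1)
    return {"screen": (sw, sh), "image": (iw, ih), "palette": palette}


def square_side(screen_w, screen_h):
    """Side of the square holding the same number of pixels, e.g. 10 x 40960 -> 640."""
    side = math.isqrt(screen_w * screen_h)
    if side * side != screen_w * screen_h:
        raise ValueError("pixel count is not a perfect square")
    return side


def fix_screen(data, side):
    """Rewrite bytes 7-8 and 9-10 (1-based): logical screen width and height."""
    return data[:LSD_OFF] + struct.pack("<HH", side, side) + data[LSD_OFF + 4:]


def recolour(data, index, rgb):
    """Overwrite one global colour table entry so a near-identical colour stands out."""
    off = GCT_OFF + 3 * index
    return data[:off] + bytes(rgb) + data[off + 3:]


def make_sample():
    """Constructed 40x40 image: colour 1 draws an X on a colour-0 background, using the
    challenge's two reds (FF3000 / FF3001) and a deliberately wrong 10x160 logical screen."""
    side = 40
    pixels = [1 if (x == y or x + y == side - 1) else 0 for y in range(side) for x in range(side)]
    return build_gif(side, side, pixels, [(0xFF, 0x30, 0x00), (0xFF, 0x30, 0x01)], screen=(10, 160))
```

square_side(10, 40960) returns the 640 from the step above; on the real square.gif, fix_screen and recolour apply exactly the two edits made in the hex editor, and parse_gif shows the logical screen and the image descriptor disagreeing before the fix and agreeing after it.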