Rhino Hunt CTF – Digital Forensics
Digital forensics is the process of identifying, collecting, and analyzing evidence so that it can be presented in investigations and/or legal claims. In this Rhino Hunt CTF, we will run through the digital forensics process by correlating the evidence into a cohesive narrative, guided by the following questions.
---- ----
The task:
Recover as many rhino pictures as you can from the available evidence and provide answers to as many of the following questions as possible:
· Who gave the accused a telnet/ftp account?
· What’s the username/password for the account?
· What relevant file transfers appear in the network traces?
· What happened to the hard drive in the computer? Where is it now?
· What happened to the USB key?
· What is recoverable from the dd image of the USB key?
· Is there any evidence that connects the USB key and the network traces? If so, what?
** Skip to the end of this post for the answers. ***
Some hints to get started: https://learndotresources.s3.amazonaws.com/workshop/60a057489f4b170004862b1d/RhinoCTFHelper.pdf
---- ----
Let’s get started!
When we download the files we’ll notice three log files and a USB disk image.
We’ll start off by using foremost, a file-carving tool, to recover any lost files from the USB image.
Since the challenge is hunting for rhino images, we can use the -t option to recover only jpg, gif and png files. ** Other forensic tools like photorec or autopsy should produce the same or similar results.
INPUT: foremost -t jpg,gif,png -o restore -v -i RHINOUSB.dd
Foremost recovered seven jpg files, two gif files, and even one doc file.
We can head over to our GUI to examine these images. Go to the /restore directory that was created when we ran the foremost command.
*** Files are censored to avoid spoilers!
We’ll find separate directories for the files we’ve recovered.
In the gif folder we have two drawings of rhinos.
Nice! But we want the real thing so let’s keep searching. Next, we can check the jpg folder and sure enough we’ll find two more rhino pictures, and this time they’re real rhinos.
So far so good. We’ve managed to recover a few rhinos from the USB disk image, and before we move on to the log files, let’s take a quick look at the doc file.
Interestingly, depending on how we open the doc file, we’ll get different results.
The output on the left is from the cat command, and the image on the right is the same file opened via the GUI.
The repeated string “CHARLIE” suggests that the file was overwritten to mask the original data, yet on the right we still managed to recover a doc file of what seems to be a diary. More on this later.
For now, we’ll continue hunting for rhinos by examining the first rhino log. Open the pcap file of the log using the wireshark command.
To filter through the noise, we can press Ctrl+F and search for “rhino” with the “String” option, as shown below.
The search will direct us to packet number 1546 for an FTP request of rhino1.jpg.
The next entry will point us towards an FTP data packet that is being received (probably from the request made on packet number 1546).
We can add the display filter “ftp-data” to narrow our results to packets that carry rhino images over the FTP protocol.
Much cleaner. When we scroll down, we’ll also notice rhino3.jpg. Seems like we found a couple more rhinos.
To extract rhino1.jpg and rhino3.jpg from this pcap file, we’ll follow the TCP stream of the packet. For rhino1.jpg we are taken to tcp.stream 71, where by default we see the jpg file shown as ASCII. However, we can change the “Show data as” setting to Raw.
Save the raw data to a file and open it.
When we repeat the same steps in wireshark for rhino3.jpg we’ll find another rhino.
We’ll continue searching with our wireshark filter (string: “rhino”; ftp-data) and find a final set of packets for a file called “contraband.zip”. For some reason this packet shows up in the filter despite not being named “rhino”; perhaps this suggests that the zip file contains a hidden rhino? Let’s check!
To recover the zip file, follow the stream like we did for rhino1.jpg and rhino3.jpg.
Find the file from where it was saved and try extracting the file.
Unfortunately, we’ll need a password to access the contents of the zipped file…
Fortunately, we have a free tool to help us crack zip file passwords called fcrackzip.
This is a great tool to have handy, so download this if you haven’t already.
**** Please note that I ran into the error “unable to locate package…” when downloading this tool.
If you are having the same problem, follow these directions to troubleshoot: https://ourcodeworld.com/articles/read/961/how-to-solve-kali-linux-apt-get-install-e-unable-to-locate-package-checkinstall
Now that we’ve downloaded fcrackzip we can enter the following command to launch a dictionary attack against the contraband.zip file.
INPUT: fcrackzip -v -D -u -p {file path for password list} {file path being targeted} ** Refer to the flag options in the image below.
*** This step also took me a while to get working. I noticed that the command is extremely syntax sensitive; for example, when I gave the absolute path for the files, I kept running into a “No such file or directory” error. By placing the rockyou.txt file and contraband.zip file in the same directory and using the relative path instead, I was able to crack the password “monkey”.
Now unzip the contraband.zip file and enter the password “monkey” to get rhino2.jpg.
Here’s the image.
Wait, hold on. If we pay close attention to rhino3.jpg we might recognize that this is the same gif image we carved from the disk image.
Super interesting! We’ll circle back to this and make sense of what this means later.
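Two of the steps above can be made concrete in code: the foremost carving of jpg/gif/png files from the USB image, and the “same image in two places” observation that becomes the key answer later. The script below is an added example, not code from the original post and not foremost’s own implementation. It scans a disk image for the JPEG, GIF and PNG header/footer signatures (the idea behind `foremost -t jpg,gif,png`), then hashes each carved file and checks for byte-identical matches among files saved from the network trace. The disk image and the “network” files are small constructed placeholders built inside the script, not the real RHINOUSB.dd or pcap contents, and the filenames rhino1.jpg/rhino2.jpg are used only as labels.

```python
"""Signature-based image carving plus hash correlation (added example).

Not the foremost tool and not part of the challenge files: a minimal
re-implementation of header/footer carving, followed by the SHA-256
comparison one would use to show that a carved file from the USB image
and a file extracted from the pcap are the same bytes.
"""
import hashlib
from typing import Dict, List, Tuple

# Header / footer signatures taken from the public file formats.
# PNG and GIF have fixed trailers; JPEG ends with the EOI marker FF D9.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
    "gif": (b"GIF8", b"\x00\x3b"),
}
MAX_CARVE = 50 * 1024 * 1024  # per-file size cap, like foremost's default limit


def carve(image: bytes, max_size: int = MAX_CARVE) -> List[Tuple[str, int, bytes]]:
    """Return (type, offset, data) for every header/footer pair in the image.

    For each file type, find every header and look for the matching footer
    within max_size bytes. A header with no footer in range is skipped rather
    than guessed, which is one reason a partly overwritten file may not carve.
    """
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        start = 0
        while True:
            start = image.find(header, start)
            if start == -1:
                break
            window_end = min(len(image), start + max_size)
            end = image.find(footer, start + len(header), window_end)
            if end != -1:
                end += len(footer)
                found.append((ftype, start, image[start:end]))
                start = end
            else:
                start += len(header)
    found.sort(key=lambda item: item[1])  # report in disk order
    return found


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def correlate(carved: List[Tuple[str, int, bytes]], network_files: Dict[str, bytes]) -> Dict[int, str]:
    """Map carved-file offsets to network-trace filenames with identical hashes."""
    by_hash = {sha256(data): name for name, data in network_files.items()}
    return {off: by_hash[sha256(data)] for _, off, data in carved if sha256(data) in by_hash}


# Constructed "dd image": slack, a GIF, a CHARLIE overwrite run, a JPEG, junk, a PNG.
# The image bytes are minimal stand-ins, not real pictures.
GIF = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00\x3b"
JPG = b"\xff\xd8\xff\xe0" + b"JFIF\x00" + b"\x11" * 8 + b"\xff\xd9"
PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x00" + b"IEND\xae\x42\x60\x82"
DISK_IMAGE = b"\x00" * 16 + GIF + b"CHARLIE," * 4 + JPG + b"\xff" * 8 + PNG

# Constructed "files saved from the pcap": one is byte-identical to the carved JPEG.
NETWORK_FILES = {
    "rhino2.jpg": JPG,
    "rhino1.jpg": b"\xff\xd8\xff\xe1" + b"\x22" * 8 + b"\xff\xd9",
}

if __name__ == "__main__":
    carved = carve(DISK_IMAGE)
    for ftype, off, data in carved:
        print(f"{ftype} at offset {off:#06x}, {len(data)} bytes, sha256={sha256(data)[:16]}...")
    print("carved files matching network files:", correlate(carved, NETWORK_FILES))
```

In a real case the hashes of the carved files and of the files saved from Wireshark would go into the report alongside their offsets and packet numbers; a matching hash is far stronger evidence than “the pictures look the same”.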
--- ---
There definitely are more rhino images in the other pcap files (should be about 9 in total), but for this exercise we’ll take a step back and re-examine the set of questions to help us contextualize the information.
Earlier, when we were viewing wireshark, we set our filter to “ftp-data” to look for the specific packets carrying the rhino images. Now, let’s check for the account associated with those ftp-data downloads. This time we’ll filter wireshark to “ftp” to see all the other communication around the account. ** Don’t forget to remove “rhino” from the string search for this step; use the “ftp” filter only.
Notice that packets 1625, 1629 and 1649 carry the request for user gnome and the password gnome123. We can also see that the rhino3.jpg data (and the other rhino images pulled from ftp-data) is associated with the gnome user account.
Follow the TCP stream; we’ll confirm that the user gnome successfully signed in using the credentials from above.
From packets 1625 and 1629 and from TCP stream 69, we found the user: gnome and password: gnome123.
Great, let’s check another protocol aside from FTP. The questions also hinted that we should look at the telnet protocol, so let’s filter wireshark to telnet.
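Here is the same control-channel reading done in code, as an added example that is not part of the original post: given the text of an FTP control stream as “Follow TCP Stream” shows it, the parser pulls out the USER/PASS pair, whether the server answered the login with a 230 success reply, and which files were transferred together with the client data endpoint announced in each PORT command. The session below is constructed to resemble the gnome login in the trace; the IP address, port numbers, server banner and byte counts are placeholders, not values from the pcap.

```python
"""Extract credentials, login outcome and transfers from an FTP control stream.

Added example, not from the original write-up. Parses a text rendering of
the control channel (client lines prefixed "C: ", server lines "S: "), the
way one would read it from Wireshark's Follow TCP Stream window.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed FTP control dialog resembling the gnome login (placeholder
# addresses and sizes; not copied from the challenge pcap).
SAMPLE_STREAM = """\
S: 220 (vsFTPd 2.0.1)
C: USER gnome
S: 331 Please specify the password.
C: PASS gnome123
S: 230 Login successful.
C: TYPE I
S: 200 Switching to Binary mode.
C: PORT 192,0,2,10,4,1
S: 200 PORT command successful. Consider using PASV.
C: RETR rhino1.jpg
S: 150 Opening BINARY mode data connection for rhino1.jpg (12345 bytes).
S: 226 File send OK.
C: PORT 192,0,2,10,4,2
S: 200 PORT command successful. Consider using PASV.
C: RETR contraband.zip
S: 150 Opening BINARY mode data connection for contraband.zip (4321 bytes).
S: 226 File send OK.
C: QUIT
S: 221 Goodbye.
"""


@dataclass
class FtpSession:
    user: Optional[str] = None
    password: Optional[str] = None
    login_ok: bool = False
    # (command, filename, client data endpoint "host:port" from the last PORT)
    transfers: List[Tuple[str, str, Optional[str]]] = field(default_factory=list)


def parse_ftp_control(stream: str) -> FtpSession:
    """Walk the dialog line by line, tracking the PASS -> reply pairing."""
    session = FtpSession()
    data_endpoint = None
    awaiting_login_reply = False
    for line in stream.splitlines():
        side, _, text = line.partition(": ")
        if side == "C":
            cmd, _, arg = text.partition(" ")
            cmd = cmd.upper()
            if cmd == "USER":
                session.user = arg
            elif cmd == "PASS":
                session.password = arg
                awaiting_login_reply = True
            elif cmd == "PORT":
                # PORT h1,h2,h3,h4,p1,p2: the client listens on h1.h2.h3.h4, port p1*256+p2
                h1, h2, h3, h4, p1, p2 = (int(x) for x in arg.split(","))
                data_endpoint = f"{h1}.{h2}.{h3}.{h4}:{p1 * 256 + p2}"
            elif cmd in ("RETR", "STOR"):
                session.transfers.append((cmd, arg, data_endpoint))
        elif side == "S":
            code = text[:3]
            if awaiting_login_reply:
                session.login_ok = code == "230"  # 230 = logged in; 530 = rejected
                awaiting_login_reply = False
    return session


if __name__ == "__main__":
    s = parse_ftp_control(SAMPLE_STREAM)
    print(f"user={s.user} password={s.password} login_ok={s.login_ok}")
    for cmd, name, endpoint in s.transfers:
        print(f"{cmd} {name} -> data connection to {endpoint}")
```

The data endpoint from each PORT command is what ties the ftp-data packets back to the login: the same client address appears in both the control session and the data connections, which is the link between the account and the downloaded images. It also shows why FTP and telnet are a problem on a network you defend: the credentials sit in the clear, so any capture of the traffic yields them exactly as it did here.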
Follow the stream; in TCP stream 60, we’ll notice another gnome account associated with the group “cscistu”. The image seems to indicate that the user is attempting to change the password but fails. Though I’m not sure what this means, I notice in the stream a large jpg image called golden that seems worth checking out.
Let’s Ctrl+F search for “golden” and follow the stream from packet 1752.
We find another set of login information, but this time the information is encoded. After noticing the “==” padding at the end, I realize that this is base64 encoding and decode the information in CyberChef.
And we get the credentials for the user: golden and password: kinky!tang
Certainly a strange password.
What does all this evidence mean? Let’s go back to the doc file of the diary we recovered from the USB disk image.
The full document isn’t too long and can be read rather quickly. It isn’t until the last page that a few terms connect with what we found and pique our interest.
This journal entry certainly gives us more context for the evidence we found earlier. The gold.jpg image and the account we found have something to do with being a “gold member”, and the illegal “Rhino” pictures were hidden. Whoever stored and hid the rhino photos on the USB used the gnome account that was given by Jeremy.
As predicted (from the ‘CHARLIE,CHARLIE,….’ output of the doc file), this person also attempted to reformat the USB and threw their hard drive into the Mississippi River.
***
ANSWERS
• Who gave the accused a telnet/ftp account? Jeremy
• What’s the username/password for the account? user:gnome, pass:gnome123; user:golden, pass:kinky!tang
• What relevant file transfers appear in the network traces? Any of those (illegal) rhino images.
• What happened to the hard drive in the computer? Where is it now? Zapped and somewhere in the Mississippi River.
• What happened to the USB key? Reformatted; potentially at Radio Shack.
• What is recoverable from the dd image of the USB key? The rhino images and the doc file of the diary.
• Is there any evidence that connects the USB key and the network traces? If so, what? The image from the contraband zip file: rhino2.jpg from the network trace and 00106409.jpg carved from the USB disk image are the SAME image.
***
Closing thoughts
In the real world, the rhino images we’ve found in this CTF stand in for something else… dangerous or illegal material that digital forensics can help us identify and stop.
The context of the diary entry suggests that these illegal photos were being downloaded through an account shared between the suspect and Jeremy. Moreover, the diary suggests that the suspect made attempts to eradicate the evidence. The crucial piece of evidence might be the same image turning up in both the network trace and the USB image, but of course, all the evidence put together points to the likelihood that the owner of the USB is also the user of the IP address on the gnome account. Even if the accused denies that the account was Jeremy’s, we’ve identified a record of that IP address being linked to the times when the gnome account was logged in.
The power of digital forensics is that it reveals all this information and helps us piece together a narrative we can understand, and of course, act on to prevent!