[IceCTF 2016] [Forensics 150 – Root of All Evil] Write Up

Description

Oh no! Dr.Evil managed to get into one of ours servers, we don’t know what he did. I took an image of the file system, can you take a look and see what he left behind? Note to Foreign teams: Please make a ticket when you solve Root of All Evil and make sure you include proof.

Resolution

There’s a base64 string in the evilcat binary.

To extract the data:

strings evilcat | egrep '[A-Za-z0-9+/]{300,}' | base64 -d > evil

What kind of file it was?

file evil
evil: RIFF (little-endian) data, WAVE audio

Extracting DTMF tones values (with spaces) gave us:

64 12673822 *21 92146998

It was GPS coordinates: 64.12673822,-21.92146998.

Leave a Reply

Your email address will not be published. Required fields are marked *