{"id":2458,"date":"2016-07-04T16:54:46","date_gmt":"2016-07-04T14:54:46","guid":{"rendered":"https:\/\/0x90r00t.com\/fr\/?p=2458"},"modified":"2016-07-04T16:54:46","modified_gmt":"2016-07-04T14:54:46","slug":"ndh-2016web-150-hello-friend-write-up","status":"publish","type":"post","link":"https:\/\/0x90r00t.com\/fr\/2016\/07\/04\/ndh-2016web-150-hello-friend-write-up\/","title":{"rendered":"[NDH 2016][WEB 150 – Hello Friend] WRITE UP"},"content":{"rendered":"

Description<\/h2>\n

Une image JPG est mise \u00e0 disposition pour ce challenge.
\n\"hellofriend\"<\/a><\/p><\/blockquote>\n

<\/p>\n

Resolution<\/h2>\n

Nous avons une image JPG \u00e0 disposition :<\/p>\n

\"hellofriend\"<\/a><\/p>\n

J’ai commenc\u00e9 par jeter un coup d’oeil rapide au contenu de l’image :<\/p>\n

curl http:\/\/static.wargame.ndh\/hellofriend.jpg | more<\/pre>\n
On remarque qu’\u00e0 la fin de l’image des chemins apparaissent :<\/p>\n
\r\nWhoAmI.png\r\nHello_friend\/\r\nHello_friend\/0\/\r\nHello_friend\/0\/64.png\r\nHello_friend\/1\/\r\nHello_friend\/1\/61.png\r\nHello_friend\/2\/\r\nHello_friend\/2\/72.png\r\nHello_friend\/3\/\r\nHello_friend\/3\/6b.png\r\nHello_friend\/4\/\r\nHello_friend\/4\/63.png\r\nHello_friend\/5\/\r\nHello_friend\/5\/30.png\r\nHello_friend\/6\/\r\nHello_friend\/6\/64.png\r\nHello_friend\/7\/\r\nHello_friend\/7\/65.png\r\nHello_friend\/8\/\r\nHello_friend\/8\/IsItReal.jpg\r\n<\/pre>\n
Je regarde le contenu exacte \u00e0 l’aide de binwalk :<\/p>\n
\r\nbinwalk hellofriend.jpg\r\nDECIMAL HEXADECIMAL DESCRIPTION\r\n--------------------------------------------------------------------------------\r\n0 0x0 JPEG image data, JFIF standard 1.01\r\n382 0x17E Copyright string: "Copyright (c) 1998 Hewlett-Packard Company"\r\n3192 0xC78 TIFF image data, big-endian, offset of first image directory: 8\r\n116141 0x1C5AD Zip archive data, at least v2.0 to extract, compressed size: 6264, uncompressed size: 6376, name: WhoAmI.png\r\n122445 0x1DE4D Zip archive data, at least v1.0 to extract, name: Hello_friend\/\r\n122488 0x1DE78 Zip archive data, at least v1.0 to extract, name: Hello_friend\/0\/\r\n122533 0x1DEA5 Zip archive data, encrypted at least v2.0 to extract, compressed size: 4381, uncompressed size: 4882, name: Hello_friend\/0\/64.png\r\n126981 0x1F005 Zip archive data, at least v1.0 to extract, name: Hello_friend\/1\/\r\n127026 0x1F032 Zip archive data, encrypted at least v2.0 to extract, compressed size: 4381, uncompressed size: 4882, name: Hello_friend\/1\/61.png\r\n131474 0x20192 Zip archive data, at least v1.0 to extract, name: Hello_friend\/2\/\r\n131519 0x201BF Zip archive data, encrypted at least v2.0 to extract, compressed size: 4381, uncompressed size: 4882, name: Hello_friend\/2\/72.png\r\n135967 0x2131F Zip archive data, at least v1.0 to extract, name: Hello_friend\/3\/\r\n136012 0x2134C Zip archive data, encrypted at least v2.0 to extract, compressed size: 4381, uncompressed size: 4882, name: Hello_friend\/3\/6b.png\r\n140460 0x224AC Zip archive data, at least v1.0 to extract, name: Hello_friend\/4\/\r\n140505 0x224D9 Zip archive data, encrypted at least v2.0 to extract, compressed size: 4381, uncompressed size: 4882, name: Hello_friend\/4\/63.png\r\n144953 0x23639 Zip archive data, at least v1.0 to extract, name: Hello_friend\/5\/\r\n144998 0x23666 Zip archive data, encrypted at least v2.0 to extract, compressed size: 4381, uncompressed size: 4882, name: Hello_friend\/5\/30.png\r\n149446 0x247C6 Zip archive data, at least v1.0 to extract, name: Hello_friend\/6\/\r\n149491 0x247F3 Zip archive data, encrypted at least v2.0 to extract, compressed size: 4381, uncompressed size: 4882, name: Hello_friend\/6\/64.png\r\n153939 0x25953 Zip archive data, at least v1.0 to extract, name: Hello_friend\/7\/\r\n153984 0x25980 Zip archive data, encrypted at least v2.0 to extract, compressed size: 4381, uncompressed size: 4882, name: Hello_friend\/7\/65.png\r\n158432 0x26AE0 Zip archive data, at least v1.0 to extract, name: Hello_friend\/8\/\r\n158477 0x26B0D Zip archive data, encrypted at least v2.0 to extract, compressed size: 101679, uncompressed size: 133658, name: Hello_friend\/8\/IsItReal.jpg\r\n260229 0x3F885 Zip archive data, at least v1.0 to extract, name: Hello_friend\/9\/\r\n260274 0x3F8B2 Zip archive data, encrypted at least v2.0 to extract, compressed size: 286495, uncompressed size: 298687, name: Hello_friend\/9\/3xploits.jpg\r\n549041 0x860B1 End of Zip archive\r\n<\/pre>\n
On constate que l’image contient un fichier zip, nous tentons de l’extraire avec la commande :<\/p>\n
\r\nunzip hellofriend.jpg\r\n=> [hellofriend.jpg] Hello_friend\/0\/64.png password:\r\n<\/pre>\n
Un mot de passe nous est demand\u00e9.
\nPour trouver le mot de passe il a fallu le deviner (classique \u00e0 la NDH).
\nEn se r\u00e9f\u00e9rant \u00e0 l’\u00e9nonc\u00e9 et au nom de l’image \u00ab\u00a0Hello Friend\u00a0\u00bb, nous tombons rapidement sur la s\u00e9rie TV \u00ab\u00a0Mr Robots\u00a0\u00bb.
\nEn regardant la page wikip\u00e9dia ( https:\/\/fr.wikipedia.org\/wiki\/Mr._Robot_(s%C3%A9rie_t%C3%A9l%C3%A9vis%C3%A9e) ) nous trouvons rapidement le mot de passe de l’archive : fsociety<\/p>\n
\r\nunzip hellofriend.jpg\r\n=> [hellofriend.jpg] Hello_friend\/0\/64.png password: fsociety\r\n<\/pre>\n
Une fois d\u00e9compress\u00e9 nous obtenons l’arborescence suivante :<\/p>\n
\r\n.\r\n\u251c\u2500\u2500 Hello_friend\r\n\u2502   \u251c\u2500\u2500 0\r\n\u2502   \u2502   \u2514\u2500\u2500 64.png\r\n\u2502   \u251c\u2500\u2500 1\r\n\u2502   \u2502   \u2514\u2500\u2500 61.png\r\n\u2502   \u251c\u2500\u2500 2\r\n\u2502   \u2502   \u2514\u2500\u2500 72.png\r\n\u2502   \u251c\u2500\u2500 3\r\n\u2502   \u2502   \u2514\u2500\u2500 6b.png\r\n\u2502   \u251c\u2500\u2500 4\r\n\u2502   \u2502   \u2514\u2500\u2500 63.png\r\n\u2502   \u251c\u2500\u2500 5\r\n\u2502   \u2502   \u2514\u2500\u2500 30.png\r\n\u2502   \u251c\u2500\u2500 6\r\n\u2502   \u2502   \u2514\u2500\u2500 64.png\r\n\u2502   \u251c\u2500\u2500 7\r\n\u2502   \u2502   \u2514\u2500\u2500 65.png\r\n\u2502   \u251c\u2500\u2500 8\r\n\u2502   \u2502   \u2514\u2500\u2500 IsItReal.jpg\r\n\u2502   \u2514\u2500\u2500 9\r\n\u2502   \u2514\u2500\u2500 3xploits.jpg\r\n\u251c\u2500\u2500 hellofriend.jpg\r\n\u2514\u2500\u2500 WhoAmI.png\r\n<\/pre>\n
A l’aide de binwalk nous identifions rapidement une archive dans l’image \u00ab\u00a03xploits.jpg\u00a0\u00bb :<\/p>\n
\r\nbinwalk Hello_friend\/9\/3xploits.jpg\r\nDECIMAL HEXADECIMAL DESCRIPTION\r\n--------------------------------------------------------------------------------\r\n186158 0x2D72E Zip archive data, encrypted at least v2.0 to extract, compressed size: 112361, uncompressed size: 302979, name: d3bug.png\r\n298665 0x48EA9 End of Zip archive\r\n<\/pre>\n
La encore l’archive est prot\u00e9g\u00e9 par un mot de passe.<\/p>\n
\r\nunzip Hello_friend\/9\/3xploits.jpg\r\n=> [Hello_friend\/9\/3xploits.jpg] d3bug.png password:\r\n<\/pre>\n
Le nom des images png ressemble \u00e0 de l’hexadecimal, nous tentons donc de convertir en chaine de caract\u00e8re :<\/p>\n
\r\necho -en '6461726b63306465' | xxd -r -p\r\n=> darkc0de\r\n<\/pre>\n
Nous tentons donc de mettre cette valeur en tant que mot de passe :<\/p>\n
\r\nunzip Hello_friend\/9\/3xploits.jpg\r\n=> [Hello_friend\/9\/3xploits.jpg] d3bug.png password: darkc0de\r\n<\/pre>\n
Le mot de passe est incorrect.<\/p>\n
Une recherche sur Google nous am\u00e8ne vers un site \u00ab\u00a0WPA \/ WPA2 Word List Dictionaries\u00a0\u00bb sur lequel est \u00e0 disposition un dictionnaire \u00ab\u00a0darkc0de.lst\u00a0\u00bb.
\nJe t\u00e9l\u00e9charge donc le dictionnaire.<\/p>\n
Ensuite j’extrais le fichier ZIP afin de le bruteforcer avec fcrackzip :<\/p>\n
\r\nbinwalk -e Hello_friend\/9\/3xploits.jpg\r\n<\/pre>\n
Une extraction est r\u00e9alis\u00e9e par binwalk :<\/p>\n
\r\n.\r\n\u251c\u2500\u2500 _3xploits.jpg.extracted\r\n\u2502   \u251c\u2500\u2500 2D72E.zip\r\n\u2502   \u2514\u2500\u2500 d3bug.png\r\n<\/pre>\n
Nous avons d\u00e9sormais le fichier ZIP \u00e0 disposition, apr\u00e8s installation de fcrackzip (via apt) nous pouvons bruteforcer le fichier zip :<\/p>\n
\r\nfcrackzip -v -D -u -p ~\/CTFs\/passwords\/darkc0de.lst _3xploits.jpg.extracted\/2D72E.zip\r\nfound file 'd3bug.png', (size cp\/uc 112361\/302979, flags 9, chk be20)\r\nPASSWORD FOUND!!!!: pw == How do you like me now?\r\n<\/pre>\n
Nous d\u00e9compressons l’archive avec le mot de pass \u00ab\u00a0How do you like me now?\u00a0\u00bb :<\/p>\n
\r\nunzip _3xploits.jpg.extracted\/2D72E.zip\r\n[_3xploits.jpg.extracted\/2D72E.zip] d3bug.png password: How do you like me now?\r\n<\/pre>\n
Il nous reste plus qu’\u00e0 regarder l’image PNG contenant le flag :<\/p>\n
\"congratz\"<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Description Une image JPG est mise \u00e0 disposition pour ce challenge.<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[130,35,180],"tags":[19,177,181],"class_list":["post-2458","post","type-post","status-publish","format-standard","hentry","category-2016-fr","category-ctf-fr","category-nuit-du-hack-wargame","tag-web","tag-write-up","tag-ndh2016"],"_links":{"self":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts\/2458","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/comments?post=2458"}],"version-history":[{"count":4,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts\/2458\/revisions"}],"predecessor-version":[{"id":2465,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts\/2458\/revisions\/2465"}],"wp:attachment":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/media?parent=2458"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/categories?post=2458"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/tags?post=2458"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}