Puzzle #1: Ann’s Bad AIM

  • 2017.08.11 13:11
  • CTF/Puzzel - Network Forensics
Author: pental

Puzzle #1: Ann’s Bad AIM

SEPTEMBER 25, 2009 / ADMIN / 5 COMMENTS

Anarchy-R-Us, Inc. suspects that one of their employees, Ann Dercover, is really a secret agent working for their competitor. Ann has access to the company’s prize asset, the secret recipe. Security staff are worried that Ann may try to leak the company’s secret recipe.

Security staff have been monitoring Ann’s activity for some time, but haven’t found anything suspicious – until now. Today an unexpected laptop briefly appeared on the company wireless network. Staff hypothesize it may have been someone in the parking lot, because no strangers were seen in the building. Ann’s computer, (192.168.1.158) sent IMs over the wireless network to this computer. The rogue laptop disappeared shortly thereafter.

“We have a packet capture of the activity,” said security staff, “but we can’t figure out what’s going on. Can you help?”

You are the forensic investigator. Your mission is to figure out who Ann was IM-ing, what she sent, and recover evidence including:

1. What is the name of Ann’s IM buddy?
2. What was the first comment in the captured IM conversation?
3. What is the name of the file Ann transferred?
4. What is the magic number of the file you want to extract (first four bytes)?
5. What was the MD5sum of the file?
6. What is the secret recipe?

Here is your evidence file:

http://forensicscontest.com/contest01/evidence01.pcap
MD5 (evidence.pcap) = d187d77e18c84f6d72f5845edca833f5

The MOST ELEGANT solution wins. In the event of a tie, the entry submitted first will receive the prize. Scripting is always encouraged. All responses should be submitted as plain text files.

Exceptional solutions may be incorporated into the SANS Network Forensics Toolkit. Authors agree that their code submissions will be freely published under the GPL license, in order to further the state of network forensics knowledge. Exceptional submissions may also be used as examples and tools in the Network Forensics class. All authors will receive full credit for their work.

Email submissions to answers@lakemissoulagroup.com. Deadline is 9/10/09. Good luck!!


Forensic Questions Write-up

▷ http://forensicscontest.com/2009/09/25/puzzle-1-anns-bad-aim

▷ Puzzle #1: Ann’s Bad AIM


Questions


1. What is the name of Ann’s IM buddy?

2. What was the first comment in the captured IM conversation?

3. What is the name of the file Ann transferred?

4. What is the magic number of the file you want to extract (first four bytes)?

5. What was the MD5sum of the file?

6. What is the secret recipe?


Answers


1. What is the name of Ann’s IM buddy?

First, we have the evidence file evidence.pcap, which is a packet capture file.

We filter the capture in Wireshark with the display filter tcp.stream eq 2.

What is tcp.stream?

It is a Wireshark field that assigns a number to each TCP session in the capture. Filtering on it shows only the packets of that one session, and increasing the number lets you walk through the sessions one after another.

No.  Time       Source         Destination    Protocol  Length  Info
23   18.870898  192.168.1.158  64.12.24.50    SSL       60      Continuation Data
24   18.871477  64.12.24.50    192.168.1.158  TCP       60      443 → 51128 [ACK] Seq=1 Ack=7 Win=64240 Len=0

Stream contents (text view):

*..`..*..a...........E4628778....Sec558user1....................Here's the secret recipe... I just downloaded it from the file server. Just copy to a thumb drive and you're good to go >:-)....*..b.".........F...........Sec558user1..*.V......


1. What is the name of Ann’s IM buddy?

Answer: Sec558user1


2. What was the first comment in the captured IM conversation?

Answer: Here's the secret recipe... I just downloaded it from the file server. Just copy to a thumb drive and you're good to go

The file name appears right next to this conversation.


3. What is the name of the file Ann transferred?

Answer: recipe.docx

4. What is the magic number of the file you want to extract (first four bytes)?

Answer: 50 4B 03 04

Why is the magic number 50 4B 03 04?

Because a .docx file is an Office Open XML document, which is stored as a ZIP container, and every ZIP local file header begins with the bytes 50 4B 03 04 ("PK" followed by 03 04).


5. What was the MD5sum of the file?


6. What is the secret recipe?

We can use the filters tcp.stream eq 1 through tcp.stream eq 9.

Stepping through those streams, we find the communication between 192.168.1.159 and 192.168.1.158.

We use Follow TCP Stream to reassemble it.

But I don’t know what to do after the restore…
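The steps above (follow the stream, locate the 50 4B 03 04 header, recover the .docx and hash it) can be scripted instead of done by hand in Wireshark. The following is an added example, not code from the original write-up or the contest: it carves a ZIP container out of reassembled TCP stream bytes, reports the magic number and MD5, and reads the document XML. The input bytes are constructed inline (a tiny .docx-like ZIP wrapped in stand-in protocol bytes) so the script runs offline; with the real capture you would feed it the raw bytes saved from Follow TCP Stream.

```python
import hashlib
import io
import zipfile
from typing import Optional

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # 50 4B 03 04: start of a ZIP, hence of a .docx
ZIP_EOCD = b"PK\x05\x06"           # End of Central Directory record signature


def carve_zip(stream: bytes) -> Optional[bytes]:
    """Carve the first ZIP container out of reassembled TCP stream bytes.

    The carve runs from the first local file header to the end of the
    EOCD record (22 fixed bytes plus the trailing archive comment).
    """
    start = stream.find(ZIP_LOCAL_HEADER)
    if start == -1:
        return None
    eocd = stream.rfind(ZIP_EOCD)
    if eocd == -1 or eocd < start:
        return None
    comment_len = int.from_bytes(stream[eocd + 20:eocd + 22], "little")
    return stream[start:eocd + 22 + comment_len]


def magic_number(data: bytes) -> str:
    """First four bytes in the hex form used in the write-up, e.g. '50 4B 03 04'."""
    return " ".join(f"{b:02X}" for b in data[:4])


def md5sum(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def read_docx_text(data: bytes) -> str:
    """Pull word/document.xml out of the carved container (a .docx is a ZIP)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read("word/document.xml").decode()


# Constructed sample: a minimal .docx-like ZIP surrounded by made-up bytes
# standing in for the file-transfer protocol data around it in the stream.
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w", zipfile.ZIP_DEFLATED) as zf:
    zf.writestr("word/document.xml", "<w:document>recipe placeholder</w:document>")
SAMPLE_DOCX = _buf.getvalue()
SAMPLE_STREAM = b"\x01\x00recipe.docx\x00" + SAMPLE_DOCX + b"\x00" * 8

if __name__ == "__main__":
    carved = carve_zip(SAMPLE_STREAM)
    print(magic_number(carved), md5sum(carved), read_docx_text(carved))
```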
