Rootme Find the cat
Root-me.org
Find the cat
Rescue/Data mining
We’re presented with an archive. If we uncompress it and run file on the result, we get the following:
file ch9
ch9: DOS/MBR boot sector; partition 1 : ID=0xb, start-CHS (0x0,32,33), end-CHS (0x10,81,1), startsector 2048, 260096 sectors, extended partition table (last)
So this is a raw disk image with a DOS/MBR partition table, which means there’s a good chance we can mount it on our system.
Let’s first gather more information about the image.
fdisk -l ch9
Disk ch9: 128 MiB, 134217728 bytes, 262144 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xc5ce543f
Device Boot Start    End Sectors  Size Id Type
ch9p1        2048 262143  260096  127M  b W95 FAT32
We now know the filesystem type (FAT32) and have what we need to compute the byte offset of the partition inside the image:
Offset = sector size * start sector
Offset = 512 * 2048 = 1048576
We’ll mount it now. Keep in mind that the image is our only copy of the evidence: fsck can write to the device it checks, and fsck.fat -f in particular salvages unused cluster chains into new files, i.e. it rewrites the very unallocated space we will want to carve later. Run it on a scratch copy, or skip it, attach the loop device read-only (losetup -r) and mount with -o ro. The commands used here were:
sudo losetup -o 1048576 /dev/loop0 ch9
sudo fsck -fv /dev/loop0
sudo mount /dev/loop0 mount/
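The offset calculation above can also be read straight from the partition table at the start of the image. As an added example (not part of the original writeup), here is a small Python parser for the DOS/MBR partition table that reproduces the numbers file and fdisk printed (disk identifier, partition type, start sector, sector count and the byte offset for losetup/mount) and also decodes the packed CHS fields that file shows as start-CHS/end-CHS. The 512-byte MBR it runs on is constructed inline to match the fdisk output; pass the path of the real image as an argument to parse that instead (the script name mbr.py is assumed).

```python
import struct

SECTOR_SIZE = 512  # logical sector size, as fdisk reported for this image

# A few MBR partition type IDs; 0x0b is what fdisk printed as "W95 FAT32"
PART_TYPES = {
    0x05: "Extended",
    0x07: "HPFS/NTFS/exFAT",
    0x0B: "W95 FAT32",
    0x0C: "W95 FAT32 (LBA)",
    0x83: "Linux",
}


def decode_chs(raw: bytes):
    """Decode a packed 3-byte CHS field into (cylinder, head, sector).

    Byte 0 is the head, byte 1 holds the sector in its low 6 bits plus the two
    high bits of the cylinder, byte 2 holds the low 8 bits of the cylinder.
    (cylinder, head, sector) is the order file(1) prints as start-CHS/end-CHS.
    """
    head = raw[0]
    sector = raw[1] & 0x3F
    cylinder = ((raw[1] & 0xC0) << 2) | raw[2]
    return cylinder, head, sector


def parse_mbr(mbr: bytes, sector_size: int = SECTOR_SIZE):
    """Parse the four primary entries of a DOS/MBR partition table.

    Returns (disk_id, partitions); each partition dict carries the fields
    needed to mount it from a raw image, including the byte offset.
    """
    if len(mbr) < 512:
        raise ValueError("need at least the first 512 bytes of the image")
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA signature: not a DOS/MBR boot sector")
    disk_id = struct.unpack_from("<I", mbr, 440)[0]  # fdisk's "Disk identifier"
    partitions = []
    for i in range(4):
        entry = mbr[446 + 16 * i : 446 + 16 * (i + 1)]
        status, chs_start, ptype, chs_end, lba_start, nsectors = struct.unpack("<B3sB3sII", entry)
        if ptype == 0 or nsectors == 0:
            continue  # empty slot
        partitions.append({
            "index": i + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PART_TYPES.get(ptype, "unknown"),
            "start_chs": decode_chs(chs_start),
            "end_chs": decode_chs(chs_end),
            "start": lba_start,
            "end": lba_start + nsectors - 1,
            "sectors": nsectors,
            "offset": lba_start * sector_size,  # Offset = sector size * start sector
        })
    return disk_id, partitions


def mount_command(image: str, part: dict, mountpoint: str = "mount/") -> str:
    """Build a read-only loop mount command for one partition of a raw image."""
    return f"sudo mount -o loop,ro,offset={part['offset']} {image} {mountpoint}"


def build_sample_mbr() -> bytes:
    """Constructed 512-byte MBR mirroring the fdisk/file output above
    (disk id 0xc5ce543f, one FAT32 partition, start 2048, 260096 sectors).
    Built here for the demo, not copied from the challenge image."""
    start_chs = bytes([32, 33, 0])   # head 32, sector 33, cylinder 0  -> (0x0,32,33)
    end_chs = bytes([81, 1, 16])     # head 81, sector 1, cylinder 16  -> (0x10,81,1)
    entry = struct.pack("<B3sB3sII", 0x00, start_chs, 0x0B, end_chs, 2048, 260096)
    mbr = bytearray(512)
    struct.pack_into("<I", mbr, 440, 0xC5CE543F)
    mbr[446:462] = entry
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read(512) if len(sys.argv) > 1 else build_sample_mbr()
    disk_id, parts = parse_mbr(data)
    print(f"Disk identifier: 0x{disk_id:08x}")
    for p in parts:
        print(f"p{p['index']}: type 0x{p['type']:02x} ({p['type_name']}), "
              f"start {p['start']}, end {p['end']}, sectors {p['sectors']}, offset {p['offset']}")
        print("  " + mount_command("ch9", p))
```

The mount command it prints uses offset= and ro, so the kernel sets up the loop device for you and nothing is written back to the image.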
Investigation
If we browse the mount we find a lot of files, but after spending some time on them I couldn’t find anything related to a cat or a city.
What we need is to recover the files that were deleted from the partition, which are no longer reachable through the mount.
We’ll be using photorec to recover them.
wget https://www.cgsecurity.org/testdisk-7.1-WIP.linux26-x86_64.tar.bz2
bunzip2 testdisk-7.1-WIP.linux26-x86_64.tar.bz2
tar xvf testdisk-7.1-WIP.linux26-x86_64.tar
sudo ./testdisk-7.1-WIP/photorec_static
PhotoRec 7.1-WIP, Data Recovery Utility, November 2017
Christophe GRENIER <[email protected]>
https://www.cgsecurity.org
PhotoRec is free software, and
comes with ABSOLUTELY NO WARRANTY.
Select a media (use Arrow keys, then press Enter):
Disk /dev/sda - 120 GB / 111 GiB (RO) - Corsair Force 3 SSD
Disk /dev/sdb - 750 GB / 698 GiB (RO) - Crucial_CT750MX300SSD1
Disk /dev/sdc - 240 GB / 223 GiB (RO) - OCZ-ARC100
>Disk /dev/loop0 - 133 MB / 127 MiB (RO)
We choose /dev/loop0, the loop device holding the partition (not the mount point).
Disk /dev/loop0 - 133 MB / 127 MiB (RO)
Partition Start End Size in sectors
Unknown 0 0 1 260095 0 1 260096 [Whole disk]
> P FAT32 0 0 1 260095 0 1 260096
P FAT32 0 0 1 260095 0 1 260096
To recover lost files, PhotoRec needs to know the filesystem type where the
file were stored:
[ ext2/ext3 ] ext2/ext3/ext4 filesystem
>[ Other ] FAT/NTFS/HFS+/ReiserFS/...
P FAT32 0 0 1 260095 0 1 260096
Please choose if all space needs to be analysed:
>[ Free ] Scan for file from FAT32 unallocated space only
[ Whole ] Extract files from whole partition
Keys: Arrow keys to select another directory
C when the destination is correct
Q to quit
Directory /home/p0pp3t/CTF/rootme/forensic/ch9
>drwxrwxr-x 1000 1000 4096 8-Dec-2017 18:10 .
drwxrwxr-x 1000 1000 4096 8-Dec-2017 03:30 ..
drwxr-xr-x 0 0 512 mount
drwxr-xr-x 1000 1000 4096 8-Dec-2017 17:42 testdisk-7.1-WIP
-rw-rw-r-- 1000 1000 134217728 8-Dec-2017 17:21 ch9
-rw-rw-r-- 1000 1000 12314757 8-Dec-2017 04:19 ch9.gz
-rw-rw-r-- 1000 1000 19886080 8-Dec-2017 17:40 testdisk-7.1-WIP.linux26-x86_64.tar
Disk /dev/loop0 - 133 MB / 127 MiB (RO)
Partition Start End Size in sectors
P FAT32 0 0 1 260095 0 1 260096
24 files saved in /home/p0pp3t/CTF/rootme/forensic/ch9/recup_dir directory.
Recovery completed.
You are welcome to donate to support and encourage further development
https://www.cgsecurity.org/wiki/Donation
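PhotoRec does not need the FAT directory entries of the deleted files: it carves by content, scanning the unallocated space for known file headers and trailers. As an added example (not photorec’s code and not part of the original writeup), here is a minimal carver in Python that does the same for PNG, JPEG, PDF and zip containers such as ODT, and names what it finds after the starting sector the way photorec’s fNNNNNNN names do. The "unallocated space" it scans is a constructed byte string with four tiny files embedded; pass a path argument to scan a real image instead.

```python
import os
import sys

SECTOR_SIZE = 512

# (type, header magic, trailer magic, bytes to keep from the trailer on, max size)
SIGNATURES = [
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 8, 16 * 1024 * 1024),  # IEND chunk type + its fixed CRC
    ("jpg", b"\xff\xd8\xff",      b"\xff\xd9",        2, 16 * 1024 * 1024),  # SOI .. EOI
    ("pdf", b"%PDF-",             b"%%EOF",           5, 16 * 1024 * 1024),
    ("zip", b"PK\x03\x04",        b"PK\x05\x06",     22, 16 * 1024 * 1024),  # ODT/DOCX are zips; EOCD is 22 bytes without comment
]


def carve(blob: bytes, signatures=SIGNATURES):
    """Return [(offset, type, data)] for every header/trailer pair found in blob.

    Known limitations, useful when reading photorec output: a JPEG with an EXIF
    thumbnail contains a second SOI/EOI pair, so a naive carver may cut the file
    at the thumbnail's EOI; fragmented files are not reassembled.
    """
    found = []
    for ftype, header, trailer, keep, max_size in signatures:
        pos = 0
        while True:
            h = blob.find(header, pos)
            if h < 0:
                break
            limit = min(len(blob), h + max_size)
            t = blob.find(trailer, h + len(header), limit)
            if t < 0:
                pos = h + len(header)  # header without a trailer in range: skip it
                continue
            end = t + keep
            found.append((h, ftype, blob[h:end]))
            pos = end
    found.sort(key=lambda f: f[0])
    return found


def photorec_style_name(offset: int, ftype: str) -> str:
    """Name a carved file after its starting sector, like photorec's f0029440.jpg."""
    return f"f{offset // SECTOR_SIZE:07d}.{ftype}"


def build_sample_blob() -> bytes:
    """Constructed 'unallocated space': empty sectors with four small files embedded.
    Built here for the demo; not data from the challenge image."""
    png = (b"\x89PNG\r\n\x1a\n"                                                    # signature
           b"\x00\x00\x00\x0dIHDR\x00\x00\x00\x01\x00\x00\x00\x01\x08\x06\x00\x00\x00\x1f\x15\xc4\x89"  # 1x1 RGBA IHDR
           b"\x00\x00\x00\x00IEND\xaeB`\x82")                                        # IEND chunk
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\xff\xd9"
    zipf = b"PK\x03\x04" + bytes(26) + b"PK\x01\x02" + bytes(42) + b"PK\x05\x06" + bytes(18)
    pdf = b"%PDF-1.4\n1 0 obj\n<< >>\nendobj\ntrailer\n<< >>\n%%EOF\n"
    filler = bytes(SECTOR_SIZE)  # one empty sector between files
    return filler + png + filler + jpg + filler + zipf + filler + pdf + filler


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_blob()
    os.makedirs("recup_demo", exist_ok=True)
    for offset, ftype, data in carve(blob):
        name = photorec_style_name(offset, ftype)
        with open(os.path.join("recup_demo", name), "wb") as fh:
            fh.write(data)
        print(f"{name}: {len(data)} bytes at offset {offset}")
```

Run against the raw image it scans the whole file, allocated clusters included; photorec’s "Free" mode additionally walks the FAT so that only unallocated space is searched, which is why it returned just 24 files here.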
Once it finishes we have a new folder called recup_dir.1:
ls -lha
total 6.5M
drwxr-xr-x 2 root root 4.0K Dec 8 17:42 .
drwxrwxr-x 7 p0pp3t p0pp3t 4.0K Dec 8 18:12 ..
-rw-r--r-- 1 root root 657K Dec 8 17:42 f0005707_pdf,_Job_18.pdf
-rw-r--r-- 1 root root 1.3M Jan 24 2004 f0012614.pdf
-rw-r--r-- 1 root root 1.5M Dec 8 17:42 f0015175.pdf
-rw-r--r-- 1 root root 2.3M Jul 22 2013 f0019458.odt
-rw-r--r-- 1 root root 103K Dec 8 17:42 f0028623.txt
-rw-r--r-- 1 root root 3.5K Dec 8 17:42 f0028828.png
-rw-r--r-- 1 root root 148K Dec 8 17:42 f0028836.txt
-rw-r--r-- 1 root root 9.3K Dec 8 17:42 f0029131.txt
-rw-r--r-- 1 root root 8.8K Dec 8 17:42 f0029151.txt
-rw-r--r-- 1 root root 55K Dec 8 17:42 f0029170.txt
-rw-r--r-- 1 root root 214 Dec 8 17:42 f0029281.png
-rw-r--r-- 1 root root 9.3K Dec 8 17:42 f0029283.txt
-rw-r--r-- 1 root root 63K Dec 8 17:42 f0029304.txt
-rw-r--r-- 1 root root 728 Dec 8 17:42 f0029431.h
-rw-r--r-- 1 root root 204 Dec 8 17:42 f0029433.png
-rw-r--r-- 1 root root 2.4K Dec 8 17:42 f0029435.png
-rw-r--r-- 1 root root 15K Dec 8 17:42 f0029440.jpg
-rw-r--r-- 1 root root 1.6K Dec 8 17:42 f0029469.png
-rw-r--r-- 1 root root 751 Dec 8 17:42 f0029473.png
-rw-r--r-- 1 root root 385 Dec 8 17:42 f0029475.png
-rw-r--r-- 1 root root 1.8K Dec 8 17:42 f0029477.h
-rw-r--r-- 1 root root 14K Dec 8 17:42 f0029482.txt
-rw-r--r-- 1 root root 173K Dec 8 17:42 f0029510.txt
-rw-r--r-- 1 root root 219K Dec 8 17:42 f0032407_Exchangeable_image_file_format_-_Wikipedia,_the_free_encyclopedia.html
-rw-r--r-- 1 root root 6.3K Dec 8 17:42 report.xml
We have a lot of text files and images. After going through all of them, the ransom note turns out to be f0019458.odt.
We save the picture of the cat embedded in the note to our computer (an ODT is a zip archive, so the picture can also be pulled straight out of its Pictures/ directory with unzip).
Then we take a look at its EXIF data to see if there’s anything interesting.
exiftool cat.png
ExifTool Version Number : 10.40
File Name : cat.png
Directory : .
File Size : 2.2 MB
...
GPS Altitude : 16.7 m Above Sea Level
GPS Latitude : 47 deg 36' 16.15" N
GPS Longitude : 7 deg 24' 52.48" E
GPS Position : 47 deg 36' 16.15" N, 7 deg 24' 52.48" E
Image Size : 3264x2448
...
We got GPS coordinates. Looking them up on a map gives us the name of the city.
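The lookup step, as an added example that is not part of the original writeup: exiftool prints coordinates in degrees, minutes and seconds, while map services want signed decimal degrees. This Python snippet parses the GPS tags out of exiftool’s output (the four GPS lines above are embedded as the sample), converts them, negating the southern and western hemispheres, and builds an OpenStreetMap link for the position.

```python
import re
import sys

# Matches exiftool's default coordinate rendering, e.g. 47 deg 36' 16.15" N
DMS_RE = re.compile(r"""(\d+)\s*deg\s*(\d+)'\s*(\d+(?:\.\d+)?)"\s*([NSEW])""")


def dms_to_decimal(text: str) -> float:
    """Convert one exiftool DMS string to signed decimal degrees (S and W negative)."""
    m = DMS_RE.search(text)
    if not m:
        raise ValueError(f"not an exiftool DMS coordinate: {text!r}")
    deg, minutes, seconds, hemisphere = m.groups()
    value = int(deg) + int(minutes) / 60 + float(seconds) / 3600
    return -value if hemisphere in "SW" else value


def parse_exiftool_gps(output: str):
    """Pull GPS Latitude/Longitude out of exiftool's 'key : value' output."""
    lat = lon = None
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key = key.strip()
        if key == "GPS Latitude":
            lat = dms_to_decimal(value)
        elif key == "GPS Longitude":
            lon = dms_to_decimal(value)
    if lat is None or lon is None:
        raise ValueError("no GPS Latitude/Longitude tags in output")
    return lat, lon


def osm_url(lat: float, lon: float, zoom: int = 14) -> str:
    """OpenStreetMap link with a marker at the position, for the lookup step."""
    return f"https://www.openstreetmap.org/?mlat={lat:.6f}&mlon={lon:.6f}#map={zoom}/{lat:.6f}/{lon:.6f}"


# The GPS lines as exiftool printed them above; the rest of the report is omitted
SAMPLE_OUTPUT = """\
GPS Altitude                    : 16.7 m Above Sea Level
GPS Latitude                    : 47 deg 36' 16.15" N
GPS Longitude                   : 7 deg 24' 52.48" E
GPS Position                    : 47 deg 36' 16.15" N, 7 deg 24' 52.48" E
"""

if __name__ == "__main__":
    # Pipe "exiftool cat.png" into this script, or run it alone to use the sample
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    lat, lon = parse_exiftool_gps(text)
    print(f"{lat:.6f}, {lon:.6f}")
    print(osm_url(lat, lon))
```

When you still have the file at hand, exiftool -n cat.png disables exiftool’s print conversion and gives the tags in decimal directly; the parser is for the case where only a report like the one above survives.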