CSAW – Clams Don’t Dance

In this Forensics challenge, an image file was provided.

Opening a new case in Autopsy and loading the image file, I was faced with the file listing of the image.

Viewing the files within the image, one in particular caught my attention: a .pptx file. I exported it and saved it for further analysis.

Since the file carried a .pptx extension, and Office Open XML documents are ZIP archives, I knew I could open it with an archiver such as WinRAR or 7-Zip.

I opened the file with WinRAR and extracted its contents. Navigating to the \ppt\media folder, I was met with a set of images.

Of all the images, the one that really caught my attention was the one in the upper left corner:

[image0]

With a little research, I found out that the image is a MaxiCode symbol.

Running it through a MaxiCode decoder produced the flag.

Flag Captured!

Headsup – Forensics Task

It has been a while since I dropped anything here.

Well, I have been capturing some flags lately, and today I will be detailing a flag I helped capture.

A friend asked for help with a capture-the-flag task he was engaged in. I later found out that the task was a Forensics challenge from the angstromctf held in April 2016.

I downloaded the file provided for the challenge and set to work on getting the flag out of it.

A glance at the file suggests it is a PDF, because of its .pdf extension. Oops! On opening the file, an error message appeared instead.

From my limited CTF experience, hints can often be derived from the title of a challenge. On sighting the task name (headsup.pdf), I took it as a pointer to the file header.

Using my favourite hex editor, I viewed the file. Looking at the file header, I knew for certain that something was wrong with the given file.

%PDF is the standard header of every PDF. What is wrong here is the IHDR that follows it, which is the first chunk of a PNG file. To satisfy my curiosity, I also looked at how the file ends in the hex editor and compared it with how a typical PDF ends, namely with the %%EOF marker.

I now concluded that this could be a picture file and not a PDF. To be sure, I opened a genuine .png file in the hex editor and looked at its first bytes: a PNG starts with the signature 89 50 4E 47 0D 0A 1A 0A, followed immediately by the IHDR chunk.

Knowing this, I began to manually tweak the file header so that it would become a proper PNG. The tweaking entails using the ‘Fill Selection’ tool in the hex editor’s Edit menu to write in the right hex values.

Having done that, and knowing that the file had been downloaded with a .pdf extension, I changed the extension to .png.
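As an added example, not the write-up’s own code, the same header check and repair scripted in Python: it reports what the leading bytes claim against what the IHDR chunk and IEND trailer say, then writes the PNG signature back over the first 8 bytes. The sample file is constructed in memory, and the repair assumes only the 8-byte signature was overwritten (my assumption, since the post does not state exactly which bytes it filled in).

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"\x00\x00\x00\x00IEND\xaeB`\x82"   # empty IEND chunk with its fixed CRC

def diagnose(data: bytes) -> dict:
    """Compare what the file claims (leading bytes) with what its structure says (IHDR at 12, IEND at end)."""
    return {
        "claims_pdf": data.startswith(b"%PDF"),
        "has_png_signature": data.startswith(PNG_SIGNATURE),
        "ihdr_at_12": data[12:16] == b"IHDR",
        "ends_with_iend": data.endswith(PNG_IEND),
    }

def repair_png_signature(data: bytes) -> bytes:
    """Put the 8-byte PNG signature back in front of a PNG body whose signature was overwritten.

    Assumption (mine, not the write-up's): only the signature was damaged, so the IHDR chunk that
    follows it (4-byte length 0x0000000D, then 'IHDR') is intact. Anything else is refused rather
    than guessed at, because the chunk layout would then need rebuilding too.
    """
    d = diagnose(data)
    if d["has_png_signature"]:
        return data                       # nothing to do
    if not d["ihdr_at_12"] or data[8:12] != b"\x00\x00\x00\x0d":
        raise ValueError("IHDR chunk not where a PNG keeps it; more than the signature is damaged")
    return PNG_SIGNATURE + data[8:]

def build_sample() -> bytes:
    """Constructed stand-in for headsup.pdf: a valid 1x1 PNG whose signature was replaced by '%PDF-1.4'."""
    def chunk(ctype, body):
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xffffffff)
    png = (PNG_SIGNATURE
           + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))   # 1x1, 8-bit greyscale
           + chunk(b"IDAT", zlib.compress(b"\x00\x00"))                     # filter byte + one pixel
           + chunk(b"IEND", b""))
    return b"%PDF-1.4" + png[8:]

if __name__ == "__main__":
    broken = build_sample()
    print(diagnose(broken))
    print(diagnose(repair_png_signature(broken)))
```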

Opening the file, I saw the flag.

Flag captured!!!

SMiShing – BVN validation

Phishing attacks will never stop. The only way to beat this form of attack is not to get caught: do not be a victim.

Despite the prevalence of this form of attack, not everybody becomes a victim. One of the ways I would recommend to avoid being a victim is the application of “common sense”. Common sense, some say, may not be entirely common after all, which is why things one should ordinarily never fall for still catch people out.

With the widespread use of mobile phones, much communication takes place by exchanging SMS, and phishing has evolved to use text messages to carry out these attacks. The aim is to get gullible users to fall victim. One tool employed in this form of attack is what I call “subtle intimidation”.

These messages have ways of invoking fear in the minds of users and at times do harvest victims. This should not make us forget that every one of us is a potential victim; ending up as one depends entirely on what you do with the message you receive.

SMiShing is the practice of using text messages to carry out phishing attacks.

I recently received an SMS which I immediately knew was an attack. The message I received is:

“Dear Customer, Due to the BVN validation in compliance with CBN bank directives, your ATM card has been De_activated call our help line on (07033680531) now”

The above message was sent from +2349037918543.

Though phishing messages can be crafted without leaving room for suspicion, the above SMS is a poorly crafted one.

Certain features mark the above as an attack: the poor use of punctuation, the issues with capitalization, the wrong usage of words, and the fact that a message that actually came from my bank would have been addressed to me by name.

Care must therefore be taken to avoid falling victim to these kinds of attacks. Do not be hasty in responding to any message that comes your way.
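As an added example (my own, not the post’s), the tells listed above expressed as simple rules and run over the SMS quoted above and a constructed benign message; the rule patterns, the threshold and the benign message are my assumptions.

```python
import re

# Each rule mirrors one of the tells pointed out above. The patterns are my own heuristics.
RULES = [
    ("generic salutation instead of a name", re.compile(r"^\s*dear\s+(customer|user|client)\b", re.I)),
    ("threat against the card or account",   re.compile(r"\b(de[_ -]?activated|suspended|blocked|locked)\b", re.I)),
    ("pressure to act at once",              re.compile(r"\b(now|immediately|urgently|within\s+\d+\s+hours?)\b", re.I)),
    ("phone number pushed in the message",   re.compile(r"\bcall\b.*?\(?\+?\d[\d\s-]{7,}\d\)?", re.I)),
    ("underscore inside a word",             re.compile(r"[a-z]_[a-z]", re.I)),
    ("capitalised word mid-sentence",        re.compile(r"[a-z]\s+[A-Z][a-z]+")),
]

def sms_tells(text: str) -> list:
    """Return the names of every rule the message trips, in rule order."""
    return [name for name, pattern in RULES if pattern.search(text)]

def verdict(text: str, threshold: int = 3) -> str:
    """Coarse classification: the more tells, the less reason to act on the message."""
    return "likely smishing" if len(sms_tells(text)) >= threshold else "no obvious tells"

# The SMS quoted in the post above, verbatim.
RECEIVED_SMS = ("Dear Customer, Due to the BVN validation in compliance with CBN bank directives, "
                "your ATM card has been De_activated call our help line on (07033680531) now")

# Constructed benign message for comparison.
BENIGN_SMS = "Your OTP for login is 482913. It expires in 5 minutes. Do not share it."

if __name__ == "__main__":
    for msg in (RECEIVED_SMS, BENIGN_SMS):
        print(verdict(msg), sms_tells(msg))
```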

Should you want to call the above phone numbers to do your BVN (Bank Verification Number) validation, you can go ahead and place the call.

Good luck 🙂

SECCON 2015 Online CTF – Steganography 3 solution

Having participated in the recently concluded SECCON 2015 Online CTF and captured some flags, I decided to write up one of the challenges posed: Steganography 3.

A file was provided for us to examine, with the view to finding out what was embedded in it.

After downloading the file and viewing it in a picture viewer, we are faced with an image that in itself does not reveal much; it leaves a lot to the imagination.

One thing in particular that gave me the strongest hint was the bottom-right part of the picture, where the picture file is shown opened in Paint.

I opened the file in Paint, but the result was no different from what the other picture viewer showed.

Yet Paint can do some tricky things, and I took advantage of what I suspected would be the solution.

Selecting the “Fill with color” tool, I left-clicked on the picture and the hidden text showed up.

The flag was revealed: SECCON{the_hidden_message_ever}.
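The paint bucket recolours only pixels that exactly match the colour clicked, so text drawn in a shade one unit away from the background is invisible to the eye but survives the fill. This added example (mine, not the write-up’s) simulates that on a constructed grid, assuming that is the mechanism behind the trick above.

```python
from collections import deque

WHITE = (255, 255, 255)
ALMOST_WHITE = (254, 255, 255)   # one step off: invisible to the eye, distinct to an exact-match fill
BLACK = (0, 0, 0)

def flood_fill(pixels, start, new_color):
    """Exact-match 4-connected flood fill, as a paint bucket does it: only pixels with precisely
    the colour of the start pixel are recoloured. Pixels that differ by even one unit are left alone."""
    rows, cols = len(pixels), len(pixels[0])
    target = pixels[start[0]][start[1]]
    out = [row[:] for row in pixels]          # do not modify the input image
    if target == new_color:
        return out
    queue = deque([start])
    while queue:
        r, c = queue.popleft()
        if out[r][c] != target:
            continue
        out[r][c] = new_color
        for dr, dc in ((1, 0), (-1, 0), (0, 1), (0, -1)):
            nr, nc = r + dr, c + dc
            if 0 <= nr < rows and 0 <= nc < cols and out[nr][nc] == target:
                queue.append((nr, nc))
    return out

def build_sample():
    """Constructed 5x9 'image': white background with the letter H drawn in almost-white."""
    ascii_art = [
        ".........",
        ".#.....#.",
        ".#######.",
        ".#.....#.",
        ".........",
    ]
    return [[ALMOST_WHITE if ch == "#" else WHITE for ch in row] for row in ascii_art]

def render(pixels):
    """Mark every pixel the fill did not reach; after filling the background, these form the message."""
    return ["".join("#" if p != BLACK else "." for p in row) for row in pixels]

if __name__ == "__main__":
    print("\n".join(render(flood_fill(build_sample(), (0, 0), BLACK))))
```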

CTF Global Cyberlympics 2015 Challenge Write Up

The Global Cyberlympics finals were recently held, on the 20th of October 2015, in Washington D.C. The competition is one where ethical hackers representing different organizations from all over the world gather to test their mettle on CTF exercises.

This is not possible without first going through preliminary stages to determine who represents the various regions of the world. Just as other teams represented other parts of the world, the African region was represented by two teams from Nigeria, Team Naija and HAWX. They took part in the competition and, to me, they are indeed champions, having topped the chart to represent Africa.

Hack.ERS (Europe) emerged the winners of the competition, Sector C (Europe) came out as first runners-up, and CTRL+ALT+DEL (North America) took third place. Congratulations.

Several write-ups have started being published to help others. One such write-up can be found here.

This is a write-up on how I solved one of the challenges (I was not at the Cyberlympics this year 🙂).

According to my friend (he participated), “the question was to find out what’s wrong with the pcap…the answer lies within the pcap…”.

I downloaded the .pcap file, and one thing that got me curious was its size; it seemed too small.

It then occurred to me that, no matter the size of the file, “packets don’t lie”.

After opening the .pcap file in Wireshark, I noticed that packets 20 to 77 carried a continuous flow of data over the SSL protocol.

I then reassembled those packets by following the TCP stream and viewed the result as a hex dump.

Sighting the PNG header, I knew a picture was involved. I saved the stream with a .png extension, having selected the ‘Raw’ radio button. Opening the saved file, I found a picture.

Hmmmm, warl0ck gam3z…I love these guys.

NetworkMiner usually gives an indication of what a .pcap file contains, but when I opened this file with NetworkMiner there was no sign that a picture was embedded in it.
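Saving the whole stream as raw worked here, but a reassembled stream can carry framing or other data around the image. This added Python example (not from the write-up) carves exactly the PNG out of reassembled bytes by finding the signature and walking the chunks to IEND, checking each CRC on the way; the stream is a constructed stand-in for what Follow TCP Stream would give.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def carve_png(stream: bytes) -> bytes:
    """Locate the PNG signature in reassembled stream bytes and walk chunk by chunk to IEND.

    Each chunk is a 4-byte big-endian length, a 4-byte type, the data, and a 4-byte CRC over
    type+data. Walking the chunks (and checking each CRC) gives the exact extent of the image,
    so whatever surrounds it in the stream (framing, padding, another file) is not saved with it.
    """
    start = stream.find(PNG_SIGNATURE)
    if start < 0:
        raise ValueError("no PNG signature in stream")
    pos = start + len(PNG_SIGNATURE)
    while True:
        if pos + 8 > len(stream):
            raise ValueError("stream ends mid-chunk; capture is truncated")
        length, ctype = struct.unpack(">I4s", stream[pos:pos + 8])
        data = stream[pos + 8:pos + 8 + length]
        crc = stream[pos + 8 + length:pos + 12 + length]
        if len(data) != length or len(crc) != 4:
            raise ValueError("stream ends mid-chunk; capture is truncated")
        if zlib.crc32(ctype + data) & 0xffffffff != struct.unpack(">I", crc)[0]:
            raise ValueError("bad CRC in %r chunk; stream reassembled out of order?" % ctype)
        pos += 12 + length
        if ctype == b"IEND":
            return stream[start:pos]

def build_sample_stream() -> bytes:
    """Constructed stand-in for the followed stream: junk, a minimal 1x1 PNG, then trailing bytes."""
    def chunk(ctype, body):
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xffffffff)
    png = (PNG_SIGNATURE
           + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))   # 1x1, 8-bit greyscale
           + chunk(b"IDAT", zlib.compress(b"\x00\x00"))                     # filter byte + one pixel
           + chunk(b"IEND", b""))
    return b"\x16\x03\x01\x00\x2fjunk-before" + png + b"trailing bytes after IEND"

if __name__ == "__main__":
    carved = carve_png(build_sample_stream())
    print(len(carved), "bytes carved, ends with IEND:", carved.endswith(b"IEND\xaeB`\x82"))
```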

The picture itself carries a clue as to what to work on.

Using my favourite online hash lookup service, I tried to reverse the hash shown on the picture, and the result made it clear that the key being asked for was the MD5 hash of ‘wg’.

Hashing ‘wg’ with MD5 gave the key.

Voila…Flag captured…challenge solved.

Ciao.

The Network of Things

Back in 1998, a hacker group named L0pht disclosed to a panel of United States lawmakers the impending disaster that would eventually rock the internet world: computers were not secure.

They foretold this based on the vulnerabilities and bugs they had found while carrying out tests on IT equipment. Their point was that IT products were not being hardened with enough security for end users to use them without having to concern themselves with “so much” security.

However, the case we have nowadays is that end users have been handed the task of ensuring the security of the products they buy from IT vendors.

The question which now is asked is “Who should be responsible for Security?”

Should security lie in the hands of the end users who buy these products, or of the vendors who make and sell them at very high prices (open source included)? This question has not received a universally accepted answer. If I need to buy a product, be it software or hardware, at a very dear rate, why then should I bother myself with ensuring that it is not hacked? Why should I pay so much and end up with sleepless nights because I do not want my product to be hacked?

This is what L0pht was warning the world about, but it was disregarded, hence the constant news of hacking. Earlier still, Bill Gates, in his May 26, 1995 memo to Microsoft staff, had clearly foretold an interconnected world; no wonder he titled the memo “The Internet Tidal Wave”.

Looking at the warning L0pht gave, Microsoft seems to be one of the major channels through which it came to fruition. In May 2000, the ILOVEYOU worm gained notoriety by exploiting a feature of Microsoft Outlook. It was followed by the PIKACHU, ANNA KOURNIKOVA and NIMDA worms.

Should we therefore conclude that the world is paying for not heeding the timely warning?

Furthermore, the interconnection of devices today has made communication and other aspects of life easier. This does not, however, take away the fact that hackers are still on the prowl.

To this end, companies have come up with bug bounties so that bugs can be found and fixed before they are disclosed to the public.

The craze of the moment is the Internet of Things, where everyday gadgets connect to the internet. Sincerely, I cannot understand why my refrigerator must be connected to the internet and end up giving me problems.

According to a computer scientist at the University of California, Santa Barbara, hackers are like water: once you put a plug in place, they find another crack.

The essence, therefore, is for everybody to imbibe a security consciousness.

If I purchase an IT product at an expensive price, why must I break my sleep for its security?

FREE Computer Forensics Training

Have you ever thought of arousing your IT forensics instincts with some training?

I have come to notice that many people interested in IT security tend to lean towards hacking. This is not to say they are making wrong choices, but several other areas abound in the world of security that you can delve into.

The world of forensics is one not so many people are interested in, yet it is an aspect of IT security that sharpens one’s security consciousness. As an IT person, security is of utmost importance to the IT infrastructure installed in the organization one works in.

Finding out what may have happened to cause a system crash is the domain of digital forensics.

EH Academy is a platform where one can get training in computer forensics. Simply visit EH Academy and you will be offered this course and several others.

To take the Computer Forensics course, visit http://academy.ehacking.net/courses/computer-hacking-forensics-investigation/.

This course will teach you several ways to go about that investigation you are finding hard to get through.

Do not miss visiting.