Insomni’hack Teaser 2022 — ExPiltration — Forensics Challenge
CTF EVENT: Insomni’hack Teaser 2022
CATEGORY: Forensics / Misc
A few weeks ago I had the opportunity to play the Insomni’hack Teaser 2022. shana and I managed to solve one of the two Forensics challenges of this CTF. This challenge requires many of the skills a digital forensics analyst should have.
I had heard that Insomni’hack is known to be a hard CTF, so I wanted to give it a try.
To solve this challenge, you need a basic knowledge of the Linux filesystem, log analysis, Python scripting, and a dose of forensics mindset.
In this write-up, I will go through the different steps we applied to solve this challenge. Have fun!
Oh shit.. (!) Our network has been compromised and data stored on an air-gapped device stolen, but we don’t know exactly what has been extracted and how. We have 24/7 video surveillance in the server room, and nobody has approached the device… Here is all I have, could you please give us a hand?
File to download: forensic-data.zip
Unzipping the archive gives us a video in .mp4 format and a folder.
Playing the video already gives us some insights:
1- We are dealing with a Raspberry Pi, most likely running Linux (to be confirmed later).
2- There is a timelapse overlay in the top left of the screen.
3- The video is 59:32 long.
4- Only the red light is ON at the beginning of the video, but from a specific moment on we also see activity from the green light.
In the storage folder, we found the following folders:
This confirms that we are dealing with a Linux machine: it is a Linux filesystem. Some of those folders are empty, but others contain a lot of files.
As there are many files, we need a way to work efficiently. Maybe the video can help us with that.
Indeed, thanks to the video, we can rebuild a timeline of the malicious event.
At a particular moment of the video, the lights start blinking, and later they stop. We can therefore assume that the suspicious activity happened in between.
Knowing that, let’s focus our investigation on the following time range:
· Start at 17:31:50
· End at 18:19:28
Now that we have a better idea of the timeline, we can move on to the log analysis.
On Linux machines, log files live in the « /var/log » folder. Most digital forensics specialists start from « syslog » when analyzing Linux events. When we checked this log, we found the suspicious activity at 17:32:01.
At that point, we know that someone with root privileges ran a Python script (systemupdate.py) and redirected its output to the file output.txt in the /tmp/ folder.
The next step is to investigate those two files: systemupdate.py and output.txt.
When we checked the /tmp/ folder, it was empty: to make the challenge harder, the file had been deleted.
Let’s investigate the Python script => systemupdate.py:
This is an interesting script. Despite its name, it is not a system update script but a malicious one.
What does the script do?
1 — It looks in the /home directory for any file with the extension .key or .crt.
2 — If a file is found, it reads its content and converts it to binary.
3 — For each bit: if it is 0, do nothing; if it is 1, turn the green light ON.
At this stage, we know what happened when they ran this command and script:
· It changes the lights of the Raspberry Pi.
· It saves the output in a text file.
Since the challenge asks what kind of information the suspect extracted, the first step is to go to the home folder and check for any file with the extension “.key” or “.crt”.
In the home folder, we find two files, one with each extension (.key and .crt).
BAD NEWS! Those files have been redacted. See the screenshots below:
Now, we have an idea of what kind of information they extracted: a private key and a certificate.
At that point, there is only one way to retrieve the content of those files: use the video and the sequence of bits generated by the blinking lights.
As you can imagine, we won’t spend an hour writing down the bits by hand. Instead, we automate the process with a Python script that analyzes the video and identifies when the colors change.
For video analysis, we use the Python library OpenCV. For those not familiar with it, OpenCV processes images and detects objects, colors, formats, etc. It is widely used in the AI field.
The final script looks like this:
Note: if you want to speed up the video analysis process, you can speed the video up by 300%.
If we run this script, you will see the following screen:
The right circle represents the red light: white inside the circle means the red light is ON, black means it is OFF. The same logic applies to the left circle, but for the green light.
After running the script, two new files have been created:
· malicious_output.txt is the same file that the malicious actor extracted from the system.
· content_decoded.txt is the actual content of the files (private.key and root-ca.crt) that the malicious actor extracted.
Now that we have the content of the files, we can extract the information and recreate the original files.
The private key doesn’t give us a lot of information. However, we can extract some information from the certificate using OpenSSL:
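The decoding half of that pipeline, as an added self-contained example (not the write-up’s OpenCV script and not systemupdate.py): it takes a per-frame brightness trace of the green LED region, rebuilds the bit string that becomes malicious_output.txt and the bytes that become content_decoded.txt, and splits the result back into the PEM files. The brightness trace is constructed here by simulating the blinking described above; the threshold, the frames-per-bit value and the MSB-first byte order are assumptions.

```python
"""Rebuild exfiltrated bytes from a per-frame brightness trace of the green LED.
Assumed channel (from the write-up): green LED ON = bit 1, OFF = bit 0, each bit
held for a fixed number of frames, bytes sent MSB first.  The trace used below
is CONSTRUCTED from a simulated blink, not taken from the challenge video."""

import random
import re

LED_THRESHOLD = 128   # assumption: mean pixel value above this means the LED is ON
FRAMES_PER_BIT = 3    # assumption: how many consecutive frames one bit is held for

def frames_to_bits(brightness, frames_per_bit=FRAMES_PER_BIT, threshold=LED_THRESHOLD):
    """Threshold every frame, then keep one sample per bit period (its middle frame)."""
    states = [1 if value > threshold else 0 for value in brightness]
    mid = frames_per_bit // 2
    last_start = len(states) - frames_per_bit          # a trailing partial period is ignored
    return "".join(str(states[i + mid]) for i in range(0, last_start + 1, frames_per_bit))

def bits_to_bytes(bits):
    """Pack the bit string into octets; a trailing partial octet is discarded."""
    usable = len(bits) - len(bits) % 8
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))

def bytes_to_frames(data, frames_per_bit=FRAMES_PER_BIT, seed=1):
    """Simulate the camera's view of the blinking as noisy bright/dark frames.
    Only used here to round-trip the decoder against a known input."""
    rng = random.Random(seed)
    bits = "".join(f"{byte:08b}" for byte in data)
    return [rng.randint(200, 255) if bit == "1" else rng.randint(0, 40)
            for bit in bits for _ in range(frames_per_bit)]

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)

def split_pem(text):
    """Split the decoded stream into its PEM files, as (label, block) pairs."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]

def recover(brightness):
    bits = frames_to_bits(brightness)                  # what malicious_output.txt holds
    return bits, bits_to_bytes(bits)                   # what content_decoded.txt holds

# Constructed stand-ins for private.key and root-ca.crt (not real key material).
SAMPLE = (b"-----BEGIN PRIVATE KEY-----\nQUFB\n-----END PRIVATE KEY-----\n"
          b"-----BEGIN CERTIFICATE-----\nQkJC\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    bits, data = recover(bytes_to_frames(SAMPLE))
    for label, block in split_pem(data.decode()):
        print(label, len(block), "chars recovered")
```

With a real capture, the brightness list would come from averaging the pixels inside the green-LED circle for every frame, and FRAMES_PER_BIT from the frame rate and the blink period observed in the video.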
We finally found the flag that we were looking for.
It was a really great challenge where we needed to combine different areas of knowledge to find the flag.
I would like to thank shana for her help during this challenge. It was really fun!
I would say that it didn’t take much time to understand the challenge itself, but it took a bit longer to get a Python script working properly.
I hope this write-up helped you better understand all the aspects of this challenge. If you want to read more write-ups like this one or have any questions, you can find me on Twitter @dropn0w.
Stay curious and keep learning!