---
title: FRIctf{forenzika}
author: DragonSec
patat:
  eval:
    figlet:
      command: figlet
      fragment: false
      replace: true
---
|
2022-10-03 23:08:20 +02:00
|
|
|
|
2022-10-06 18:18:22 +02:00
|
|
|
```figlet
|
|
|
|
FORENZIKA
|
|
|
|
|
|
|
|
FRIctf 2022
|
|
|
|
```
|
|
|
|
---
|
|
|
|
|
2022-10-03 21:33:22 +02:00
|
|
|
```figlet
|
2022-10-03 23:08:20 +02:00
|
|
|
KAJ JE FORENZIKA ?
|
2022-10-03 21:33:22 +02:00
|
|
|
```
|
2022-10-06 18:18:22 +02:00
|
|
|
* Steganografija
|
2022-10-03 23:08:20 +02:00
|
|
|
* Analiza "memory dumpov"
|
|
|
|
* Analiza tcp/udp paketov
|
|
|
|
|
|
|
|
Basically vse kjer je potrebno izlusciti neko skrito informacijo.
|
2022-10-03 21:33:22 +02:00
|
|
|
|
|
|
|
---

```figlet
IMAGE ANALYSIS
```

* First, let's look at the image

```bash
feh images/PXL_20220920_141456208.jpg

# Let's look at the image's innards
carbon :: ctf/2022/frictf_forensics_presentation » hexdump -C images/PXL_20220920_141456208.jpg | head
00000000 ff d8 ff e1 dc 66 45 78 69 66 00 00 49 49 2a 00 |.....fExif..II*.|
00000010 08 00 00 00 0d 00 00 01 03 00 01 00 00 00 d0 0b |................|
00000020 00 00 01 01 03 00 01 00 00 00 c0 0f 00 00 0f 01 |................|
00000030 02 00 07 00 00 00 aa 00 00 00 10 01 02 00 0b 00 |................|
00000040 00 00 b1 00 00 00 12 01 03 00 01 00 00 00 01 00 |................|
00000050 00 00 1a 01 05 00 01 00 00 00 bc 00 00 00 1b 01 |................|
00000060 05 00 01 00 00 00 c4 00 00 00 28 01 03 00 01 00 |..........(.....|
00000070 00 00 02 00 00 00 31 01 02 00 15 00 00 00 cc 00 |......1.........|
00000080 00 00 32 01 02 00 14 00 00 00 e1 00 00 00 13 02 |..2.............|
00000090 03 00 01 00 00 00 01 00 00 00 69 87 04 00 01 00 |..........i.....|
```

---

```figlet
EXIFTOOL
```

* A tool that extracts all the information that an image/video/GIF carries.

```bash
carbon :: ctf/2022/frictf_forensics_presentation » exiftool images/PXL_20220920_141456208.jpg | grep -i Date
File Modification Date/Time : 2022:10:03 22:17:56+02:00
File Access Date/Time : 2022:10:13 16:01:45+02:00
File Inode Change Date/Time : 2022:10:03 22:17:56+02:00
Modify Date : 2022:09:20 16:14:56
Date/Time Original : 2022:09:20 16:14:56
Create Date : 2022:09:20 16:14:56
GPS Date Stamp : 2022:09:20
Profile Date Time : 2016:12:08 09:38:28
Create Date : 2022:09:20 16:14:56.208+02:00
Date/Time Original : 2022:09:20 16:14:56.208+02:00
Modify Date : 2022:09:20 16:14:56.208+02:00
GPS Date/Time : 2022:09:20 14:14:55Z
```

---

```figlet
EXIFTOOL
```

```bash
carbon :: ctf/2022/frictf_forensics_presentation 130 » exiftool images/PXL_20220920_141456208.jpg | grep -i gps
GPS Latitude Ref : North
GPS Longitude Ref : East
GPS Altitude Ref : Above Sea Level
GPS Time Stamp : 14:14:55
GPS Img Direction Ref : Magnetic North
GPS Img Direction : 295
GPS Date Stamp : 2022:09:20
GPS Altitude : 339.1 m Above Sea Level
GPS Date/Time : 2022:09:20 14:14:55Z
GPS Latitude : 46 deg 1' 53.06" N
GPS Longitude : 14 deg 29' 1.37" E
GPS Position : 46 deg 1' 53.06" N, 14 deg 29' 1.37" E
```

---

```figlet
EXIFTOOL
```

```bash
carbon :: ctf/2022/frictf_forensics_presentation » exiftool images/PXL_20220920_141456208.jpg | grep -i Lens
Lens Make : Google
Lens Model : Pixel 4 XL back camera 4.38mm f/1.73
Lens ID : Pixel 4 XL back camera 4.38mm f/1.73
```

---

```figlet
FORENSICS == STRINGS & GREP :-)
```

```bash
carbon :: ctf/2022/frictf_forensics_presentation 1 » exiftool images/PXL_20220920_141456208.jpg | grep -i comment
Comment : ctf{yay_my_first_forensic_flag}
```
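Added example, not part of the original DragonSec slides: a small Python parser showing where exiftool finds what the hexdump and the `grep -i comment` command surfaced. It walks the JPEG segment list, reads the APP1 Exif payload (the `Exif\0\0` and `II*\0` TIFF header visible at offset 6 of the hexdump), decodes the IFD0 entries, and pulls the Comment out of the JPEG COM segment. The sample JPEG bytes, the tag values and the flag string are constructed for this example; only the marker numbers, tag numbers and field types come from the JPEG/TIFF/Exif specs.

```python
import struct

# Tag numbers from the TIFF/Exif spec; only a handful are named here
TAG_NAMES = {
    0x0100: "ImageWidth",
    0x0101: "ImageLength",
    0x010F: "Make",
    0x0110: "Model",
    0x0131: "Software",
    0x0132: "ModifyDate",
    0x8769: "ExifIFDOffset",
    0x8825: "GPSIFDOffset",
}
# Byte size of one element per TIFF field type (BYTE, ASCII, SHORT, LONG, RATIONAL, UNDEFINED)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}


def iter_segments(jpeg: bytes):
    """Yield (marker, payload) for every JPEG segment before the scan data."""
    if jpeg[:2] != b"\xff\xd8":  # SOI: the "ff d8" at offset 0 of the hexdump
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos:#x}")
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or SOS: no metadata segments after this
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])  # length counts itself
        yield marker, jpeg[pos + 4:pos + 2 + length]
        pos += 2 + length


def parse_ifd0(tiff: bytes) -> dict:
    """Decode the first IFD of a TIFF block (the bytes after 'Exif\\0\\0')."""
    endian = {b"II": "<", b"MM": ">"}[tiff[:2]]  # "II*\0" in the hexdump = little-endian
    magic, ifd_off = struct.unpack(endian + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    (count,) = struct.unpack(endian + "H", tiff[ifd_off:ifd_off + 2])
    tags = {}
    for i in range(count):
        e = ifd_off + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        field = tiff[e + 8:e + 12]  # holds the value if it fits in 4 bytes, else an offset
        size = TYPE_SIZES.get(typ, 0) * n
        if size == 0:
            continue
        if size <= 4:
            raw = field[:size]
        else:
            (off,) = struct.unpack(endian + "I", field)
            raw = tiff[off:off + size]
        if typ == 3 and n == 1:
            (val,) = struct.unpack(endian + "H", raw)
        elif typ == 4 and n == 1:
            (val,) = struct.unpack(endian + "I", raw)
        elif typ == 2:
            val = raw.rstrip(b"\x00").decode("ascii", "replace")
        else:
            val = raw  # leave rationals and blobs as raw bytes
        tags[TAG_NAMES.get(tag, f"Tag{tag:#06x}")] = val
    return tags


def extract_metadata(jpeg: bytes) -> dict:
    """Return IFD0 tags from the APP1 Exif segment and the text of the COM segment."""
    out = {"exif": {}, "comment": None}
    for marker, payload in iter_segments(jpeg):
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            out["exif"] = parse_ifd0(payload[6:])
        elif marker == 0xFE:  # COM segment: this is where exiftool's "Comment" comes from
            out["comment"] = payload.decode("latin-1")
    return out


def build_sample_jpeg() -> bytes:
    """Constructed sample: a JPEG header with an Exif IFD0 and a COM segment, no image data."""
    make = b"Google\x00"            # 7 bytes, so it must live outside the 12-byte entry
    data_off = 8 + 2 + 3 * 12 + 4   # TIFF header + entry count + 3 entries + next-IFD pointer
    entries = (
        struct.pack("<HHII", 0x0100, 3, 1, 3024)                # ImageWidth, SHORT stored inline
        + struct.pack("<HHII", 0x0101, 3, 1, 4032)              # ImageLength
        + struct.pack("<HHII", 0x010F, 2, len(make), data_off)  # Make, ASCII reached via offset
    )
    tiff = (b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", 3)
            + entries + struct.pack("<I", 0) + make)
    app1 = b"Exif\x00\x00" + tiff
    comment = b"ctf{constructed_example_flag}"  # constructed for the example, not the CTF's flag
    return (
        b"\xff\xd8"
        + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
        + b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
        + b"\xff\xd9"
    )


if __name__ == "__main__":
    for key, value in extract_metadata(build_sample_jpeg()).items():
        print(key, value)
```

Run it on a real file with `extract_metadata(open(path, "rb").read())`; the SHORT values of the first two entries in the slide's hexdump (`d0 0b` and `c0 0f`) decode the same way to 3024 and 4032.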

---

```figlet
BASE64
```

```bash
carbon :: ctf/2022/frictf_forensics_presentation » echo "Grem na sprehod" | base64
R3JlbSBuYSBzcHJlaG9kCg==
```

```bash
carbon :: ctf/2022/frictf_forensics_presentation » echo R3JlbSBuYSBzcHJlaG9kCg== | base64 -d
Grem na sprehod
```
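Added example, not from the original slides: the decode step turned into a scan over a whole file. A hidden string is often stored base64-encoded somewhere inside a larger blob, so the function below pulls every base64-looking run out of a byte string, tries to decode it, and keeps only the ones whose plaintext contains the flag prefix. The sample blob, the `ctf{...}` string and the `ctf{` prefix are constructed for this example; the `R3JlbSBu...` token is the one from the slide.

```python
import base64
import binascii
import re

# A run of base64 alphabet characters long enough to be worth decoding, optionally
# followed by padding. 16 chars = 12 decoded bytes; shorter runs are mostly noise.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def find_base64_strings(data: bytes, needle: bytes = b"ctf{") -> list:
    """Return (token, plaintext) for every base64 run whose decoding contains needle."""
    hits = []
    for match in B64_RUN.finditer(data):
        token = match.group(0)
        # Re-pad so a token that lost its trailing '=' still decodes; a run whose
        # length is 1 mod 4 can never be valid base64 and is rejected by b64decode.
        padded = token + b"=" * (-len(token) % 4)
        try:
            plain = base64.b64decode(padded, validate=True)
        except (binascii.Error, ValueError):
            continue
        if needle in plain:
            hits.append((token.decode("ascii"), plain.decode("latin-1")))
    return hits


# Constructed sample "file": binary noise, the token from the slide, and a
# constructed flag encoded with base64 and buried in more noise.
SAMPLE_BLOB = (
    b"\xff\xd8\xff\xe1\x00\x10JFIF\x00\x01 some text\n"
    + b"R3JlbSBuYSBzcHJlaG9kCg==\n"  # from the slide: decodes to "Grem na sprehod"
    + b"\x00\x00\x00 Comment=" + base64.b64encode(b"ctf{constructed_base64_flag}")
    + b"\xff\xd9"
)


if __name__ == "__main__":
    for token, plain in find_base64_strings(SAMPLE_BLOB):
        print(token, "->", plain)
```

The slide's token decodes fine but is dropped because its plaintext does not contain `ctf{`; the 16-character minimum is the knob to turn if a real file yields too many false positives or misses a short payload.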

---

```figlet
CYBERCHEF

VOLATILITY
```

---

```figlet
APERISOLVE

WIRESHARK
```

---

```figlet
WORKSHOPS
```

* @Pixel -> memory dump challenge
* @spanskiduh -> packet capture challenge

```figlet
QUESTIONS ?
```