Belkasoft is back with another CTF. This is the fourth one they've done in the past year or so. For this one, competitors were given 24 hours to answer all the questions and were provided trials to Belkasoft X as well as Passware (more on this usage later) if needed. The image was a small Linux machine which isn't my wheelhouse but I got through it okay.
One thing I've come to find doing these is that the answers aren't always straightforward to find; you have to dig deep for them. So let's kick this off and walk through the 9 questions.
Users - 100 points
List all users of the laptop.
Format: username1, username2, username 3
Simple and to the point. Knowing a little about the Linux directory layout (user home directories live under /home), we can navigate to the following path:
/img_BelkaCTF_Kidnapper_Case.E01/vol_vol6/home/
We see two folders, "ivan" and "stanley", so the answer in the requested format was "ivan,stanley". Strictly speaking, /home only lists accounts that were given a home directory; /etc/passwd is the authoritative list of local users, and it is worth checking it for service or hidden accounts before committing to an answer.
Figure 1: Users in the forensic image
Special Web Site - 100 points
What web application was used by the boy to earn his pocket money?
A quick look at the Firefox web history (places.sqlite in the profile) reveals that x-tux-0.web.app had multiple hits, and the site itself shows some interesting items up for sale.
For a question in the "Baby" category, it sure took me way too long to figure this one out. Navigating to the web page above and clicking on a product shows the wallet address.
Figure 3: Product details from x-tux-0.web.app
The Bitcoin wallet address was 1KFHE7w8BhaENAswwryaoccDb6qcT6DbYY.
Passme - 500 points
On which date does the kid's database show the most sales for "Acapulco Gold"?
Format: YYYY-MM-DD
Going through the email messages, there are some conversations with a person named "Tux" under the subject "Sell Database".
Figure 4: Sell Database email from Tux
The attachment was a 10 million password list, which is convenient since we were provided a Passware trial. You can find the password list here. In a follow-up email, Stanley sent the database back to Tux, giving us direct access to the file.
Figure 5: Return DB email from Stanley to Tux
The database file could also be found at the following path on the file system:
/img_BelkaCTF_Kidnapper_Case.E01/vol_vol6/home/stanley/.db/Dec/Monthly_DB.zip
I tried running the 10 million password list as a dictionary attack against Monthly_DB.zip, which I thought would be a surefire hit, but nothing matched. Digging back into the file system for other candidate wordlists, I came across one in Stanley's trash:
/img_BelkaCTF_Kidnapper_Case.E01/vol_vol6/home/stanley/.local/share/Trash/files/trashwords.txt
It was a similar password list, and running it in Passware revealed the zip password: "vondutcemonaheem_gangsta78". Both this password and the trashwords.txt file also turn up in the Thunderbird mail client's local Trash folder:
/img_BelkaCTF_Kidnapper_Case.E01/vol_vol6/home/stanley/.thunderbird/xzyby22m.default-release/Mail/Local Folders/Trash.txt
Figure 6: date_5_2021 file from Monthly_DB.zip
The answer, in the requested format, was "2021-05-12".
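The same dictionary attack without Passware, as an added example (it is not part of the write-up or of Belkasoft's or Passware's tooling): Python's zipfile module can decrypt ZipCrypto-protected entries, so a password list can be run straight against an archive. The archive and the wordlist below are constructed inside the code, and the small ZipCrypto encryptor exists only so the sample archive can be built without an external tool; the only assumption about the real Monthly_DB.zip is that it is a ZipCrypto-protected zip rather than a WinZip AES one.

```python
import io
import struct
import zipfile
import zlib
from typing import Iterable, Optional

# Standard CRC-32 table; PKWARE's traditional cipher updates its keys with it.
_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


class ZipCryptoEncryptor:
    """PKWARE traditional ('ZipCrypto') stream cipher, encrypt direction only.
    Present so this example can build a test archive: Python's zipfile reads
    such entries but cannot write them."""

    def __init__(self, password: bytes):
        self.keys = [0x12345678, 0x23456789, 0x34567890]
        for c in password:
            self._update(c)

    def _update(self, c: int) -> None:
        k = self.keys
        k[0] = (k[0] >> 8) ^ _CRC_TABLE[(k[0] ^ c) & 0xFF]
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = (k[2] >> 8) ^ _CRC_TABLE[(k[2] ^ (k[1] >> 24)) & 0xFF]

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            t = (self.keys[2] | 2) & 0xFFFF
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)  # the key schedule advances on the plaintext byte
        return bytes(out)


def build_encrypted_zip(name: bytes, plaintext: bytes, password: bytes) -> bytes:
    """One stored (uncompressed) entry, general-purpose flag bit 0 set."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    # 12-byte encryption header: 11 filler bytes plus a check byte equal to the
    # high byte of the CRC. A wrong password fails this 1-in-256 check almost
    # always; the CRC over the whole entry catches the rest.
    header = bytes(11) + bytes([(crc >> 24) & 0xFF])
    enc = ZipCryptoEncryptor(password)
    payload = enc.encrypt(header) + enc.encrypt(plaintext)
    mtime, mdate = 0, ((2021 - 1980) << 9) | (12 << 5) | 1  # DOS date 2021-12-01
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, 1, 0, mtime, mdate,
                        crc, len(payload), len(plaintext), len(name), 0) + name
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, 1, 0,
                          mtime, mdate, crc, len(payload), len(plaintext),
                          len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(central), len(local) + len(payload), 0)
    return local + payload + central + eocd


def crack_zip(zip_bytes: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first candidate that decrypts every entry, else None.
    RuntimeError is the check-byte failure; BadZipFile is the CRC failure on a
    check-byte false positive. AES (WinZip) entries raise NotImplementedError,
    which is deliberately left to propagate: this attack only fits ZipCrypto."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        for cand in wordlist:
            cand = cand.rstrip("\r\n")
            try:
                for n in names:
                    zf.read(n, pwd=cand.encode("utf-8"))
            except (RuntimeError, zipfile.BadZipFile):
                continue
            return cand
    return None


def read_entry(zip_bytes: bytes, name: str, password: str) -> bytes:
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name, pwd=password.encode("utf-8"))


# Constructed sample: a tiny archive locked with the password the write-up
# recovered, and a short wordlist that happens to contain it.
SAMPLE_PASSWORD = "vondutcemonaheem_gangsta78"
SAMPLE_ZIP = build_encrypted_zip(b"constructed.txt", b"constructed sample content\n",
                                 SAMPLE_PASSWORD.encode("utf-8"))
SAMPLE_WORDLIST = ["password", "123456", "gangsta78", SAMPLE_PASSWORD, "letmein"]

if __name__ == "__main__":
    print(crack_zip(SAMPLE_ZIP, SAMPLE_WORDLIST))
```

The check byte in the 12-byte encryption header rejects 255 of every 256 wrong passwords before any data is read; the CRC catches the remainder, which is why both RuntimeError and BadZipFile count as misses. For a real 10-million-line list, convert the archive with zip2john and run John the Ripper or hashcat rather than this pure-Python loop, and check the compression method first: WinZip AES entries (method 99) are not ZipCrypto at all and need a different attack.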
Cryptlet - 750 points
What was the other BTC wallet of the victim, which he used to hide his "under the counter" sales from his superior?
I accidentally got this answer ahead of the easier wallet question above while working through the CTF. Exploring the file system in Autopsy, I saw metadata hits for files whose content did not match what their names claimed. They can be found at the following path:
/img_BelkaCTF_Kidnapper_Case.E01/vol_vol6/home/ivan/Documents/.custom/
Each was a PDF renamed to look like some other random file type.
Figure 7: .custom folder files of Invoices
These files were all actually invoices for drugs.
Figure 8: Sample Invoice, Inv.mp4
Two files, "101.bin" and ".Inv.sys", were mangled further. Opening them in the HxD hex editor made it readily apparent that the bytes had been manipulated.
Figure 9: PDF's in HxD, good on left, manipulated on right
You can see two things:
- The PDF header is missing from the file on the right
- The byte order has been swapped (the bytes within each word are reversed)
Copying the manipulated hex into CyberChef, we can fix this quickly with the Swap Endianness operation.
Figure 10: CyberChef recipe
Copying the output back into HxD and adding the proper PDF header (a PDF must begin with the %PDF magic bytes, which is exactly what file-type identification looks for), we can save the new file and open it to see the BTC address we were looking for.
Figure 11: Corrected PDF invoice
The wallet address for the answer was bc1qxy2kgdygjrsqtzq2n0yrf2493p83kkfjhx0wlh.
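The CyberChef fix as a script, added here as an example (it is not the write-up's own tooling): swap the byte order back and re-add the header, but let the code pick the word length by checking which swap exposes PDF syntax instead of eyeballing the hex dump. The 4-byte word length, the "%PDF-1.4" header and the minimal sample PDF are assumptions constructed for the example; the header version of the real invoice may differ.

```python
from typing import Tuple

PDF_HEADER = b"%PDF-1.4\n"                             # assumed; real version may differ
PDF_MARKERS = (b"obj", b"endobj", b"xref", b"%%EOF")  # syntax every PDF body contains
WORD_LENGTHS = (2, 4, 8)


def swap_endianness(data: bytes, word_len: int, pad: bool) -> bytes:
    """Reverse the byte order inside each word. With pad=True a short final
    word is zero-extended first, which is CyberChef's default behaviour."""
    out = bytearray()
    for i in range(0, len(data), word_len):
        word = bytearray(data[i:i + word_len])
        if pad and len(word) < word_len:
            word.extend(bytes(word_len - len(word)))
        out.extend(reversed(word))
    return bytes(out)


def pdf_score(data: bytes) -> int:
    """How much PDF syntax is visible; used to choose the word length."""
    return sum(data.count(m) for m in PDF_MARKERS)


def repair_pdf(mangled: bytes, header: bytes = PDF_HEADER) -> Tuple[bytes, int]:
    """Try each word length, keep the swap that exposes the most PDF syntax,
    drop the padding NULs the original swap introduced, and restore the header.
    Returns (repaired_bytes, word_length); word_length is 0 if no swap helped."""
    best_len, best, best_score = 0, mangled, pdf_score(mangled)
    for wl in WORD_LENGTHS:
        cand = swap_endianness(mangled, wl, pad=False)  # input is already padded
        score = pdf_score(cand)
        if score > best_score:
            best_len, best, best_score = wl, cand, score
    if best_score == 0:
        raise ValueError("no PDF syntax recovered: a different transform was applied")
    if best_len:
        # Padding adds at most word_len-1 NULs, so strip no more than that.
        trailing = len(best) - len(best.rstrip(b"\x00"))
        best = best[:len(best) - min(trailing, best_len - 1)]
    if not best.startswith(b"%PDF"):
        best = header + best
    return best, best_len


# Constructed sample: a minimal but syntactically PDF-shaped document.
SAMPLE_PDF = (b"%PDF-1.4\n"
              b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
              b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
              b"xref\n0 3\ntrailer\n<< /Root 1 0 R /Size 3 >>\n%%EOF\n")


def mangle(pdf: bytes, word_len: int = 4) -> bytes:
    """Constructed attacker transform: strip the header line, swap N-byte words."""
    body = pdf.split(b"\n", 1)[1]
    return swap_endianness(body, word_len, pad=True)


MANGLED = mangle(SAMPLE_PDF)

if __name__ == "__main__":
    fixed, wl = repair_pdf(MANGLED)
    print(wl, fixed == SAMPLE_PDF)
```

Zero-padding is the one subtlety: CyberChef pads a short final word before swapping, so the reversed file gains up to word_len-1 NUL bytes at the end that were never part of the PDF, and repair_pdf strips only that many. If every word length scores zero, the transform was something other than a plain swap and this approach will not recover the file.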
Notipass - 750 points
What is the password to the boy's notes?
This was a two-part question: you had to find the note itself as well as the password for it. Luckily, finding the note was the easy part (sort of). More file system traversal led me to the path:
/img_BelkaCTF_Kidnapper_Case.E01/vol_vol6/home/stanley/Documents/.mynote
Inside were two files, "mynote.odt" and "notes" (no extension). The first had nothing of interest, but the second seemed odd because of the missing extension. Opening it with Microsoft Word prompted for a password, a promising sign that this was what I was supposed to be looking for.
Figure 12: password protected "notes" file
Now to find that password! During my earlier pass through the Autopsy metadata results I had noticed a file called "NOTHING_IMPORTANT_INFO.pdf", which seemed suspicious.
/img_BelkaCTF_Kidnapper_Case.E01/vol_vol6/home/ivan/.info/NOTHING_IMPORTANT_INFO.pdf
Autopsy showed that the PDF carried an embedded attachment called "passwd". Exporting it and opening it in a text editor reveals a blob of interest.
Figure 13: passwd attachment from NOTHING_IMPORTANT_INFO.pdf
When all else fails, run it through CyberChef. Its auto-detection identified the blob as Base32. Decoding it starts to yield readable text, but one more layer of manipulation is needed.
Figure 14: passwd text in CyberChef
Having seen a lot of ciphers in other CTFs, my first guess was ROT13, and that worked right away to reveal the note password.
Figure 15: passwd text in CyberChef with ROT13 added
Trying the password "!mp0rt4nTNot3" on the "notes" file worked.
Figure 16: Snippet of the unlocked "notes" file
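The decoding chain from the passwd blob as a small script, added as an example (not from the write-up): detect and peel the outer encoding, then apply ROT13. The sample blob is constructed by applying the layers in reverse to the recovered password, so it is not the blob from the image. The auto-detection is a printable-ASCII heuristic, an assumption that works for a password but can misfire on binary payloads.

```python
import base64
import binascii
import codecs
import re
import string
from typing import List, Tuple

_PRINTABLE = set(string.printable) - set("\x0b\x0c")


def _looks_like_text(b: bytes) -> bool:
    """Accept a decode only if it produced printable ASCII (heuristic)."""
    try:
        s = b.decode("ascii")
    except UnicodeDecodeError:
        return False
    return bool(s) and all(ch in _PRINTABLE for ch in s)


# Candidate encodings with strict alphabets. Order matters: the Base32
# alphabet is a subset of Base64's, so Base32 is tried first; hex is tried
# before both because a hex decode that yields garbage is rejected cheaply.
_LAYERS = [
    ("hex", re.compile(r"^(?:[0-9A-Fa-f]{2})+$"), binascii.unhexlify),
    ("base32", re.compile(r"^[A-Z2-7]+=*$"), base64.b32decode),
    ("base64", re.compile(r"^[A-Za-z0-9+/]+=*$"),
     lambda s: base64.b64decode(s, validate=True)),
]


def peel(blob: str, max_layers: int = 5) -> Tuple[str, List[str]]:
    """Strip recognised encodings until none applies.
    Returns the innermost text and the names of the layers removed, outermost first."""
    text, layers = blob.strip(), []
    for _ in range(max_layers):
        for name, pattern, decode in _LAYERS:
            if not pattern.match(text):
                continue
            try:
                out = decode(text.encode("ascii"))
            except (binascii.Error, ValueError):
                continue  # alphabet matched but padding/length did not
            if _looks_like_text(out):
                text, layers = out.decode("ascii"), layers + [name]
                break
        else:
            break  # nothing matched: this is the innermost layer
    return text, layers


def rot13(text: str) -> str:
    """ROT13 is its own inverse, so one function serves both directions."""
    return codecs.decode(text, "rot_13")


def recover_password(blob: str) -> str:
    inner, _layers = peel(blob)
    return rot13(inner)


# Constructed sample: ROT13 then Base32, the reverse of the chain the
# write-up peeled off, applied to the password it recovered.
KNOWN_PASSWORD = "!mp0rt4nTNot3"
SAMPLE_BLOB = base64.b32encode(rot13(KNOWN_PASSWORD).encode("ascii")).decode("ascii")

if __name__ == "__main__":
    print(peel(SAMPLE_BLOB), recover_password(SAMPLE_BLOB))
```

The peel step stops on its own once no alphabet matches; ROT13 is applied afterwards because a substitution cipher leaves the text printable and cannot be detected by this heuristic, which is also why the write-up had to guess it.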
Specudio - 1000 points
What is the "secret pin" mentioned in the notes?
At the very end of the unlocked notes file was a "Last Note" entry, cryptic as always.
Figure 17: Last Note entry
The key phrase here is "shark file". Off to scour the file system again; if something looks out of place, it probably is relevant. Inside Ivan's music folder was a PCAPNG file, the packet capture format used by Wireshark (I see what you did there).
/img_BelkaCTF_Kidnapper_Case.E01/vol_vol6/home/ivan/Music/.secs/.secret.pcapng
Opening the file in Wireshark, we can look for packets of interest. There are HTTP GET requests for a file called "vault_secret_code.wav", which seems promising.
Note: I'm a beginner at network forensics so I'm learning as I go here
Figure 18: HTTP GET request
A quick Google search showed how to export files carried over HTTP from a capture:
File > Export Objects > HTTP...
Let's export that .wav file!
Figure 19: Export objects in Wireshark
Opening the .wav in VLC gives only garbled static. This isn't the first time I've heard that, so I knew exactly what to do next: CTF authors often hide text in audio files. Opening the file in Audacity and switching to the Spectrogram view, then zooming out a bit, the text becomes clear. The secret pin was "flag{1257}".
Figure 20: Spectrogram of "vault_secret_code.wav" in Audacity
Ultimatum - 100 points
When did the boy receive a threat?
Flag format: Epoch time
This one was basically already solved when we found the "notes" file. The entry already shows a Unix epoch timestamp, but you have to read the full note to understand what answer they are looking for.
Figure 21: Last Note entry again
The note says it was written 10 minutes after Tux threatened him, so the answer is the note's timestamp minus 10 minutes. Ten minutes is 600 seconds; subtracting that from the timestamp in the note (1637948867) gives 1637948267, which is 2021-11-26 17:37:47 UTC, a quick sanity check that the arithmetic landed where expected.
Whois - 200 points
Who was the kidnapper?
Format: Nickname, email
Another archive turned up in Ivan's .local directory:
/img_BelkaCTF_Kidnapper_Case.E01/vol_vol6/home/ivan/.local/mycon.zip
It was password-protected like many of the others, so I ran Passware against it with the two dictionary lists from earlier to see if anything came up. Sure enough, it cracked almost instantly with the password "1257", which, if you recall, was the secret pin seen earlier.
Inside mycon.zip was another archive, Connections.zip; luckily this one wasn't password-protected. It contained a file called "Sheet1.html" with a full list of names and email addresses. Since Tux was probably the culprit, I did a quick text search.
Figure 22: Sheet1.html contents
We can see the kidnapper was "0x Tux, wixelig493@keagenan.com".
Big thanks to the Belkasoft team for continually putting these out and giving the community a great challenge!