Many forensic blogs suggest XORing the quarantine file to obtain the binary, but in most cases the binary is also split into 4k chunks, each introduced by a data structure starting with 0x09 followed by 4 bytes giving the size of the chunk. I think the Hexacorn blog(1) was the first to point out the existence of such "chunk separators", but Shane King(2) was the one who figured out that the 4 bytes stand for the size of the chunk. Having a file peppered with such chunk headers will ruin your day if you are going to do anything serious with the extracted file (hashing it, disassembling it, or comparing it against a known sample). Since I didn't want to limit the extraction to just PE binaries, I had to figure out some of these structures across the set of samples that I had available.
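To make the chunk layout concrete, here is an added example (my own code, not the extractor from this post nor anything from the blogs cited above) that undoes both transforms on a constructed sample and refuses to hand back a silently truncated binary. It assumes that the 4-byte size is a little-endian count of the payload bytes following the 0x09 marker, that the markers are part of the XORed stream, and that the XOR key is the single byte 0xA5; none of those details are stated on this page, so verify them against a real .VBN before relying on the code.

```python
import hashlib
import struct

CHUNK_MARK = 0x09          # separator byte described in the post
DEFAULT_XOR_KEY = 0xA5     # assumption: single-byte key, not stated on this page
MAX_CHUNK = 4096           # "4k chunks"; used only as a sanity bound


def xor_bytes(data, key=DEFAULT_XOR_KEY):
    """Single-byte XOR; the same call encodes and decodes."""
    return bytes(b ^ key for b in data)


def looks_chunked(decoded):
    """Heuristic: a chunked stream starts with the marker and a plausible size.
    A genuine unchunked file that happens to start with a tab can fool this."""
    if len(decoded) < 5 or decoded[0] != CHUNK_MARK:
        return False
    size = struct.unpack_from("<I", decoded, 1)[0]   # assumed little-endian
    return 0 < size <= MAX_CHUNK and size <= len(decoded) - 5


def dechunk(decoded):
    """Strip every 0x09 + 4-byte size header and return the concatenated
    chunk bodies. Raises on a malformed stream instead of returning a
    truncated binary that would hash and disassemble wrong."""
    out = bytearray()
    pos = 0
    while pos < len(decoded):
        if decoded[pos] != CHUNK_MARK:
            raise ValueError("expected chunk marker at offset %d, got 0x%02x"
                             % (pos, decoded[pos]))
        if pos + 5 > len(decoded):
            raise ValueError("truncated chunk header at offset %d" % pos)
        size = struct.unpack_from("<I", decoded, pos + 1)[0]
        if size == 0 or size > MAX_CHUNK:
            raise ValueError("implausible chunk size %d at offset %d" % (size, pos))
        body = decoded[pos + 5:pos + 5 + size]
        if len(body) != size:
            raise ValueError("truncated chunk body at offset %d" % (pos + 5))
        out += body
        pos += 5 + size
    return bytes(out)


def extract_payload(raw, key=DEFAULT_XOR_KEY):
    """XOR-decode, then dechunk if the stream carries chunk headers.
    Returns (payload, md5 hex digest) so samples can be compared."""
    decoded = xor_bytes(raw, key)
    payload = dechunk(decoded) if looks_chunked(decoded) else decoded
    return payload, hashlib.md5(payload).hexdigest()


def chunk(payload, chunk_size=MAX_CHUNK):
    """Inverse of dechunk; used here only to build the constructed sample."""
    out = bytearray()
    for i in range(0, len(payload), chunk_size):
        piece = payload[i:i + chunk_size]
        out += bytes([CHUNK_MARK]) + struct.pack("<I", len(piece)) + piece
    return bytes(out)


# Constructed sample: a fake 10242-byte "binary" (MZ header plus filler),
# chunked and XOR-encoded the way the text describes. Not a real .VBN file.
SAMPLE_PAYLOAD = b"MZ" + bytes(range(256)) * 40
SAMPLE_BLOB = xor_bytes(chunk(SAMPLE_PAYLOAD))

if __name__ == "__main__":
    payload, digest = extract_payload(SAMPLE_BLOB)
    print(len(SAMPLE_BLOB), "encoded bytes ->", len(payload), "payload bytes, md5", digest)
```

If the dechunked output is much longer than the size recorded for the quarantined file, or a second MZ header shows up in the middle of it, the record holds more than one payload; the MD5 of each piece is the quickest way to tell whether they are duplicates.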
The other day I was almost done with the extraction piece when one of the more anomalous .VBN files turned out to contain two payloads. Luckily, it turned out to be exactly the same binary as the first one; at least the size and MD5 did match.
So the code is available on github:
You can either use it in CRITs or just import it into your own script and save the payload any way you like.
The original Buffalo firmware, while nice, was a major PITA straight from the 90s: almost any config change required a reboot. It turns out that Buffalo sells the WZR-1750DHPD, which is essentially the same hardware shipped with a nicely done DD-WRT firmware, and that it's relatively easy to flash that Buffalo-supported DD-WRT build onto the WZR-1750DHP.
After loading the Buffalo-supported version, the router turns into a far superior device to almost anything I had before. The only con is the lack of external antennas for extended range.
I've been working on improving my Central Quarantine extractor script lately. One of the snags I hit was a stupid bug in the zipfile module in Python 2.x through 3.4.
It has to do with the archive member names not matching between two different places in the file, the local file header and the central directory. When such a mismatch occurs, zipfile simply raises an exception and refuses to extract the files.
This mismatch is actually a consequence of the ZIP format storing each name twice, which is what allows files to be effortlessly renamed without any need to re-pack the various files stored inside the ZIP file.
Since I was making sure that my code runs fine on both Python 2.7.6 and 3.4 the only point of contention was the bastardized zipfile module. The one from 2.7.6 would error out with Python 3.4 and the one from 3.4 would do the same whe running on 2.7.6... I've added a conditional importing, but I've not tested it with other versions of Python...
After jumping through the hoops to ensure that my code runs properly on Python 3.4, I feel much better now that it also works perfectly well with 2.7.6.
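To see exactly what the stock zipfile check trips over, here is an added example (my own code, not the extractor from this post): it builds a small archive in memory, patches the name in the local file header so it no longer matches the central directory entry, shows that the stock module refuses the member, and then walks the central directory by hand, reading each member by offset and trusting only the CRC and sizes rather than the duplicated name. It assumes Python 3 (zipfile.BadZipFile), no Zip64 records, no encryption, and only stored or deflated members.

```python
import io
import struct
import zipfile
import zlib

LFH_SIG = b"PK\x03\x04"   # local file header
CDH_SIG = b"PK\x01\x02"   # central directory header
EOCD_SIG = b"PK\x05\x06"  # end of central directory record


def build_sample_zip(patch_local_name=True):
    """Constructed sample: one deflated member; optionally overwrite the name in
    the local file header (same length) so it differs from the central directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payload.bin", b"MZ" + b"\x90" * 64 + b"quarantined sample")
    data = bytearray(buf.getvalue())
    if patch_local_name:
        assert data[:4] == LFH_SIG                   # first member sits at offset 0
        name_len = struct.unpack_from("<H", data, 26)[0]
        data[30:30 + name_len] = b"renamed.bin"      # 11 bytes, same as "payload.bin"
    return bytes(data)


def stdlib_rejects(data):
    """True if the stock zipfile module raises BadZipFile when reading the
    first member; it does so on the name mismatch discussed above."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        try:
            zf.read(zf.namelist()[0])
        except zipfile.BadZipFile:
            return True
    return False


def lenient_extract(data):
    """Walk the central directory and read each member by offset. Only the CRC
    and sizes are trusted; the duplicated name in the local header is reported
    but never used. Returns {central_dir_name: (bytes, local_header_name)}."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    entries, _cd_size, cd_off = struct.unpack_from("<HII", data, eocd + 10)
    members = {}
    pos = cd_off
    for _ in range(entries):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError("bad central directory header at offset %d" % pos)
        method, crc, csize, usize, nlen, xlen, clen = struct.unpack_from(
            "<H4xIIIHHH", data, pos + 10)
        lho = struct.unpack_from("<I", data, pos + 42)[0]
        cd_name = data[pos + 46:pos + 46 + nlen].decode("utf-8")
        pos += 46 + nlen + xlen + clen

        if data[lho:lho + 4] != LFH_SIG:
            raise ValueError("bad local header for %s at offset %d" % (cd_name, lho))
        lnlen, lxlen = struct.unpack_from("<HH", data, lho + 26)
        local_name = data[lho + 30:lho + 30 + lnlen].decode("utf-8")
        start = lho + 30 + lnlen + lxlen
        raw = data[start:start + csize]
        if method == 0:
            body = raw
        elif method == 8:
            body = zlib.decompress(raw, -15)   # raw deflate stream, no zlib header
        else:
            raise ValueError("unsupported compression method %d for %s" % (method, cd_name))
        if len(body) != usize or zlib.crc32(body) & 0xFFFFFFFF != crc:
            raise ValueError("size/CRC mismatch for %s" % cd_name)
        members[cd_name] = (body, local_name)
    return members


if __name__ == "__main__":
    sample = build_sample_zip()
    print("stdlib rejects patched archive:", stdlib_rejects(sample))
    for name, (body, local_name) in lenient_extract(sample).items():
        print("%s (local header says %r): %d bytes" % (name, local_name, len(body)))
```

The central directory is what every reader consults first, so a tool that renames a member there without touching the local header produces exactly the archive the stock module chokes on; the CRC check is what keeps the lenient reader honest about the bytes it returns.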
I hope you'll enjoy the write-ups as much as I've enjoyed solving the challenges.
Instructions: I read about this once... -- Submit in all lowercase no spaces
$ file ./f3d0c9e33f9479a5109445d6c00f12559ea21e75.txt
./f3d0c9e33f9479a5109445d6c00f12559ea21e75.txt: gzip compressed data, from Unix, last modified: Fri Mar 23 13:06:29 2012
$ cat ./f3d0c9e33f9479a5109445d6c00f12559ea21e75.txt | tar -tzvf -
-rw-r--r-- jdm/jdm 76 2012-03-23 13:04 86d13ae80f15bda5818552afb669f86bb02af9a0
$ cat ./f3d0c9e33f9479a5109445d6c00f12559ea21e75.txt | tar -zxvf -
$ cat 86d13ae80f15bda5818552afb669f86bb02af9a0
DOHA JPWOLY'Z HSALYUHAL UHTL OPKLZ AOL MHJA AOHA PA PUCVSCLZ WSHFPUN JHYKZ?
Running it through a Caesar cipher with an offset of 7 turns it into the following question:
WHAT CIPHER'S ALTERNATE NAME HIDES THE FACT THAT IT INVOLVES PLAYING CARDS?
A quick Googling session reveals the answer.
Instructions: We got the password hashes from a system but don't know what to do with them. -- Crack the passwords and concatenate them alphabetically for the key. Submit in all uppercase, no spaces.
$ file ./2d2cda7a3f0b8f0b292c646f94bf9836073e94db.txt
./2d2cda7a3f0b8f0b292c646f94bf9836073e94db.txt: gzip compressed data, from Unix, last modified: Sat May 5 17:07:27 2012
$ cat 2d2cda7a3f0b8f0b292c646f94bf9836073e94db.txt | tar -zxvf -
$ file 10896c1cb3d61b1c2d65690dc7c0d05e
10896c1cb3d61b1c2d65690dc7c0d05e: ASCII text
$ cat 10896c1cb3d61b1c2d65690dc7c0d05e
Using the invaluable http://www.objectif-securite.ch/en/products.php we can crack the LM hashes in seconds. (LM upper-cases the password and hashes it as two independent 7-character halves, which is why the cracked passwords, and therefore the key, come out in upper case.)
Instructions: Crack the cipher, get the key ------------ The key to the cipher is the answer. Submit the key in all lower case, no spaces
$ file ./17ca6426ac08cef3641a5695667c921af89edb82
./17ca6426ac08cef3641a5695667c921af89edb82: BinHex binary text, version 4.0
$ cat 17ca6426ac08cef3641a5695667c921af89edb82 | hexbin -l
This file is in "hqx" format.
name="809f9232ac55c50317c93753b6099a1d", type= , author= , 1 excess bytes ignored
$ hexbin -s 17ca6426ac08cef3641a5695667c921af89edb82 -u
$ cat 809f9232ac55c50317c93753b6099a1d.text | xxd -r -p
Plugging that into http://smurfoncrack.com/pygenere/pygenere.php and raising the maximum key length it tries to 20 yields a slightly misspelled answer, "INDECIPHERLBLECIPHER" (one column of the frequency analysis picked the wrong shift; the L should be an A).
With the proper key, INDECIPHERABLECIPHER, it decodes to:
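The two classical-cipher steps in these write-ups, the Caesar shift of the first challenge and the Vigenère key recovery that pygenere performs in this one, are reproduced below as an added example that is not part of the original write-ups and not pygenere's code: a Caesar/Vigenère decoder checked against the first challenge's ciphertext as printed above, plus the periodic frequency analysis such tools rely on (chi-squared against English per key column, with the key length chosen by trying every length up to 20 and keeping the shortest one whose decryption scores like English). The letter-frequency table, the sample paragraph and the made-up 5-letter key "GHOST" are constructed for the demonstration and have nothing to do with the challenge.

```python
import string

ALPHA = string.ascii_uppercase
# Relative English letter frequencies in percent, A..Z (standard published
# table, embedded so the example runs offline).
ENGLISH_FREQ = [8.167, 1.492, 2.782, 4.253, 12.702, 2.228, 2.015, 6.094, 6.966,
                0.153, 0.772, 4.025, 2.406, 6.749, 7.507, 1.929, 0.095, 5.987,
                6.327, 9.056, 2.758, 0.978, 2.360, 0.150, 1.974, 0.074]

# The first challenge's ciphertext, exactly as printed on this page.
PAGE_CIPHERTEXT = "DOHA JPWOLY'Z HSALYUHAL UHTL OPKLZ AOL MHJA AOHA PA PUCVSCLZ WSHFPUN JHYKZ?"


def _is_letter(ch):
    return "A" <= ch <= "Z" or "a" <= ch <= "z"


def shift_text(text, shift):
    """Caesar shift by `shift` positions (negative goes backwards); case is
    preserved and non-letters pass through untouched."""
    out = []
    for ch in text:
        if _is_letter(ch):
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def vigenere(text, key, decrypt=False):
    """Vigenere with a letter key; non-letters are kept and do not consume key."""
    key = key.upper()
    out, i = [], 0
    for ch in text:
        if _is_letter(ch):
            k = ord(key[i % len(key)]) - ord("A")
            out.append(shift_text(ch, -k if decrypt else k))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def only_letters(text):
    return [ch for ch in text.upper() if "A" <= ch <= "Z"]


def chi_squared(letters):
    """Distance of the letter histogram from English; lower is more English-like."""
    n = len(letters)
    counts = [0] * 26
    for ch in letters:
        counts[ord(ch) - 65] += 1
    total = 0.0
    for i in range(26):
        expected = ENGLISH_FREQ[i] * n / 100.0
        total += (counts[i] - expected) ** 2 / expected
    return total


def recover_key(ciphertext, key_len):
    """Each of the key_len columns is a plain Caesar cipher: pick, per column,
    the shift whose plaintext looks most like English. Short columns (long
    keys over little ciphertext) are where this picks a wrong letter."""
    letters = only_letters(ciphertext)
    key = ""
    for col in range(key_len):
        column = letters[col::key_len]
        best = min(range(26), key=lambda s: chi_squared(
            [chr((ord(c) - 65 - s) % 26 + 65) for c in column]))
        key += ALPHA[best]
    return key


def guess_key_length(ciphertext, max_len=20):
    """Recover a key for every length up to max_len and keep the shortest
    length whose decryption scores close to the best one; multiples of the
    true length also decrypt correctly, so the shortest wins."""
    scores = {}
    for length in range(1, max_len + 1):
        key = recover_key(ciphertext, length)
        scores[length] = chi_squared(only_letters(vigenere(ciphertext, key, decrypt=True)))
    best = min(scores.values())
    return min(length for length, score in scores.items() if score <= 1.5 * best)


# Constructed sample paragraph and a made-up key for the key-recovery demo.
SAMPLE_PLAINTEXT = (
    "The quarantine folder on the server keeps every file that a client decided was "
    "suspicious. Each record is wrapped in a container that stores the original path, "
    "the time of detection, the name of the signature that fired and the body of the "
    "file itself. An analyst who wants to run the sample in a sandbox or compare its "
    "hash against other sources must recover the original bytes from that container "
    "without damaging them. The body is obfuscated with a simple transform and split "
    "into chunks that carry a small header, so the extraction script has to undo both "
    "steps in the right order and verify the result against the stored hash before "
    "handing the binary to anyone else on the team. Getting this wrong is easy to miss "
    "because the output still looks like a valid program at first glance.")
SAMPLE_KEY = "GHOST"

if __name__ == "__main__":
    print(shift_text(PAGE_CIPHERTEXT, -7))
    ct = vigenere(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    length = guess_key_length(ct)
    print("guessed key length", length, "key", recover_key(ct, length))
```

With a 20-letter key each column gets only a twentieth of the ciphertext letters, so the chi-squared choice for some column can land on a neighbouring shift; that is the mechanism behind the one-letter misspelling pygenere produced above, and it is why the recovered key should always be read as a word rather than pasted in blindly.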
Instructions: Decrypt for the key ---------------------------- answer format is strupr(full unencrypted string)
One can decode it with the Enigma machine simulator at http://startpad.googlecode.com/hg/labs/js/enigma/enigma-sim.html by plugging the ciphertext into the machine with the following settings:
Rotor Start: AAA
Plugboard: AH CK
4d 61 63 68 30 4d 34 6e 20 73 41 89 35 20 30 30 6f 48 20 59 33 61 68
into http://www.sudokuwiki.org/sudoku.htm and clicking on "Solution Count" button gives the flag.
The number one objective is a power-efficient device, since these things will sit there most of the time and contribute to your monthly electricity bill.
A couple of years ago I decided to try the Thecus N2100; it seemed nice and hackable and it had two GigE ports, but it had a really poor I/O subsystem that made it really slow. I was hoping that the bugs could be worked out, but it didn't happen. So, I popped in two WD Green drives (1TB), replaced the internal fan with a quieter one, and upgraded the memory to 512MB. The transfers are still really slow, and the included version of BusyBox is pretty outdated and buggy: if you have filenames with some bad characters in them, or lots of files in a folder, some services such as the Mediabolic media server would just crash. It's real legacy hardware now, the CPU on the unit is plagued with some serious bugs, and the original kernel seems to be much better than most of the others available. I've tried different things with it, but I wanted to keep it fairly stock, so adding the extra modules was the way to go. Eventually I got tired of it and decided to retire it after running it 24/7 for a few months. What I needed was a device with an FTP server and enough storage to serve some content through DLNA and DAAP (iTunes-like).
One day I was looking at Raspberry Pi specs (still waiting for my order to arrive) and noticed a pink Pogoplug on sale for $25. Once I found out that it has a SATA port on the inside, I thought I could use this thing to replace the functionality of my other NAS. In a way this would be a downgrade, from two SATA ports to one, but on the other hand four USB ports and a less power-hungry device with support for Optware seemed like a perfect match, not to mention the initial investment. So I chopped off a little sliver of the back cover to run a 90-degree-angled SATA-to-eSATA cable, and it's almost ready. All I need now is a decent eSATA drive dock or an enclosure.
One of the big selling points for me was the 5GB of free cloud storage, which shows up in the management screen as another drive. I'm trying to keep my ISP costs down, so my link is seriously limited in upstream bandwidth, and I was able to use that cloud storage instead to host my pictures for my family members.
Another great feature is the built-in DLNA media server. It's been pretty stable; one of its shortcomings was that it wouldn't index my small 80GB drive with the movies, but luckily I was still able to find the 5GB of ShmooCon 2012 videos by browsing through the folders.
It goes without saying that the thing lets you turn on the built-in SSH server and mount Optware from a USB drive.
My final solution to the problem became much simpler than the ones listed above: a relatively beefy broadband router with a USB port, a few tiny 32GB flash drives, a USB hub, and OpenWrt. It still has some little issues that I'll have to take time to iron out, but at least it serves a multitude of tasks. So I have there a VPN server, an FTP server, a Samba share, a DLNA media server, and a DAAP (iTunes-compatible) server, and I couldn't be happier with it. It also lets me use Wake-on-LAN to turn on my beefier media server, an HP N40L MicroServer running OpenMediaVault, when needed; that's where I have much more space for my git repositories, family albums, and vacation pictures and videos.