[2015]Forensic_Mandiant

We are given a PDF file. I analyzed it with pdf-parser.
```
root@kali:~/Desktop# pdf-parser --stat mandiant.pdf
Comment: 3
XREF: 1
Trailer: 1
StartXref: 1
Indirect object: 734
355: 2, 1, 5, 16, 14, 48, 50, 9, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 64, 66, 68, 72, 71, 75, 79, 82, 87, 86, 94, 95, 96, 97, 98, 100, 104, 113, 112, 117, 118, 119, 122, 123, 124, 125, 128, 129, 107, 116, 137, 135, 143, 144, 145, 146, 152, 151, 155, 158, 157, 165, 166, 167, 168, 169, 172, 177, 182, 187, 192, 191, 197, 198, 199, 202, 205, 208, 216, 215, 212, 219, 225, 224, 222, 229, 230, 244, 243, 250, 237, 253, 254, 255, 236, 256, 257, 258, 259, 260, 261, 262, 235, 264, 265, 266, 234, 248, 249, 273, 268, 282, 280, 277, 286, 287, 292, 290, 297, 296, 303, 304, 305, 306, 310, 308, 316, 323, 326, 320, 334, 336, 330, 340, 346, 343, 350, 353, 357, 360, 366, 365, 370, 363, 369, 374, 378, 377, 383, 389, 387, 392, 393, 386, 395, 401, 398, 411, 414, 405, 421, 418, 425, 429, 432, 435, 439, 443, 442, 449, 451, 453, 457, 462, 460, 469, 472, 476, 479, 484, 482, 487, 489, 492, 495, 498, 501, 505, 508, 511, 514, 517, 522, 524, 526, 528, 532, 534, 536, 539, 56, 54, 544, 548, 550, 551, 263, 552, 555, 557, 556, 561, 562, 559, 58, 563, 566, 569, 59, 571, 574, 575, 577, 70, 579, 578, 583, 584, 581, 586, 585, 590, 591, 588, 133, 592, 593, 595, 597, 599, 600, 233, 603, 604, 606, 608, 607, 612, 613, 610, 319, 614, 615, 617, 619, 620, 622, 624, 625, 628, 629, 630, 631, 632, 633, 634, 635, 636, 637, 638, 639, 640, 641, 642, 643, 644, 645, 646, 647, 648, 649, 650, 651, 652, 653, 654, 655, 656, 657, 658, 659, 660, 661, 662, 663, 664, 665, 666, 667, 668, 669, 670, 671, 672, 673, 674, 675, 676, 677, 678, 679, 680, 681, 682, 683, 684, 685, 686, 687, 688, 627, 689, 626, 690, 691, 692, 693, 700, 713, 718, 719, 722, 701, 704, 705, 706, 707, 708, 709, 710, 55, 711, 724, 715, 726, 730, 727, 703, 732, 733, 702, 734
/Annot 48: 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 74, 89, 90, 91, 92, 93, 115, 139, 140, 141, 142, 154, 160, 161, 162, 163, 164, 194, 195, 196, 218, 227, 228, 246, 247, 284, 285, 299, 300, 301, 302, 368, 486
/Catalog 1: 699
/Embeddedfile 1: 3
/Encoding 4: 553, 572, 716, 725
/ExtGState 11: 149, 546, 543, 51, 52, 8, 565, 148, 53, 7, 729
/F 1: 4
/Font 59: 121, 127, 10, 12, 13, 558, 60, 61, 63, 77, 580, 78, 587, 111, 108, 109, 110, 213, 214, 223, 240, 241, 242, 238, 239, 269, 270, 271, 272, 278, 279, 291, 309, 315, 314, 609, 321, 322, 332, 333, 344, 345, 364, 388, 399, 400, 406, 407, 408, 409, 410, 419, 420, 448, 468, 521, 531, 62, 11
/FontDescriptor 30: 49, 67, 120, 126, 130, 251, 327, 337, 371, 415, 452, 525, 554, 560, 573, 576, 582, 589, 594, 596, 598, 601, 602, 605, 611, 616, 618, 621, 714, 723
/Group 85: 17, 65, 73, 80, 84, 88, 101, 105, 114, 138, 153, 159, 173, 178, 184, 188, 193, 203, 206, 210, 217, 226, 245, 274, 283, 293, 298, 311, 317, 325, 335, 341, 347, 351, 355, 358, 361, 367, 375, 380, 384, 390, 396, 402, 413, 422, 426, 430, 433, 437, 440, 444, 450, 458, 464, 470, 473, 477, 480, 485, 490, 493, 496, 499, 503, 506, 509, 512, 515, 519, 523, 529, 533, 537, 540, 541, 545, 549, 542, 567, 570, 564, 720, 728, 712
/Mask 3: 547, 568, 717
/Metadata 24: 131, 174, 179, 220, 231, 252, 275, 288, 294, 312, 328, 338, 348, 372, 381, 391, 403, 416, 423, 445, 454, 465, 698, 731
/Outlines 1: 623
/Page 76: 6, 57, 69, 76, 81, 85, 99, 102, 106, 132, 147, 156, 170, 175, 180, 185, 190, 200, 204, 207, 211, 221, 232, 267, 276, 289, 295, 307, 313, 318, 329, 339, 342, 349, 352, 356, 359, 362, 373, 376, 382, 385, 394, 397, 404, 417, 424, 427, 431, 434, 438, 441, 446, 455, 459, 466, 471, 474, 478, 481, 488, 491, 494, 497, 500, 504, 507, 510, 513, 516, 520, 527, 530, 535, 538, 697
/Pages 18: 694, 695, 15, 83, 136, 183, 209, 696, 281, 324, 354, 379, 412, 436, 463, 483, 502, 518
/XObject 17: 103, 134, 150, 171, 176, 181, 189, 186, 201, 331, 428, 447, 456, 461, 467, 475, 721
```
A PDF file is made up of objects. Among these objects, the one that stands out is the single /EmbeddedFile entry. An EmbeddedFile is the object that represents a file attached to (embedded in) the PDF document. I extracted that object.
```
root@kali:~/Desktop# pdf-parser --object 3 --raw --filter mandiant.pdf > out
root@kali:~/Desktop# cat out
obj 3 0
Type: /Embeddedfile
Referencing: 2 0 R, 1 0 R
Contains stream
<<
/Filter /FlateDecode
/Length 2 0 R
/Params 1 0 R
/Type /Embeddedfile
>>
iVBORw0KGgoAAAANSUhEUgAAAmIAAAHTCAYAAACEKHSrAAAgAElEQVR4XuxdB3hTVRtk7RJV7on
HRQou2UVyt57yhJEHAgOwL3Brb/83fjBLeIqOyNbBApe28KpUD33m2S/s97wi2hNslNSbFgvsfY
0tx77jnfOfd87/mmArcWwEHOTjg4ICDAw4OODjg4ICDAw4OXHcOKBxA7Lrz3PFABwccHHBwwMEB
BwccHHBwQHDgChDbsxrITaWLQoooFAqxHcVFRXiw78plUpU4LJCzeQHv4f0dzOM5v38z3itdeKz
DAaD9QsdV1jkQEhwCHz9fCuvGT9PPz9/f92T8KZBGTnZDu4aQMHQkNDERwcbMMdjksdHHBw4N/O
gYyMDMyfP7SDa1iWqF7j7/drbc9ONPyMzH/zYergLENvwEZF782AVCgX4UavV4rvy8vIBiAi
...
...
...
/Z8yZMjn6WgduGKzTl/gPR2x/W2iR4/t4lmb147sChZ/sXRZq8OM4k8RDPG3QlKa/UqOVoRb5W
TdkVgP3DsnHQ9oPv3sb9K6KT36aCfR7ozn2kZYDkgaomC/OAnD8nBec0OnfijTJ58BkxGwM0QtO
Yr9unQ30UKsxIwpS0tPq4Rylt4RaKM43Zg9BKB46IRfgakbWbUBiz8QK6thmtCkffNuI1BdqM9lI
2IKyJpLjkcjY8RevZaBOz8lkkGpncCCODvOSw5zWOf2LGQABBAYAAQnAx6oABwsBAAEhIQEIDMAH
5AAICgGHU/ArAAAFARkIAAAAAAAAAAARFwBzAGUAYwByAGUAdAAuAHQAeAB0AAAAGQQAAAAAFAoB
AABLSvHvFdEBFQYBACAAAAAAAA==
```
The extracted data shows the descriptive text for object 3 followed by a base64-encoded blob.
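To make the object structure concrete, here is an added Python example (not the author's code, and not pdf-parser itself) that does by hand what `pdf-parser --object 3 --raw --filter` does: it enumerates the `N G obj ... endobj` objects, finds the one typed /EmbeddedFile, resolves the indirect `/Length 2 0 R` reference, inflates the FlateDecode stream, and then strips the base64 layer the way `base64 -d` does. The sample PDF is constructed inline; its object numbers and payload are assumptions and are not the challenge file.

```python
import base64
import re
import zlib

# --- Constructed sample PDF (assumption: not the challenge file) ---------------
# One /EmbeddedFile object (number 3) whose stream is FlateDecode-compressed and
# whose /Length is an indirect reference (2 0 R), mirroring the object dumped above.
INNER_FILE = b"\x89PNG\r\n\x1a\n" + b"constructed PNG-like payload"
PAYLOAD_B64 = base64.b64encode(INNER_FILE)        # the stream inflates to base64 text
COMPRESSED = zlib.compress(PAYLOAD_B64)

SAMPLE_PDF = b"".join([
    b"%PDF-1.4\n",
    b"1 0 obj\n<< /Size " + str(len(PAYLOAD_B64)).encode() + b" >>\nendobj\n",
    b"2 0 obj\n" + str(len(COMPRESSED)).encode() + b"\nendobj\n",
    b"3 0 obj\n<< /Type /EmbeddedFile /Filter /FlateDecode /Length 2 0 R /Params 1 0 R >>\n",
    b"stream\n" + COMPRESSED + b"\nendstream\nendobj\n",
    b"4 0 obj\n<< /Type /Catalog >>\nendobj\n",
    b"trailer\n<< /Root 4 0 R >>\n%%EOF\n",
])

# 'N G obj ... endobj'; good enough for an uncompressed object table (assumes the
# binary stream data never contains the literal word 'endobj').
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(.*?)\s*endobj", re.S)


def parse_objects(pdf):
    """Map object number -> raw body between 'N G obj' and 'endobj'."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}


def resolve_length(body, objects):
    """Read /Length, following an indirect reference such as '2 0 R'."""
    m = re.search(rb"/Length\s+(\d+)(?:\s+(\d+)\s+R)?", body)
    if not m:
        return None
    if m.group(2) is not None:               # indirect: the length lives in another object
        target = objects[int(m.group(1))]
        return int(re.match(rb"\s*(\d+)", target).group(1))
    return int(m.group(1))


def extract_stream(body, objects):
    """Return the stream bytes of an object, inflated if /Filter /FlateDecode is set."""
    start = re.search(rb"stream\r?\n", body).end()
    length = resolve_length(body, objects)
    if length is None:                       # fall back to the endstream keyword
        raw = body[start:body.rfind(b"endstream")].rstrip(b"\r\n")
    else:
        raw = body[start:start + length]
    if re.search(rb"/Filter\s*/FlateDecode", body):
        raw = zlib.decompress(raw)           # what pdf-parser's --filter does
    return raw


def find_embedded_files(pdf):
    """List (object number, stream content) for every /EmbeddedFile object."""
    objects = parse_objects(pdf)
    found = []
    for num in sorted(objects):
        body = objects[num]
        if re.search(rb"/Type\s*/EmbeddedFile\b", body, re.I) and b"stream" in body:
            found.append((num, extract_stream(body, objects)))
    return found


def decode_base64_layer(data):
    """Drop whitespace and base64-decode, which is what `base64 -d` did above."""
    return base64.b64decode(b"".join(data.split()))


if __name__ == "__main__":
    for num, content in find_embedded_files(SAMPLE_PDF):
        inner = decode_base64_layer(content)
        print("object", num, "->", len(content), "bytes of base64, decodes to",
              len(inner), "bytes starting with", inner[:4])
```

The real object 3 above additionally carries a `/Params 1 0 R` dictionary; a fuller parser would read it for the original file name and size, which is where an embedded `secret.txt` would normally be declared.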
```
root@kali:~/Desktop# base64 -d < out > out2
root@kali:~/Desktop# file out2
out2: PNG image data, 610 x 467, 8-bit/color RGBA, non-interlaced
root@kali:~/Desktop# mv out2 pic1.png
```
The decoded data is a PNG file. Since it contains no flag, I examined pic1.png in hex.
```
root@kali:~/Desktop# tail pic1.png |xxd
00000000: 86fb de2a 0fef d0f2 617c 7c03 7f3e 4fa5 ...*....a||..>O.
00000010: 1118 1031 61a1 0947 3762 77f7 7a1a 2154 ...1a..G7bw.z.!T
00000020: 2bee e8e1 af5f 4fcf 09d9 21a3 2eb9 cb65 +...._O...!....e
00000030: 0816 71a1 7e25 bdc1 83bc bb1e f96b cf17 ..q.~%.......k..
00000040: 23e6 4f67 b395 6245 74f3 e5c6 0b52 6f65 #.Og..bEt....Roe
00000050: 8bfd a6c5 00b3 8c14 2f3e 6bbb 3166 9a58 ......../>k.1f.X
00000060: b1d0 085b 74ce eaba a57b 1199 8b2a 57eb ...[t....{...*W.
00000070: 7116 da21 75d2 b26c 1b7c 46e7 a96b 745a q..!u..l.|F..ktZ
00000080: ce14 0ea5 5175 7995 3d13 b50e 25d3 af35 ....Quy.=...%..5
00000090: e398 026d 4f0b 1d89 60c0 91b3 447e 32c8 ...mO...`...D~2.
000000a0: ea35 be0d fdbe fe0a beb6 89bd 0f44 a2e4 .5...........D..
000000b0: ad47 da56 22f8 fef1 822f aca2 948c 9013 .G.V"..../......
000000c0: dfa7 f47d db7d 0a3e bafd 7195 6987 0ea8 ...}.}.>..q.i...
000000d0: eff7 5c71 95d3 e01a 0201 a6e4 70a3 4f1f ..\q........p.O.
000000e0: f40a afe4 dd19 1143 3603 e678 dae1 54a1 .......C6..x..T.
000000f0: 6032 c54d c23d dae4 ebf4 d898 cafc e112 `2.M.=..........
00000100: e5d5 73d5 dfde 59a8 af65 ab45 dd27 ab48 ..s...Y..e.E.'.H
00000110: 74d8 1b8d 3e21 d083 f2fc 8db6 bf2b 9056 t...>!.......+.V
00000120: 3782 e505 0b25 2405 91b0 6757 ef25 a8a2 7....%$...gW.%..
00000130: e490 f381 a8ec 762d bb97 9992 9462 e4de ......v-.....b..
00000140: 2569 6a5c 17b3 64b0 2bd2 27bd 1ecb a38d %ij\..d.+.'.....
00000150: 545f 9f05 c3fd 086b 34af 60f9 debb 098c T_.....k4.`.....
00000160: 8390 ec4b 9f60 b4a7 9ddb 266c bebe 2728 ...K.`....&l..'(
00000170: c694 b557 de2a 6ff6 a330 bcb0 f22f fdf0 ...W.*o..0.../..
00000180: 40dd 9398 cbc2 6439 1df5 ec4b e3b9 490b @.....d9...K..I.
00000190: 8803 8b80 d92c ccd3 cf77 5bdd de82 92e3 .....,...w[.....
000001a0: 9d88 ed36 fdf2 a56e 7c57 7b6c 7638 b085 ...6...n|W{lv8..
000001b0: d795 38f9 40fe ee7f f7ce d00b bef6 cbf8 ..8.@...........
000001c0: 7aa6 a139 2f4a 997d ab64 27d4 2af0 2e37 z..9/J.}.d'.*..7
000001d0: a215 903b 2469 f902 9907 e72f 4476 fbe3 ...;$i...../Dv..
000001e0: e010 91fd 4e18 d78e 2501 4d11 7c1c 9dbb ....N...%.M.|...
000001f0: 8497 42f6 e8f9 adc6 e6be dfca c292 d642 ..B............B
00000200: abed 945a 5b17 a373 8f30 fe20 6f11 0a27 ...Z[..s.0. o..'
00000210: 2fcd b22b 5e65 469b 081c 3c5b 8686 2eb2 /..+^eF...<[....
00000220: e33c 9a1f 44e5 be51 30e4 ea9b d836 8367 .<..D..Q0....6.g
00000230: 9e68 7a4f b96c 944b 0f98 2fc4 5faf 5c5c .hzO.l.K../._.\\
00000240: 3c6a 40da b7ce af3d b1b5 a5f0 d0a2 304c <j@....=......0L
00000250: cc48 5884 8cfb 8265 3063 60bf b45e 5942 .HX....e0c`..^YB
00000260: 145d 10c7 8b08 f1d3 3248 1cb6 5c43 6799 .]......2H..\Cg.
00000270: 011d 3c84 713c 8f3f 4686 a039 0b7e 011d ..<.q<.?F..9.~..
00000280: 3895 48b3 0a14 1188 ecca ed87 52ef 340b 8.H.........R.4.
00000290: b7ef 3d6f 6e65 d857 9496 b1b6 fd9f 3264 ..=one.W......2d
000002a0: c8e7 e968 1db8 62b3 4e5f e03d 1db1 fd6d ...h..b.N_.=...m
000002b0: a247 8fed e3e9 666f 5e3b b028 59fe c5d1 .G....fo^;.(Y...
000002c0: 66af 0e33 893e f110 cf1b 7425 29af d4a8 f..3.>....t%)...
000002d0: e568 45be 564d d915 80fd c3b2 71d0 f683 .hE.VM......q...
000002e0: efde c6fd 2ba2 93df a682 7d1e e8ce 7da4 ....+.....}...}.
000002f0: 6580 e481 aa26 0bf3 809c 3f27 05e7 343a e....&....?'..4:
00000300: 77e2 8d32 79f0 1931 1b03 3442 d3be 62bf w..2y..1..4B..b.
00000310: 6e9d 0df4 50ab 3123 0a52 d2d3 eae1 1ca5 n...P.1#.R......
00000320: b784 5a28 ce37 660f 4128 1e3a 2117 e06a ..Z(.7f.A(.:!..j
00000330: 46d6 6d40 62cf c40a ead8 66b4 291f 7cdb F.m@b.....f.).|.
00000340: 88d4 176a 33d9 48d8 82b2 2692 e391 c8d8 ...j3.H...&.....
00000350: f117 af65 a04e cfc9 6490 6a67 7020 8e0e ...e.N..d.jgp ..
00000360: f392 c39c d639 fd8b 1900 0104 0600 0109 .....9..........
00000370: c0c7 aa00 070b 0100 0121 2101 080c c007 .........!!.....
00000380: e400 080a 0187 53f0 2b00 0005 0119 0800 ......S.+.......
00000390: 0000 0000 0000 0011 1700 7300 6500 6300 ..........s.e.c.
000003a0: 7200 6500 7400 2e00 7400 7800 7400 0000 r.e.t...t.x.t...
000003b0: 1904 0000 0000 140a 0100 004b 4af1 ef15 ...........KJ...
000003c0: d101 1506 0100 2000 0000 0000 ...... .....
```
At the very end of the dump the name secret.txt is visible, so I looked further with binwalk. binwalk is a tool that uses file signatures to identify what data is contained inside a file.
```
root@kali:~/Desktop# binwalk pic1.png
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 610 x 467, 8-bit/color RGBA, non-interlaced
41            0x29            Zlib compressed data, compressed
160173        0x271AD         7-zip archive data, version 0.4
```
The output confirms that 7-zip archive data is appended inside the PNG. Next, extract the contents of this 7zip archive.
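binwalk's report is a plain signature scan, and the page does not show how the archive was cut out of the PNG before p7zip ran. The following added Python example (not the page's tooling, and not binwalk) shows both steps on a constructed image: it builds a 1x1 PNG, appends a fake 7-zip header after IEND the way pic1.png carried one, scans for well-known magic bytes, and carves from a reported offset. On the real file the carve call would be `carve(data, 160173)`, the offset binwalk printed above, and the carved bytes would be written to secret.7z for p7zip. The signature table, the 1x1 PNG and the fake archive body are constructed.

```python
import binascii
import struct
import zlib

# Well-known magic bytes; the descriptions are constructed labels for this example.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"\xff\xd8\xff", "JPEG image"),
    (b"7z\xbc\xaf\x27\x1c", "7-zip archive"),
    (b"\x7fELF", "ELF executable"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"\x78\x9c", "zlib compressed data"),   # default-level zlib header
    (b"\x78\xda", "zlib compressed data"),   # best-compression header
    (b"\x78\x01", "zlib compressed data"),   # fastest-compression header
]


def scan_signatures(data):
    """Return sorted (offset, description) hits; a minimal binwalk."""
    hits = []
    for magic, desc in SIGNATURES:
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, desc))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def identify(data):
    """Describe a blob by its leading magic, the way `file` does."""
    for magic, desc in SIGNATURES:
        if data.startswith(magic):
            return desc
    return "data"


def carve(data, offset, length=None):
    """Cut the bytes starting at offset (the dd bs=1 skip=offset equivalent)."""
    end = len(data) if length is None else offset + length
    return data[offset:end]


def png_chunk(ctype, payload):
    """Length + type + payload + CRC32 over type and payload."""
    crc = binascii.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def make_sample_png():
    """Constructed 1x1 RGBA PNG; its IDAT zlib stream starts at offset 41 (8 byte
    signature + 25 byte IHDR chunk + 8 byte IDAT header), matching binwalk's 0x29."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00\xff")   # filter byte + one opaque red pixel
    return (b"\x89PNG\r\n\x1a\n" + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b""))


SAMPLE_PNG = make_sample_png()
HIDDEN_OFFSET = len(SAMPLE_PNG)
# Constructed trailer: a fake 7-zip header appended after IEND, as pic1.png had.
SAMPLE_IMAGE = SAMPLE_PNG + b"7z\xbc\xaf\x27\x1c\x00\x04" + b"constructed archive body"

if __name__ == "__main__":
    for offset, desc in scan_signatures(SAMPLE_IMAGE):
        print("%-8d 0x%-8X %s" % (offset, offset, desc))
    tail = carve(SAMPLE_IMAGE, HIDDEN_OFFSET)
    print("carved", len(tail), "bytes:", identify(tail))
```

A PNG decoder stops at IEND, so anything appended after it survives image viewers untouched; that is why scanning by signature, not by container, finds the archive.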
```
root@kali:~/Desktop# p7zip -d secret.7z
7-Zip (A) [64] 9.20 Copyright (c) 1999-2010 Igor Pavlov 2010-11-18
p7zip Version 9.20 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,2 CPUs)
Processing archive: secret.7z
Extracting secret.txt
Everything is Ok
Size: 58375
Compressed: 204022
```
```
root@kali:~/Desktop# cat secret.txt
/9j/2wBDAAMCAgICAgMCAgIDAwMDBAYEBAQEBAgGBgUGCQgKCgkICQkKDA8MCgsOCwkJDRENDg8Q
EBEQCgwSExIQEw8QEBD/2wBDAQMDAwQDBAgEBAgQCwkLEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQ
EBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBD/wgARCAEbAUEDASIAAhEBAxEB/8QAHQAAAAcBAQEA
AAAAAAAAAAAAAAIDBAUGBwEICf/EABkBAAMBAQEAAAAAAAAAAAAAAAABAgMEBf/aAAwDAQACEAMQ
AAABprPTI7y/WpRPStY6uPFUPaFPqPMKvrFDygl7Hx5nm6O9/eMnvCsfdFfvn8Wm+gVZceI1/oN
FB4UN7uIq8Oym9WsryG9y5g58yj1jms6ZbTfoBUk/GiP0PyJryvFe0cQnXMDfQag1n4376M2sXg
Vx7Slwf76wxGHeA8FrboPNhw8/q6oVitehyep0MxoGkehV8qroemvEWp5tl0
...
...
...
bUFEd2h4azdpYkNoVC9uMkJOZ041V3Q1WGFISUlNNk5EVE1ZbkRZeWU2U2JuVjZiSkZEY3hKVUp2
a1lFWDE1dEZWdUplZGNtY1hXZ0tWa0FFMndqbjRwbHJpcGI4ZUxJZ3hkOEVNOXpRVWptWE1BQUhH
UFBxdURELzN3bVIweTBwUTErNzdXemNOSlQ1OVlPWVVTYkJEYm5rc3FxTDRTVnQ2Q3IwVW9Yd25Q
UG9MWEtoVFZrdEVDbVVCNzMzcmRKMlpzWTZqM1hyNWptaFNsZk1TNTZOU3MyeWhPR29KSmxhQUx3
K0U0OQ0K
```
As expected, secret.txt was extracted, and the file holds base64-encoded text. Decode it once more.
```
root@kali:~/Desktop# base64 -d < secret.txt > out2
root@kali:~/Desktop# file out2
out2: JPEG image data, progressive, precision 8, 321x283, frames 3
root@kali:~/Desktop# mv out2 pic2.jpg
```
This time it is a JPG file. Again, there is no flag in it, so analyze this pic2.jpg file.
```
root@kali:~/Desktop# strings pic2.jpg
xG9
b#o]
Y2EB
V~D
h+Mym
dF=
7aPgy
ec.2
...
...
VVGEC8uGDQuNhhk6FKg0ICF9jVAUS54zurveSzXcwE9MsIHIZPuvP6vrSDgwULy5Kvm/wPe3zxddM4SSPgvWIg==
...
...
ksqqL4SVt6Cr0UoXwnPPoLXKhTVktECmUB733rdJ2ZsY6j3Xr5jmhSlfMS56NSs2yhOGoJJlaALwE49
```
I analyzed it with strings. strings is used to pull printable character sequences out of a binary file. This time two base64-looking sections can be seen in the output, so I decoded each of them.
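Added Python example (not code from the original post) for the strings-then-decode step above: a minimal `strings` equivalent, followed by a filter that picks out runs that look like base64 and decodes them, repairing missing padding as needed for an unpadded run like the second one shown above. The JPEG-like sample bytes and the two hidden payloads are constructed for this example.

```python
import base64
import binascii
import re


def extract_strings(data, min_len=4):
    """Runs of printable ASCII (space..~ plus tab) of at least min_len bytes,
    which is what `strings` prints by default."""
    out = []
    run = bytearray()
    for b in data:
        if 0x20 <= b <= 0x7E or b == 0x09:
            run.append(b)
            continue
        if len(run) >= min_len:
            out.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:
        out.append(run.decode("ascii"))
    return out


# Base64 alphabet only, reasonably long, optional padding.  Short random runs
# such as "xG9" or "7aPgy" above never reach the 20-character threshold.
BASE64_RUN = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")


def base64_candidates(strs):
    """Return (text, decoded bytes) for strings that decode as valid base64.
    Missing '=' padding is added; anything that still fails to decode is skipped."""
    found = []
    for s in strs:
        s = s.strip()
        if not BASE64_RUN.match(s):
            continue
        padded = s + "=" * (-len(s) % 4)
        try:
            found.append((s, base64.b64decode(padded, validate=True)))
        except (binascii.Error, ValueError):
            continue
    return found


# --- Constructed sample: JPEG-like header bytes with two base64 runs embedded ----
HIDDEN = b"constructed hidden payload\n"
SECOND = b"second constructed blob"
B64_TEXT = base64.b64encode(HIDDEN).decode()
B64_NOPAD = base64.b64encode(SECOND).decode().rstrip("=")   # padding stripped on purpose
SAMPLE_JPEG_TAIL = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01"
    + bytes(range(0x80, 0xA0))          # non-printable filler
    + B64_TEXT.encode() + b"\x00\xff"
    + B64_NOPAD.encode() + b"\x00\xff\xd9"
)

if __name__ == "__main__":
    strs = extract_strings(SAMPLE_JPEG_TAIL)
    print("strings:", strs)
    for text, decoded in base64_candidates(strs):
        print(len(text), "chars ->", decoded)
```

Decoding successfully says nothing about whether the result is meaningful: on the page both decoded blobs came back from `file` as plain "data", which is exactly what a candidate that is not the real payload looks like. Pair this with a magic-byte check on each decoded result before spending time on it.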
```
root@kali:~/Desktop# base64 -d < b1 > o1
root@kali:~/Desktop# file o1
o1: data
root@kali:~/Desktop# xxd o1
00000000: 5551 840b cb86 0d0b 8d86 193a 14a8 3420 UQ.........:..4
00000010: 217d 8d50 144b 9e33 babb de4b 35dc c04f !}.P.K.3...K5..O
root@kali:~/Desktop# base64 -d < b2 > o2
root@kali:~/Desktop# file o2
o2: data
root@kali:~/Desktop# xxd o2
00000000: 5d03 7a63 a408 a5fa 1f5b 0f39 ee2e 432b ].zc.....[.9..C
00000010: bd55 57e0 0cc3 7aa4 9797 c906 abc4 4e82 .UW...z.......N.
00000020: 55af 33e6 2831 20ac 164e a8fa 8854 546a U.3.(1 ..N...TTj
00000030: 221b 1e06 8ac6 cede 0057 ef40 223a 9fd1 "........W.@":..
00000040: 2c8d e388 df82 549b 3045 f264 c9b1 a507 ,.....T.0E.d....
00000020: 4cb0 81c8 64fb af3f abeb 4838 3050 bcb9 L...d..?..H80P..
00000030: 2af9 bfc0 f7b7 cf17 5d33 8492 3e0b d622 *.......]3..>.."
...
...
00003440: 9b04 36e7 92ca aa2f 8495 b7a0 abd1 4a17 ..6..../......J.
00003450: c273 cfa0 b5ca 8535 64b4 40a6 501e f7de .s.....5d.@.P...
00003460: b749 d99b 18ea 3dd7 af98 e685 295f 312e .I....=.....)_1.
00003470: 7a35 2b36 ca13 86a0 9265 6802 f0f8 4e3d z5+6.....eh...N=
```
No flag could be found in these two pieces of data either. What I only found out later: pic2.jpg is decrypted with Free File Camouflage, a program for encrypting and decrypting files. That produced an a.out file.
```
root@kali:~/Desktop# file a.out
a.out: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.24, BuildID[sha1]=2e4595f77d1c1c460c3e43fd231f82621e035b90, not stripped
root@kali:~/Desktop# ./a.out
hello world, i found this flag under some bit-maps....
[HAVE A FLAG]
flag{s3v3r4l_l4y3r5_d33p_&_2m4ny_l4yers_w1d3
```

Flag: s3v3r4l_l4y3r5_d33p_&_2m4ny_l4yers_w1d3