Berlian Gabriel

Shakti CTF 2024 Writeup: Forensic and OSINT

It was tiring but rewarding. My duo Chovid99 and I won 1st place at Shakti CTF 2024, playing as Fidethus. We managed to solve all challenges in the Crypto, Web, Pwn, Reverse, and OSINT categories. Competing as a team of two in a competition with no limit on the number of team members is always challenging. Although the prize only goes to the top all-women team, we are very appreciative of the organizers for this unique CTF. That is why we would also like to give back by writing beginner-friendly, easy-to-understand writeups for some of the challenges we solved.

Forensic

Machiavellian

Recovering Skype Chat History from an AD1 File

We were given an .ad1 file, which you can download here. The context: Freddy Mileman, who is working on his research paper, is contacted by someone claiming to be his professor's associate. After opening a file sent by that person, Freddy's computer starts to show signs of being hacked.

Help find the following:

The name of the person that Freddy is trying to contact regarding his research paper.

The submission date of Freddy's research paper that he had specifically noted on his desktop.

The name of the downloaded file that looked suspicious.

Flag Format : shaktictf{fullname_no_space_all_in_small_case:date/month/year/hour/minutes:name_of_the_file_with_extension}

We need FTK Imager (which can be downloaded here) to open an .ad1 file. To open chal.ad1 in FTK Imager, click File > Add Evidence Item > Image File > Browse > choose the location where you stored chal.ad1 > Finish.

Expanding the Evidence Tree, we can browse chal.ad1 just like a copy of Freddy's disk (an AD1 is AccessData's logical image format: it holds files and folders rather than raw sectors, which is why it shows up as a folder tree). The logic here is to explore Freddy's personal files for interesting leads. Looking at the Users folder, there is a non-default folder named mayyoo, which should be Freddy's user folder. What makes this challenge tricky is that some of Freddy's personal files and folders, such as Desktop and Downloads, have been deleted. So we have to find the information through other means.

There is an interesting screenshot located at: \Users\mayyoo\OneDrive\Pictures\Screenshots\2024-02-08.png. The image is a screenshot of Freddy's Desktop, and we can see his sticky notes that serve as a reminder of the submission date of his research paper.

Great! So we now have the 2nd part of the flag, which is 12/03/2024/12/45. Aside from this, there are some clues we can infer from the Desktop screenshot. There is a Skype icon on Freddy's Desktop, so it is likely that Freddy was communicating with that person via Skype.

Additionally, \Users\mayyoo\AppData\Roaming\Microsoft\Windows\Recent, which holds shortcuts to recently used files, contains a shortcut to a Skype chat thread: skypechat&threadId=19ce0b83be831145b0a4c9667d6e4b5ca1@thread.skype&correlationId=57e16fa5-c674-4204-b873-13facbcd120b&origin=launcher.

From these two findings, we can focus our effort on investigating Freddy's Skype chat history, which is located at:

Users\mayyoo\AppData\Local\Packages\Microsoft.SkypeApp_kzf8qxf38zg5c\LocalState\s4l-live%003a.cid.70fc9949a8a59d33.db

To extract the file from FTK Imager, right-click on the file > Export Files... > choose a destination folder. The proper way to open it is with a SQLite database browser, such as this one. However, opening it in a plain text editor like Visual Studio Code also works, since we only need text-based information and SQLite stores TEXT values as plain UTF-8 inside the file. One caveat: if the database is in write-ahead-log mode, the most recent rows may still sit in the accompanying -wal file rather than in the .db itself, so export that file too if it exists.

In the text editor, we can start by searching for the word "Freddy". We can see a conversation between Freddy and someone. Searching for Freddy's last name "Mileman", we find this key message:
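Searching by hand works for one keyword, but a small script does the same job over every table and column, and can also fall back to the raw byte search that a text editor effectively performs. The following is an added example, not code from the original writeup; the Skype database schema is not shown on the page, so the table and column names in the constructed sample are assumptions, and the search deliberately never depends on them:

```python
from __future__ import annotations

import os
import sqlite3
import tempfile

# Constructed sample rows standing in for a Skype message store. The table and
# column names are assumptions for this example; search_sqlite() discovers
# whatever schema the real file has via sqlite_master and never hard-codes them.
SAMPLE_ROWS = [
    ("Freddy Mileman", "Hello professor, could you look at my paper draft?"),
    ("unknown", "Hello.Mr Mileman I am an associate of Prof. Simon Clarke"),
    ("unknown", "Please go through Corrections.docm and make the changes"),
]


def build_sample_db() -> str:
    """Write a small SQLite database to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, author TEXT, content TEXT)")
    con.execute("CREATE TABLE profiles (id INTEGER PRIMARY KEY, display_name TEXT)")
    con.executemany("INSERT INTO messages (author, content) VALUES (?, ?)", SAMPLE_ROWS)
    con.execute("INSERT INTO profiles (display_name) VALUES ('Freddy Mileman')")
    con.commit()
    con.close()
    return path


def search_sqlite(path: str, keyword: str) -> list[tuple[str, str, int, str]]:
    """Case-insensitive substring search of every column of every table.

    Returns (table, column, rowid, value) for each matching TEXT value. The
    database is opened read-only so the evidence file is never modified.
    """
    con = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    hits: list[tuple[str, str, int, str]] = []
    tables = [
        r[0] for r in con.execute(
            "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'"
        )
    ]
    for table in tables:
        q_table = '"' + table.replace('"', '""') + '"'
        columns = [r[1] for r in con.execute(f"PRAGMA table_info({q_table})")]
        for col in columns:
            q_col = '"' + col.replace('"', '""') + '"'
            # typeof() guard: only TEXT values, so numeric columns do not match by coercion.
            rows = con.execute(
                f"SELECT rowid, {q_col} FROM {q_table} "
                f"WHERE typeof({q_col}) = 'text' AND {q_col} LIKE ?",
                (f"%{keyword}%",),
            )
            for rowid, value in rows:
                hits.append((table, col, rowid, value))
    con.close()
    return hits


def raw_scan(path: str, keyword: str) -> list[int]:
    """Byte-level search (case-sensitive), equivalent to opening the file in a text editor.

    Finds text that is still physically present in the file even when it is no
    longer reachable through the schema (e.g. in freed pages), but cannot see
    rows that only exist in a separate -wal file.
    """
    needle = keyword.encode("utf-8")
    with open(path, "rb") as f:
        data = f.read()
    offsets: list[int] = []
    start = 0
    while (i := data.find(needle, start)) != -1:
        offsets.append(i)
        start = i + 1
    return offsets


if __name__ == "__main__":
    db = build_sample_db()
    for hit in search_sqlite(db, "Mileman"):
        print(hit)
    print("raw offsets:", raw_scan(db, "Corrections.docm"))
```

Run the schema-aware search first; if it finds nothing for a keyword that the raw scan does find, the text lives outside the live rows (deleted records or a -wal file), which is itself a finding worth noting.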

"Hello.Mr Mileman I am an associate of Prof. Simon Clarke I was told to give u some suggestions on your report .I shall sent you the corrections in a document please go through it and make the required changes."

It looks like this message was sent by the person pretending to be an associate of Freddy's professor, who then sends malware disguised as a document file, likely via Skype as well.

So, if we follow Freddy's conversation and piece everything together, it seems that Freddy tried to contact his professor, but instead encountered someone he is not familiar with. Since the name of Freddy's professor is revealed in the message above, we get the 1st part of the flag, which is simonclarke.

Since we saw a few Microsoft Word files earlier in \Users\mayyoo\AppData\Roaming\Microsoft\Windows\Recent, we can assume the corrections document sent by this person uses a similar extension. Searching for ".doc", we find this file name:

Corrections.docm

This is the suspicious file that infected Freddy's computer. It makes sense: .docm is the macro-enabled Word document format, and VBA macros are a well-worn way to smuggle malware into a document. Note that the extension is only a hint; a .docx and a .docm are both OOXML zip containers, and what actually matters is whether the container carries a word/vbaProject.bin part.
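A quick structural check for that, as an added example that is not part of the original writeup: it opens an OOXML container, looks for a vbaProject.bin part and for the macro-enabled content types, and reports the result regardless of the file's extension. The two sample containers are constructed in memory (they are not real Word files) so the script runs offline; the real Corrections.docm from the challenge is not reproduced here.

```python
import io
import zipfile

# Content types that only appear in macro-enabled OOXML packages.
MACRO_CONTENT_TYPES = {
    "application/vnd.ms-word.document.macroEnabled.main+xml",  # .docm main document part
    "application/vnd.ms-office.vbaProject",                    # the vbaProject.bin part
}
DOCX_MAIN_TYPE = (
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
)


def inspect_office_container(data: bytes) -> dict:
    """Report macro indicators in an OOXML zip, ignoring the file extension entirely."""
    result = {"is_zip": False, "vba_parts": [], "macro_content_types": [], "has_macros": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not OOXML at all (could be legacy OLE .doc, or not Office)
    with zf:
        result["is_zip"] = True
        names = zf.namelist()
        # The macro storage is a part named vbaProject.bin (normally under word/).
        result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if "[Content_Types].xml" in names:
            ct_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            result["macro_content_types"] = sorted(t for t in MACRO_CONTENT_TYPES if t in ct_xml)
    result["has_macros"] = bool(result["vba_parts"] or result["macro_content_types"])
    return result


def build_sample(with_macros: bool) -> bytes:
    """Constructed minimal OOXML-shaped zip for this example; not a real Word document."""
    main_ct = MACRO_CONTENT_TYPES and (
        "application/vnd.ms-word.document.macroEnabled.main+xml" if with_macros else DOCX_MAIN_TYPE
    )
    overrides = f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
    if with_macros:
        overrides += (
            '<Override PartName="/word/vbaProject.bin" '
            'ContentType="application/vnd.ms-office.vbaProject"/>'
        )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f"{overrides}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Real vbaProject.bin is an OLE compound file; only its magic is reproduced here.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("macro-enabled", True), ("plain", False)):
        print(label, inspect_office_container(build_sample(flag)))
```

On a real sample the next step would be to dump the macro source itself (for example with olevba from the oletools project), but the container check above is enough to confirm that a "document" is macro-bearing before anyone opens it.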

FLAG: shaktictf{simonclarke:12/03/2024/12/45:corrections.docm}

Aqua Gaze

Steganography and LSB on a JPEG file

We were given a zip file, which gives this image file when extracted:

First observation: ~800 KB for a 1920x1080 JPEG seems on the large side. JPEG size depends heavily on the quality setting, so size alone is only a hint, but it might indicate that extra data has been appended to sea.jpeg after the image itself. We can use binwalk to check for embedded file signatures and extract them.

binwalk -e sea.jpeg
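To see what binwalk is doing here, the following added example (not code from the original writeup, and not binwalk's own implementation) walks the JPEG marker structure to find where the image really ends, then looks for ZIP local-file-header signatures in whatever follows. Walking the segments matters because an EXIF thumbnail inside an APP1 segment carries its own SOI/EOI pair, so a naive search for the first FF D9 stops too early. The sample bytes are constructed (a JPEG-shaped stub, not a viewable picture) with a tiny zip appended; the real sea.jpeg is not reproduced.

```python
import io
import zipfile

# Markers that carry no length field: TEM, RST0-RST7 and SOI.
STANDALONE_MARKERS = {0x01} | set(range(0xD0, 0xD9))


def jpeg_end_offset(data: bytes) -> int:
    """Return the offset just past the EOI marker that terminates the JPEG stream."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI: not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:            # EOI: the image ends here
            return pos + 2
        if marker in STANDALONE_MARKERS:
            pos += 2
            continue
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + seg_len            # skips APP1/EXIF (and any thumbnail inside it) as a unit
        if marker == 0xDA:            # SOS: entropy-coded data follows until the next real marker
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                # FF 00 is a stuffed byte and FF D0..D7 are restart markers; both stay in the scan.
                if data[pos] == 0xFF and not (nxt == 0x00 or 0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def find_appended_zip(data: bytes) -> tuple[int, list[int]]:
    """Return (image_end, offsets of 'PK\\x03\\x04' local file headers after the image)."""
    end = jpeg_end_offset(data)
    offsets: list[int] = []
    start = end
    while (i := data.find(b"PK\x03\x04", start)) != -1:
        offsets.append(i)
        start = i + 1
    return end, offsets


def list_appended_zip(data: bytes) -> list[str]:
    """Names inside the first zip found after the image, or [] if nothing is appended."""
    _, offsets = find_appended_zip(data)
    if not offsets:
        return []
    with zipfile.ZipFile(io.BytesIO(data[offsets[0]:])) as zf:
        return zf.namelist()


def build_sample() -> bytes:
    """Constructed JPEG-shaped bytes (not a real picture) with a zip appended after EOI."""
    thumb = b"Exif\x00\x00" + b"\xff\xd8\xff\xd9"                 # fake thumbnail with its own SOI/EOI
    app1 = b"\xff\xe1" + (len(thumb) + 2).to_bytes(2, "big") + thumb
    sos = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"             # SOS header for one component
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"                    # stuffed FF00 and an RST0 inside scan data
    jpeg = b"\xff\xd8" + app1 + sos + scan + b"\xff\xd9"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("hidden.txt", "constructed payload")
    return jpeg + buf.getvalue()


if __name__ == "__main__":
    sample = build_sample()
    end, offsets = find_appended_zip(sample)
    print(f"image ends at {end}, {len(sample) - end} trailing bytes, zip headers at {offsets}")
    print("naive first FF D9 would end at", sample.find(b"\xff\xd9") + 2)
    print("appended archive contains", list_appended_zip(sample))
```

binwalk's signature scan is broader (it matches many file types anywhere in the file, not only after the image), but the "trailing bytes after EOI" number is the cheapest single check to run on a suspiciously large JPEG.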

It turns out a file named 7D353.zip is hidden inside, containing artofeye.jpg. The zip is password protected, but it can be cracked with John the Ripper as follows:

zip2john 7D353.zip > zip.hash
john zip.hash

The zip cracking finished quickly and the password was found to be angel1. Upon unzipping, there is another image file, artofeye.jpg. Looking at the size, ~300 KB for a 1470x980 JPEG seems about right. Checking with ExifTool and inspecting the file in a hex editor, nothing seems out of place. So it is time to move on to the next step, which is LSB steganography. The Least Significant Bit (LSB) method hides a message by replacing the lowest (rightmost) bit of each sample in the cover file with one bit of the message; each sample changes by at most one, which is invisible to the eye. For a JPEG, pixel-level LSB would not survive the lossy compression, so tools like jsteg apply the same bit replacement to the image's DCT coefficients instead. Since this is a JPEG, we can use jsteg to try to extract hidden information from artofeye.jpg.
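The bit manipulation itself is simple enough to show in full. The following is an added example written for this writeup (it is not jsteg's code and does not reproduce jsteg's exact coefficient selection): it embeds a length-prefixed message into the least significant bit of each sample of a cover buffer and extracts it again. The cover is a constructed array of byte-sized samples standing in for pixel values or quantized DCT coefficients; the message is likewise made up for the example.

```python
from __future__ import annotations


def _bits(payload: bytes):
    """Yield the bits of payload, most significant bit of each byte first."""
    for byte in payload:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def lsb_capacity(cover: bytes) -> int:
    """Payload bytes that fit: one bit per sample, minus the 4-byte length header."""
    return len(cover) // 8 - 4


def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Write a 4-byte big-endian length followed by message into the LSBs of cover."""
    if len(message) > lsb_capacity(cover):
        raise ValueError(f"message of {len(message)} bytes exceeds capacity {lsb_capacity(cover)}")
    payload = len(message).to_bytes(4, "big") + message
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit   # clear the low bit, then set it to the message bit
    return bytes(stego)


def extract_lsb(stego: bytes) -> bytes:
    """Read the length header from the first 32 samples, then that many message bytes."""
    def read(n_bytes: int, sample_offset: int) -> bytes:
        out = bytearray()
        for b in range(n_bytes):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[sample_offset + b * 8 + k] & 1)
            out.append(value)
        return bytes(out)

    length = int.from_bytes(read(4, 0), "big")
    if length > lsb_capacity(stego):
        raise ValueError("length header exceeds cover capacity: not an LSB payload or wrong layout")
    return read(length, 32)


def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Largest per-sample difference introduced by embedding (expected to be 0 or 1)."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed cover: 2048 byte-sized samples with a simple varying pattern.
COVER = bytes((i * 37) % 256 for i in range(2048))
MESSAGE = b"constructed secret: th3_r3d_s34"


if __name__ == "__main__":
    stego = embed_lsb(COVER, MESSAGE)
    print("capacity:", lsb_capacity(COVER), "bytes")
    print("max change per sample:", max_sample_change(COVER, stego))
    print("recovered:", extract_lsb(stego))
```

The length header is what lets the extractor stop at the right place; jsteg's reveal command does the equivalent bookkeeping over the JPEG's coefficients, which is why a plain `jsteg reveal` on the image yields the embedded text without any size hint from the user.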

jsteg installation

sudo wget -O /usr/bin/jsteg https://github.com/lukechampine/jsteg/releases/download/v0.1.0/jsteg-linux-amd64
sudo chmod +x /usr/bin/jsteg
sudo wget -O /usr/bin/slink https://github.com/lukechampine/jsteg/releases/download/v0.2.0/slink-linux-amd64
sudo chmod +x /usr/bin/slink

Using jsteg

jsteg reveal artofeye.jpg

Bingo! The output is a lengthy, readable story about the art of the eye, but none of the story is needed to find the flag. Looking carefully through the text, there is a base64-encoded string:

c2hha3RpY3Rme3RoM19yM2RfczM0XzRuZF90aDNfNHJ0X29mXzN5M18xc19sb29rMW5nX2cwMGR9

Base64-decoding it gives the flag.

FLAG: shaktictf{th3_r3d_s34_4nd_th3_4rt_of_3y3_1s_look1ng_g00d}


OSINT

Ocean_Enigma

Tricks for getting accurate answers from Gemini quickly in OSINT challenges

In this OSINT challenge, I want to demonstrate that Gemini Advanced can actually be pretty good at solving image-based OSINT challenges (probably due to its Google Image Search integration). We were given this image and needed to find some information, namely:

  • Who is the individual from the crew that has previously sailed with the captain of the ship?
  • What was the name of the Captain's close friend from the crew that found the abandoned ship?
  • In the logbook, the captain noted the sighting of land, describing it as an island. What is the name of this enigmatic island?
  • What was the original name of the ship shown in the image?

Using Gemini Advanced, we were able to shorten the time needed to solve this OSINT challenge considerably.

1st Prompt - Identifying the image

what is this image all about
[upload the ship.jpg to Gemini Advanced chat]

2nd Prompt - Asking the CTF questions

these questions are from CTF OSINT challenge
1)Who is the individual from crew has previously sailed with the captain of the ship?
2)What was the name of Captain's close friend from the crew that found the abandoned ship?
3)In the logbook, the captain noted the sighting of land, describing it as an island.What is the name of this enigmatic island?
4)What was the original name of the ship shown in the image?

it is about the Mary Celeste

Gemini's response was followed by some guidelines on how to research the answers ourselves. We can see that Gemini is reluctant to give answers, because it is not sure of their validity. To extract answers from Gemini, the trick is to ask for possible answers instead of asking for the definitive answer right away.

3rd Prompt - Rewording the request

give me a few possible answers for each question that you are in doubt

However, the flag crafted from Gemini's answers was still wrong, so some of the answers must be incorrect.

4th Prompt - Identifying Gemini’s Misunderstanding

Looking at the answers and reasoning for questions 1 to 4, we can immediately see that Gemini's answer to the 2nd question indicates that it misunderstood the question.

2) What was the name of Captain's close friend from the crew that found the abandoned ship?

Oliver Deveau: Deveau was the first mate on the Dei Gratia, the ship that discovered the Mary Celeste. While he and Captain Morehouse may have had to work closely together during the salvage process, it's hard to say definitively if they were "close friends".

It seems that Gemini thought we were asking who the close friend of the captain of the crew that found the Mary Celeste was. This is partly due to the ambiguous wording of the 2nd question in the CTF challenge. A better phrasing would be: who is the close friend of the captain of the Mary Celeste, who was also part of the crew that found the abandoned ship? Since we know that the ship whose crew found the abandoned Mary Celeste was the Dei Gratia, we can try this prompt to get the answer we need:

Out of the crew of Dei Gratia, who is the most likely to be close friend with the captain of Mary Celeste?

So, here are the final answers:

1)Who is the individual from crew has previously sailed with the captain of the ship?
Albert G. Richardson

2)What was the name of Captain's close friend from the crew that found the abandoned ship?
David Morehouse

3)In the logbook, the captain noted the sighting of land, describing it as an island.What is the name of this enigmatic island?
Santa Maria

4)What was the original name of the ship shown in the image?
Amazon

Do note that you might get different answers or behavior from Gemini, due to the non-deterministic nature of LLMs. Treat its output as a lead to confirm against a primary source (here, the published accounts of the Mary Celeste), not as the answer itself; the wrong first flag above is exactly what happens when that step is skipped.

FLAG: shaktictf{Albert_G_Richardson:David_Morehouse:Santa_Maria:Amazon}


Social Media

Thanks for reading! Follow me on Twitter and LinkedIn