Salaheldin

March 14, 2019

Lethal ForensicELFication Cranberry Pi terminal challenge

Hint Challenge @ The 2018 SANS Holiday Hack Challenge [ Kringlecon ]

CTF Writeup

📍 Tangle Coalbox is on the 2nd floor: go right in the corridor to the Speaker Unpreparedness Room.

Hi, I’m Tangle Coalbox.

Any chance you can help me with an investigation?

Elf Resources assigned me to look into a case, but it seems to require digital forensic skills.

Do you know anything about Linux terminal editors and digital traces they leave behind?

Apparently editors can leave traces of data behind,

but where and how escapes me!


Vim Artifacts > Forensic Relevance of Vim Artifacts

https://tm4n6.com/2017/11/15/forensic-relevance-of-vim-artifacts/



1- First, let’s try this command from the hint link to look for forensically relevant Vim artifacts:
cat .viminfo

The .viminfo file is a special file that Vim uses to remember information that would otherwise be lost when exiting. You can copy the text to a notepad for a clearer view.


2- As you can see, all of this information was collected by the Vim editor. Inspecting the results reveals some clues:

  • In Last Substitute Search Pattern there is a name: Elinore
  • In Command Line History, the command wq was used to save the file and exit, along with these substitutions:
    %s/Elinore/NEVERMORE/g
    s/God/fates/gc
    %s/studied/looking/g
    %s/sound/tenor/g
  • The poem file location: .secrets/her/poem.txt

3- You can view the poem file using this command:

cat .secrets/her/poem.txt


4- All clues lead to an elf named Elinore. Let’s enter the name into runtoanswer:
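
The artifacts read by hand in steps 1 to 3 can also be extracted programmatically. The following Python is an added example, not part of the original writeup or the challenge: the sample text is constructed in .viminfo layout from the values reported above (the "~/" path prefix and the "|2,..." timestamp line are assumptions), and parse_viminfo and substitutions are hypothetical helper names.

```python
import re

# Constructed sample in .viminfo layout (Vim 8 style), filled with the values
# this writeup reports; the "|2,..." timestamp and "~/" prefix are made up.
SAMPLE = """\
# Last Substitute Search Pattern:
~MSle0~&Elinore
# Last Substitute String:
$NEVERMORE
# Command Line History (newest to oldest):
:wq
|2,0,1536000000,,"wq"
:%s/Elinore/NEVERMORE/g
:s/God/fates/gc
:%s/studied/looking/g
:%s/sound/tenor/g
# File marks:
'0  1  0  ~/.secrets/her/poem.txt
"""

PATTERN_RE = re.compile(r"^~[MmSsLlEe]{4}-?\d+~?([/&])(.*)$")
FILEMARK_RE = re.compile(r"^'[0-9A-Z]\s+\d+\s+\d+\s+(.+)$")
# Only the common "/" delimiter is handled; an optional range such as % is allowed.
SUB_RE = re.compile(r"^(?:%|\d+(?:,\d+)?)?s/([^/]*)/([^/]*)/(\w*)$")

def parse_viminfo(text):
    """Pull out the entries an examiner usually reads first."""
    found = {"commands": [], "sub_pattern": None, "sub_string": None, "files": []}
    for line in text.splitlines():
        if line.startswith(":"):            # command-line history, newest first
            found["commands"].append(line[1:])
        elif line.startswith("$"):          # last substitute replacement string
            found["sub_string"] = line[1:]
        elif (m := PATTERN_RE.match(line)) and m.group(1) == "&":
            found["sub_pattern"] = m.group(2)   # "&" marks the substitute pattern
        elif m := FILEMARK_RE.match(line):  # files that were open in the editor
            found["files"].append(m.group(1))
        # "#" comment lines and "|" (versioned duplicate) lines are ignored
    return found

def substitutions(commands):
    """Return (old, new, flags) for each :s command, oldest first."""
    hits = [m.groups() for c in commands if (m := SUB_RE.match(c))]
    return hits[::-1]

if __name__ == "__main__":
    info = parse_viminfo(SAMPLE)
    print("files:", info["files"])
    for old, new, flags in substitutions(info["commands"]):
        print(f"replaced {old!r} with {new!r} (flags: {flags})")
```

The "old" side of each substitution is text that no longer appears in the edited file, which is why the command history matters to an examiner even when the file itself has been rewritten.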




Hey, thanks for the help with the investigation, gumshoe.

Have you been able to solve the lock with the funny shapes?

It reminds me of something called “de Bruijn Sequences.”

You can optimize the guesses because there is no start and stop -- each new value is added to the end and the first is removed.

I’ve even seen de Bruijn sequence generators online.

Here the length of the alphabet is 4 (only 4 buttons) and the length of the PIN is 4 as well.

Mathematically this is k=4, n=4 to generate the de Bruijn sequence.

Math is like your notepad and pencil - can’t leave home without it!

I heard Alabaster lost his badge! That’s pretty bad. What do you think someone could do with that?


Opening a Ford Lock Code > Opening a Ford with a Robot and the de Bruijn Sequence:

https://hackaday.com/2018/06/18/opening-a-ford-with-a-robot-and-the-de-bruijn-sequence/

de Bruijn Sequence Generator:

http://www.hakank.org/comb/debruijn.cgi