Hackover CTF 2016 - thecard writeup

Posted at — Oct 10, 2016

Okay, this has been a simple one, but worth describing nevertheless.

We’ve got presumably an SD card image, thecard.img, which isn’t readily mountable or susceptible to binwalk, so let’s strings it and see what’s in there:

(ctf)tr@karabut.com:~/work/hackover16/thecard$ strings thecard.img | head 
htree_dirblock_to_tree
htree_dirblock_to_tree
lost+found
............
        Af      Af
        |U      |U
G%      G%      8
H       pT      pT      i
+       G%      G%
        =:      =:     

Hmm, what does that remind me of? Let’s google htree_dirblock_to_tree:

Googling it a bit wrong

Alright, so it’s probably a broken ext4 image. Soooo let’s just fix it:

(ctf)tr@karabut.com:~/work/hackover16/thecard$ sudo fsck.ext4 thecard.img
e2fsck 1.42.9 (4-Feb-2014)
thecard.img: recovering journal
thecard.img contains a file system with errors, check forced.
Pass 1: Checking inodes, blocks, and sizes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Unattached inode 13
Connect to /lost+found<y>? yes
Inode 13 ref count is 2, should be 1.  Fix<y>? yes
Unattached inode 14
Connect to /lost+found<y>? yes
Inode 14 ref count is 2, should be 1.  Fix<y>? yes
Unattached inode 15
Connect to /lost+found<y>? yes
Inode 15 ref count is 2, should be 1.  Fix<y>? yes
Unattached inode 16
Connect to /lost+found<y>? yes
Inode 16 ref count is 2, should be 1.  Fix<y>? yes
Pass 5: Checking group summary information

thecard.img: ***** FILE SYSTEM WAS MODIFIED *****
thecard.img: 16/4096 files (0.0% non-contiguous), 14504/16384 blocks

And mount it:

(ctf)tr@karabut.com:~/work/hackover16/thecard$ sudo mount -o loop thecard.img /mnt/tmp/

And list it:

(ctf)tr@karabut.com:~/work/hackover16/thecard$ ls /mnt/tmp
lost+found
(ctf)tr@karabut.com:~/work/hackover16/thecard$ sudo ls /mnt/tmp/lost+found/
#13  #14  #15  #16
(ctf)tr@karabut.com:~/work/hackover16/thecard$ sudo file /mnt/tmp/lost+found/#1{3,4,5,6}
/mnt/tmp/lost+found/#13: RIFF (little-endian) data, WAVE audio, Microsoft PCM, 24 bit, stereo 44100 Hz
/mnt/tmp/lost+found/#14: data
/mnt/tmp/lost+found/#15: data
/mnt/tmp/lost+found/#16: data

The wav file is just some grunts and noises, but what’s in the unidentified files?

(ctf)tr@karabut.com:~/work/hackover16/thecard$ sudo hd /mnt/tmp/lost+found/#14 | head
00000000  00 d8 ff e0 00 10 4a 46  49 46 00 01 01 01 00 48  |......JFIF.....H|
00000010  00 48 00 00 ff db 00 43  00 03 02 02 02 02 02 03  |.H.....C........|
00000020  02 02 02 03 03 03 03 04  06 04 04 04 04 04 08 06  |................|
00000030  06 05 06 09 08 0a 0a 09  08 09 09 0a 0c 0f 0c 0a  |................|
00000040  0b 0e 0b 09 09 0d 11 0d  0e 0f 10 10 11 10 0a 0c  |................|
00000050  12 13 12 10 13 0f 10 10  10 ff db 00 43 01 03 03  |............C...|
00000060  03 04 03 04 08 04 04 08  10 0b 09 0b 10 10 10 10  |................|
00000070  10 10 10 10 10 10 10 10  10 10 10 10 10 10 10 10  |................|
*
00000090  10 10 10 10 10 10 10 10  10 10 10 10 10 10 ff c2  |................|
(ctf)tr@karabut.com:~/work/hackover16/thecard$ sudo hd /mnt/tmp/lost+found/#15 | head
00000000  00 d8 ff e0 00 10 4a 46  49 46 00 01 01 00 00 01  |......JFIF......|
00000010  00 01 00 00 ff db 00 43  00 03 02 02 02 02 02 03  |.......C........|
00000020  02 02 02 03 03 03 03 04  06 04 04 04 04 04 08 06  |................|
00000030  06 05 06 09 08 0a 0a 09  08 09 09 0a 0c 0f 0c 0a  |................|
00000040  0b 0e 0b 09 09 0d 11 0d  0e 0f 10 10 11 10 0a 0c  |................|
00000050  12 13 12 10 13 0f 10 10  10 ff db 00 43 01 03 03  |............C...|
00000060  03 04 03 04 08 04 04 08  10 0b 09 0b 10 10 10 10  |................|
00000070  10 10 10 10 10 10 10 10  10 10 10 10 10 10 10 10  |................|
*
00000090  10 10 10 10 10 10 10 10  10 10 10 10 10 10 ff c0  |................|
(ctf)tr@karabut.com:~/work/hackover16/thecard$ sudo hd /mnt/tmp/lost+found/#16 | head
00000000  00 d8 ff e0 00 10 4a 46  49 46 00 01 01 00 00 01  |......JFIF......|
00000010  00 01 00 00 ff db 00 43  00 03 02 02 02 02 02 03  |.......C........|
00000020  02 02 02 03 03 03 03 04  06 04 04 04 04 04 08 06  |................|
00000030  06 05 06 09 08 0a 0a 09  08 09 09 0a 0c 0f 0c 0a  |................|
00000040  0b 0e 0b 09 09 0d 11 0d  0e 0f 10 10 11 10 0a 0c  |................|
00000050  12 13 12 10 13 0f 10 10  10 ff db 00 43 01 03 03  |............C...|
00000060  03 04 03 04 08 04 04 08  10 0b 09 0b 10 10 10 10  |................|
00000070  10 10 10 10 10 10 10 10  10 10 10 10 10 10 10 10  |................|
*
00000090  10 10 10 10 10 10 10 10  10 10 10 10 10 10 ff c0  |................|

Hmm, so they are JPEGs with the first byte (the 0xff of the SOI marker) nulled out. Let’s fix that now, with a bit of bash-fu to show off:

(ctf)tr@karabut.com:~/work/hackover16/thecard$ sudo cp /mnt/tmp/lost+found/#1{4,5,6} .
(ctf)tr@karabut.com:~/work/hackover16/thecard$ rename "s/#(\d\d)/\$1\.jpg/" *
(ctf)tr@karabut.com:~/work/hackover16/thecard$ for i in {14,15,16}; do echo -e -n "\xff" > $i-fixed.jpg; tail -c +2 $i.jpg >> $i-fixed.jpg; done
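A more careful version of that last step, as an added example that is not part of the original writeup: it only patches files whose bytes 1..3 and the JFIF tag still match the dumps above, so a file that really is just "data" is left untouched, and it uses printf instead of echo -e so it also works under plain sh. The input directory and the `<name>-fixed.jpg` naming are assumed from the commands above.

```shell
#!/bin/sh
# Added example (not from the original writeup): repair JFIF JPEGs whose
# first byte (the 0xff of the ff d8 SOI marker) was overwritten, but only
# when the rest of the header still matches, so unrelated files are skipped.

# Print the first <nbytes> of <file> as lowercase hex with no separators.
hex_head() {  # hex_head <file> <nbytes>
    od -An -tx1 -N "$2" "$1" | tr -d ' \n'
}

# Succeed only for a damaged header: byte 0 is not ff, bytes 1..3 are
# d8 ff e0 (rest of SOI + APP0 marker), bytes 6..9 spell "JFIF".
is_damaged_jfif() {  # is_damaged_jfif <file>
    case "$(hex_head "$1" 10)" in
        ff*) return 1 ;;                    # SOI intact, nothing to do
        ??d8ffe0????4a464946) return 0 ;;   # ?? d8 ff e0 xx xx J F I F
        *) return 1 ;;                      # not a JFIF header at all
    esac
}

# Write <in> to <out> with byte 0 replaced by 0xff; <in> is left untouched.
fix_soi() {  # fix_soi <in> <out>
    is_damaged_jfif "$1" || return 1
    { printf '\377'; tail -c +2 "$1"; } > "$2"
}

# Repair every damaged file in <dir>, writing <name>-fixed.jpg beside it
# (the leading '#' of lost+found names is dropped, as in the rename above).
fix_dir() {  # fix_dir <dir>
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        n=$(basename "$f" | tr -d '#')
        fix_soi "$f" "$1/$n-fixed.jpg" && echo "fixed: $f -> $1/$n-fixed.jpg"
    done
    return 0
}
```

Run it as `fix_dir /path/to/copied/lost+found`, then confirm with `file *-fixed.jpg` that the outputs are now recognised as JPEG image data.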

Hmm

Hmmm. Okay, we’re done here.