Longbottoms Locker - Hack The Box Challenge
Pre-start
Once extracted you'll see 3 files: index.html, neville.gif and socute.jpg.
Opening index.html shows a webpage that asks for a password.
Nothing else is given, so the password must be hidden somewhere in the two images. We'll inspect the jpg and gif files to see what they contain beyond the picture.
Steganography
Using binwalk we can scan an image for embedded file signatures, and with -e carve out anything it finds. Note that a carved zip is only unpacked if it is not password-protected; an encrypted archive is still carved, but you have to crack or supply the password yourself.
binwalk neville.gif
Output:
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 GIF image data, version "89a", 244 x 244
It's a plain GIF with nothing appended, so the gif is a dead end.
binwalk -e socute.jpg
Output:
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
97465 0x17CB9 Zip archive data, at least v2.0 to extract, name: donotshare
99087 0x1830F Zip archive data, at least v1.0 to extract, name: __MACOSX/
99142 0x18346 Zip archive data, at least v2.0 to extract, name: __MACOSX/._donotshare
99574 0x184F6 End of Zip archive, footer length: 22
Nice, there's a zip archive appended to the JPEG at offset 0x17CB9 (the picture itself ends before that). Extracting it gives a donotshare file and a ._donotshare file inside a __MACOSX directory; binwalk also keeps the carved archive itself as 17CB9.zip:
└─# ls -lRa
.:
total 24
drwxr-xr-x 3 root root 4096 abr 14 01:51 .
drwxr-xr-x 3 shockz shockz 4096 abr 14 01:51 ..
-rw-r--r-- 1 root root 2131 abr 14 01:51 17CB9.zip
-rw-r--r-- 1 root root 7787 jun 14 2018 donotshare
drwxrwxr-x 2 root root 4096 jul 7 2018 __MACOSX
./__MACOSX:
total 12
drwxrwxr-x 2 root root 4096 jul 7 2018 .
drwxr-xr-x 3 root root 4096 abr 14 01:51 ..
-rw-r--r-- 1 root root 212 jun 14 2018 ._donotshare
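What binwalk did above is signature scanning plus carving. The following script, added here as an illustration and not part of the challenge or of binwalk, does the same job for the one case that matters here, a zip archive glued onto the end of a JPEG, and also reports whether the carved entries are password-protected (the caveat from the steganography section). The JPEG and zip it works on are constructed in memory, so the offsets it prints are for that sample, not for socute.jpg; the entry name donotshare is reused from the challenge only as sample data.

```python
#!/usr/bin/env python3
"""Find and carve a ZIP archive appended to a JPEG, as binwalk -e did for socute.jpg.

Added example for this writeup, not the challenge's or binwalk's code. The JPEG
and the ZIP below are constructed in memory so it runs offline.
"""
import io
import struct
import zipfile

JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
ZIP_LOCAL_HEADER = b"PK\x03\x04"
ZIP_EOCD = b"PK\x05\x06"   # End Of Central Directory record, always last in a ZIP


def build_sample(name: str, payload: bytes) -> bytes:
    """Constructed input: a minimal JFIF header followed by a ZIP, like socute.jpg."""
    # SOI, one APP0/JFIF segment (its length field counts itself: 2 + 14 bytes), EOI.
    # Not a viewable picture, just enough structure for the carver to work on.
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01" + b"\x00" * 7
    jpeg = JPEG_SOI + app0 + JPEG_EOI
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return jpeg + buf.getvalue()


def find_appended_zip(data: bytes):
    """Return (offset, zip_bytes) for a ZIP glued after the image, or None.

    Instead of scanning for 'PK\\x03\\x04' (which can occur by chance inside
    JPEG entropy-coded data), locate the EOCD record at the end and use its
    central-directory size/offset fields: a ZIP that was simply appended keeps
    its offsets relative to its own first byte, so start = eocd - cd_size - cd_offset.
    """
    eocd = data.rfind(ZIP_EOCD)
    if eocd == -1 or eocd + 22 > len(data):
        return None
    # EOCD layout: cd_size at +12 (4 bytes), cd_offset at +16 (4), comment length at +20 (2)
    cd_size, cd_offset, comment_len = struct.unpack_from("<IIH", data, eocd + 12)
    start = eocd - cd_size - cd_offset
    if start < 0 or data[start:start + 4] != ZIP_LOCAL_HEADER:
        return None
    end = eocd + 22 + comment_len
    return start, data[start:end]


def list_entries(zip_bytes: bytes):
    """(name, uncompressed size, encrypted?) per entry. Bit 0 of the general-purpose
    flags is the PKZIP encryption flag, i.e. the 'has a password' case from the text."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [(i.filename, i.file_size, bool(i.flag_bits & 0x1)) for i in zf.infolist()]


if __name__ == "__main__":
    sample = build_sample("donotshare", b"constructed payload")
    found = find_appended_zip(sample)
    if found is None:
        print("no appended ZIP")
    else:
        off, zb = found
        print(f"ZIP archive at decimal {off} / hex {off:#x}, {len(zb)} bytes")
        for name, size, enc in list_entries(zb):
            print(f"  {name}: {size} bytes{' (encrypted, needs password)' if enc else ''}")
```

To run it against the real file, replace the constructed sample with `open('socute.jpg', 'rb').read()`; the EOCD arithmetic works for any archive that was concatenated onto another file without its offsets being rewritten, which is exactly the situation binwalk reported.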
The next step is to analyze the two donotshare files, starting with ._donotshare:
strings ._donotshare
Output:
Mac OS X
ATTR
com.apple.quarantine
q/0081;5b4065ff;Chrome;85F952B7-6DAB-46A2-8DCE-1AAA047401B0
This is not a program. ._donotshare is an AppleDouble sidecar file: when a macOS user zips a folder with Finder, the extended attributes of each file are stored in a matching ._ file under __MACOSX. The com.apple.quarantine attribute only records that donotshare was downloaded with Chrome on a Mac (the hex field is a timestamp consistent with the July 2018 dates in the listing); it tells us nothing about the file's contents, so we can ignore it.
Let's look at the donotshare file itself:
strings donotshare | head -10
Output:
(lp1
(lp2
(S' '
I163
aa(lp4
(S' '
a(S'.'
a(S'd'
a(S'8'
a(S'b'
Unpickling
After seeing a pattern in the strings and searching the internet, I got a clue from someone saying "unpickle the data", so I made a script to unpickle the data from the file.
The strings are in fact Python pickle protocol 0 opcodes: (l opens a list (p1, p2 store it in the memo), S'...' is a string, I163 an integer and a appends to the list below, so the file is a list of rows, each row a list of (character, count) pairs.
#!/usr/bin/env python3
import pickle

# donotshare is a protocol-0 pickle of a list of rows; each row is a sequence of
# (character, run_length) pairs, i.e. run-length-encoded ASCII art.
# pickle.load() executes whatever the pickle tells it to, so only do this with a
# file you have already inspected (e.g. with `python3 -m pickletools donotshare`).
with open('donotshare', 'rb') as f:
    rows = pickle.load(f)

for row in rows:
    b = []
    for x in row:
        b.append(x[0] * x[1])   # repeat the character run_length times
    print(''.join(b))
Running the script and zooming out, we can see the password to the initial webpage rendered as ASCII art:
└─# ./unpicke.py
.d8888b. d888 888 .d8888b. d8888 888b 888 8888888b. .d8888b. 888888888 888888888 888 888
d88P Y88b d8888 888 d88P Y88b d8P888 8888b 888 888 Y88b d88P Y88b 888 888 888 888
888 888 888 888 888 888 d8P 888 88888b 888 888 888 888 888 888 888 888 888
888 888 888 888 .d88888 888 888 888 888 d8P 888 888Y88b 888 888 d88P 888 888 8888888b. 8888888b. 888 888 88888b.d88b.
888 88888 888 888 888 d88" 888 888 888 888 888 d88 888 888 Y88b888 8888888P" 888 888 "Y88b "Y88b 888 888 888 "888 "88b
888 888 888 888 888 888 888 888 888 888888 Y88 88P 8888888888 888 Y88888 888888 888 T88b 888 888 888 888 888 888 888 888 888
Y88b d88P Y88b 888 888 Y88b 888 Y88b d88P Y8bd8P 888 888 Y8888 888 T88b Y88b d88P Y88b d88P Y88b d88P Y88b. .d88P 888 888 888
"Y8888P88 "Y88888 8888888 "Y88888 "Y8888P" Y88P 888 888 Y888 888 T88b "Y8888P" "Y8888P" "Y8888P" "Y88888P" 888 888 888
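The script above trusts the file completely: pickle.load() will import and call any function a pickle names, and a file handed to you in a challenge called donotshare is exactly the kind of input that deserves a look before it is deserialized. The following script, added here and not part of the original writeup, shows the safer workflow: disassemble the opcodes with pickletools without executing anything, load through an Unpickler that refuses every GLOBAL import, and then render the same (character, count) row format the writeup's script decodes. The sample pickle is built by hand in protocol 0 with the S' string opcode so it looks like the strings output above; the hostile sample is a constructed pickle that would run a shell command if loaded with plain pickle.load().

```python
#!/usr/bin/env python3
"""Inspect and safely decode a run-length ASCII-art pickle like donotshare.

Added example, not the writeup's own script. Both pickles below are constructed.
"""
import io
import pickle
import pickletools


def make_sample() -> bytes:
    """Constructed stand-in for donotshare: a list of rows, each a list of
    (char, run_length) tuples, hand-written in protocol 0 so the S'...' and I
    opcodes match what `strings donotshare` showed (Python 2 wrote the original)."""
    rows = [[(" ", 2), ("#", 3)], [("#", 1), (" ", 1), ("#", 1)]]
    out = bytearray(b"(l")                      # MARK, LIST: outer list of rows
    for row in rows:
        out += b"(l"                            # MARK, LIST: one row
        for ch, n in row:
            # MARK, STRING, INT, TUPLE builds (ch, n); APPEND adds it to the row
            out += b"(S'%s'\nI%d\nta" % (ch.encode(), n)
        out += b"a"                             # APPEND the row to the outer list
    out += b"."                                 # STOP
    return bytes(out)


# Constructed hostile pickle: GLOBAL os.system, a one-tuple argument, REDUCE.
# Plain pickle.loads() would execute the command; nothing here runs it.
HOSTILE = b"cos\nsystem\n(S'echo pwned'\ntR."


def opcode_names(data: bytes) -> list:
    """Disassemble without executing: pickletools.genops only parses the stream."""
    return [op.name for op, _arg, _pos in pickletools.genops(data)]


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse GLOBAL/STACK_GLOBAL, so no callable can be imported, let alone called.
    Pure data (lists, tuples, strings, ints) needs no imports and still loads."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refused to import {module}.{name}")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_refused(data: bytes) -> bool:
    """True if the restricted loader rejects the pickle."""
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return True
    return False


def render(rows) -> list:
    """Expand each row's (char, count) pairs into one text line, as the writeup's
    script does with x[0] * x[1]."""
    return ["".join(ch * n for ch, n in row) for row in rows]


if __name__ == "__main__":
    sample = make_sample()
    print("opcodes:", " ".join(opcode_names(sample)))
    for line in render(safe_load(sample)):
        print(line)
    print("hostile opcodes:", " ".join(opcode_names(HOSTILE)))
    print("hostile refused:", is_refused(HOSTILE))
```

The disassembly step is the one to run first on a real file: if the opcode list contains GLOBAL, STACK_GLOBAL, REDUCE or BUILD, the pickle wants to construct objects, not just data, and should not go near pickle.load() at all.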
Now just enter the password in the password box and you'll get the flag.