Game 32
The challenge text, as given:

> You got a USB image of terrorist from the National Police Agency. A beginner made a USB image wrong, So your PC couldn't recognize it. You should fix a USB image and prevent next terror.
>
> Q1 : What is modified date/time of the file which contains next terror plan. (UTC+9)
>
> Q2 : Where is the next terror target.
>
> Auth Key = lowercase(MD5(YYYY-MM-DD_HH:MM:SS_place)
>
> example) lowercase(MD5(2016-03-28_13:00:00_Pink Lake)
```text
❯ file 'USB_Image(SuNiNaTaS)'
USB_Image(SuNiNaTaS): DOS/MBR boot sector, code offset 0x58+2, OEM-ID "MSDOS5.0", sectors/cluster 8, reserved sectors 4480, Media descriptor 0xf8, sectors/track 63, heads 255, hidden sectors 2, sectors 1908096 (volumes > 32 MB), FAT (32 bit), sectors/FAT 1856, serial number 0xde96e00a, unlabeled
❯ fsstat -f fat32 usb
Invalid magic value (Error: sector size (4352) is not a multiple of device size (512) Do you have a disk image instead of a partition image?)
```
Reference for the FSInfo sector layout, taken from forensics.wiki:
FAT32 FSInfo sector structure

| Name | Offset | Size | Description |
|---|---|---|---|
| FSI_LeadSig | 0 | 4 bytes | Lead signature: fixed value 0x41615252. Used to validate that this really is an FSInfo sector. |
| FSI_Reserved1 | 4 | 480 bytes | Reserved field 1: reserved for future expansion. Initialized to 0 when formatting; must not be used at present. |
| FSI_StrucSig | 484 | 4 bytes | Structure signature: fixed value 0x61417272. A second, local signature closer to the actual data fields. |
| FSI_Free_Count | 488 | 4 bytes | Free cluster count: the last known number of free clusters on the volume. 0xFFFFFFFF means unknown and the count must be recomputed. |
| FSI_Nxt_Free | 492 | 4 bytes | Next free cluster hint: where the driver starts looking for free clusters. If 0xFFFFFFFF, the driver should start searching from cluster 2. |
| FSI_Reserved2 | 496 | 12 bytes | Reserved field 2: likewise reserved for expansion; must be initialized to 0. |
| FSI_TrailSig | 508 | 4 bytes | Trail signature: fixed value 0xAA550000. Note that the high 2 bytes (offsets 510-511) match the signature of sector 0. |
Remember that these fields are stored little-endian, so 0x41615252 appears on disk as the bytes 52 52 61 41 (`RRaA`).
```text
❯ xxd usb | head -n 70
00000000: eb58 904d 5344 4f53 352e 3000 0208 8011  .X.MSDOS5.0.....
00000010: 0200 0000 00f8 0000 3f00 ff00 0200 0000  ........?.......
00000020: 801d 1d00 4007 0000 0000 0000 0200 0000  ....@...........
00000030: 0100 0600 0000 0000 0000 0000 0000 0000  ................
00000040: 8000 290a e096 de4e 4f20 4e41 4d45 2020  ..)....NO NAME  
00000050: 2020 4641 5433 3220 2020 33c9 8ed1 bcf4    FAT32   3.....
00000060: 7b8e c18e d9bd 007c 884e 028a 5640 b441  {......|.N..V@.A
00000070: bbaa 55cd 1372 1081 fb55 aa75 0af6 c101  ..U..r...U.u....
00000080: 7405 fe46 02eb ff81 c300 0266 4049 7594  t..F.......f@Iu.
00000090: c342 4f4f 544d 4752 2020 2020 0000 0000  .BOOTMGR    ....
000000a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000d0: 0000 0000 0d0a 5265 6d6f 7665 2064 6973  ......Remove dis
000000e0: 6b73 206f 7220 6f74 6865 7220 6d65 6469  ks or other medi
000000f0: 612e ff0d 0a44 6973 6b20 6572 726f 72ff  a....Disk error.
00000100: 0d0a 5072 6573 7320 616e 7920 6b65 7920  ..Press any key 
00000110: 746f 2072 6573 7461 7274 0d0a 0000 0000  to restart......
00000120: 00ac cbd8 0000 55aa 5252 6141 0000 0000  ......U.RRaA....
...
```

The boot sector signature 0x55AA sits at offset 0x126 and the FSInfo sector (`RRaA`) starts right after it at 0x128, so the first sector is 216 bytes short.
ImHex works well for this, by the way.
Insert 0x00 bytes (right-click menu -> Insert) until 0x55AA sits at 0x1fe-0x1ff:

```text
❯ xxd USB_Image\(SuNiNaTaS\) | head -n 70
00000000: eb58 904d 5344 4f53 352e 3000 0208 8011  .X.MSDOS5.0.....
00000010: 0200 0000 00f8 0000 3f00 ff00 0200 0000  ........?.......
00000020: 801d 1d00 4007 0000 0000 0000 0200 0000  ....@...........
00000030: 0100 0600 0000 0000 0000 0000 0000 0000  ................
00000040: 8000 290a e096 de4e 4f20 4e41 4d45 2020  ..)....NO NAME  
00000050: 2020 4641 5433 3220 2020 33c9 8ed1 bcf4    FAT32   3.....
00000060: 7b8e c18e d9bd 007c 884e 028a 5640 b441  {......|.N..V@.A
00000070: bbaa 55cd 1372 1081 fb55 aa75 0af6 c101  ..U..r...U.u....
00000080: 7405 fe46 02eb ff81 c300 0266 4049 7594  t..F.......f@Iu.
00000090: c342 4f4f 544d 4752 2020 2020 0000 0000  .BOOTMGR    ....
000000a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000d0: 0000 0000 0d0a 5265 6d6f 7665 2064 6973  ......Remove dis
000000e0: 6b73 206f 7220 6f74 6865 7220 6d65 6469  ks or other medi
000000f0: 612e ff0d 0a44 6973 6b20 6572 726f 72ff  a....Disk error.
00000100: 0d0a 5072 6573 7320 616e 7920 6b65 7920  ..Press any key 
00000110: 746f 2072 6573 7461 7274 0d0a 0000 0000  to restart......
00000120: 00ac cbd8 0000 0000 0000 0000 0000 0000  ................
00000130: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000140: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000150: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000160: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000170: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000180: 0000 0000 0000 0000 0000 0000 0000 0000  ................
00000190: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001a0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001b0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001c0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001d0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000001f0: 0000 0000 0000 0000 0000 0000 0000 55aa  ..............U.
00000200: 5252 6141 0000 0000 0000 0000 0000 0000  RRaA............
❯ fsstat -f fat32 USB_Image\(SuNiNaTaS\)
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: FAT32

OEM Name: MSDOS5.0
Volume ID: 0xde96e00a
Volume Label (Boot Sector): NO NAME
Volume Label (Root Directory): NO NAME
File System Type Label: FAT32
Next Free Sector (FS Info): 17568
Free Sector Count (FS Info): 1890528
...
```
The FAT32 file system is now recognized.
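As an added example (not part of the writeup), the same repair done programmatically: it checks the boot-sector and FSInfo signatures from the table above and re-pads a truncated boot sector so that 0x55AA ends at 0x1FF and the FSInfo sector starts at 0x200. The sample image bytes are constructed inline; the function and constant names are my own.

```python
import struct

# Fixed signatures, as the little-endian byte sequences they occupy on disk.
BOOT_SIG = b"\x55\xaa"            # boot sector signature at offset 510-511
FSI_LEAD = b"RRaA"                # FSI_LeadSig  0x41615252
FSI_STRUC = b"rrAa"               # FSI_StrucSig 0x61417272
FSI_TRAIL = b"\x00\x00\x55\xaa"   # FSI_TrailSig 0xAA550000


def check_fat32_header(img: bytes) -> dict:
    """Report which boot-sector and FSInfo signatures sit where the spec expects."""
    bps = struct.unpack_from("<H", img, 11)[0]          # BPB_BytsPerSec
    fsi = struct.unpack_from("<H", img, 48)[0] * bps    # BPB_FSInfo sector -> byte offset
    return {
        "bytes_per_sector": bps,
        "boot_sig_ok": img[510:512] == BOOT_SIG,
        "fsi_lead_ok": img[fsi:fsi + 4] == FSI_LEAD,
        "fsi_struc_ok": img[fsi + 484:fsi + 488] == FSI_STRUC,
        "fsi_trail_ok": img[fsi + 508:fsi + 512] == FSI_TRAIL,
    }


def repair_truncated_boot_sector(img: bytes) -> bytes:
    """Re-pad a boot sector whose tail was cut out, so 0x55AA ends at 0x1FF and
    the FSInfo sector that follows starts at 0x200 (the ImHex insert, automated)."""
    lead = img.find(FSI_LEAD, 0, 1024)       # "RRaA" should open sector 1
    if lead < 0 or img[lead - 2:lead] != BOOT_SIG:
        raise ValueError("no boot signature directly before FSI_LeadSig")
    sig_at = lead - 2
    if sig_at == 510:
        return img                            # already well formed
    if sig_at > 510:
        raise ValueError("signature beyond sector 0; not a truncation")
    return img[:sig_at] + b"\x00" * (510 - sig_at) + img[sig_at:]


def build_sample() -> tuple:
    """Constructed sample: a minimal well-formed boot sector + FSInfo sector, and the
    same bytes with 216 zero bytes removed before 0x55AA, mirroring the challenge image."""
    boot = bytearray(512)
    boot[3:11] = b"MSDOS5.0"
    struct.pack_into("<H", boot, 11, 512)     # bytes per sector
    struct.pack_into("<H", boot, 48, 1)       # FSInfo lives in sector 1
    boot[510:512] = BOOT_SIG
    fsinfo = bytearray(512)
    fsinfo[0:4] = FSI_LEAD
    fsinfo[484:488] = FSI_STRUC
    struct.pack_into("<II", fsinfo, 488, 0xFFFFFFFF, 0xFFFFFFFF)  # counts unknown
    fsinfo[508:512] = FSI_TRAIL
    good = bytes(boot + fsinfo)
    broken = good[:0x126] + good[0x1FE:]      # 0x55AA now lands at 0x126, RRaA at 0x128
    return good, broken
```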
The Sleuth Kit does the rest, by the way.
```text
❯ fls -r -p USB_Image\(SuNiNaTaS\) | grep -v "Orphan"
...
r/r 15:	Terrorism Report-2013-North Korea.pdf
r/r 19:	Terrorism Report-2013-South Korea.pdf
...
❯ icat USB_Image\(SuNiNaTaS\) 15 > "Terrorism Report-2013-North Korea.pdf"
❯ icat USB_Image\(SuNiNaTaS\) 19 > "Terrorism Report-2013-South Korea.pdf"
❯ icat USB_Image\(SuNiNaTaS\) 11 > tero.hwp
```
Entry `r/r 11: 2차 테러 계획.hwp` is the interesting one; the name translates to "Second terror plan.hwp".
```text
❯ icat USB_Image\(SuNiNaTaS\) 11 > tero.hwp
❯ istat USB_Image\(SuNiNaTaS\) 11
Directory Entry: 11
Allocated
File Attributes: File, Archive
Size: 9728
Name: 2^^^^~1.HWP

Directory Entry Times:
Written:	2016-05-30 02:44:02 (CST)   <-
Accessed:	2016-05-30 00:00:00 (CST)
Created:	2016-05-30 02:50:41 (CST)

Sectors:
17368 17369 17370 17371 17372 17373 17374 17375
17368 17369 17370 17371 17372 17373 17374 17375
17376 17377 17378 17379 17380 17381 17382 17383
17384 17385 17386 17387 0 0 0 0
```
An HWP file (Hangul Word Processor) is a proprietary document format developed by Hancom Inc. and used primarily in South Korea. It is the standard word processing format for Korean government, academic, and business documents, akin to Microsoft Word's .docx but designed for the Hangul script.
Opening HWP and HWPX files requires readers that can handle these formats, and few word processors can. Among the accessible options is ONLYOFFICE Desktop Editors; since its version 8.3, working with these files has become easier.
The document's contents (Korean), as extracted:

```text
2차 테러 계획
일 자   2016 – 07 – 15
시 간   09 : 00 : 00
장 소   Rose Park
```

Translation: Second terror plan. Date: 2016-07-15. Time: 09:00:00. Place: Rose Park.
Answers:

- Q1: modified date/time of the file containing the next terror plan (UTC+9): 2016-05-30 11:44:02 ???
- Q2: next terror target: Rose Park
- Auth Key = lowercase(MD5(YYYY-MM-DD_HH:MM:SS_place)), so the input string is `2016-05-30_11:44:02_Rose Park`

```text
8ce84f2f0568e3c70665167d44e53c2a
```