Task: coor coor (misc – 400)
Let’s start by identifying the Operating System profile:
Let’s take a screenshot to see what the user was doing:
The user was running something inside VirtualBox; let’s keep digging:
So the user was running a VirtualBox machine (business2.vdi) stored inside an encrypted TrueCrypt container (secret.tc). That is why we used psxview to list the processes earlier: the lower offsets belong to the host, and the higher ones (after 0x7b760da0) belong to the guest OS. So what was he doing?
The host 18.104.22.168 (yodawg.9447.plumbing) happened to be an IRC server with only one active channel: #9447ctf. We can carve some Pidgin logs using foremost:
Private conversations are not logged by default when Pidgin is used with the OTR plugin, but a couple of OTR-encrypted messages are still visible in the memory dump:
Because of perfect forward secrecy, compromising the long-term private key does not expose past conversations. All I had was the long-term signing key (otr.private_key), and that key is never used to encrypt conversations: it only authenticates the ephemeral Diffie-Hellman exchange from which the session keys are derived. I still needed to recover the short-term encryption keys from memory. I got stuck at this stage and spent the whole night trying to figure out how to do that.
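What those carved messages look like on the wire, as an added example that is not part of the original write-up: the script below scans a constructed memory image for `?OTR:` messages, base64-decodes them and parses the OTRv3 Data-message header. The sample message, its instance tags, key IDs and counter are made up (the `build_data_message` helper assembles it without any real crypto). It also shows why the long-term key is no help here: the only key material in a Data message is the public half of the sender's next Diffie-Hellman value, and the AES-CTR key protecting the payload is derived from the ephemeral DH shared secret, not from anything in otr.private_key.

```python
"""Carve OTR messages out of a raw memory image and decode their headers.
Added example with a constructed sample dump; not code from the write-up."""
import base64
import re
import struct

# Message type bytes from the OTR v2/v3 protocol specification.
MSG_TYPES = {0x02: "D-H Commit", 0x0a: "D-H Key", 0x11: "Reveal Signature",
             0x12: "Signature", 0x03: "Data"}

# Encoded OTR messages travel inside the IRC PRIVMSG text as "?OTR:<base64>."
OTR_RE = re.compile(rb"\?OTR:([A-Za-z0-9+/=]+)\.")


def read_mpi(buf, off):
    """OTR MPI: 4-byte big-endian length, then the magnitude bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated MPI")
    return int.from_bytes(buf[off:off + n], "big"), off + n


def read_data(buf, off):
    """OTR DATA: 4-byte big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated DATA")
    return buf[off:off + n], off + n


def parse_otr(payload):
    """Decode the common header and, for Data messages, the fields around the ciphertext."""
    version, mtype = struct.unpack_from(">HB", payload, 0)
    off = 3
    info = {"version": version, "type": MSG_TYPES.get(mtype, "unknown 0x%02x" % mtype)}
    if version == 3:  # v3 adds sender/receiver instance tags; v2 has none
        info["sender_tag"], info["receiver_tag"] = struct.unpack_from(">II", payload, off)
        off += 8
    elif version != 2:
        raise ValueError("unsupported OTR version %d" % version)
    if mtype != 0x03:
        return info
    flags, sender_keyid, recipient_keyid = struct.unpack_from(">BII", payload, off)
    off += 9
    dh_y, off = read_mpi(payload, off)           # sender's NEXT D-H public key (public half only)
    ctr = payload[off:off + 8]                   # top half of the AES-CTR counter
    off += 8
    ciphertext, off = read_data(payload, off)    # AES-128-CTR under the ephemeral session key
    mac = payload[off:off + 20]                  # SHA1-HMAC over the message
    off += 20
    old_mac_keys, off = read_data(payload, off)  # MAC keys deliberately revealed, 20 bytes each
    info.update(flags=flags, sender_keyid=sender_keyid, recipient_keyid=recipient_keyid,
                dh_y_bits=dh_y.bit_length(), ctr=ctr.hex(), ciphertext_len=len(ciphertext),
                mac=mac.hex(), revealed_mac_keys=len(old_mac_keys) // 20)
    return info


def carve_otr_messages(dump):
    """Decoded header of every intact ?OTR: message in the dump; damaged copies are skipped."""
    found = []
    for m in OTR_RE.finditer(dump):
        try:
            found.append(parse_otr(base64.b64decode(m.group(1), validate=True)))
        except (ValueError, struct.error):  # binascii.Error is a ValueError
            continue
    return found


def build_data_message(sender_tag, receiver_tag, sender_keyid, recipient_keyid,
                       dh_y, ctr, ciphertext, mac, old_mac_keys=b""):
    """Assemble an OTRv3 Data message for the constructed sample; no real crypto is performed."""
    y = dh_y.to_bytes((dh_y.bit_length() + 7) // 8, "big")
    body = struct.pack(">HBII", 3, 0x03, sender_tag, receiver_tag)
    body += struct.pack(">BII", 0, sender_keyid, recipient_keyid)
    body += struct.pack(">I", len(y)) + y + ctr
    body += struct.pack(">I", len(ciphertext)) + ciphertext + mac
    body += struct.pack(">I", len(old_mac_keys)) + old_mac_keys
    return b"?OTR:" + base64.b64encode(body) + b"."


# Constructed sample: one intact message (1536-bit y, the size of OTR's D-H group) between two
# made-up instance tags, followed by a copy cut off mid-way as it might sit in freed heap.
SAMPLE_MSG = build_data_message(0x1a2b3c4d, 0x5e6f7081, 2, 3, dh_y=(1 << 1535) | 0x1234,
                                ctr=b"\x00" * 7 + b"\x01", ciphertext=b"\x00" * 37,
                                mac=b"\xaa" * 20)
DUMP = b"\x00" * 16 + b"pidgin heap noise\n" + SAMPLE_MSG + b"\n" + SAMPLE_MSG[:41] + b"."

if __name__ == "__main__":
    for msg in carve_otr_messages(DUMP):
        print(msg)
```

Run against a real image, `carve_otr_messages(open("memory.raw", "rb").read())` lists every message with its key IDs and counter; the truncated copy in the sample is dropped by the length checks rather than producing a bogus record.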
After some time I decided to get some sleep and keep trying the following day. The first thing I did the next day was to re-read the challenge description, and I quickly figured it out:
“A 9447 CTF organizer is giving away flags to friends that he trusts.”
Because IRC nicknames are not authenticated by the protocol itself, I could simply impersonate testicool69 (the trusted friend), connect to the IRC server (yodawg.9447.plumbing:6667) and message acidburn88 (the CTF admin) asking for the key. So how do I do that?
Pidgin-OTR creates three files during an encrypted communication: otr.private_key, otr.instance_tags and otr.fingerprints. I searched for the term “prpl-irc” in the memory dump, extracted those files and replaced the ones in my own Pidgin installation (%APPDATA%\.purple). There’s a Metasploit post module to retrieve these keys from a live (hacked) system, by the way…
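To check what was carved before dropping it into a Pidgin profile, here is an added example on constructed data (not code from the write-up): it carves the libotr S-expression holding the DSA key out of a memory image, computes the OTR fingerprint of that key the way the OTR specification defines it (SHA-1 over the serialized public key), and reads the otr.fingerprints and otr.instance_tags formats. The account names, DSA values, fingerprint and instance tag in the sample are made up; only the file layouts are real. The fingerprint derivation is what makes the trick work: the fingerprint the admin marked as verified is a hash of the long-term public key, so whoever holds the matching private key presents that same fingerprint.

```python
"""Carve Pidgin-OTR key material from a memory image, derive the OTR fingerprint of the
stolen key and read the companion otr.fingerprints / otr.instance_tags files.
Added example on constructed data; not code from the write-up."""
import hashlib
import re

# libotr stores otr.private_key as an S-expression:
#   (privkeys (account (name "...") (protocol prpl-irc) (private-key (dsa (p #hex#) ... (x #hex#)))))
ACCOUNT_RE = re.compile(
    rb'\(account\s*\(name\s+"([^"]+)"\)\s*\(protocol\s+([\w-]+)\)\s*'
    rb'\(private-key\s*\(dsa\s*((?:\(\w\s+#[0-9A-Fa-f]+#\)\s*)+)\)\s*\)\s*\)')
PARAM_RE = re.compile(rb"\((\w)\s+#([0-9A-Fa-f]+)#\)")


def carve_private_keys(dump):
    """Every complete DSA account block in the image, with p, q, g, y, x as integers."""
    keys = []
    for m in ACCOUNT_RE.finditer(dump):
        params = {k.decode(): int(v, 16) for k, v in PARAM_RE.findall(m.group(3))}
        if {"p", "q", "g", "y", "x"} <= set(params):
            keys.append({"name": m.group(1).decode(), "protocol": m.group(2).decode(), **params})
    return keys


def mpi(v):
    """OTR MPI: 4-byte big-endian length, then the magnitude with no leading zero bytes
    (libgcrypt prints positive values with a leading 00 that must not be hashed)."""
    mag = v.to_bytes((v.bit_length() + 7) // 8, "big")
    return len(mag).to_bytes(4, "big") + mag


def serialize_pubkey(key):
    """Byte-level DSA public key as the OTR spec defines it: type 0x0000, then p, q, g, y."""
    return b"\x00\x00" + mpi(key["p"]) + mpi(key["q"]) + mpi(key["g"]) + mpi(key["y"])


def fingerprint_of(key):
    """The OTR fingerprint is SHA-1 over that serialization. It depends only on the public
    half, so whoever holds the private key presents exactly the fingerprint a peer verified."""
    return hashlib.sha1(serialize_pubkey(key)).hexdigest()


def human(fp_hex):
    """Pidgin's display form: five upper-case groups of eight hex digits."""
    return " ".join(fp_hex[i:i + 8] for i in range(0, 40, 8)).upper()


def parse_fingerprints(text):
    """otr.fingerprints: TSV of peer, our account, protocol, 40-hex fingerprint, trust
    ('verified' or empty)."""
    rows = []
    for line in text.splitlines():
        f = line.split("\t")
        if len(f) >= 4:
            rows.append({"peer": f[0], "account": f[1], "protocol": f[2],
                         "fingerprint": f[3].lower(), "trust": f[4] if len(f) > 4 else ""})
    return rows


def parse_instance_tags(text):
    """otr.instance_tags: TSV of account, protocol, 8-hex OTRv3 instance tag."""
    out = []
    for line in text.splitlines():
        f = line.split("\t")
        if len(f) == 3:
            out.append((f[0], f[1], int(f[2], 16)))
    return out


# Constructed sample image: the libotr layout is real, the DSA values are tiny placeholders
# (a real key has a 1024-bit p), and the leading 00 bytes mimic libgcrypt's output.
DUMP = (b"\x00" * 8 + b"heap noise "
        b'(privkeys\n (account\n(name "testicool69")\n(protocol prpl-irc)\n(private-key \n (dsa \n'
        b"  (p #00D4E1F2A3B4C5D6E7F8091A2B3C4D5E6F#)\n  (q #00C3A5B7D9#)\n  (g #02#)\n"
        b"  (y #00A1B2C3D4E5F60718#)\n  (x #5A#)\n  )\n )\n )\n)\n" + b"\x00" * 8)

# Constructed companion files for the same account; the fingerprint and instance tag are made up.
FINGERPRINTS = "acidburn88\ttesticool69\tprpl-irc\t" + "0f" * 20 + "\tverified\n"
INSTANCE_TAGS = "testicool69\tprpl-irc\t2f8c1a90\n"

if __name__ == "__main__":
    for key in carve_private_keys(DUMP):
        print(key["name"], key["protocol"], human(fingerprint_of(key)))
    print(parse_fingerprints(FINGERPRINTS))
    print(parse_instance_tags(INSTANCE_TAGS))
```

The value printed by `human(fingerprint_of(key))` is what Pidgin shows under “My fingerprint” once the carved file is in place; if it differs, the wrong block was carved or the hex was mangled. Copying otr.instance_tags along with the key keeps the OTRv3 instance tag the peer already associates with that account.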
With the stolen private key loaded, my client presented his fingerprint (an OTR fingerprint is just a hash of the long-term public key, so the admin’s OTR plugin saw the already-verified testicool69), and I got the secret flag: