Previous (Android): Week 1 | Week 2 | Week 3 | Week 4
Previous (Linux): Week 5 | Week 6 | Week 7 | Week 8
Previous (Memory): Week 9 | Week 10 | Week 11 | Week 12
Early last week, the final results for the Magnet Weekly CTF were revealed on a Zoom call, and by pure luck I leapt to the top of the list. I guess those 6 custom artifacts helped a bit in the last few days of 2020. Sidenote, the Custom Artifact challenge just recently started, so partake if you can!
A big shout out to all the competitors that battled for 12 weeks across many different OS platforms, it was truly a great learning experience. And it came with some awesome first place swag too, check it out!
As a grand prize gesture, the fine folks at Magnet had one last challenge up their sleeve for me. One of the prizes was a cryptex. If you've never seen one it was prominently feature in the Tom Hank's movie The Da Vinci Code.
With 6 characters comprising the unlock codeword, I had to try "MAGNET", and voilà, it opened to reveal... a Sandisk flash drive. Let's plug this sucker in and see what we have. It contained pictures of memes... memes everywhere!
I went ahead and imaged the flash drive for preservation sake (and for best practice) in case something went awry. While it was finishing up a few things jumped out to me instantly:
- "what-do-you-think.jpg" file didn't have a preview and wouldn't open in a regular image viewer
- "One Last Step" file didn't have an extension and was 500 MB large, much bigger than everything else on the drive
I fired up Autopsy to see what could be analyzed further. Looking at the folder structure we see two entries for the "what-do-you-think.jpg" file, one viewable and the other unallocated. Interestingly, the mime-type is listed as an image done in Photoshop.
Using ExifTool we can see that there was a text layer added, as found in the XMP metadata for the picture:
That seems like something to note for later (looks familiar to a heading of the last paragraph
here also). No further evidence was found in any of the other pictures. The only other file that we have is the "One Last Step" one. It was modified after the Nick Cage photo was.
Looking at the hex of the 500 MB file, it seems to be filled with no readable content but consistently has no null bytes, does that seem odd? That's because it's actually a container! In previous CTF's I've came across large files such as this. When creating a Veracrypt container, typically the size is a multiple of 512 bytes. This file fits the bill.
A second method for detection of encrypted containers is entropy. Running the "Encryption Detection" module in Autopsy we see a hit for the "One Last Step" file.
So let's mount the file using VeraCrypt. We can see it does prompt for a password when mounting, so the obvious choice was to try our text layer text from Nick Cage:
WinnerWinnerChickenDinner
VeraCrypt took it and mounted it to the K: Drive. As we can see it does indeed have AES encryption on it.
Only one file was inside the container, a PDF:
Opening the PDF unveiled the final prize, an Amazon giftcard!
What a thrilling finale to an epic run of challenges. I want to give my thanks again to
Trey,
Tarah,
Jessica and the whole Magnet Forensics team for putting this CTF on. Looking forward to more future challenges!