Forensics 500

Summary

Question

Find the key

Files

Torrent

Summary

Have you heard of these new RAID and strings technologies?

Flag

!!d0nTH4$$L3theH0ff!!

Walkthrough

The download is a .tar.gz that contains two 8 GB images called frontdrive.dd and backdrive.dd. If you try to mount them, mount complains that it's never heard of the "silicon_medley_raid_member" filesystem, so it looks like this is a RAID. Google says that Silicon Image Medley is a RAID controller, but one of the ones that just provides mild assistance for software RAID, so we should be able to mount this with dmraid. I converted the .dd images to VDIs, attached them to a VirtualBox VM, and booted off SystemRescueCd so I could extract the drive's contents (with help from a Linux Questions post):

# ls /dev/mapper
control sil_ajagaeaabbfh silajagaeaabbfg1
# mount /dev/mapper/*1 /mnt
# tar czf f500contents.tar.gz /mnt
# scp f500contents.tar.gz somewhereelse
# shutdown -h now

[continuing on somewhereelse, as sysrescd isn't an ideal working environment:]

$ ls f500contents/*
f500contents/chatlogs:
skype
xchatlogs

f500contents/pix:
1_001.jpg
1_002.jpg
1_003.jpg
1_004.jpg
1_005.jpg
1_006.jpg
1_007.jpg
1_008.jpg
1_009.jpg
1_010.jpg
1_011.jpg
1_012.jpg
1_013.jpg
1_014.jpg
...
ads
advertisments.rar
ahhhhh!
carz
contests
forKostya.rar
funny
Graduation
In_Mother_Russia.ashx.jpg
melikemud
missAtom.rar
outandabout
projects
travel
vlad-ha!
WEDDING
WEDDING.rar

f500contents/$RECYCLE.BIN:
S-1-5-21-2314189294-3544773346-1399894529-1001

f500contents/System Volume Information:
tracking.log

Lots of pics and crap. Poke around in the pics and you'll find nothing of apparent interest, except that a few of the RARs have passwords and advertisments.rar has fewer files than the corresponding ads directory. Not too promising, so let's check out the chatlogs:

$ cd chatlogs/xchatlogs
$ ls
EFnet-#0dayxxxpasswords.log
EFnet-a_m_b_e_r_4_e_v_e_r.log
EFnet-BritneySpears14.log
EFnet-DirtryKate.log
EFnet-#hacking.txt
EFnet-j_gurli3.log
EFnet-Katie_007.log
EFnet-#l33th4x0rs.txt
EFnet-.log
EFnet-Partner6.txt
EFnet-Sarah19fca.log
EFnet-sweet17.log
EFnet-Sweetheart.log
EFnet-VictimX_27.log
EFnet-#wii.log
RusNet-.log
RusNet-#m1d.tm.log
RusNet-RusNet.log
RusNet-server.log

Lots of the EFnet logs are bloodninja, and some of the chatlogs contain 2009 but none contain 2010, so let's try moving on to skype:

$ cd skype
$ ls
a31337h4x0r  My Skype Received Files  shared.xml
$ ls My\ Skype\ Received\ Files
theHoff.rar
$ unrar l !$/theHoff.rar
unrar l My\ Skype\ Received\ Files//theHoff.rar

UNRAR 3.90 beta 2 freeware      Copyright (c) 1993-2009 Alexander Roshal

Enter password (will not be echoed) for theHoff.rar:

Hmm.

$ cd ../a31337h4x0r
$ ls
chatsync config.lck config.xml dc.db httpfe main.db voicemail
$ cd chatsync
$ ls
7f 86
$ ls 7f
7f811b0f9c4f4d16.dat
$ strings 7f/7f811b0f9c4f4d16.dat | manually_filter_out_the_binary_crap
#petya30001/$a31337h4x0r;a3962d167ca93839
petya30001
a31337h4x0r
waaup h4x0r?!
petya30001
just working on my latest hack
anything 133t
it will totally r0x0r micro$oft
r u going to see the hoff with seryozha?
serge is gay
yeah, but the hoff!
i'm more into plastid and aria right now
i've got some stuff you might be intersted in though
sent file "theHoff.rar"<files alt=""><file size="20173564" index="0">theHoff.rar</file></files>
there
tight, that'll take a while, i'm on crappy wireless
is that for the h4ck?
you'll see
dude.  http://www.thecontrarianmedia.com/2009/05/ridiculouskickass-russian-metal-vid/
you think thats hawt?! check this out:  http://www.youtube.com/watch?v=3mOFWV0x6ek
i got plenty where that came from, heh

http://www.youtube.com/watch?v=7mZKjONV5cU
http://www.youtube.com/watch?v=fNy4tfx8XYo
http://www.youtube.com/watch?v=KbMmHNk1LbU
http://www.youtube.com/watch?v=qtAMu36IoPU
http://www.youtube.com/watch?v=7-FCQcg-nqI

http://www.youtube.com/watch?v=GfJngr-mhpo
http://www.youtube.com/watch?v=fq8OFqWH_6o
http://www.youtube.com/watch?v=Sfa2ptxw
http://www.youtube.com/watch?v=ANG7JmkJxHw

http://www.youtube.com/watch?v=bSlIWA94AgA
http://www.youtube.com/watch?v=QH3JAp7vMuo
http://www.youtube.com/watch?v=ykSzwYQV6PU
http://www.youtube.com/watch?v=PCZjAYvrk-w
http://www.youtube.com/watch?v=gcDvRa7zdoU

http://www.youtube.com/watch?v=1E32QYXs
http://www.youtube.com/watch?v=HKh2CI6T_c0
http://www.youtube.com/watch?v=2ot_katYYiU
http://www.youtube.com/watch?v=e9lsnYd3n-I
ok filez done
wtf?
remember?
what?
bad links.
doh, my bad.
idiot.
ok I got it open.
hot huh?
yeah!
a31337h4x0r
petya30001
petya30001
a31337h4x0r
petya30001
petya30001
a31337h4x0r petya30001
a31337h4x0r petya30001
a31337h4x0r petya30001
a31337h4x0r

Well, that was an enlightening little chat. The first thing I did was to actually visit all those YouTube URLs and mark all the ones that didn't return a video, then try concatenating all the v parameters. No dice; neither did trying each v parameter individually, or the same idea with the whole URLs. I thought about it a little more, and then realized that two of the v parameters were too short (YouTube video IDs are always 11 characters). Concatenating those in the order given gives "Sfa2ptxw1E32QYXs" (and takes our a31337h4x0r friend a lot less time than visiting all those links).
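The length check above is easy to automate, and is the kind of triage worth running over any recovered chat log before clicking links. The following is an added example (not part of the original writeup): it pulls every YouTube watch URL out of the transcript, keeps only v= parameters that are not the 11 characters YouTube uses, and joins them in chat order. CHAT_LINES is lifted from the chatsync output above; the non-YouTube link is kept to show the hostname filter at work.

```python
import re
from urllib.parse import urlparse, parse_qs

# YouTube video IDs are always 11 characters; anything else in v= is suspect.
YT_ID_LEN = 11

# Link lines copied from the chatsync transcript above.
CHAT_LINES = """\
dude.  http://www.thecontrarianmedia.com/2009/05/ridiculouskickass-russian-metal-vid/
you think thats hawt?! check this out:  http://www.youtube.com/watch?v=3mOFWV0x6ek
http://www.youtube.com/watch?v=7mZKjONV5cU
http://www.youtube.com/watch?v=fNy4tfx8XYo
http://www.youtube.com/watch?v=KbMmHNk1LbU
http://www.youtube.com/watch?v=qtAMu36IoPU
http://www.youtube.com/watch?v=7-FCQcg-nqI
http://www.youtube.com/watch?v=GfJngr-mhpo
http://www.youtube.com/watch?v=fq8OFqWH_6o
http://www.youtube.com/watch?v=Sfa2ptxw
http://www.youtube.com/watch?v=ANG7JmkJxHw
http://www.youtube.com/watch?v=bSlIWA94AgA
http://www.youtube.com/watch?v=QH3JAp7vMuo
http://www.youtube.com/watch?v=ykSzwYQV6PU
http://www.youtube.com/watch?v=PCZjAYvrk-w
http://www.youtube.com/watch?v=gcDvRa7zdoU
http://www.youtube.com/watch?v=1E32QYXs
http://www.youtube.com/watch?v=HKh2CI6T_c0
http://www.youtube.com/watch?v=2ot_katYYiU
http://www.youtube.com/watch?v=e9lsnYd3n-I
"""

URL_RE = re.compile(r"https?://\S+")

def video_ids(text):
    """Return the v= parameter of every YouTube watch URL in text, in order."""
    ids = []
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        if parsed.hostname and parsed.hostname.endswith("youtube.com"):
            ids.extend(parse_qs(parsed.query).get("v", []))
    return ids

def odd_length_ids(text):
    """IDs whose length is not the 11 characters a real YouTube ID has."""
    return [v for v in video_ids(text) if len(v) != YT_ID_LEN]

def candidate_password(text):
    """Join the malformed IDs in the order they appeared in the chat."""
    return "".join(odd_length_ids(text))
```

Running candidate_password(CHAT_LINES) yields the RAR password without visiting a single link.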

$ unrar l theHoff.rar -pSfa2ptxw1E32QYXs
...
*th1si$thek3yf1L3.txt       21       48 228% 02-06-09 22:40  .....A. CE4F3F4D m3b 2.9
...
$ unrar x theHoff.rar 'th1si$thek3yf1L3.txt' -pSfa2ptxw1E32QYXs

UNRAR 3.90 beta 2 freeware      Copyright (c) 1993-2009 Alexander Roshal


Extracting from theHoff.rar

Extracting  th1si$thek3yf1L3.txt                                      OK 
All OK
$ cat th1si\$thek3yf1L3.txt
!!d0nTH4$$L3theH0ff!!$

So !!d0nTH4$$L3theH0ff!! is the key.