CMouse's Blog

CMouse's Blog

Anomaly 23: A Picture Paints a Thousand Bytes

Points: 78

A host on the corporate IT network has been compromised and is using DNS to phone home. This activity has been noticed and the DNS logs have been dumped. Analyze the DNS logs (Anomaly 23.log) and identify what information has been transferred. Hint: binwalk is your friend.

The provided file is a DNS log consisting of entries like these:

1
2
3
4
5
6
7
8
9
[2019-09-18 17:21:14.584856] Request: welt.de. -> 12.144.168.8
[2019-09-18 17:21:16.588879] Request: theguardian.com. -> 19.125.142.118
[2019-09-18 17:21:18.593032] Request: billboard.com. -> 0.186.146.168
[2019-09-18 17:21:22.599159] Request: maps.google.com. -> 226.121.198.156
[2019-09-18 17:21:26.604910] Request: ggpht.com. -> 81.252.207.181
[2019-09-18 17:21:30.610876] Request: ipv4.google.nl. -> 33.182.243.182
[2019-09-18 17:21:33.615910] Request: asus.com. -> 236.91.244.113
[2019-09-18 17:21:35.619530] Request: disney.go.com. -> 14.194.152.155
[2019-09-18 17:21:37.623749] Request: webdisk.hatena.ne.jp. -> 26.56.120.179

If we scroll down a bit, we notice something suspicious:

1
[2019-09-18 17:22:49.627109] Request: 89504e470d0a1a0a0000000d49484452000000780000007808030000000eba.evil.com. -> 19.198.132.97

We notice that: 1) all the characters in the subdomain are either digits or letters within the range ‘a’ to ‘f’, so it’s straightforward to think that they are bytes and 2) the bytes 89 50 4e 47 0d 0a 1a 0a mark the beginning of a PNG file. It makes sense, because the challenge is titles as “a picture paints a thousand bytes”!

We can easily grep all the entries with the word “evil” and obtained a filtered version of the log file:

1
$ cat Anomaly\ 23.log | grep evil > anomaly_23.log.filtered

We can then strip the image data from the log entries and recover our PNG file with a script like this:

1
2
3
4
5
6
7
8
9
10
11
12
data_list = []

with open('anomaly_23.log.filtered', 'r') as f:
    lines = f.readlines()
    for line in lines:
        tokens = line.split()
        data = tokens[3].split('.')[0]
        data_list.append(bytes.fromhex(data))

with open('anomaly_23.png', 'wb') as f:
    for data in data_list:
        f.write(data)

We’ve recovered our PNG file!

anomaly\_23.png

But wait… Doge doesn’t give us anything! How about running binwalk on the PNG file?

1
2
3
4
5
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             PNG image, 120 x 120, 8-bit colormap, non-interlaced
5960          0x1748          Zip archive data, encrypted compressed size: 59, uncompressed size: 39, name: secret.txt
6173          0x181D          End of Zip archive, footer length: 22

Turns out there’s Zip archive data hidden in the PNG. We extract the PNG, but bad luck for us - it requires a password!

This was really a bad moment for me during the competition. I was so proud at myself for figuring out the PNG thing, and I couldn’t believe I was going to give up this challenge because of this. I tried brute-forcing the password to no avail, and then I realized the password might also be hidden in the log file.

I was right!

1
$ cat Anomaly\ 23.log | grep secret
1
[2019-09-18 17:27:09.365396] Request: bGF3cmVuY2VsaXZlcm1vcmUK.password.secret.com. -> 164.230.184.73

Using the password “bGF3cmVuY2VsaXZlcm1vcmUK”, we were able to successfully extract the secret file, which contains the flag.

References:

https://www.garykessler.net/library/file\_sigs.html

Expand all Back to top Go to bottom