TYS 0x03 - I fatfinger deleted my cute little puppy!


This TYS (Test Your Skills) is gratefully received from https://mytty.org - check it out. There's a number of these technical challenges to put you through your paces and push you to learn new skills.

Now on with the show..

Bob, who has a very cute little puppy, sends you an email asking for your help. He says that he, by accident, deleted the best picture he had of his cute little puppy from a USB memory stick. He also mentioned that he immediately unplugged the memory stick once he noticed that he deleted the picture by accident. He took an image of the stick with DD and attached it to the email.

His last line in the mail is something like: This is really important to me. I need this picture back asap. I will make up to you if you can deliver within 72 hours!


You heard Bob! Go ahead and figure out if there is a way to recover the picture of his little puppy from the stick image.



First things first, download the xz compressed archive provided by Bob and take a look at what we have to work with using the unxz command.

# unxz usb-stick.img.xz 
# ls -la
total 3640
-rwxrwx--- 1 root root 8388608 Feb 28 15:14 usb-stick.img

Using the file command we can determine additional details on the extracted file.

# file usb-stick.img 
usb-stick.img: DOS/MBR boot sector; partition 1 : ID=0xee, start-CHS (0x0,0,2), end-CHS (0x3ff,255,63), startsector 1, 16383 sectors, extended partition table (last)

Next I used the fdisk command to identify further details of the disk and it's structure.

# fdisk -l usb-stick.img

Disk usb-stick.img: 8 MiB, 8388608 bytes, 16384 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 643B78A5-FFD9-1A41-9955-8EB625DF0212

Next I ran mmls (media management) to display the contents of the volume system. There are a couple of benefits to using mmls. Firstly, it will show which sectors are not being used so that those can be searched for hidden data. And second, It also gives the length value so that it can be plugged into ’dd’ more easily for extracting the partitions.

# mmls usb-stick.img

GUID Partition Table (EFI)
Offset Sector: 0
Units are in 512-byte sectors


I got a bit lazy here and ran Photorec directly on the img file to recover lost data. And while this enabled me to reach my end goal of finding the hidden flag, it isn't clean or satisfying in hindsight. There are definitely other ways to skin a cat (or puppy)

# photorec usb-stick.img








I moved the recovered image file f0007518.jpg to my working folder for further analysis. A quick look at the image shows some kind of corruption or interference.

# ls -la
total 3660
drwxr-xr-x 2 root root 4096 Mar 4 19:12 .
drwxr-xr-x 15 root root 4096 Mar 4 18:57 ..
-rw-r--r-- 1 root root 16384 Mar 4 19:11 f0007518.jpg
-rwxrwx--- 1 root root 8388608 Feb 28 15:14 usb-stick.img

# file f0007518.jpg 
f0007518.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 1280x720, frames 3

Every JPEG file has a SOI (Start of image) with binary value of 0xFFD8 and it is terminated by EOI Marker (End of image) which has the binary value of 0xFFD9. Using Hexdump we can view any content that has been appended to the end of this jpeg. You'll also notice at the start of the output is a clue to the hidden file: "7z"

# hexdump -C f0007518.jpg | more +/"ff d9"

000cf680 52 de 13 02 87 a4 44 10 84 84 c7 2e 09 07 ff d9 |R.....D.........|
000cf690 37 7a bc af 27 1c 00 04 4f 95 18 fe c0 00 00 00 |7z..'...O.......|
000cf6a0 00 00 00 00 28 00 00 00 00 00 00 00 8a 0c b9 49 |....(..........I|
000cf6b0 51 63 84 bf bc 78 7d 9c 47 d8 b1 d8 44 ba 61 41 |Qc...x}.G...D.aA|
000cf6c0 d9 60 8d fd ec 89 82 9e 7c 05 1e ee e7 61 79 38 |.`......|....ay8|
000cf6d0 91 68 7b 7f 3d ff ae d1 9e a9 6d 99 18 78 66 2e |.h{.=.....m..xf.|
000cf6e0 78 2b 20 ab 99 25 e2 3b 7b 89 c1 a0 04 0c 84 1b |x+ ..%.;{.......|
000cf6f0 04 5e ae c3 2b 3d 81 41 d2 74 fc fc 48 c5 01 44 |.^..+=.A.t..H..D|
000cf700 89 5e 7f 3d 26 a8 fb 64 d4 9a 05 9c d6 36 7a fa |.^.=&..d.....6z.|
000cf710 b2 af bb a2 a3 15 6a 28 c3 86 47 ab 7a 9b 9e a9 |......j(..G.z...|
000cf720 b8 23 fe 35 4c 4a a8 d4 b7 16 a0 9b da 84 20 51 |.#.5LJ........ Q|
000cf730 4f a1 8b 61 3d bb fb a7 3e 5c 77 34 3a 9b 25 98 |O..a=...>\w4:.%.|
000cf740 82 f2 25 f0 f6 bc 63 0f 82 77 40 2e 32 c4 82 84 |..%...c..w@.2...|
000cf750 56 0d e3 b3 1c fc 62 07 ac 40 a2 15 b2 d1 10 2d |V.....b..@.....-|
000cf760 6a 54 5a 76 a5 f8 85 13 03 b2 a3 64 59 7f c5 c6 |jTZv.......dY...|
000cf770 17 06 30 01 09 80 90 00 07 0b 01 00 01 24 06 f1 |..0..........$..|
000cf780 07 01 0a 53 07 28 b1 23 3a a5 78 0b a6 0c 80 8a |...S.(.#:.x.....|
000cf790 0a 01 b8 74 c1 1e 00 00 00 00 00 00 00 00 00 00 |...t............|
000cf7a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|

Now that we have confirmed that there is something hiding in this image file, we can use binwalk to try and extract the hidden data. I did this in two steps and there may be better ways. First I used the -e switch to load common extraction rules and try to automatically identify the hidden file (result was a corrupted image). I tried again using the --d switch to extract the identified file as shown below. I could have specified .7z but the wild card worked in this case.

#binwalk -e f0007518.jpg
Need to try again and get a clean file
# binwalk --dd=".*" f0007518.jpg

Binwalk will create a new directory containing the extracted files. If we change into this folder and run 'file' against against the extracted file we'll see we now have a 7-zip archive. Bingo!

# cd _f0007518.jpg.extracted/

# file CF690 CF690: 7-zip archive data, version 0.4
# mv CF690 CF690.7z

Now to crack the password.. First extract the hash from the 7z file using 7z2john.py

# python 7z2john.py CF690.7z > hash.txt
# cat hash.txt


Next, we can use John to crack the hash using the standard rockyou wordlist. And very quickly we're presented with the password 'a1b2c3'

# john --wordlist=/root/Desktop/rockyou.txt hash.txt
# john --wordlist=/root/Desktop/rockyou.txt hash.txt 

Using default input encoding: UTF-8
Loaded 1 password hash (7z, 7-Zip [SHA256 AES 32/64])
Note: This format may emit false positives, so it will keep trying even afterfinding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
a1b2c3 (CF690.7z)``

We're getting close i'm confident we can start warming the pizza. Using the cracked password we try to open the file using 7za

# 7za x CF690.7z

7-Zip (a) [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,3 CPUs Intel(R) Core(TM) i7-7820HQ CPU @ 2.90GHz (906E9),ASM,AES-NI)

Scanning the drive for archives:1 file, 2416 bytes (3 KiB)

Extracting archive: CF690.7z

Enter password (will not be echoed):

There are data after the end of archive
Path = CF690.7z
Type = 7z

WARNINGS:There are data after the end of archive
Physical Size = 264
Tail Size = 2152
Headers Size = 216
Method = LZMA2:12 7zAES
Solid = -Blocks = 1
Everything is Ok
Archives with Warnings: 1
Warnings: 1
Size: 37
Compressed: 2416

Now if we list the current files we see see the extracted 'secret_information.txt'

# ls -la
-rw-r--r-- 1 root root 37 Feb 27 05:04 secret_information.txt

And last but not least.. take a quick look inside to claim the prize!

# cat secret_information.txt 

you shall not talk about the s3cr3ts!

Commands and tool used