This is the fourth and last of the forensics challenges in the CSAW CTF 2014 competition. It was much harder than the three before it, but also much more interesting.
The challenge starts with the following text:
OH NO WE'VE BEEN HACKED!!!!!! -- said the Eye Heart Fluffy ...
It looked like a fun CTF, but I did not have the chance to play for too long. I managed to solve a few problems in the morning and the solutions are below.
The challenge starts with:
A terrorist has changed his picture in a social network. What ...
This is the first exploitation problem and it starts with the following text:
I trust people on the Internet all the time, do you?
Written by ColdHeat
Unzipping and Analyzing the Files
Let’s unzip the provided zip file:
$ unzip eggshells-master.zip
This creates a directory called eggshells-master ...
This is the only networking problem, and it is only 100 points, so it turned out to be very easy.
The problem starts with the following text:
Something, something, data, something, something, big
Written by HockeyInJune
Inspecting the Wireshark File
The file extension .pcapng corresponds to files for ...
The third forensics challenge starts with the following text:
see or do not see
Written by marc
Hacking PDFs, what fun!
In general, when dealing with reverse-engineering malicious documents, we follow these steps: