Deadnas - CodiSec CodiSec

7 September 2016 Jakub Luczyński — No Comments

Link: https://score.ctf.westerns.tokyo/problems/5 (only for logged in users)
Points: 50
Category: forensic, warmup

Description

Today, our 3-disk NAS has failed. Please recover flag.
deadnas.7z

Hint 1: The NAS used RAID.
Hint 2: RAID-5

Solution

$file disk*

disk0: DOS/MBR boot sector, code offset 0x3c+2, OEM-ID "mkfs.fat", sectors/cluster 4, root entries 512, sectors 2048 (volumes <=32 MB) , Media descriptor 0xf8, sectors/FAT 2, sectors/track 32, heads 64, reserved 0x1, serial number 0x867314a9, unlabeled, FAT (12 bit)

disk1: ASCII text

disk2: data

$ ls -lh

512K disk0

12 disk1

512K disk2

$ cat disk1

crashed :-(

From above output we know that disk1 is missing. We also know that RAID was used. The most probable version of RAID allowing 1 out of 3 disk loss is the one where every disk can be obtained by XOR-ing 2 other disks. We XOR-ed disk0 and disk2 to get disk1 using some python:

from pwn import *

with open("disk0", "rb") as f1:

with open("disk2", "rb") as f2:

with open("disk1", "wb") as f3:

x = f1.read()

y = f2.read()

f3.write(xor(x,y))

Now, to get the full NAS content, we had to determine the block distribution (the second hint had not been revealed yet). After few minutes of analyzing the disks content and with some knowledge of FAT12 structure) we have determined that parity block (BP) is on different disk in each row so we have distribution:

D0 | D1 | D2

---|----|---

B0 | B1 | BP

B2 | BP | B3

BP | B4 | B5

B6 | B7 | BP

...

Simple python code to piece together all data blocks:

n = 1024

k = 512 # block size

with open("disk0", "rb") as f1:

with open("disk1", "rb") as f2:

with open("disk2", "rb") as f3:

with open("disk_out", "wb") as f_out:

x = 2

for _ in xrange(n):

blocks = (f1.read(k), f2.read(k), f3.read(k))

data_blocks = [b for i, b in enumerate(blocks) if i != x]

x = (x - 1) % 3

f_out.write("".join(data_blocks))

Now to check the content we can mount the resulting disk image:

$ sudo mount disk_out /mnt/img/

$ ls /mnt/img

flag.jpg which-2.21

Description

Solution

Leave a Reply Cancel reply

Cookies