{"id":13288,"date":"2016-09-07T17:33:30","date_gmt":"2016-09-07T15:33:30","guid":{"rendered":"http:\/\/www.codilime.com\/?p=13288"},"modified":"2017-12-20T14:31:11","modified_gmt":"2017-12-20T13:31:11","slug":"tw-mma-2-2016-deadnas","status":"publish","type":"post","link":"https:\/\/codisec.com\/tw-mma-2-2016-deadnas\/","title":{"rendered":"Deadnas"},"content":{"rendered":"

Link: https:\/\/score.ctf.westerns.tokyo\/problems\/5 (only for logged in users)
\nPoints:\u00a050
\nCategory: forensic,\u00a0warmup<\/p>\n

Description<\/h2>\n

Today, our 3-disk NAS has failed. Please recover flag.
\ndeadnas.7z<\/a><\/p>\n

Hint 1: The NAS used RAID.
\nHint 2:
RAID-5<\/a><\/p><\/blockquote>\n

Solution<\/h2>\n
$ file disk*\r\ndisk0:    DOS\/MBR boot sector, code offset 0x3c+2, OEM-ID \"mkfs.fat\", sectors\/cluster 4, root entries 512, sectors 2048 (volumes &lt;=32 MB) , Media descriptor 0xf8, sectors\/FAT 2, sectors\/track 32, heads 64, reserved 0x1, serial number 0x867314a9, unlabeled, FAT (12 bit)\r\ndisk1:    ASCII text\r\ndisk2:    data\r\n\r\n$ ls -lh                \r\n512K  disk0\r\n12    disk1\r\n512K  disk2\r\n\r\n$ cat disk1             \r\ncrashed :-(<\/pre>\n

From the output above we know that disk1 is missing. We also know that RAID was used. The most probable RAID level that tolerates the loss of 1 out of 3 disks is the one where every disk can be obtained by XOR-ing the 2 other disks. We XOR-ed disk0 and disk2 to get disk1 using some Python:<\/p>\n

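from pwn import *  # pwntools, provides xor()\r\n\r\n# The missing disk is the XOR of the two surviving disks.\r\n# This overwrites the 12-byte placeholder disk1 with the rebuilt image.\r\nwith open(\"disk0\", \"rb\") as f1:\r\n    with open(\"disk2\", \"rb\") as f2:\r\n        with open(\"disk1\", \"wb\") as f3:\r\n            x = f1.read()\r\n            y = f2.read()\r\n            f3.write(xor(x, y))\r\n\r\n<\/pre>\n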

Now, to get the full NAS content, we had to determine the block distribution (the second hint had not been revealed yet). After a few minutes of analyzing the disks' content (and with some knowledge of the FAT12 structure<\/a>) we determined that the parity block (BP) is on a different disk in each row, so we have the following distribution:<\/p>\n

D0 | D1 | D2\r\n---|----|---\r\nB0 | B1 | BP  \r\nB2 | BP | B3\r\nBP | B4 | B5\r\nB6 | B7 | BP\r\n...<\/pre>\n

Simple Python code to piece together all data blocks:<\/p>\n

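n = 1024   # number of rows (512K per disk \/ 512-byte blocks)\r\nk = 512    # block size\r\n\r\nwith open(\"disk0\", \"rb\") as f1:\r\n    with open(\"disk1\", \"rb\") as f2:\r\n        with open(\"disk2\", \"rb\") as f3:\r\n            with open(\"disk_out\", \"wb\") as f_out:\r\n                x = 2  # index of the disk holding the parity block in the current row\r\n                for _ in range(n):\r\n                    blocks = (f1.read(k), f2.read(k), f3.read(k))\r\n                    # keep the two data blocks, skip the parity block\r\n                    data_blocks = [b for i, b in enumerate(blocks) if i != x]\r\n                    # parity moves one disk to the left in each row: 2, 1, 0, 2, ...\r\n                    x = (x - 1) % 3\r\n                    f_out.write(b\"\".join(data_blocks))\r\n\r\n<\/pre>\n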

Now, to check the content, we can mount the resulting disk image:<\/p>\n

$ sudo mount disk_out  \/mnt\/img\/\r\n\r\n$ ls \/mnt\/img  \r\nflag.jpg  which-2.21\r\n\r\n<\/pre>\n

\"flag\"<\/p>\n","protected":false},"excerpt":{"rendered":"


<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3,6],"tags":[4,5],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\n\n\t\n