prae_gitlab's solution for Dérèglement

intro forensics windows

3 December 2024

Pre-analysis

A .docx file is a ZIP archive containing a tree of files that Word interprets.

The header is 0x50 0x4B (PK), which is the ZIP magic:

$ xxd -l 4 2021-fcsc-reglement_de_participation.docx
00000000: 504b 0304                                PK..

To open it, any ZIP utility will do:

$ zipinfo 2021-fcsc-reglement_de_participation.docx
Archive:  2021-fcsc-reglement_de_participation.docx
Zip file size: 93740 bytes, number of entries: 16
-rw-r--r--  2.0 unx     1417 bX defN 21-Apr-10 14:05 [Content_Types].xml
drwx------  2.0 unx        0 bx stor 21-Apr-10 13:36 docProps/
-rw-r--r--  2.0 unx      517 bX defN 21-Apr-10 11:36 docProps/app.xml
-rw-r--r--  2.0 unx      652 bX defN 21-Apr-10 13:54 docProps/core.xml
drwx------  2.0 unx        0 bx stor 21-Apr-10 13:36 _rels/
-rw-r--r--  2.0 unx      573 bX defN 21-Apr-10 11:36 _rels/.rels
drwx------  2.0 unx        0 bx stor 21-Apr-10 13:36 word/
drwx------  2.0 unx        0 bx stor 21-Apr-10 13:36 word/_rels/
-rw-r--r--  2.0 unx      981 bX defN 21-Apr-10 11:36 word/_rels/document.xml.rels
-rw-r--r--  2.0 unx     5956 bX defN 21-Apr-10 14:00 word/document.xml
-rw-r--r--  2.0 unx     3313 bX defN 21-Apr-10 11:36 word/styles.xml
-rw-r--r--  2.0 unx     5321 bX defN 21-Apr-10 11:36 word/numbering.xml
-rw-r--r--  2.0 unx      208 bX defN 21-Apr-10 11:36 word/settings.xml
-rw-r--r--  2.0 unx     1106 bX defN 21-Apr-10 11:36 word/fontTable.xml
drwx------  2.0 unx        0 bx stor 21-Apr-10 13:36 word/media/
-rw-r--r--  2.0 unx   131579 bX defN 21-Apr-10 11:36 word/media/image1.jpeg
16 files, 151623 bytes uncompressed, 90822 bytes compressed:  40.1%

or binwalk with no options:

$ binwalk 2021-fcsc-reglement_de_participation.docx

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Zip archive data, at least v2.0 to extract, uncompressed size: 1417, name: [Content_Types].xml
389           0x185           Zip archive data, at least v2.0 to extract, name: docProps/
460           0x1CC           Zip archive data, at least v2.0 to extract, uncompressed size: 517, name: docProps/app.xml
850           0x352           Zip archive data, at least v2.0 to extract, uncompressed size: 652, name: docProps/core.xml
1287          0x507           Zip archive data, at least v2.0 to extract, name: _rels/
1355          0x54B           Zip archive data, at least v2.0 to extract, uncompressed size: 573, name: _rels/.rels
1661          0x67D           Zip archive data, at least v2.0 to extract, name: word/
1728          0x6C0           Zip archive data, at least v2.0 to extract, name: word/_rels/
1801          0x709           Zip archive data, at least v2.0 to extract, uncompressed size: 981, name: word/_rels/document.xml.rels
2198          0x896           Zip archive data, at least v2.0 to extract, uncompressed size: 5956, name: word/document.xml
4212          0x1074          Zip archive data, at least v2.0 to extract, uncompressed size: 3313, name: word/styles.xml
5084          0x13DC          Zip archive data, at least v2.0 to extract, uncompressed size: 5321, name: word/numbering.xml
5776          0x1690          Zip archive data, at least v2.0 to extract, uncompressed size: 208, name: word/settings.xml
6036          0x1794          Zip archive data, at least v2.0 to extract, uncompressed size: 1106, name: word/fontTable.xml
6454          0x1936          Zip archive data, at least v2.0 to extract, name: word/media/
6527          0x197F          Zip archive data, at least v2.0 to extract, uncompressed size: 131579, name: word/media/image1.jpeg
93718         0x16E16         End of Zip archive, footer length: 22

We could analyse each file by opening them one by one (maybe the flag is hidden in an image? :)

In the end, we go for the quick method, good old zipgrep:

$ zipgrep -oE "FCSC{[a-zA-Z0-9]+}" 2021-fcsc-reglement_de_participation.docx 2> /dev/null
word/document.xml:FCSC{9bc5a6d51022ac}

Done!

The Python way

If we want to have some fun, we can also quickly write a small tool that parses every XML file inside a ZIP and tries to find the flag:

The source code:

#!/usr/bin/env python3
# zipfinder.py: walk the members of a ZIP archive (here a .docx) and
# search every XML member for a flag.

import re
import sys
import zipfile

# Bytes pattern: the members are read as bytes, so search them as bytes
# rather than going through str(), which would only search the repr.
FLAG_RE = re.compile(rb"FCSC{([a-zA-Z0-9]+)}")

with zipfile.ZipFile(sys.argv[1]) as handler:
    for entry in handler.infolist():
        if entry.filename.endswith(".xml"):
            with handler.open(entry.filename) as f:
                if match := FLAG_RE.search(f.read()):
                    print(match.group().decode())

Running it:

$ ./zipfinder.py 2021-fcsc-reglement_de_participation.docx
FCSC{9bc5a6d51022ac}
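The script above, like zipgrep, only finds a flag that sits contiguously inside one XML member. The added example below (my code, not the author's script) generalises it in two ways: it searches every member as raw bytes, images included, and for XML members it reassembles the text of the <w:t> runs, since Word often splits a single word across several runs. The .docx it runs on is constructed in memory; the flags and member names in it are made up for the demo.

```python
#!/usr/bin/env python3
"""Search every member of a .docx (a ZIP) for a flag, including text that
Word split across several <w:t> runs. Added example; the .docx built below
is constructed in memory and is not the challenge file."""
import io
import re
import sys
import xml.etree.ElementTree as ET
import zipfile

FLAG_RE = re.compile(rb"FCSC\{[a-zA-Z0-9]+\}")
W_NS = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"


def find_flags(docx):
    """Return {member: [flags]} for every ZIP member containing a flag.

    Two passes per member: a raw bytes search (XML, images, any binary),
    and for XML members a search over the concatenated <w:t> text, which
    catches a flag that Word split over several runs."""
    found = {}
    with zipfile.ZipFile(docx) as zf:
        for entry in zf.infolist():
            data = zf.read(entry.filename)
            hits = set(FLAG_RE.findall(data))
            if entry.filename.endswith(".xml"):
                try:
                    root = ET.fromstring(data)
                    text = "".join(t.text or "" for t in root.iter(W_NS + "t"))
                    hits.update(FLAG_RE.findall(text.encode()))
                except ET.ParseError:
                    pass  # not well-formed XML: the bytes pass already ran
            if hits:
                found[entry.filename] = sorted(h.decode() for h in hits)
    return found


def build_sample_docx():
    """Constructed minimal .docx: one flag split over two runs in
    document.xml, one flag inside a (fake) image member."""
    doc = ('<?xml version="1.0" encoding="UTF-8"?>'
           '<w:document xmlns:w="' + W_NS[1:-1] + '"><w:body><w:p>'
           '<w:r><w:t>FCSC{split0ver</w:t></w:r><w:r><w:t>2runs}</w:t></w:r>'
           '</w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", doc)
        zf.writestr("word/media/image1.jpeg", b"\xff\xd8\xffFCSC{hidden1nimage}\x00")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_docx()
    for member, flags in find_flags(target).items():
        print(member, flags)
```

Pass a real .docx path as the first argument to run it on an actual file; with no argument it runs on the constructed sample.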