Metaspike CTF, Week 2

ctf, digital forensics

Question 3

2022-02-16_21-12-18.png

Womp womp. This is an area have I no familiarity with and exhausted my attempts. As time permits, I’d like to revisit this and dig more into the Messaging Application Programing Interface (MAPI) API.

While I wasn’t able to get any points for this question, I took the opportunity to take few additional (unlimited) guesses during week 3.

Using MFCMAPI.x64.exe, I can preview the properties the .msg file.

I entered 0x0e07 and 0e07 as my guesses, thinking that it was a formatting issue (it wasn’t). I don’t remember what I threw away my third attempt on.

After a handful of guesses, 0x001A for PR_MESSAGE_CLASS, is the correct answer. But why?

MAPI Message Classes

That’s nice to know, but what causes the envelope to show up? Google: “pr_message_class envelope”

I came across this. It suggests that there’s something wrong with PR_MESSAGE_CLASS. Maybe the value, “IPM.Note.Std”, is wrong? It’s not listed as a message class, so perhaps there’s something to it.

With Outlook open and OutlookSpy installed, I open the email to check it out and edit it. OutlookSpy | IMessage | GetProps.

After I edited the property to a known value, “IPM.Note,” the envelope disappears.

I’m not clear what would cause that in a typical environment. I gather that the key here is if you recognize what is “normal”, you’d be able to see that value standout as an anomaly.

Question 4

I hashed the contents of the decompressed .pdf for my first attempt. That was wrong.

After reading the contents of the email, I find there’s an apparent problem with the .zip file. The comment about the file’s first 24 bytes appeared to be a hint. When decompressing the file, the .pdf is not readable. Ah, okay. I’m tracking now.

I started with comparing the corrupt .zip file, and a known good .zip file. I looked for 0x00 values within the first 24 bytes. For simplicity, I used the evidence object already provided. I selected View | Synchronize & Compare in X-Ways Forensics. I noted that the offsets 18-21 might be different.

What sort of structure does a .zip typical have? Florian Buchholz has documentation on that, which notes that offsets 18-21 represent the compressed size of the file in little-endian.

GOAT.zip is 369,547 bytes. What’s that in hex (little-endian)? Using the programmer calculator, it’s 0x8BA305. I’ll need to try it by editing the file with a hex editor.

I already have the original evidence object saved locally to open it in WinHex. But if I didn’t, I would I select Recovery/Copy from the Directory Browser.

With GOAT.zip open in WinHex, I make the change to offsets 18 and 19.

After adding the edited file back into XWF, I’m now able to preview the file, GOAT.pdf.

Knowing that I’m able to preview it, I just have to hash the file.

From the Directory Browser, I can use the context menu to take a refined volume snapshot to compute the MD5 hash.

MD5: 46FD54DA3D27F563CDB834A16FB23276

After a quick hash calculation, I can now copy it from the context menu.

Advertisement

Published by Derek Eiri

Published

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.