
“ RHINO HUNT CTF ”

PROJECT SUBMISSION

TO
SILVER OAK UNIVERSITY


&
TECHDEFENCE LABS

BY
PATEL HEMRAJ A.
20013072045
B.Tech - Computer Science & Engineering (Cybersecurity)
Silver Oak College of Engineering & Technology
Ahmedabad - 382481
JUN-2022
ACKNOWLEDGMENT

I would like to express my gratitude to TechDefence Labs & Silver Oak University for giving us an opportunity to learn and gain industrial exposure in the domains of Vulnerability Assessment and Penetration Testing, Security Operations Centre, and Digital Forensics.

A special thanks to the Cyber Security faculty team and the industry experts for helping us with this essential Summer Internship, where we learned and implemented various technical skills, as well as interpersonal skills through report writing, presentations, and discussions.

Thanks,
Hemraj Patel

1| P a g e
Index:

TOPIC                                  PAGE NO.

• AIM & ABSTRACT                            2
• HOW TO INSTALL AUTOPSY                    3
• HOW TO INSTALL WIRESHARK                  6
• ADDING DATA IN AUTOPSY                   13
• WORK DONE IN AUTOPSY                     18
• WORK DONE IN WIRESHARK                   20
• WORK IN KALI LINUX                       32
• CONCLUSION & RECOVERED PICTURES          36

Aim & Abstract:

Scenario:
The city of New Orleans passed a law in 2004 making possession of nine or more unique
Rhinoceros images a serious crime. The network administrator at the University of New
Orleans recently alerted police when his instance of RHINOVORE flagged illegal rhino
traffic. Evidence in the case includes a computer and USB key seized from one of the
University’s labs. Unfortunately, the computer had no hard drive. The USB key was
imaged and a copy of the dd image is on the CD-ROM.
In addition to the USB key drive image, three network traces are also available—these
were provided by the network administrator and involve the machine with the missing
hard drive. The suspect is the primary user of this machine, who has been pursuing his
Ph.D. at the University.

To Do:
Recover at least nine rhino pictures from the available evidence and include them in a
brief report.

Tools Used:
• Autopsy
• Wireshark

Pre-Installed Requirements:
• Kali Linux in a Virtual Machine

Software Installation
Autopsy:
• First download Autopsy from the official website ( https://www.autopsy.com/download ) by clicking Download 64-BIT; the download will start automatically.

• After the download completes, run the setup and follow the installer prompts to install.

Wireshark:
• First download Wireshark from the official website ( https://www.wireshark.org/download.html ) by clicking Download 64-BIT; the download will start automatically.

• After the download completes, run the setup and follow the installer prompts to install.

Let’s Begin
Inserting the Image in Autopsy:

• First open Autopsy and create a new case. Fill in the case name and the destination where you want to save the new case. You can skip the optional information if you want.

• Now add the image as a data source in the newly created case.

• Select the path of the image file.

• Configure Ingest: the ingest modules are Autopsy's automated analysers, which help to analyse the data. Uncheck all the highlighted modules, as they are for mobile forensics (Android/iOS).

• After the data source has been added, ingest will do its work, as you can see in the bottom right corner. When it reaches 100% and the progress bar disappears, ingest is done.

Searching for Rhino Pics in Autopsy:

• After searching through all files and folders, I found only 9 pictures and one diary, of which only 4 were rhino pictures and the others were of alligators. Let's extract all the rhino pictures from Autopsy first.

• Go to the [ Images/Videos ] tab below the tool bar.

• Now select all 4 rhino pictures and right-click anywhere. There will be an option [ Extract File(s) ]; select it.

• Now select the destination where to save all the rhino pictures and click Save.

• It's done. All pictures were recovered from the image file. There are 2 more rhino pictures in the image file, hidden in the face of an alligator with steganography. If you want more than 9 pictures, you can work on that and reverse the steganography.

• The diary was not useful, other than telling the owner's situation.

Searching for Rhino Pics in the Network Traces Using Wireshark:

• We got 3 network trace files [ rhino, rhino2, rhino3 ]. After grinding through all the log files, we got all the remaining pictures. Let's see how to extract pics from the log files.

• First right-click on the [ rhino.log ] file and select Open with Wireshark.

• Now in Wireshark, we have to search for the keyword rhino to find any clues.

• For that press Ctrl+F and the search bar will appear. In the search bar, select String and search for rhino. There will be many packets containing the keyword (rhino), but we have to look for the one with the ( FTP-DATA ) protocol. And there you go: there will be a packet ( STOR rhino1.jpg ) with the ( FTP-DATA ) protocol.

• After the packet is found, right-click on it, go to Follow and select [ TCP Stream ].

• The data shown will be in ASCII format; convert it to Raw format.

• Now save the raw data by clicking Save As.

• Now select the destination where you saved the rhino pictures and name the file [ rhino1.jpg ].
• NOTE: give the extension ( .jpg ) without fail. With that extension the saved raw data is treated as a picture.

• After saving the first rhino pic from the log file, we have to do the same procedure for the rhino3 pic, which was shown in the list when you searched for the rhino keyword.

• By searching rhino3, a packet named [ STOR rhino3.jpg ] will be there with the FTP-DATA protocol. Follow it in [ TCP Stream ], convert the data to Raw format and save it as we did with the first pic.

• Now we have extracted every rhino picture from the rhino.log file. It's time to work on the 2nd log file, named rhino2.log.

• In the 2nd file there are only HTTP and TCP protocols, hence it was trickier than file 1. But after a little searching I found 2 pics in the 2nd log file. Let's extract them.

• To extract, go to File in the tool bar. There, go to Export Objects and click on HTTP.

• Now there will be 2 files, namely rhino4.jpg and rhino5.gif. Select one file at a time and save it by clicking Save; do the same procedure for both.

• Now we have extracted every rhino picture from the 2nd network trace file. It's time to work on the 3rd file. The 3rd file had some weird files, but the last picture was the hardest to extract because its file was not named rhino or anything related to rhino. It is a password-protected zip file. So we have to extract the zip file first, then crack it and extract the picture file from it.

• Open rhino3.log in Wireshark. Open the search bar and search for [ contraband ]. In the results you will find a packet ( STOR contraband.zip ) with the FTP-DATA protocol. Follow it in TCP Stream, convert the data to Raw format and save the file to a destination of your choice with the name contraband.zip.
• NOTE: give the extension ( .zip ) without fail, otherwise the file will be in the wrong format and won't work.
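The three extractions above (following the FTP-DATA stream for rhino1.jpg and rhino3.jpg, exporting the HTTP objects rhino4.jpg and rhino5.gif, and saving contraband.zip) come down to the same two operations: put a TCP connection's segments back in sequence order, then cut the file out of the byte stream by its signature. The Python script below is an added example, not part of this report and not Wireshark's code; it does both on a classic pcap. Everything in it is constructed for the example: the packet contents, the 10.0.0.5 / 10.0.0.1 addresses, the port numbers and the two tiny image stubs have nothing to do with the case files. The carve() function works on any byte string, so the same routine can also be pointed at a raw dd image such as the USB key.

```python
import struct
from collections import defaultdict

# Start marker -> (extension, end marker, bytes that follow the end marker).
SIGNATURES = {
    b"\xff\xd8\xff": ("jpg", b"\xff\xd9", 0),    # JPEG: SOI ... EOI
    b"GIF89a": ("gif", b"\x00\x3b", 0),          # GIF: header ... block terminator + trailer
    b"PK\x03\x04": ("zip", b"PK\x05\x06", 18),   # ZIP: local header ... end-of-central-directory record
}

def iter_tcp_segments(pcap: bytes):
    """Yield (flow, seq, payload) per TCP/IPv4/Ethernet frame of a little-endian classic pcap (pcapng, VLAN, IPv6 not handled)."""
    if struct.unpack_from("<I", pcap, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian classic pcap")
    off = 24                                     # skip the global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack_from("<IIII", pcap, off)[2]
        frame = pcap[off + 16 : off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6:                           # not TCP
            continue
        tcp = ip[(ip[0] & 0x0F) * 4 : struct.unpack_from("!H", ip, 2)[0]]   # IHL .. total length
        sport, dport, seq = struct.unpack_from("!HHI", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4 :]      # skip the TCP header (data offset words * 4)
        if payload:
            yield (ip[12:16], sport, ip[16:20], dport), seq, payload

def reassemble(pcap: bytes) -> dict:
    """Per direction of each connection: (bytes, gap count). Sequence order, duplicates dropped, holes counted."""
    flows = defaultdict(list)
    for flow, seq, payload in iter_tcp_segments(pcap):
        flows[flow].append((seq, payload))
    streams = {}
    for flow, segs in flows.items():
        data, expected, gaps = bytearray(), None, 0
        for seq, payload in sorted(segs, key=lambda s: s[0]):
            if expected is None:
                expected = seq
            if seq < expected:                   # retransmission / overlap: keep only the new bytes
                payload, seq = payload[expected - seq :], expected
            elif seq > expected:                 # a segment is missing from the capture
                gaps += 1
            data += payload
            expected = seq + len(payload)
        streams[flow] = (bytes(data), gaps)
    return streams

def carve(blob: bytes) -> list:
    """[(extension, bytes, complete)] for each signature-delimited object; works on a stream or a raw disk image."""
    found = []
    for start, (ext, end, tail) in SIGNATURES.items():
        pos = blob.find(start)
        while pos != -1:
            stop = blob.find(end, pos + len(start))
            if stop == -1:                       # cut off before the end marker: keep it, flag it
                found.append((ext, blob[pos:], False))
                break
            stop += len(end) + tail
            found.append((ext, blob[pos:stop], True))
            pos = blob.find(start, stop)
    return found

def carve_pcap(pcap: bytes) -> list:
    """[(flow, extension, bytes, complete)] over every reassembled stream."""
    return [(flow, ext, obj, ok and gaps == 0)
            for flow, (data, gaps) in reassemble(pcap).items()
            for ext, obj, ok in carve(data)]

def _frame(src: bytes, dst: bytes, sport: int, dport: int, seq: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame; checksums left at zero because nothing here verifies them."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst) + tcp
    return bytes.fromhex("020000000001") + bytes.fromhex("020000000002") + b"\x08\x00" + ip

def build_sample_pcap() -> bytes:
    """Constructed capture: an FTP-DATA upload whose two segments arrive out of order (one twice), and an HTTP GIF."""
    lab, srv = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1])          # made-up addresses
    jpeg = b"\xff\xd8\xff\xe0JFIF constructed body\xff\xd9"
    half = len(jpeg) // 2
    gif = b"GIF89a\x01\x00\x01\x00constructed\x00\x3b"
    http = b"HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\nContent-Length: %d\r\n\r\n" % len(gif) + gif
    frames = [
        _frame(lab, srv, 40001, 20, 1000 + half, jpeg[half:]),   # second half captured first
        _frame(lab, srv, 40001, 20, 1000, jpeg[:half]),          # first half
        _frame(lab, srv, 40001, 20, 1000, jpeg[:half]),          # retransmission of the first half
        _frame(srv, lab, 80, 40002, 5000, http),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # LINKTYPE_ETHERNET
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_650_000_000 + i, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for (src, sport, dst, dport), ext, obj, ok in carve_pcap(build_sample_pcap()):
        print(f"{'.'.join(map(str, src))}:{sport} -> {'.'.join(map(str, dst))}:{dport}  {ext} {len(obj)} bytes, complete={ok}")
```

Running the script carves one complete jpg and one complete gif out of the built-in sample; to use it on a real trace, pass the bytes of the file to carve_pcap() and write each object out under the extension it reports, which is the same naming rule the NOTE above insists on. Two caveats a practitioner should keep in mind: signature carving knows nothing about a JPEG's internal structure, so an EXIF thumbnail's own end marker can end a carve early, and HTTP bodies that are chunked or gzip-encoded have to be decoded before the signature search will find anything. A stream with a hole comes back with complete=False, the condition Wireshark flags as "[TCP Previous segment not captured]".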

Use of Kali Linux:

• Now we have the zip file, but it is password protected, so we will crack it in Kali Linux. For that we have to transfer the zip file to Kali Linux. So open the virtual machine and run Kali Linux. After Kali is open, drag and drop the zip file onto the desktop in Kali Linux.

• After that open a terminal and give the [ cd Desktop ] command. Now you are in the Desktop directory, where your zip file is. After that give [ zip2john contraband.zip > hack.txt ]. It will create a text file containing the password hash. Here zip2john is the tool name and it will do all the work.
• After that a text file will be there; to check, give the ls command and see whether the hack.txt file is there or not.
• After that give the [ john hack.txt ] command and it will crack your password with the john tool. Finally you will see the password of the zip file, and it's [ monkey ].

• Now we have the password and the zip file with rhino2.jpg in it, hence it's time to extract it from the zip file.

• To extract I used Windows, but you can use a tool of your own choice. So extract as per the procedure given below.

• Select the destination where all the rhino pictures are and click Extract.

• Enter the password [ monkey ] and you are done.

• And it's done. We found 9 pics in the given data.
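To show what the zip2john / john step and the Windows extraction above actually do, here is an added Python example (mine, not the report's, and not how John the Ripper is implemented). It builds a small ZipCrypto-protected archive in memory, reads the metadata that is visible without any password, tries a short list of candidate passwords with nothing but the standard library, and reads the entry with the recovered one. The archive, its contents, the wordlist and the fixed header bytes are constructed for the example; the password monkey and the entry name rhino2.jpg are the ones from the report.

```python
import io
import struct
import zipfile
import zlib
from typing import Optional

# CRC-32 table for the legacy PKWARE "ZipCrypto" key schedule (same polynomial as zlib.crc32).
_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)

class ZipCryptoEncrypter:
    """Traditional PKWARE encryption (the scheme zipfile can read), used only to build the test archive."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    def _update(self, b: int) -> None:
        self.k0 = (self.k0 >> 8) ^ _CRC_TABLE[(self.k0 ^ b) & 0xFF]
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = (self.k2 >> 8) ^ _CRC_TABLE[(self.k2 ^ (self.k1 >> 24)) & 0xFF]

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            t = self.k2 | 2
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)                      # the key stream depends on the plaintext so far
        return bytes(out)

def build_encrypted_zip(name: str, plain: bytes, password: bytes) -> bytes:
    """One stored entry under ZipCrypto. Constructed: the 11 normally random header bytes are fixed zeros here."""
    crc = zlib.crc32(plain) & 0xFFFFFFFF
    header = bytes(11) + bytes([(crc >> 24) & 0xFF])      # byte 12 is the password check byte
    body = ZipCryptoEncrypter(password).encrypt(header + plain)
    fname = name.encode("ascii")
    dos_time, dos_date = 12 << 11, ((2022 - 1980) << 9) | (6 << 5) | 1   # 2022-06-01 12:00
    local = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, 1, 0, dos_time, dos_date,
                        crc, len(body), len(plain), len(fname), 0) + fname     # flag bit 0 = encrypted
    central = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, 1, 0, dos_time, dos_date,
                          crc, len(body), len(plain), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + body + central + eocd

def inspect_archive(zip_bytes: bytes) -> list:
    """What zip2john reads before any cracking: names, sizes and the encryption flag are in the clear."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [{"name": zi.filename, "size": zi.file_size, "method": zi.compress_type,
                 "encrypted": bool(zi.flag_bits & 0x1)} for zi in zf.infolist()]

def try_wordlist(zip_bytes: bytes, candidates) -> Optional[bytes]:
    """First candidate that opens the first entry, else None. A wrong password normally fails the 1-byte
    check (RuntimeError); roughly 1 in 256 wrong guesses pass it and are caught by the CRC (BadZipFile)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        name = zf.namelist()[0]
        for pwd in candidates:
            try:
                zf.read(name, pwd=pwd)
                return pwd
            except (RuntimeError, zipfile.BadZipFile):
                continue
    return None

def extract_entry(zip_bytes: bytes, password: bytes) -> bytes:
    """Read the single entry with a known password (the step the report does in Windows Explorer)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(zf.namelist()[0], pwd=password)

if __name__ == "__main__":
    # Constructed evidence: a JPEG-like stub under the password the report recovered.
    archive = build_encrypted_zip("rhino2.jpg", b"\xff\xd8\xff\xe0constructed image\xff\xd9", b"monkey")
    print(inspect_archive(archive))
    hit = try_wordlist(archive, [b"password", b"123456", b"letmein", b"monkey"])
    print("password:", hit, "first bytes:", extract_entry(archive, hit)[:4].hex())
```

Two things worth noticing. inspect_archive() shows why the file name rhino2.jpg was known before the password was: ZipCrypto protects only the entry's bytes, never the directory. And the except clause in try_wordlist() is not optional: the 1-byte check lets about one wrong guess in 256 through to the CRC test, so a loop that only catches RuntimeError would crash on a bad guess instead of moving on. On the real case file the equivalent is exactly the report's zip2john contraband.zip > hack.txt followed by john hack.txt; john works from the hash line zip2john extracts and never needs the archive again.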

Pictures recovered from the given data:

Conclusion:

As per the given data, the owner of the data has more than 9 pictures of rhinos; hence he committed the crime and is guilty of the charges.
