Not so FAT

Category: Forensic

Points: 43

Description: I deleted my flag by mistake, could you recover it for me?

Files: image.dd

TL;DR

A password-protected zip is found in a disk image. John helps us to retrieve the archive password to get the flag.

Methodology

First we look at the type of file we are dealing with.

>_ file image.dd
image.dd: DOS/MBR boot sector, code offset 0x3c+2, OEM-ID "mkfs.fat", sectors/cluster 4, reserved sectors 4, root entries 512, sectors 32768 (volumes <=32 MB), Media descriptor 0xf8, sectors/FAT 32, sectors/track 32, heads 64, serial number 0x3be84c04, unlabeled, FAT (16 bit)

Since we have a FAT partition, we mount it and look at what's inside.

>_ mkdir -pv tmp
mkdir: created directory 'tmp'

>_ sudo mount image.dd tmp
[sudo] password for lambdhack:

>_ sudo ls -al tmp
total 20
drwxr-xr-x 2 root      root  16384 Jan  1  1970 .
drwxr-xr-x 5 lambdhack users  4096 Jun  9 22:26 ..

Okay, there's nothing in it when we mount the partition. This is probably because the file has been deleted. On FAT, deleting a file only marks its directory entry as free (the first byte of the entry is overwritten with 0xE5) and releases its clusters in the FAT; the file's data is still on disk until those clusters are reused, so it can often be carved back out.

>_ foremost image.dd
Processing: image.dd
|foundat=flag.txtUT 
*|

>_ tree output
output
├── audit.txt
└── zip
    └── 00000104.zip

1 directory, 2 files

All right, only the directory entry was removed and the data is still there: foremost has carved a zip file out of the image.
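To see what foremost is doing for us, here is an added example (not part of the original write-up) that walks the FAT16 root directory of an image with the geometry printed by `file` above, lists entries whose first byte is 0xE5, and reads the file back from its start cluster. It assumes 512 bytes per sector and two FAT copies (the mkfs.fat defaults, which `file` does not print); with those values cluster 3 starts at sector 104, which matches the 00000104 in foremost's output name. The sample image is constructed in the code.

```python
import struct

# FAT16 geometry from the `file` output above. `file` does not print bytes per
# sector or the number of FAT copies; 512 and 2 are mkfs.fat defaults (assumed).
BYTES_PER_SECTOR, SECTORS_PER_CLUSTER = 512, 4
RESERVED_SECTORS, NUM_FATS, SECTORS_PER_FAT = 4, 2, 32
ROOT_ENTRIES, ENTRY_SIZE = 512, 32

def root_dir_offset():
    """Root directory sits right after the reserved sectors and the FATs."""
    return (RESERVED_SECTORS + NUM_FATS * SECTORS_PER_FAT) * BYTES_PER_SECTOR

def cluster_offset(cluster):
    """Byte offset of a data cluster; the data area starts at cluster 2."""
    data_start = root_dir_offset() + ROOT_ENTRIES * ENTRY_SIZE
    return data_start + (cluster - 2) * SECTORS_PER_CLUSTER * BYTES_PER_SECTOR

def parse_entry(raw):
    """Decode one 32-byte directory entry; None for free or long-name entries."""
    if raw[0] == 0x00 or (raw[11] & 0x0F) == 0x0F:
        return None
    deleted = raw[0] == 0xE5                      # deletion only overwrites byte 0
    base = (b"?" if deleted else raw[:1]) + raw[1:8]
    name = base.decode("ascii", "replace").rstrip()
    ext = raw[8:11].decode("ascii", "replace").rstrip()
    cluster, size = struct.unpack_from("<HI", raw, 26)
    return {"name": f"{name}.{ext}" if ext else name, "deleted": deleted,
            "cluster": cluster, "size": size}

def deleted_root_entries(image):
    """Deleted entries whose metadata is still present in the root directory."""
    off = root_dir_offset()
    entries = (parse_entry(image[off + i * ENTRY_SIZE:off + (i + 1) * ENTRY_SIZE])
               for i in range(ROOT_ENTRIES))
    return [e for e in entries if e and e["deleted"]]

def recover(image, entry):
    """Read `size` bytes from the start cluster. The FAT chain is zeroed on
    delete, so this only recovers files that were stored contiguously."""
    start = cluster_offset(entry["cluster"])
    return bytes(image[start:start + entry["size"]])

def make_sample_image():
    """Constructed image: a deleted FLAG.ZIP entry whose data sits in cluster 3."""
    payload = b"PK\x03\x04" + bytes(26) + b"flag.txt" + bytes(21)
    image = bytearray(cluster_offset(3) + SECTORS_PER_CLUSTER * BYTES_PER_SECTOR)
    entry = b"\xE5LAG    ZIP" + bytes(15) + struct.pack("<HI", 3, len(payload))
    image[root_dir_offset():root_dir_offset() + ENTRY_SIZE] = entry
    image[cluster_offset(3):cluster_offset(3) + len(payload)] = payload
    return image
```

Running `deleted_root_entries(make_sample_image())` reports the entry at cluster 3, and `cluster_offset(3) // 512` gives sector 104. For a fragmented file the start cluster alone is not enough, which is why signature carving (foremost's approach) is the more general fallback.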

>_ unzip output/zip/00000104.zip
Archive:  output/zip/00000104.zip
[output/zip/00000104.zip] flag.txt password: 
password incorrect--reenter: 
password incorrect--reenter: 
   skipping: flag.txt                incorrect password

Well, the archive is protected by a password. We'll try to find it with john and rockyou.txt.

>_ zip2john output/zip/00000104.zip > hash_zip.txt
ver a  efh 5455  efh 7875  00000104.zip->flag.txt PKZIP Encr: 2b chk, TS_chk, cmplen=59, decmplen=47, crc=7E07DB

>_ cat hash_zip.txt
00000104.zip:$pkzip2$1*2*2*0*3b*2f*7e07db*0*42*0*3b*007e*4eb7*399acb6af22539a7f11c775c72b0bcc5721b39af9b4fa11545f84392dbd1182ba60fb59a79cd9b06974ba9e2b1dbaac52c7df4a18fb957c8ff7e92*$/pkzip2$:::::output/zip/00000104.zip

>_ john --wordlist=~/ctf/wordlists/rockyou.txt --format=PKZIP hash_zip.txt
Loaded 1 password hash (PKZIP [32/64])
No password hashes left to crack (see FAQ)

>_ john --show hash_zip.txt
00000104.zip:password:::::output/zip/00000104.zip

1 password hash cracked, 0 left

And the archive password is password.

>_ unzip output/zip/00000104.zip
Archive:  output/zip/00000104.zip
[output/zip/00000104.zip] flag.txt password: 
extracting: flag.txt

>_ cat flag.txt
ECSC{eefea8cda693390c7ce0f6da6e388089dd615379}

FLAG_IS:

ECSC{eefea8cda693390c7ce0f6da6e388089dd615379}