Not so FAT

Category: Forensic

Points: 43

Description: I deleted my flag by mistake, could you find it for me?

Files: image.dd


A password-protected zip is found in a disk image. John helps us to retrieve the archive password to get the flag.


First we look at the type of file we are dealing with.

>_ file image.dd
image.dd: DOS/MBR boot sector, code offset 0x3c+2, OEM-ID "mkfs.fat", sectors/cluster 4, reserved sectors 4, root entries 512, sectors 32768 (volumes <=32 MB), Media descriptor 0xf8, sectors/FAT 32, sectors/track 32, heads 64, serial number 0x3be84c04, unlabeled, FAT (16 bit)

Since we have a FAT partition, we mount it and look at what's inside.

>_ mkdir -pv tmp
mkdir: created directory 'tmp'

>_ sudo mount image.dd tmp
[sudo] password for lambdhack:

>_ sudo ls -al tmp
total 20
drwxr-xr-x 2 root      root  16384 Jan  1  1970 .
drwxr-xr-x 5 lambdhack users  4096 Jun  9 22:26 ..

Okay, nothing shows up when we mount the partition, probably because the file has been deleted. The file's contents can still be present if only its metadata entry was removed (on FAT that is the directory entry rather than an inode).

>_ foremost image.dd
Processing: image.dd

>_ tree output
├── audit.txt
└── zip

1 directory, 2 files

All right, it is just the directory entry that has been deleted, because foremost has found a zip file.
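Why the mount is empty while foremost still carves the archive, as an added example that is not part of the original write-up: FAT marks a deleted file by overwriting the first byte of its directory entry with 0xE5 and freeing its clusters, leaving the contents on disk. The Python below lists such entries on a constructed FAT16 volume built with the geometry `file` reported; the 512-byte sectors, the two FAT copies, the file name and the payload are assumptions.

```python
import struct

SECTOR = 512  # assumed bytes per sector

def build_sample_image():
    """Constructed FAT16 volume with the geometry `file` reported and one deleted file."""
    spc, reserved, nfats, root_entries, spf = 4, 4, 2, 512, 32  # nfats=2 is assumed
    root_off = (reserved + nfats * spf) * SECTOR
    data_off = root_off + root_entries * 32
    img = bytearray(data_off + spc * SECTOR)
    struct.pack_into("<HBHBH", img, 11, SECTOR, spc, reserved, nfats, root_entries)
    struct.pack_into("<H", img, 22, spf)
    payload = b"PK\x03\x04 constructed sample payload"
    # Deleted entry: first name byte replaced by 0xE5, everything else left intact.
    entry = b"\xe5LAG    ZIP" + b"\x20" + bytes(14) + struct.pack("<HI", 2, len(payload))
    img[root_off:root_off + 32] = entry
    img[data_off:data_off + len(payload)] = payload  # cluster 2 is the first data cluster
    return bytes(img), payload

def deleted_entries(img):
    """Return (name, first_cluster, size, data) for root entries marked as deleted."""
    bps, spc, reserved, nfats, root_entries = struct.unpack_from("<HBHBH", img, 11)
    (spf,) = struct.unpack_from("<H", img, 22)
    root_off = (reserved + nfats * spf) * bps
    root_sectors = (root_entries * 32 + bps - 1) // bps
    data_off = root_off + root_sectors * bps
    found = []
    for i in range(root_entries):
        e = img[root_off + 32 * i:root_off + 32 * (i + 1)]
        if e[0] == 0x00:  # never-used slot: end of the directory
            break
        if e[0] != 0xE5 or e[11] == 0x0F:  # live entry or long-file-name fragment
            continue
        cluster, size = struct.unpack_from("<HI", e, 26)
        stem = e[1:8].decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        start = data_off + (cluster - 2) * spc * bps
        # The FAT chain is cleared on delete, so assume contiguous storage.
        found.append((f"?{stem}.{ext}", cluster, size, img[start:start + size]))
    return found

if __name__ == "__main__":
    image, _ = build_sample_image()
    for name, cluster, size, data in deleted_entries(image):
        print(name, "cluster", cluster, "size", size, data[:4])
```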

>_ unzip output/zip/
Archive:  output/zip/
[output/zip/] flag.txt password: 
password incorrect--reenter: 
password incorrect--reenter: 
   skipping: flag.txt                incorrect password

Well, the archive is protected by a password. We'll try to find it with john and rockyou.txt.

>_ zip2john output/zip/ > hash_zip.txt
ver a  efh 5455  efh 7875>flag.txt PKZIP Encr: 2b chk, TS_chk, cmplen=59, decmplen=47, crc=7E07DB

>_ cat hash_zip.txt
$pkzip2$1*2*2*0*3b*2f*7e07db*0*42*0*3b*007e*4eb7*399acb6af22539a7f11c775c72b0bcc5721b39af9b4fa11545f84392dbd1182ba60fb59a79cd9b06974ba9e2b1dbaac52c7df4a18fb957c8ff7e92*$/pkzip2$:::::output/zip/

>_ john --wordlist=~/ctf/wordlists/rockyou.txt --format=PKZIP hash_zip.txt
Loaded 1 password hash (PKZIP [32/64])
No password hashes left to crack (see FAQ)

>_ john --show hash_zip.txt

1 password hash cracked, 0 left

And the archive password is password.

>_ unzip output/zip/
Archive:  output/zip/
[output/zip/] flag.txt password: 
extracting: flag.txt

>_ cat flag.txt