Category: Forensic
Points: 43
Description: I deleted my flag by mistake, could you recover it for me?
Files: image.dd
A password-protected zip is found in a disk image. John helps us to retrieve the archive password to get the flag.
First we look at the type of file we are dealing with.
>_ file image.dd
image.dd: DOS/MBR boot sector, code offset 0x3c+2, OEM-ID "mkfs.fat", sectors/cluster 4, reserved sectors 4, root entries 512, sectors 32768 (volumes <=32 MB), Media descriptor 0xf8, sectors/FAT 32, sectors/track 32, heads 64, serial number 0x3be84c04, unlabeled, FAT (16 bit)
Since we have a FAT partition, we mount it and look at what's inside.
>_ mkdir -pv tmp
mkdir: created directory 'tmp'
>_ sudo mount image.dd tmp
[sudo] password for lambdhack:
>_ sudo ls -al tmp
total 20
drwxr-xr-x 2 root root 16384 Jan 1 1970 .
drwxr-xr-x 5 lambdhack users 4096 Jun 9 22:26 ..
Okay, there's nothing in it when we mount the partition. This is probably due to the fact that the file has been deleted. The file can still be present if it is just the inode that has been deleted.
>_ foremost image.dd
Processing: image.dd
|foundat=flag.txtUT
*|
>_ tree output
output
├── audit.txt
└── zip
└── 00000104.zip
1 directory, 2 files
All right, it is just the inode that has been deleted because foremost has found a zip file.
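What a signature carver does at this step, as an added Python example (not part of the original write-up and not foremost's code): it scans the raw image for the ZIP local file header signature, then reads the file name, sizes and encryption flag from that header, which is why unzip asks for a password in the next step. The function names and the sample image are assumptions constructed for illustration; the sample ZIP is placed at sector 104 to mirror the carved file name 00000104.zip.

```python
import io
import struct
import zipfile

SECTOR = 512                      # sector size used to report hit positions
LFH_SIG = b"PK\x03\x04"           # ZIP local file header signature
LFH_FMT = "<4sHHHHHIIIHH"         # fixed 30-byte part of that header
SAMPLE = b"constructed sample data, not the challenge flag\n"


def scan_zip_headers(image):
    """Return one dict per ZIP local file header found anywhere in image."""
    hits = []
    pos = image.find(LFH_SIG)
    while pos != -1:
        fixed = image[pos:pos + 30]
        if len(fixed) == 30:
            (_sig, _ver, flags, method, _time, _date, crc,
             csize, usize, nlen, _xlen) = struct.unpack(LFH_FMT, fixed)
            name = image[pos + 30:pos + 30 + nlen].decode("cp437", "replace")
            hits.append({
                "offset": pos, "sector": pos // SECTOR, "name": name,
                "encrypted": bool(flags & 0x0001),   # general-purpose bit 0
                "method": method, "crc32": crc,
                "csize": csize, "usize": usize,
            })
        pos = image.find(LFH_SIG, pos + 4)
    return hits


def build_sample_image(sector=104, encrypted=True):
    """Constructed input: a zero-filled 128 KiB 'disk' with a ZIP at `sector`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("flag.txt", SAMPLE)
    blob = bytearray(buf.getvalue())
    if encrypted:
        # zipfile cannot write encrypted members, so only the header flag is
        # set here (offset 6 = flags field); the data itself stays unencrypted.
        blob[6] |= 0x01
    image = bytearray(128 * 1024)
    start = sector * SECTOR
    image[start:start + len(blob)] = blob
    return bytes(image)


if __name__ == "__main__":
    for hit in scan_zip_headers(build_sample_image()):
        print(hit)
```

To run it against a real image, pass the file's bytes to scan_zip_headers; a hit with "encrypted" set tells you before extraction that a password will be required.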
>_ unzip output/zip/00000104.zip
Archive: output/zip/00000104.zip
[output/zip/00000104.zip] flag.txt password:
password incorrect--reenter:
password incorrect--reenter:
skipping: flag.txt incorrect password
Well, the archive is protected by a password. We'll try to find it with john and rockyou.txt.
>_ zip2john output/zip/00000104.zip > hash_zip.txt
ver a efh 5455 efh 7875 00000104.zip->flag.txt PKZIP Encr: 2b chk, TS_chk, cmplen=59, decmplen=47, crc=7E07DB
>_ cat hash_zip.txt
00000104.zip:$pkzip2$1*2*2*0*3b*2f*7e07db*0*42*0*3b*007e*4eb7*399acb6af22539a7f11c775c72b0bcc5721b39af9b4fa11545f84392dbd1182ba60fb59a79cd9b06974ba9e2b1dbaac52c7df4a18fb957c8ff7e92*$/pkzip2$:::::output/zip/00000104.zip
>_ john --wordlist=~/ctf/wordlists/rockyou.txt --format=PKZIP hash_zip.txt
Loaded 1 password hash (PKZIP [32/64])
No password hashes left to crack (see FAQ)
>_ john --show hash_zip.txt
00000104.zip:password:::::output/zip/00000104.zip
1 password hash cracked, 0 left
And the archive password is "password".
>_ unzip output/zip/00000104.zip
Archive: output/zip/00000104.zip
[output/zip/00000104.zip] flag.txt password:
extracting: flag.txt
>_ cat flag.txt
ECSC{eefea8cda693390c7ce0f6da6e388089dd615379}