NTFS

Category: Forensic

Points: 50

Description:

NTFS

Files: ntfs.7z

Note: The challenge organizers do not allow the sources to be made available.

TL;DR

A file is found in an NTFS partition thanks to the MFT.

Methodology

We start with a 7z archive.

>_ file -k ntfs.7z
ntfs2.7z: 7-zip archive data, version 0.4\012- data

We decompress the archive.

>_ 7z e ntfs2.7z

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,8 CPUs Intel(R) Core(TM) i5-8350U CPU @ 1.70GHz (806EA),ASM,AES-NI)

Scanning the drive for archives:
1 file, 28439786 bytes (28 MiB)

Extracting archive: ntfs2.7z
--
Path = ntfs2.7z
Type = 7z
Physical Size = 28439786
Headers Size = 170
Method = LZMA2:26 7zAES
Solid = -
Blocks = 1

Enter password (will not be echoed):
ERROR: Data Error in encrypted file. Wrong password? : for_medium.img

Sub items Errors: 1

Archives with Errors: 1

Sub items Errors: 1

Great, we have an encrypted archive and we have no information to recover the password!

We're going to try a brute force with rockyou.txt. The problem is that John and Hashcat are unable to correctly generate a hash of the archive.


A little research on GitHub turns up a small script that does the job for us.

>_ 7z_bruteforce.py ntfs.7z rockyou.txt
Password found: infected

And now we can extract the file for_medium.img.

>_ 7z e ntfs.7z

7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,8 CPUs Intel(R) Core(TM) i5-8350U CPU @ 1.70GHz (806EA),ASM,AES-NI)

Scanning the drive for archives:
1 file, 28439786 bytes (28 MiB)

Extracting archive: ntfs.7z
--
Path = ntfs.7z
Type = 7z
Physical Size = 28439786
Headers Size = 170
Method = LZMA2:26 7zAES
Solid = -
Blocks = 1

Enter password (will not be echoed):
Everything is Ok     

Size:       2684354560
Compressed: 28439786

We get an NTFS image, hence the title of the challenge!

>_ file -k for_medium.img
for_medium.img: DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS    ", sectors/cluster 8, Media descriptor 0xf8, sectors/track 0, dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor); NTFS, sectors 5242879, $MFT start cluster 4, $MFTMirror start cluster 327679, bytes/RecordSegment 2^(-1*246), clusters/index block 1, serial number 01d66d0eb2ff5e7f3\012- DOS/MBR boot sector\012-  DOS/MBR boot sector DOS executable (COM), boot code\012-  (Lepton 3.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 0.000000\012-  (Lepton 2.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 0.000000\012- data

>_ fdisk -l for_medium.img
Disk for_medium.img: 2.51 GiB, 2684354560 bytes, 5242880 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x00000000

Device          Boot Start     End Sectors  Size Id Type
for_medium.img1       2048 5242879 5240832  2.5G 87 NTFS volume set

First reflex, you never know!

>_ strings for_medium.img| grep --color=auto -i ecw
https://challenge-ecw.fr/
https://challenge-ecw.fr/
rc:ecW6
ecw_
EcW"
3pEcw
FECw
ECWA
eCW^>
)ECW
EcW"
3pEcw
HECw
becWl
ECWA
eCW^>
)ECW
EcW"
3pEcw

We're mounting the image to see what's in it.

>_ sudo mount -t auto -o loop for_medium.img usb
[sudo] password for lambdhack:

>_ cd usb

>_ ls -al
total 13046
drwxrwxrwx 1 root      root     4096 Mar 25  2019 ./
drwxr-xr-x 9 lambdhack users    4096 Oct 24 21:37 ../
drwxrwxrwx 1 root      root     4096 Mar 22  2019 divers/
drwxrwxrwx 1 root      root     4096 Oct  6 12:47 .download/
-rwxrwxrwx 1 root      root   661506 Mar 22  2019 guide_802.1x_anssi_pa_043_v1.pdf
-rwxrwxrwx 1 root      root  1761720 Mar 22  2019 guide_admin_securisee_si_anssi_pa_022_v2.pdf
-rwxrwxrwx 1 root      root   752146 Mar 22  2019 guide-charte-utilisation-moyens-informatiques-outils-numeriques_anssi.pdf
-rwxrwxrwx 1 root      root   495875 Mar 22  2019 guide_cloisonnement_systeme_anssi_pg_040_v1.pdf
-rwxrwxrwx 1 root      root  4793303 Mar 22  2019 guide_hygiene_informatique_anssi.pdf
-rwxrwxrwx 1 root      root  2659730 Mar 22  2019 guide-methode-ebios-risk-manager.pdf
-rwxrwxrwx 1 root      root  1002452 Mar 22  2019 guide_sns_anssi_bp_031_v.2.0.pdf
-rwxrwxrwx 1 root      root      180 Mar 25  2019 liens_utiles.txt
-rwxrwxrwx 1 root      root      225 Mar 25  2019 liens_utiles.txt~
-rwxrwxrwx 1 root      root   997307 Mar 22  2019 linux_configuration-fr-v1.2.pdf
-rwxrwxrwx 1 root      root   188936 Mar 22  2019 np_cryhod_notetech.pdf
drwxrwxrwx 1 root      root     4096 Mar 22  2019 reseau/
-rwxrwxrwx 1 root      root        0 Mar 22  2019 tmp
-rwxrwxrwx 1 root      root       36 Mar 22  2019 tools.pdf
drwxrwxrwx 1 root      root        0 Mar 22  2019 windows/

The .download folder looks interesting but it's just a troll.

>_ ls -al .download
total 3688
drwxrwxrwx 1 root root    4096 Oct  6 12:47 ./
drwxrwxrwx 1 root root    4096 Mar 25  2019 ../
-rwxrwxrwx 1 root root  374318 Mar 22  2019 27158365900_6d256cfae8_h.jpg
-rwxrwxrwx 1 root root   64526 Mar 25  2019 clue.jpg
-rwxrwxrwx 1 root root   77140 Mar 25  2019 ECW_flag_test.jpg
-rwxrwxrwx 1 root root  108838 Mar 25  2019 example.jpg
-rwxrwxrwx 1 root root 3136473 Mar 22  2019 Red_Kitten_01.jpg


By comparing the 2 liens_utiles files we get a site that looks interesting.

>_ cat liens_utiles.txt
https://www.thalesgroup.com/fr
https://github.com/swisskyrepo/PayloadsAllTheThings
https://guif.re/windowseop
https://hausec.com/
https://adsecurity.org/
https://challenge-ecw.fr/

>_ cat liens_utiles.txt~
https://www.thalesgroup.com/fr
https://github.com/swisskyrepo/PayloadsAllTheThings
https://guif.re/windowseop
https://hausec.com/
https://adsecurity.org/
https://challenge-ecw.fr/
https://6215a8ee0353577b9a296542095b6eef.io/

After searching, the site does not exist and crackstation fails to crack the hash.

Maybe we'll have better luck with foremost.

>_ foremost for_medium.img
Processing: for_medium.img
|**************************|

>_ tree
.
├── for_medium.img
└── output
    ├── audit.txt
    ├── jpg
    │   ├── 00721864.jpg
    │   ├── 00722113.jpg
    │   ├── 00788688.jpg
    │   ├── 00886672.jpg
    │   ├── 01049912.jpg
    │   ├── 01050064.jpg
    │   ├── 01282240.jpg
    │   ├── 01315008.jpg
    │   ├── 01315744.jpg
    │   ├── 01315872.jpg
    │   └── 01381376.jpg
    └── pdf
        ├── 00656352.pdf
        ├── 00689088.pdf
        ├── 00754624.pdf
        ├── 00787392.pdf
        ├── 00820160.pdf
        ├── 00852928.pdf
        ├── 00885696.pdf
        ├── 00918464.pdf
        ├── 00951232.pdf
        ├── 00984000.pdf
        ├── 01016768.pdf
        ├── 01049536.pdf
        ├── 01082304.pdf
        ├── 01115072.pdf
        ├── 01180608.pdf
        ├── 01213376.pdf
        ├── 01246144.pdf
        └── 01278912.pdf

3 directories, 31 files

There are more images but they are only thumbnails of the images already found.

Since we have nothing when mounting the partition and tools like binwalk/foremost don't give us anything, we will try another approach.


We're going to use testdisk, which is very convenient for going through disk images. As NTFS is a journaling file system, testdisk lets us recover potentially deleted files thanks to the MFT.

NB: we re-extract the image from the archive, because mounting it may have modified or even deleted log data.

We open our image with testdisk and choose Proceed to start.

>_ testdisk for_medium.img
TestDisk 7.0, Data Recovery Utility, April 2015
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

  TestDisk is free software, and
comes with ABSOLUTELY NO WARRANTY.

Select a media (use Arrow keys, then press Enter):
>Disk for_medium.img - 2684 MB / 2560 MiB

>[Proceed ]  [  Sudo  ]  [  Quit  ]

As we have an NTFS partition, we choose None, which testdisk offers us by default.

TestDisk 7.0, Data Recovery Utility, April 2015
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Disk for_medium.img - 2684 MB / 2560 MiB

Please select the partition table type, press Enter when done.
 [Intel  ] Intel/PC partition
 [EFI GPT] EFI GPT partition map (Mac i386, some x86_64...)
 [Humax  ] Humax partition table
 [Mac    ] Apple partition map
>[None   ] Non partitioned media
 [Sun    ] Sun Solaris partition
 [XBox   ] XBox partition
 [Return ] Return to disk selection

Hint: None partition table type has been detected.
Note: Do NOT select 'None' for media with only a single partition. It's very
rare for a disk to be 'Non-partitioned'.

Select Advanced.

TestDisk 7.0, Data Recovery Utility, April 2015
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Disk for_medium.img - 2684 MB / 2560 MiB
     CHS 327 255 63 - sector size=512

 [ Analyse  ] Analyse current partition structure and search for lost partitions
>[ Advanced ] Filesystem Utils
 [ Geometry ] Change disk geometry
 [ Options  ] Modify options
 [ Quit     ] Return to disk selection

Note: Correct disk geometry is required for a successful recovery. 'Analyse'
process may give some warnings if it thinks the logical geometry is mismatched.

We list the files that are in the partition.

TestDisk 7.0, Data Recovery Utility, April 2015
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Disk for_medium.img - 2684 MB / 2560 MiB - CHS 327 255 63

     Partition                  Start        End    Size in sectors
>   P NTFS                     0   0  1   326  90 20    5242880

 [  Type  ]  [  Boot  ] >[  List  ]  [Undelete]  [Image Creation]  [  Quit  ]
                              Boot sector recovery

We check whether any new files or folders appear compared with what we had in the mounted image, but there is nothing new.

TestDisk 7.0, Data Recovery Utility, April 2015
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
   P NTFS                     0   0  1   326  90 20    5242880
Directory /

>dr-xr-xr-x     0     0         0 24-Oct-2019 21:42 .
 dr-xr-xr-x     0     0         0 24-Oct-2019 21:42 ..
 dr-xr-xr-x     0     0         0  6-Oct-2019 12:47 .download
 dr-xr-xr-x     0     0         0 22-Mar-2019 17:54 divers
 dr-xr-xr-x     0     0         0 22-Mar-2019 17:54 reseau
 dr-xr-xr-x     0     0         0 22-Mar-2019 17:54 windows
 -r--r--r--     0     0    752146 22-Mar-2019 17:54 guide-charte-utilisation-moyens-informatiques-outils-numeriques_ans
 -r--r--r--     0     0   2659730 22-Mar-2019 17:54 guide-methode-ebios-risk-manager.pdf
 -r--r--r--     0     0    661506 22-Mar-2019 17:54 guide_802.1x_anssi_pa_043_v1.pdf
 -r--r--r--     0     0   1761720 22-Mar-2019 17:54 guide_admin_securisee_si_anssi_pa_022_v2.pdf
 -r--r--r--     0     0    495875 22-Mar-2019 17:54 guide_cloisonnement_systeme_anssi_pg_040_v1.pdf
 -r--r--r--     0     0   4793303 22-Mar-2019 17:54 guide_hygiene_informatique_anssi.pdf
 -r--r--r--     0     0   1002452 22-Mar-2019 17:54 guide_sns_anssi_bp_031_v.2.0.pdf
 -r--r--r--     0     0       180 25-Mar-2019 11:14 liens_utiles.txt
 -r--r--r--     0     0       225 25-Mar-2019 11:14 liens_utiles.txt~
 -r--r--r--     0     0    997307 22-Mar-2019 17:54 linux_configuration-fr-v1.2.pdf
 -r--r--r--     0     0    188936 22-Mar-2019 17:54 np_cryhod_notetech.pdf
 -r--r--r--     0     0         0 22-Mar-2019 17:29 tmp
 -r--r--r--     0     0        36 22-Mar-2019 17:54 tools.pdf

                                                   Next
Use Right to change directory, h to hide Alternate Data Stream
    q to quit, : to select the current file, a to select all files
    C to copy the selected files, c to copy the current file

TestDisk 7.0, Data Recovery Utility, April 2015
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
   P NTFS                     0   0  1   326  90 20    5242880
Directory /.download

>dr-xr-xr-x     0     0         0  6-Oct-2019 12:47 .
 dr-xr-xr-x     0     0         0 24-Oct-2019 21:42 ..
 -r--r--r--     0     0    374318 22-Mar-2019 18:05 27158365900_6d256cfae8_h.jpg
 -r--r--r--     0     0     77140 25-Mar-2019 15:42 ECW_flag_test.jpg
 -r--r--r--     0     0   3136473 22-Mar-2019 18:05 Red_Kitten_01.jpg
 -r--r--r--     0     0     64526 25-Mar-2019 15:44 clue.jpg
 -r--r--r--     0     0    108838 25-Mar-2019 15:42 example.jpg

                                                   Next
Use Left arrow to go back, Right to change directory, h to hide Alternate Data Stream
    q to quit, : to select the current file, a to select all files
    C to copy the selected files, c to copy the current file

We go back and select Undelete to see the deleted files.

TestDisk 7.0, Data Recovery Utility, April 2015
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Disk for_medium.img - 2684 MB / 2560 MiB - CHS 327 255 63

     Partition                  Start        End    Size in sectors
>   P NTFS                     0   0  1   326  90 20    5242880

 [  Type  ]  [  Boot  ]  [  List  ] >[Undelete]  [Image Creation]  [  Quit  ]
                                 File undelete

And then we get 5 files that were in the .download folder.

TestDisk 7.0, Data Recovery Utility, April 2015
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
   P NTFS                     0   0  1   326  90 20    5242880
Deleted files

>./3590F75ABA9E485486C100C1A9D4FF06NKQITXGIIGQUSKWT                                         25-Mar-2019 14:07 261795840
 /.download/ECW_flag.jpg                                                                    25-Mar-2019 15:42     52746
 /.download/methodology.jpg                                                                 25-Mar-2019 15:43    113105
 /.download/special_kitten.png                                                              25-Mar-2019 16:08   1688578
 /.download/toto.png                                                                        25-Mar-2019 13:15   1688536
 /.download/toto.png:ads                                                                    25-Mar-2019 13:15         7
 Z..Z..ZZ...Z..ZZ/Z....ZZZ.ZZ.ZZZZ                                                          25-Mar-2019 14:06       592
 Z..Z..ZZ...Z..ZZ/Z...Z..ZZ..Z.ZZZ                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/Z..Z....Z.Z...ZZ                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/Z..Z..Z..ZZZZ.ZZ                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/Z..Z.Z...ZZ.Z.ZZ                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/Z..Z.ZZ....Z.ZZZ                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/Z..Z.ZZ.Z..Z.Z.Z                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/Z..ZZ....ZZ.Z.ZZ                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/Z..ZZ.Z.Z...Z..Z                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/Z..ZZ.ZZ.ZZ...ZZ                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/Z.Z.Z....Z..Z..Z                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/Z.Z.ZZZ..Z.....Z                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/Z.ZZZZ..ZZ.ZZZ.Z                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/Z.ZZZZZZ...ZZ..Z                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/ZZ.....Z...ZZ.ZZ                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/ZZ...ZZ.Z...ZZZZ                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/ZZ.Z..ZZ.ZZZZZZZ                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/ZZ.ZZ.Z....ZZZ.Z                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/ZZ.ZZ.ZZZZZZZ..Z                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/ZZ.ZZZZ...ZZZ.ZZ                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/ZZZ...ZZZZ.Z.Z.Z                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/ZZZ.Z.Z.ZZ..Z.ZZ                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/ZZZ.Z.ZZZZZZ.ZZZ                                                          25-Mar-2019 14:06       592
 Z..Z..ZZ...Z..ZZ/ZZZ.ZZZZZ.Z.Z..Z                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/ZZZZ.ZZ....Z...Z                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/ZZZZ.ZZ.ZZ.....Z                                                          25-Mar-2019 14:06       600

Use : to select the current file, a to select/deselect all files,
    C to copy the selected files, c to copy the current file, q to quit
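The MFT-based recovery described above, and the `toto.png:ads` stream that TestDisk lists, can be reproduced by hand. The following is an added example, not code from the original write-up or from TestDisk: a minimal Python parser that undoes the update-sequence fixups, walks a FILE record's attributes, and reports every stream of records whose in-use flag is clear (a named $DATA attribute is an alternate data stream). The MFT it runs on is constructed inside the block; `build_record`, `_attr` and the three sample records are assumptions for illustration, not data taken from for_medium.img.

```python
import struct
RECORD_SIZE, USN, ATTR_FILE_NAME, ATTR_DATA, ATTR_END = 1024, b"\x01\x00", 0x30, 0x80, 0xFFFFFFFF

def apply_fixups(rec):
    """Undo the update sequence array (each sector's last word holds the USN; originals sit in the array)."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn, out = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_count):
        if out[i * 512 - 2:i * 512] != usn:      # torn write or tampered record
            raise ValueError("fixup mismatch in sector %d" % (i - 1))
        out[i * 512 - 2:i * 512] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(out)

def parse_record(rec):
    """Return {in_use, name, streams} for one FILE record, or None if it is not one."""
    if rec[:4] != b"FILE":
        return None
    rec = apply_fixups(rec)
    off, flags = struct.unpack_from("<HH", rec, 0x14)            # first attribute offset, flags (bit0 = in use)
    entry = {"in_use": bool(flags & 1), "name": None, "streams": []}
    while off + 0x18 <= len(rec):
        atype, alen, nonres, nlen, noff = struct.unpack_from("<IIBBH", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        aname = rec[off + noff:off + noff + 2 * nlen].decode("utf-16-le")
        csize, coff = struct.unpack_from("<IH", rec, off + 0x10)  # resident content size / offset
        if atype == ATTR_FILE_NAME and not nonres:
            body = rec[off + coff:off + coff + csize]
            if body[0x41] != 2 or not entry["name"]:                # prefer the Win32 name over the DOS 8.3 alias
                entry["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        elif atype == ATTR_DATA:                                      # "" is the main stream, anything else an ADS
            size = struct.unpack_from("<Q", rec, off + 0x30)[0] if nonres else csize
            entry["streams"].append((aname, size))
        off += alen
    return entry

def find_deleted(mft):
    found = []                                                        # (name[:stream], size) of deleted records
    for i in range(0, len(mft) - RECORD_SIZE + 1, RECORD_SIZE):
        e = parse_record(mft[i:i + RECORD_SIZE])
        if e and not e["in_use"] and e["name"]:
            found += [(e["name"] + (":" + s if s else ""), n) for s, n in e["streams"]]
    return found

# Constructed test data: a minimal builder for resident-only FILE records (not a real image).
def _attr(atype, content, name=""):
    nb = name.encode("utf-16-le")
    coff = (0x18 + len(nb) + 7) & ~7
    total = (coff + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHH", atype, total, 0, len(name), 0x18, 0, 0, len(content), coff, 0)
    return (hdr + nb).ljust(coff, b"\0") + content.ljust(total - coff, b"\0")

def build_record(recno, in_use, name, streams):
    fn = struct.pack("<Q", 5) + bytes(0x30) + struct.pack("<IIBB", 0, 0, len(name), 1)  # namespace 1 = Win32
    attrs = _attr(ATTR_FILE_NAME, fn + name.encode("utf-16-le"))
    attrs += b"".join(_attr(ATTR_DATA, d, s) for s, d in streams) + struct.pack("<II", ATTR_END, 0)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, int(in_use),
                      0x38 + len(attrs), RECORD_SIZE, 0, 3, 0, recno)
    rec = bytearray((hdr + USN + bytes(6) + attrs).ljust(RECORD_SIZE, b"\0"))
    for i in (1, 2):                          # apply fixups: stash each sector's last word, stamp the USN
        rec[0x30 + 2 * i:0x30 + 2 * i + 2] = rec[i * 512 - 2:i * 512]
        rec[i * 512 - 2:i * 512] = USN
    return bytes(rec)

SAMPLE_MFT = (build_record(64, True, "clue.jpg", [("", b"\xff\xd8\xff")])                       # live file
              + build_record(65, False, "toto.png", [("", b"\x89PNG"), ("ads", b"toto \r\n")])   # deleted, with ADS
              + build_record(66, False, "ECW_flag.jpg", [("", b"\xff\xd8")]))                    # deleted
```

On a real volume the same walk is run over the extracted $MFT file; the fixup check is what separates an intact deleted record from a partially overwritten one.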

We extract all the files and see what they are.

>_ file -k .download/*
.download/ECW_flag.jpg:       JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 642x389, components 3\012- data
.download/methodology.jpg:    JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, progressive, precision 8, 500x701, components 3\012- data
.download/special_kitten.png: PNG image data, 8000 x 4500, 8-bit/color RGBA, non-interlaced\012- data
.download/toto.png:           PNG image data, 8000 x 4500, 8-bit/color RGBA, non-interlaced\012- data
.download/toto.png:ads:       ASCII text, with CRLF line terminators
>_ cat toto.png:ads
toto 


We get 2 more trolls and 2 almost identical images.

>_ exiftool toto.png
ExifTool Version Number         : 11.50
File Name                       : toto.png
Directory                       : .
File Size                       : 1649 kB
File Modification Date/Time     : 2019:03:25 13:15:15+01:00
File Access Date/Time           : 2019:10:24 22:37:01+02:00
File Inode Change Date/Time     : 2019:10:24 22:36:37+02:00
File Permissions                : rw-------
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Image Width                     : 8000
Image Height                    : 4500
Bit Depth                       : 8
Color Type                      : RGB with Alpha
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Noninterlaced
Pixels Per Unit X               : 11811
Pixels Per Unit Y               : 11811
Pixel Units                     : meters
Artist                          : FLAG
Image Size                      : 8000x4500
Megapixels                      : 36.0

>_ exiftool special_kitten.png
ExifTool Version Number         : 11.50
File Name                       : special_kitten.png
Directory                       : .
File Size                       : 1649 kB
File Modification Date/Time     : 2019:03:25 16:08:52+01:00
File Access Date/Time           : 2019:10:24 22:37:01+02:00
File Inode Change Date/Time     : 2019:10:24 22:36:37+02:00
File Permissions                : rw-------
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Image Width                     : 8000
Image Height                    : 4500
Bit Depth                       : 8
Color Type                      : RGB with Alpha
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Noninterlaced
Pixels Per Unit X               : 11811
Pixels Per Unit Y               : 11811
Pixel Units                     : meters
Artist                          : calculate Message Digest 5 of file and add one
Image Size                      : 8000x4500
Megapixels                      : 36.0

The only thing that changes between these 2 images is the Artist field. We quickly understand that to get our flag, we have to take the md5 of special_kitten.png and add 1.

>_ md5sum special_kitten.png
3d9382f08cd82a430a59343b21934752  special_kitten.png

Flag is:

ECW{3d9382f08cd82a430a59343b21934753}