Tags: forensics 


# A trip to grandma's house

We have given a HDD.vdi file which is a VirtualBox VM.
The Challenge description was,
*This Christmas I went to grandma's house and booted up my old computer from when I was a kid! Sadly, I don't remember my password, but I'm really curious to see what I had in there :(*

First I booted up the VM and noticed it was Windows 98.
The first task was to *bypass* the login screen which was easy to do if you know that Windows9x Products don't really had any security features.
So you could simply press the ESC key to cancel the login prompt and you were in.
- If you had a problem that the VM was trying to connect to the localhost then you needed to reinstall the VM but disconnect the network adapters first before booting it up the first time.

Once you bypassed the login prompt you were on the Desktop were you needed to find the next task or thing to do.
It took me a while but I noticed a file called **secret** which you needed for the second task.
You also had to find a way to do something with the file. That's when I noticed there was a program on the Desktop which was called TrueCrypt.
This program was there to mount encrypted *files* with a *password*.
So you needed a password...

If you followed the challenge tip *Hint! Try to login to the Desktop without changing the resolution of the VM.* and looked closely on the Desktop then you noticed that a few of the files on the Desktop were arranged as the password.
[Desktop Screenshot](https://drive.google.com/open?id=1rH1XwPb5mVuy9IDJ2BNsAjT-k-Q4yRcN)

It said *MyseKrit d4tum* but if you followed what was on the wallpaper then it would be *mysekritd4tum*.
When you opened TrueCrypt you could add the file and with the password and then you could decrypt and mount it.
**Another thing to mention is when you aren't from a native english speaking country as I am and you have a different keyboard layout then you typed the password probably everytime wrong.
The problem is that on a German keyboard the y and z are switched so I wrote every time *mzsekritd4tum* not *mysekritd4tum*.**

If you managed to finally mount it then you were left with a few folders and files.
After a bit of search on google I found out that the *.mca* files in the regions folder were Minecraft "Anvil" Map Files.
Took me quite a while to figure this out but then it was fairly easy.

I installed Minecraft, which wasn't really necessary, and copied the files into the map directory and started the world.
The moment it launched I just saw bedrock so I thought to myself it will probably be so large so that you aren't supposed to find it in the game itself.
I downloaded a Minecraft world parser (Chunky in my case) and extracted all blocks on a 2D map.
The flag was just written in blocks on the map.
[Chunky Output](https://drive.google.com/file/d/1Jfntoqle9cCGkWbD9msAVlIwv0ncvTmO/view?usp=sharing)

So this was the challenge.

**Flag was: X-MAS{Druaga1_W0uld've_ruN_th1s_0n_4n_SSD}**