Tags: forensics 

A trip to grandma's house

We were given an HDD.vdi file, which is a VirtualBox VM. The challenge description was: "This Christmas I went to grandma's house and booted up my old computer from when I was a kid! Sadly, I don't remember my password, but I'm really curious to see what I had in there :("

First I booted up the VM and noticed it was Windows 98. The first task was to bypass the login screen, which was easy to do if you know that Windows 9x products didn't really have any security features. So you could simply press the ESC key to cancel the login prompt and you were in.

  • If you had the problem that the VM was trying to connect to the localhost, then you needed to reinstall the VM, but disconnect the network adapters before booting it up for the first time.

Once you bypassed the login prompt you were on the Desktop, where you needed to find the next task or thing to do. It took me a while, but I noticed a file called secret, which you needed for the second task. You also had to find a way to do something with the file. That's when I noticed there was a program on the Desktop called TrueCrypt. This program was there to mount encrypted files with a password. So you needed a password...

If you followed the challenge tip ("Hint! Try to login to the Desktop without changing the resolution of the VM.") and looked closely at the Desktop, then you noticed that a few of the files on the Desktop were arranged as the password.

[Desktop Screenshot]

It said MyseKrit d4tum, but if you followed what was on the wallpaper then it would be mysekritd4tum. When you opened TrueCrypt you could add the file, and with the password you could then decrypt and mount it. Another thing to mention: if, like me, you aren't from a native English-speaking country and you have a different keyboard layout, then you probably typed the password wrong every time. The problem is that on a German keyboard the y and z are switched, so I wrote mzsekritd4tum every time, not mysekritd4tum.

If you finally managed to mount it, then you were left with a few folders and files. After a bit of searching on Google I found out that the .mca files in the regions folder were Minecraft "Anvil" Map Files. It took me quite a while to figure this out, but then it was fairly easy.

I installed Minecraft, which wasn't really necessary, copied the files into the map directory and started the world. The moment it launched I just saw bedrock, so I thought to myself that it would probably be so large that you aren't supposed to find it in the game itself. I downloaded a Minecraft world parser (Chunky in my case) and extracted all blocks onto a 2D map. The flag was just written in blocks on the map.

[Chunky Output]
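For triage without installing the game, the .mca container itself is simple to read. The following is an added example, not part of the original write-up and not how Chunky works internally: it walks the region header (1024 location entries, then 1024 timestamps) and decompresses each stored chunk to raw NBT, skipping corrupt entries. The helper make_sample_region and its values are constructed test input.

```python
import gzip
import struct
import zlib

SECTOR = 4096  # region files are laid out in 4 KiB sectors

def list_chunks(region: bytes):
    """Return [(local_x, local_z, timestamp, nbt_bytes)] for every readable chunk."""
    if len(region) < 2 * SECTOR:
        raise ValueError("truncated region header")
    found = []
    for idx in range(1024):                      # 32 x 32 chunks per region
        offset = int.from_bytes(region[idx * 4:idx * 4 + 3], "big")  # in sectors
        start = offset * SECTOR
        if offset < 2 or start + 5 > len(region):
            continue                             # absent chunk or corrupt pointer
        (timestamp,) = struct.unpack_from(">I", region, SECTOR + idx * 4)
        length, scheme = struct.unpack_from(">IB", region, start)
        payload = region[start + 5:start + 4 + length]
        if length < 1 or len(payload) != length - 1:
            continue                             # length runs past end of file
        try:
            if scheme == 1:
                nbt = gzip.decompress(payload)
            elif scheme == 2:
                nbt = zlib.decompress(payload)
            elif scheme == 3:
                nbt = payload                    # stored uncompressed
            else:
                continue                         # unknown compression scheme
        except (OSError, EOFError, zlib.error):
            continue                             # damaged stream, skip it
        found.append((idx % 32, idx // 32, timestamp, nbt))
    return found

def make_sample_region() -> bytes:
    """Constructed test input: one zlib chunk at local (3, 5)."""
    nbt = b"\x0a\x00\x00\x00"                    # empty root TAG_Compound + TAG_End
    body = zlib.compress(nbt)
    header = bytearray(2 * SECTOR)
    idx = 3 + 5 * 32                             # table index = x + z * 32
    header[idx * 4:idx * 4 + 4] = (2).to_bytes(3, "big") + b"\x01"
    struct.pack_into(">I", header, SECTOR + idx * 4, 1234)
    chunk = struct.pack(">IB", len(body) + 1, 2) + body
    return bytes(header) + chunk.ljust(SECTOR, b"\x00")

if __name__ == "__main__":
    for x, z, ts, nbt in list_chunks(make_sample_region()):
        print(f"chunk ({x},{z}) ts={ts} nbt={len(nbt)} bytes")
```

On a real file, pass the bytes of one r.X.Z.mca from the mounted volume; the chunk's world position is the region coordinates from the file name times 32 plus the local x and z.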

So this was the challenge.

Flag was: X-MAS{Druaga1_W0uld've_ruN_th1s_0n_4n_SSD}