CTFtime.org / BSidesTLV 2020 CTF / MoreWithLess / Writeup

# More With Less

### Challenge Text

>You need some EFF in your life.
>http://bsidesctf.s3-website.eu-central-1.amazonaws.com/MoreWithLess.E01

### Challenge Work

You are given no hints and a `.E01` Expert Witness (EnCase 6) file. So let us recover files with `ewftools`:

```
pwnbot :: ctfs/bsides/mwl % tsk_recover -e MoreWithLess.E01 recovered

pwnbot :: ctfs/bsides/mwl % ll recovered 130 ↵
total 1.4G
drwxrwxr-x. 4 galleywest galleywest 4.0K Jun 28 17:49 '$Extend'
drwxrwxr-x. 4 galleywest galleywest 4.0K Jun 28 17:49 '$Recycle.Bin'
-rw-rw-r--. 1 galleywest galleywest 1.4G Jun 28 17:49 pagefile.sys
drwxrwxr-x. 11 galleywest galleywest 4.0K Jun 28 17:50 ProgramData
drwxrwxr-x. 21 galleywest galleywest 4.0K Jun 28 17:49 'Program Files'
drwxrwxr-x. 16 galleywest galleywest 4.0K Jun 28 17:49 'Program Files (x86)'
drwxrwxr-x. 10 galleywest galleywest 4.0K Jun 28 17:50 Python38
-rw-rw-r--. 1 galleywest galleywest 16M Jun 28 17:50 swapfile.sys
drwxrwxr-x. 2 galleywest galleywest 4.0K Jun 28 17:50 'System Volume Information'
drwxrwxr-x. 5 galleywest galleywest 4.0K Jun 28 17:50 Users
drwxrwxr-x. 69 galleywest galleywest 4.0K Jun 28 17:53 Windows
```

First we notice there is a User named after the CTF...this is likely where we should look first. Digging around in here we notice that the History file for Google Chrome is present, and it is a SQLIte database:

```
pwnbot :: ctfs/bsides/mwl % ll recovered/Users
total 16K
drwxrwxr-x. 17 galleywest galleywest 4.0K Jun 28 17:50 bsidestlv2020
drwxrwxr-x. 3 galleywest galleywest 4.0K Jun 28 17:50 Default
-rw-rw-r--. 1 galleywest galleywest 174 Jun 28 17:50 desktop.ini
drwxrwxr-x. 10 galleywest galleywest 4.0K Jun 28 17:50 Public

pwnbot :: ctfs/bsides/mwl % file recovered/Users/bsidestlv2020/AppData/Local/Google/Chrome/User\ Data/Default/History
recovered/Users/bsidestlv2020/AppData/Local/Google/Chrome/User Data/Default/History: SQLite 3.x database, last written using SQLite version 3031001
```

Well, lets see what they searched for...

![flag_find.png](https://raw.githubusercontent.com/turnipsoup/ctfwriteups/master/BSidesTLV-2020/less-with-more/flag_find.png 'flag-find.png')

```
BSIDESTLV2020{HideYourNeedleInTheHayStack}
```

Original writeup (https://github.com/turnipsoup/ctfwriteups/tree/master/BSidesTLV-2020/less-with-more).

MoreWithLess

Comments

Sign in with