Check yourself so you won't wreck yourself

Category: Forensics

100 Points

Solved by the LordOfTheFlags Team

Solution:

First off we want to know what kind of file we are working with. That is checked with the Linux `file` utility as shown below:

```
ghostcat@LordOfTheFlags:~/Documents/BsidesTLV/Forensics/checkyoself$ file checkyourself.E01
checkyourself.E01: EWF/Expert Witness/EnCase image file format
```
So we see that it is an EWF image, the format used by EnCase. Searching the internet we can find a write-up in which someone mounts such a file and navigates the file system inside it (https://www.andreafortuna.org/2018/04/11/how-to-mount-an-ewf-image-file-e01-on-linux/).

Using the example commands provided in that article we performed the following steps to expose the raw disk image behind the E01 container:

```
ghostcat@LordOfTheFlags:~/Documents/BsidesTLV/Forensics/checkyoself$ mkdir mount_encase
ghostcat@LordOfTheFlags:~/Documents/BsidesTLV/Forensics/checkyoself$ mkdir windows_fs
ghostcat@LordOfTheFlags:~/Documents/BsidesTLV/Forensics/checkyoself$ sudo ewfmount checkyourself.E01 mount_encase/
efwmount 20140807

```

Now, to see what is inside the E01 file, we use the `fdisk` utility to list the partitions in the exposed image, as shown below:

```
ghostcat@LordOfTheFlags:~/Documents/BsidesTLV/Forensics/checkyoself$ sudo fdisk -l mount_encase/ewf1
Disk mount_encase/ewf1: 40 GiB, 42949672960 bytes, 83886080 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: E1EE055D-4293-4322-9DB1-11480F3861EB

Device Start End Sectors Size Type
mount_encase/ewf1p1 2048 1085439 1083392 529M Windows recovery environment
mount_encase/ewf1p2 1085440 1288191 202752 99M EFI System
mount_encase/ewf1p3 1288192 1320959 32768 16M Microsoft reserved
mount_encase/ewf1p4 1320960 83884031 82563072 39.4G Microsoft basic data
ghostcat@LordOfTheFlags:~/Documents/BsidesTLV/Forensics/checkyoself$
```
Now we can see that there is a Microsoft basic data partition starting at sector 1320960 with a size of 39.4G; that seems like the interesting partition to mount and browse around in.
We can mount that partition with the following command, taken from the example we found earlier. The `offset` option is the byte offset of the partition inside the image, i.e. its start sector multiplied by the 512-byte sector size:

```
ghostcat@LordOfTheFlags:~/Documents/BsidesTLV/Forensics/checkyoself$ sudo mount ./mount_encase/ewf1 ./windows_fs -o ro,loop,show_sys_files,streams_interace=windows,offset=$((1320960*512))
ghostcat@LordOfTheFlags:~/Documents/BsidesTLV/Forensics/checkyoself$ ls windows_fs
'$AttrDef' '$Secure' 'Program Files (x86)'
'$BadClus' '$UpCase' Recovery
'$Bitmap' '$Volume' swapfile.sys
'$Boot' 'Documents and Settings' 'System Volume Information'
'$Extend' pagefile.sys Users
'$LogFile' PerfLogs Windows
'$MFTMirr' ProgramData
'$Recycle.Bin' 'Program Files'
ghostcat@LordOfTheFlags:~/Documents/BsidesTLV/Forensics/checkyoself$
```
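As an added example (not part of the original write-up or of the tools it uses), the following Python reads the GPT partition entries exactly as `fdisk` did and derives the `offset=` value for the mount command (start sector multiplied by 512). The function names are mine, and the sample image is constructed from the four partitions in the `fdisk` listing above; the CRC32 fields are left zero, which real tooling would verify.

```python
import struct
import uuid

SECTOR = 512
# Well-known GPT partition type GUIDs for the four types fdisk reported on this image
TYPE_NAMES = {
    "ebd0a0a2-b9e5-4433-87c0-68b6b72699c7": "Microsoft basic data",
    "c12a7328-f81f-11d2-ba4b-00a0c93ec93b": "EFI System",
    "e3c9e316-0b5c-4db8-817d-f92df00215ae": "Microsoft reserved",
    "de94bba4-06d1-4d40-a16a-bfd50179d6ac": "Windows recovery environment",
}

def parse_gpt(image: bytes, sector: int = SECTOR):
    """Return the used partition entries of a GPT-labelled raw disk image."""
    hdr = image[sector:2 * sector]                # GPT header lives at LBA 1
    if hdr[:8] != b"EFI PART":
        raise ValueError("no GPT header at LBA 1")
    entries_lba, n_entries, entry_size = struct.unpack_from("<QII", hdr, 72)
    parts = []
    for i in range(n_entries):
        e = image[entries_lba * sector + i * entry_size:][:entry_size]
        type_guid = uuid.UUID(bytes_le=e[0:16])   # GUIDs are stored mixed-endian
        if type_guid.int == 0:
            continue                              # unused slot
        first, last = struct.unpack_from("<QQ", e, 32)
        parts.append({"index": i + 1, "start": first, "end": last,
                      "sectors": last - first + 1, "offset": first * sector,
                      "type": TYPE_NAMES.get(str(type_guid), str(type_guid)),
                      "name": e[56:128].decode("utf-16-le").rstrip("\x00")})
    return parts

def mount_offset_for(parts, type_name: str = "Microsoft basic data") -> int:
    """Byte offset to pass as mount -o offset=... for the first partition of that type."""
    for p in parts:
        if p["type"] == type_name:
            return p["offset"]
    raise LookupError(f"no partition of type {type_name!r}")

def build_sample_image() -> bytes:
    """Constructed 3-sector GPT image reproducing the partitions from the fdisk output above."""
    layout = [  # (type GUID, first LBA, last LBA, label) taken from the fdisk listing
        ("de94bba4-06d1-4d40-a16a-bfd50179d6ac", 2048, 1085439, "Recovery"),
        ("c12a7328-f81f-11d2-ba4b-00a0c93ec93b", 1085440, 1288191, "EFI"),
        ("e3c9e316-0b5c-4db8-817d-f92df00215ae", 1288192, 1320959, "MSR"),
        ("ebd0a0a2-b9e5-4433-87c0-68b6b72699c7", 1320960, 83884031, "Basic data"),
    ]
    entries = b"".join(uuid.UUID(t).bytes_le + uuid.UUID(int=i + 1).bytes_le
                       + struct.pack("<QQQ", a, b, 0) + n.encode("utf-16-le").ljust(72, b"\0")
                       for i, (t, a, b, n) in enumerate(layout))
    header = (b"EFI PART" + struct.pack("<IIII", 0x00010000, 92, 0, 0)   # CRC left zero
              + struct.pack("<QQQQ", 1, 83886079, 34, 83886046)
              + uuid.UUID("E1EE055D-4293-4322-9DB1-11480F3861EB").bytes_le
              + struct.pack("<QIII", 2, len(layout), 128, 0))           # entries at LBA 2
    return b"\0" * SECTOR + header.ljust(SECTOR, b"\0") + entries.ljust(SECTOR, b"\0")
```

Running `parse_gpt` on a real `ewf1` device would mean reading its first sectors with `open(path, "rb")` instead of `build_sample_image()`; the resulting offset is the value the `mount` command above expects.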
So we can see that there is a bunch of Windows files in here. We know that the flag starts with BSIDES, so we do a recursive, case-insensitive search for that string with `grep`, as shown below:

```
ghostcat@LordOfTheFlags:~/Documents/BsidesTLV/Forensics/checkyoself$ grep -inr BSIDES
grep: $Extend/$ObjId: No such file or directory
grep: $Extend/$Quota: No such file or directory
grep: $Extend/$Reparse: No such file or directory
grep: $Extend/$UsnJrnl: No such file or directory
$Recycle.Bin/S-1-5-21-3498983559-1615527653-2205644034-1001/$R0K6T9B.txt:1:BSIDESTLV{ICanSeeYouUnlessYouCleanUpAfterYourself}
grep: $Secure: No such file or directory
Binary file pagefile.sys matches
grep: Program Files/WindowsApps/Microsoft.GetHelp_10.2004.31291.0_x64__8wekyb3d8bbwe/Microsoft.Apps.Stubs.Handoff.winmd: Input/output error
grep: Program Files/WindowsApps/Microsoft.GetHelp_10.2004.31291.0_x64__8wekyb3d8bbwe/AppxBlockMap.xml: Input/output error
grep: Program Files/WindowsApps/Microsoft.GetHelp_10.2004.31291.0_x64__8wekyb3d8bbwe/AppxManifest.xml: Input/output error
grep: Program Files/WindowsApps/Microsoft.GetHelp_10.2004.31291.0_x64__8wekyb3d8bbwe/clrcompression.dll: Input/output error
grep: Program Files/WindowsApps/Microsoft.GetHelp_10.2004.31291.0_x64__8wekyb3d8bbwe/GetHelp.dll: Input/output error
........ snipped
```

And there is the flag: BSIDESTLV{ICanSeeYouUnlessYouCleanUpAfterYourself}