Rating:

# EVIDENCE

```
A buddy of mine is in serious trouble. He works for the feds and accidentally deleted a pendrive containing crucial evidence

Can you get it back and tell us what the evidence is?

We need to know what the suspect bought
```

- File : [evidence.zip](https://github.com/Pynard/writeups/raw/main/2020/BRIXEL/attachements/evidence/evidence.zip)

First we unzip the archive to find an img file :

```
$ file evidence.img
evidence.img: DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS ", sectors/cluster 8, Media descriptor 0xf8, sectors/track 63, heads 255, dos < 4.0 BootSector (0x0), FAT (1Y bit by descriptor); NTFS, sectors/track 63, physical drive 0x80, sectors 1880044, $MFT start cluster 78335, $MFTMirror start cluster 2, bytes/RecordSegment 2^(-1*246), clusters/index block 1, serial number 0a6822852822828ef; contains bootstrap BOOTMGR
```

This img seems corrupted, as shown with fdisk :

```
$ fdisk -l evidence.img
Périphérique Amorçage Début Fin Secteurs Taille Id Type
evidence.img1 1920221984 3736432267 1816210284 866G 72 inconnu
evidence.img2 1936028192 3889681299 1953653108 931,6G 6c inconnu
evidence.img3 0 0 0 0B 0 Vide
evidence.img4 27722122 27722568 447 223,5K 0 Vide
```

We'll use **photorec** to recover some deleted files and we get 2 wav files :

```
$ ls recup_dir.1
f0011328.wav f0028304.wav
```

- [f0011328.wav](https://github.com/Pynard/writeups/raw/main/2020/BRIXEL/attachements/evidence/f0011328.wav)
- [f0028304.wav](https://github.com/Pynard/writeups/raw/main/2020/BRIXEL/attachements/evidence/f0028304.wav)

These are phone calls between Dorfmeister and a bot

We have to recover DTMF key press :

```
$ multimon-ng -a DTMF -t wav f0011328.wav
```

We get :

```
212555424054666916092533266500018449903336667770844330222666222244466330227778844#2
```

Some are numbers others are multi-tap letters, so lets convert it to text to see what we've got :

```
A ALGAG JGOW M WAJEANJ THX FOR THE COCAINE BRUH
```

So he clearly bought cocaine

flag : `brixelCTF{cocaine}`

Original writeup (https://github.com/Pynard/writeups/blob/main/2020/BRIXEL/challenges/evidence.md).