## Image Archeology (Admin, 350)

> We have found the file, which contains a part of gai. But where is it?
> Hints
> You don't need any special reverse skills to solve this. It will be enough to use strings
> to reveal how the flag can be found.

In this task we received an image of a small disk. After mounting it, we found an ordinary Unix directory layout (`/bin` and so on).
Even without the hint, we started by searching the tree for anything unusual, in this case files whose printable strings mention the CTF name:
```
find . -type f -exec sh -c 'strings "$1" | grep -E "volga|Volga" && echo "$1"' _ {} \;
hacker.volga.ctf
./bin/busybox2
hacker.volga.ctf
./core
strings: ./usr/bin/sudo: Permission denied
strings: ./usr/sbin/visudo: Permission denied
```
(The path is passed as `$1` rather than substituted straight into the `sh -c` string, so odd file names on an untrusted image cannot inject shell syntax.)
Well, it is unlikely that an untampered system would contain such strings, so we quickly looked into the `busybox2` executable.
When run, it did not do much: it returned to the prompt immediately. However, after a couple of seconds our system
rebooted (a reminder that unknown binaries from a CTF image belong in a disposable VM, not on the analysis host). After a closer look, we noticed that the executable contained the string `/sbin/reboot`. We patched it to call
`/bin/ls` instead (a crude patch, but it worked).
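
The patch described above, as an added example that is not part of the original writeup: the path is assumed to live in the binary as a NUL-terminated string literal, so the replacement must be no longer than the original and must be NUL-padded to the same length, otherwise every offset after it shifts and the binary breaks. The sample blob is constructed here to stand in for the `.rodata` of `busybox2`; the function names and the `.patched` suffix are this example's own choices.

```python
import sys

OLD = b"/sbin/reboot"   # string found with `strings` in the original binary
NEW = b"/bin/ls"        # harmless replacement, shorter than OLD


def patch_string(data: bytes, old: bytes, new: bytes) -> bytes:
    """Replace every NUL-terminated occurrence of `old` in `data` with `new`,
    padded with NUL bytes so the total file length and all offsets are unchanged."""
    if len(new) > len(old):
        raise ValueError("replacement is longer than the original string")
    needle = old + b"\0"                              # match the whole literal, not a prefix
    repl = new + b"\0" * (len(old) + 1 - len(new))    # same size as needle
    if needle not in data:
        raise ValueError("original string not found in the binary")
    patched = data.replace(needle, repl)
    assert len(patched) == len(data)
    return patched


def patch_file(path: str, old: bytes = OLD, new: bytes = NEW) -> str:
    """Write a patched copy next to the original and return its path."""
    with open(path, "rb") as f:
        data = f.read()
    out = path + ".patched"
    with open(out, "wb") as f:
        f.write(patch_string(data, old, new))
    return out


# Constructed stand-in for the binary's read-only data, used to show the effect offline.
SAMPLE = (b"\x7fELF" + b"\0" * 12
          + b"hacker.volga.ctf\0"
          + b"/sbin/reboot\0"
          + b"/bin/sh\0")


def demo() -> bytes:
    return patch_string(SAMPLE, OLD, NEW)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        print(patch_file(sys.argv[1]))
    else:
        print(demo())
```

Run it as `python3 patch.py ./bin/busybox2` to produce `busybox2.patched`; the fork-and-reboot child then execs `/bin/ls` instead of `/sbin/reboot`, and the rest of the program (the XOR loop, the `rand()` date, the connection attempt) is untouched, which is what a debugging session needs.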

The code itself was not very hard; it consisted of:
- XORing data
- taking two `rand()` values without any preceding `srand()` (so the generator runs from its default seed and the values are the same on every run) and interpreting the results as a date
- sending something to `hacker.volga.ctf` (host unavailable)
- forking, and rebooting in one child

Well, we did not waste our time reversing the code any further: we simply stepped through it in a debugger
and broke when the connection to the aforementioned host was made. It turned out that the flag was already in memory at that
point.

Original writeup (https://github.com/p4-team/ctf/tree/master/2016-03-26-volga2016-quals/image_archeology).