Tags: reverse qemu mbr dos 

When we run the command `file rfc1337.pdf` on Linux, we get the output `rfc1337.pdf: DOS/MBR boot sector`.

The very first Google search for *ctf DOS/MBR boot sector* turned up an interesting [writeup](https://ctftime.org/writeup/7765).

A QEMU window shows up with a message:
![](https://i.imgur.com/d65ObcG.png)

The next thing we do is:
#### 1. Open gdb
#### 2. Run `qemu-system-x86_64 -s -S -m 512 -fda rfc1337.pdf`
#### 3. Continue in the *machine* and open the *gdb* window
```
$ gdb
(gdb) target remote localhost:1234
(gdb) set architecture i8086
(gdb) break *0x7c00
(gdb) cont
```
#### 4. Finally, we execute `dump binary memory result.bin 0x0000 0xffff`

### That's what it all looks like:

![](https://i.imgur.com/cYI7w7d.png)

After opening the .bin file in IDA we can see some strings, one of them being **1337TCPHazards**, which is the password to unlock the vault:

![](https://i.imgur.com/zE4Pw7e.png)
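
The same two checks can be scripted without IDA. The following is an added example, not part of the original writeup: it tests for the `0x55 0xAA` signature at offset 510 that marks a BIOS boot sector, then lists printable strings in the sector loaded at `0x7c00` of a memory dump. The function names and the sample dump (including the string `SAMPLE-PASSWORD`) are constructed for illustration.

```python
import re

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a bootable sector
LOAD_ADDR = 0x7C00             # where the BIOS places the boot sector


def is_boot_sector(data: bytes) -> bool:
    """True if the first 512 bytes end with the 0x55 0xAA boot signature."""
    return len(data) >= SECTOR_SIZE and data[510:512] == BOOT_SIGNATURE


def ascii_strings(data: bytes, base: int = 0, min_len: int = 6):
    """Return (address, text) for each run of printable ASCII >= min_len."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(base + m.start(), m.group().decode("ascii"))
            for m in pattern.finditer(data)]


def triage_dump(dump: bytes, min_len: int = 6):
    """Check the sector at 0x7c00 in a memory dump and list its strings."""
    sector = dump[LOAD_ADDR:LOAD_ADDR + SECTOR_SIZE]
    return is_boot_sector(sector), ascii_strings(sector, LOAD_ADDR, min_len)


def build_sample_dump() -> bytes:
    """Constructed input: 64 KiB of zeros with a fake boot sector at 0x7c00."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:2] = b"\xeb\xfe"                      # jmp $ (placeholder code)
    sector[0x40:0x40 + 15] = b"SAMPLE-PASSWORD"    # constructed string
    sector[510:512] = BOOT_SIGNATURE
    dump = bytearray(0x10000)
    dump[LOAD_ADDR:LOAD_ADDR + SECTOR_SIZE] = sector
    return bytes(dump)


if __name__ == "__main__":
    bootable, found = triage_dump(build_sample_dump())
    print("boot signature present:", bootable)
    for addr, text in found:
        print(f"0x{addr:04x}  {text}")
```

To use it on a real dump such as `result.bin`, read the file as bytes and pass it to `triage_dump`, or call `ascii_strings` on the whole buffer to cover code loaded beyond the first sector.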

### And here is our flag: `INTENT{1337H4x0rsKnowHowToBootPDFs}`