categories writeups articles whoami

Contents

BreizhCTF 2023 - The Lost Key

ZarKyo included in writeups breizhctf-2023
   222 words   2 minutes 
/breizhctf-2023/breizhctf-banniere.jpg
Contents

The Lost Key

Difficulty: Easy

Author: Zeecka

States

The USB key of a Norman terrorist has been recovered. Investigate his support to prevent him from taking action!

Solve

1
2

tar xzvf the_lost_key.tar.gz
the_lost_key.img

A file & fdisk to get information about the dump :

1
2

file the_lost_key.img 
the_lost_key.img: DOS/MBR boot sector; partition 1 : ID=0x7, start-CHS (0x4,4,1), end-CHS (0x3ff,254,2), startsector 2048, 3909632 sectors

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

fdisk -l the_lost_key.img 
Disque the_lost_key.img : 1,87 GiB, 2003632128 octets, 3913344 secteurs
Unités : secteur de 1 × 512 = 512 octets
Taille de secteur (logique / physique) : 512 octets / 512 octets
taille d'E/S (minimale / optimale) : 512 octets / 512 octets
Type d'étiquette de disque : dos
Identifiant de disque : 0x7bdf73d0

Périphérique            Amorçage Début     Fin Secteurs Taille Id Type
the_lost_key.img1           2048 3911679  3909632   1,9G  7 HPFS/NTFS/exFAT

We will open in Autopsy the dump, the dump does not contain many documents. We can recover a PDF with a rather interesting name protected by a password :

/breizhctf-2023/The-Lost-Key/autopsy-1.png

In the deleted files, we have a DB Keepass and its master key :

/breizhctf-2023/The-Lost-Key/autopsy-2.png

We open the keepass :

/breizhctf-2023/The-Lost-Key/keepass-1.png

In the trash, we discover the password of the PDF :

/breizhctf-2023/The-Lost-Key/keepass-2.png

We open the PDF document with the password and we have the flag :

/breizhctf-2023/The-Lost-Key/flag.png

Flag : BZHCTF{!LeMontSaintMichelEstNormand!}

Updated on Apr 29, 2023
Read Markdown
 BREIZHCTFFORENSIC
Back | Home