Walkthrough
The solution was inspired during the contest by the 2009 f100 writeup at http://shallweplayaga.me/. That writeup involved a lot more groveling through the raw hex dump, but here's a decent enough way to find the key without defaulting to hd *.bin | less:
$ file f100_6db079ca91c4860f.bin
f100_6db079ca91c4860f.bin: x86 boot sector; partition 1: ID=0x7,
starthead 0, startsector 31, 31558 sectors, extended partition table
$ sudo apt-get install sleuthkit
$ fls f100_6db079ca91c4860f.bin
Cannot determine file system type
$ hd f100_6db079ca91c4860f.bin | head
00000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000001c0 01 01 07 00 df fa 1f 00 00 00 46 7b 00 00 00 00 |..........F{....|
000001d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
000001f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 55 aa |..............U.|
00000200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00003e00 eb 52 90 4e 54 46 53 20 20 20 20 00 02 08 00 00 |.R.NTFS .....|
00003e10 00 00 00 00 00 f8 00 00 3f 00 ff 00 1f 00 00 00 |........?.......|
$ python
>>> 0x3e00 / 512
31
>>>
$ dd if=f100_6db079ca91c4860f.bin of=f100.dd bs=512 skip=31
$ fls f100.dd
r/r 4-128-4: $AttrDef
r/r 8-128-2: $BadClus
r/r 8-128-1: $BadClus:$Bad
r/r 6-128-4: $Bitmap
r/r 7-128-1: $Boot
d/d 11-144-4: $Extend
r/r 2-128-1: $LogFile
r/r 0-128-1: $MFT
r/r 1-128-1: $MFTMirr
r/r 9-128-8: $Secure:$SDS
r/r 9-144-11: $Secure:$SDH
r/r 9-144-5: $Secure:$SII
r/r 10-128-1: $UpCase
r/r 3-128-3: $Volume
r/r 42-128-4: 2009040811380736734_115018_0.jpg
r/r 42-128-5: 2009040811380736734_115018_0.jpg:Zone.Identifier
r/r 35-128-4: carpenter.png
r/r 35-128-5: carpenter.png:Zone.Identifier
r/r 36-128-3: caught.jpg
r/r 36-128-4: caught.jpg:Zone.Identifier
r/r 37-128-3: evidence.jpg
r/r 37-128-4: evidence.jpg:Zone.Identifier
r/r 41-128-3: furries.jpg
r/r 41-128-4: furries.jpg:Zone.Identifier
r/r 39-128-3: images.jpg
r/r 39-128-4: images.jpg:Zone.Identifier
r/r 40-128-4: whiteflag.jpg
r/r 40-128-5: whiteflag.jpg:Zone.Identifier
-/r * 38-128-1: key
-/r * 38-128-3: key:Zone.Identifier
d/d 256: $OrphanFiles
$ strings f100.dd | grep key
keyfile.dat
$ hd f100.dd | grep -C 10 key
00f69060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00f69070 00 00 00 00 00 e0 00 00 77 68 65 72 65 30 77 68 |........where0wh|
00f69080 65 72 65 31 35 74 68 65 6b 33 79 3f 00 00 00 00 |ere15thek3y?....|
00f69090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00f690a0 00 69 00 74 00 69 00 73 00 6e 00 6f 00 74 00 68 |.i.t.i.s.n.o.t.h|
00f690b0 00 65 00 72 00 65 00 00 00 00 00 00 00 00 00 00 |.e.r.e..........|
00f690c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00f690d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 aa 50 |...............P|
00f690e0 4b 00 31 38 00 0d 00 00 00 04 00 20 00 03 10 00 |K.18....... ....|
00f690f0 22 01 01 00 42 00 00 00 00 00 00 00 00 00 00 00 |"...B...........|
00f69100 00 00 00 00 00 e0 00 ee 00 6b 65 79 66 69 6c 65 |.........keyfile|
00f69110 2e 64 61 74 00 00 00 00 00 00 00 00 00 00 00 00 |.dat............|
00f69120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00f6c200
Well, that's not very encouraging. Wait a second, Microsoft likes Unicode...
$ strings -e -l f100.dd | grep key
$ strings -e l -3 f100.dd | grep key
key
key
key
key
$ strings -e l -3 f100.dd | grep -C 2 key
$I30
$SDH
key
key
('P'
(8`8@
--
$SDH
(X@
key
((P(
(8`8@
--
evidence.jpg
Zone.Identifier
key
notdeleted,never
Zone.Identifier
$ hd f100.dd | grep -C 2 n.o.t.d
0052b8f0 03 03 6b 00 65 00 79 00 80 00 00 00 48 00 00 00 |..k.e.y.....H...|
0052b900 00 00 18 00 00 00 01 00 00 00 00 00 18 00 00 00 |................|
0052b910 6e 00 6f 00 74 00 64 00 65 00 6c 00 65 00 74 00 |n.o.t.d.e.l.e.t.|
0052b920 65 00 64 00 2c 00 6e 00 65 00 76 00 65 00 72 00 |e.d.,.n.e.v.e.r.|
0052b930 65 78 69 73 74 65 64 0d 0a 00 00 00 00 00 00 00 |existed.........|
So the key is "notdeleted,neverexisted". Note why neither strings pass showed it whole: the first part ("notdeleted,never") is stored as UTF-16LE, which only the -e l pass finds, while the tail ("existed\r\n") is plain ASCII right after it, so the full value only shows up in the hex dump of the resident $DATA attribute.
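The partition-offset step above (MBR entry at 0x1be, start sector 31, byte offset 0x3e00) done in code rather than by eyeballing hd output, as an added example that is not part of the original writeup. It builds a constructed image containing the partition entry bytes from the dump and a minimal NTFS boot sector, then parses the MBR and verifies the NTFS OEM ID before trusting the offset; the function names are my own.

```python
import struct

SECTOR = 512
MBR_TABLE_OFFSET = 0x1BE          # four 16-byte partition entries live here
BOOT_SIGNATURE = b"\x55\xaa"      # at offset 0x1FE of the MBR and of the NTFS VBR


def parse_mbr(image):
    """Return [(type, lba_start, sector_count)] for each non-empty MBR entry."""
    if image[0x1FE:0x200] != BOOT_SIGNATURE:
        raise ValueError("no 0x55AA signature: not an MBR image")
    parts = []
    for i in range(4):
        entry = image[MBR_TABLE_OFFSET + 16 * i: MBR_TABLE_OFFSET + 16 * (i + 1)]
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(u32 LE) sectors(u32 LE)
        _status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            parts.append((ptype, lba_start, count))
    return parts


def is_ntfs_boot_sector(sector):
    """NTFS VBR: jump at 0, OEM ID 'NTFS    ' at 3, 0x55AA at 510."""
    return sector[3:11] == b"NTFS    " and sector[510:512] == BOOT_SIGNATURE


def find_ntfs_partition(image):
    """Return (byte_offset, skip_sectors) of the first NTFS partition, else None."""
    for ptype, lba, _count in parse_mbr(image):
        off = lba * SECTOR
        if ptype == 0x07 and is_ntfs_boot_sector(image[off:off + SECTOR]):
            return off, lba          # lba is the value for dd's skip=
    return None


def build_sample_image():
    """Constructed image: the writeup's MBR entry (type 0x07, LBA 31, 0x7b46
    sectors) followed by a minimal NTFS boot sector at sector 31."""
    mbr = bytearray(SECTOR)
    mbr[0x1BE:0x1CE] = bytes.fromhex("00 00 01 01 07 00 df fa 1f 00 00 00 46 7b 00 00")
    mbr[0x1FE:0x200] = BOOT_SIGNATURE
    vbr = bytearray(SECTOR)
    vbr[0:11] = bytes.fromhex("eb 52 90") + b"NTFS    "
    vbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr) + bytes(30 * SECTOR) + bytes(vbr)


if __name__ == "__main__":
    img = build_sample_image()
    print(parse_mbr(img))            # [(7, 31, 31558)]
    print(find_ntfs_partition(img))  # (15872, 31)  -> dd ... bs=512 skip=31
```

On the real image the same call gives the skip value used in the dd command above; a type-0x07 entry whose first sector lacks the NTFS OEM ID is skipped rather than blindly carved.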