
After downloading the file we realize that we need a password to open the 7z.

No problem, I have JohnTheRipper and rockyou.txt, it shouldn't take me too long. Well, that's what I thought…

The hash produced by 7z2john is either too big, or John doesn't support 7z archives with an unencrypted header. Same result with Hashcat.

magnussen@funcMyLife:~/ntfs$ ./john --format=7z --wordlist=rockyou.txt ntfs_hash.txt
Using default input encoding: UTF-8
No password hashes loaded (see FAQ)

After spending a lot of time recompiling JohnTheRipper, trying to find a way to fix the problem or looking for other tools, I finally gave up and decided to use a Windows tool (I know…).

I used the Kraken password cracker, and thanks to it I finally found the password: infected. I should have guessed it…

Let the fun finally begin!

Testdisk basic analysis

So after unzipping the archive, we recover a disk image. Let’s check it out with testdisk.

magnussen@funcMyLife:~/ntfs$ testdisk for_medium.img
Select a media (use Arrow keys, then press Enter):
    >Disk for_medium.img - 2684 MB / 2560 MiB

Please select the partition table type, press Enter when done.
    [Intel  ] Intel/PC partition
    [EFI GPT] EFI GPT partition map (Mac i386, some x86_64...)
    [Humax  ] Humax partition table
    [Mac    ] Apple partition map
    >[None   ] Non partitioned media
    [Sun    ] Sun Solaris partition
    [XBox   ] XBox partition
    [Return ] Return to disk selection


Disk for_medium.img - 2684 MB / 2560 MiB
     CHS 327 255 63 - sector size=512

 [ Analyse  ] Analyse current partition structure and search for lost partitions
>[ Advanced ] Filesystem Utils
 [ Geometry ] Change disk geometry
 [ Options  ] Modify options
 [ Quit     ] Return to disk selection

Directory /

    >dr-xr-xr-x     0     0         0 25-Mar-2019 14:07 .
     dr-xr-xr-x     0     0         0 25-Mar-2019 14:07 ..
     dr-xr-xr-x     0     0         0 25-Mar-2019 16:10 .download
     dr-xr-xr-x     0     0         0 22-Mar-2019 17:54 divers
     dr-xr-xr-x     0     0         0 22-Mar-2019 17:54 reseau
     dr-xr-xr-x     0     0         0 22-Mar-2019 17:54 windows
     -r--r--r--     0     0    752146 22-Mar-2019 17:54 guide-charte-utilisation-moyens-informatiques-outils-numeriques_anssi.pdf
     -r--r--r--     0     0   2659730 22-Mar-2019 17:54 guide-methode-ebios-risk-manager.pdf
     -r--r--r--     0     0    661506 22-Mar-2019 17:54 guide_802.1x_anssi_pa_043_v1.pdf
     -r--r--r--     0     0   1761720 22-Mar-2019 17:54 guide_admin_securisee_si_anssi_pa_022_v2.pdf
     -r--r--r--     0     0    495875 22-Mar-2019 17:54 guide_cloisonnement_systeme_anssi_pg_040_v1.pdf
     -r--r--r--     0     0   4793303 22-Mar-2019 17:54 guide_hygiene_informatique_anssi.pdf
     -r--r--r--     0     0   1002452 22-Mar-2019 17:54 guide_sns_anssi_bp_031_v.2.0.pdf
     -r--r--r--     0     0       180 25-Mar-2019 11:14 liens_utiles.txt
     -r--r--r--     0     0       225 25-Mar-2019 11:14 liens_utiles.txt~
     -r--r--r--     0     0    997307 22-Mar-2019 17:54 linux_configuration-fr-v1.2.pdf
     -r--r--r--     0     0    188936 22-Mar-2019 17:54 np_cryhod_notetech.pdf
     -r--r--r--     0     0         0 22-Mar-2019 17:29 tmp
     -r--r--r--     0     0        36 22-Mar-2019 17:54 tools.pdf

We have a lot of ANSSI guides about cybersecurity, which seems legit, but we also have a hidden directory, .download. I bet the flag is in it!

Directory /.download

     dr-xr-xr-x     0     0         0 25-Mar-2019 16:10 .
     dr-xr-xr-x     0     0         0 25-Mar-2019 14:07 ..
     -r--r--r--     0     0    374318 22-Mar-2019 18:05 27158365900_6d256cfae8_h.jpg
    >-r--r--r--     0     0     77140 25-Mar-2019 15:42 ECW_flag_test.jpg
     -r--r--r--     0     0   3136473 22-Mar-2019 18:05 Red_Kitten_01.jpg
     -r--r--r--     0     0     64526 25-Mar-2019 15:44 clue.jpg
     -r--r--r--     0     0    108838 25-Mar-2019 15:42 example.jpg

Well, well, well… ECW_flag_test.jpg. It seems too simple, but let's see anyway.

[image: not_the_flag_1]

OK, it would have been too simple. Besides the kitten pictures there was another meme that I'll let you enjoy!

[image: not_the_flag_2]

Looking for deleted files

Apparently the flag is not in this directory, and I'm too lazy to read all the other documents. Maybe the flag has been deleted, so let's extract all deleted files from the disk.

Deleted files
>./3590F75ABA9E485486C100C1A9D4FF06NKQITXGIIGQUSKWT                                                                                                         25-Mar-2019 14:07 261795840
 /.download/ECW_flag.jpg                                                                                                                                    25-Mar-2019 15:42     52746
 /.download/methodology.jpg                                                                                                                                 25-Mar-2019 15:43    113105
 /.download/special_kitten.png                                                                                                                              25-Mar-2019 16:08   1688578
 /.download/toto.png                                                                                                                                        25-Mar-2019 13:15   1688536
 /.download/toto.png:ads                                                                                                                                    25-Mar-2019 13:15         7
 Z..Z..ZZ...Z..ZZ/Z....ZZZ.ZZ.ZZZZ                                                                                                                          25-Mar-2019 14:06       592
 Z..Z..ZZ...Z..ZZ/Z...Z..ZZ..Z.ZZZ                                                                                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/Z..Z....Z.Z...ZZ                                                                                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/Z..Z..Z..ZZZZ.ZZ                                                                                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/Z..Z.Z...ZZ.Z.ZZ                                                                                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/Z..Z.ZZ....Z.ZZZ                                                                                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/Z..Z.ZZ.Z..Z.Z.Z                                                                                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/Z..ZZ....ZZ.Z.ZZ                                                                                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/Z..ZZ.Z.Z...Z..Z                                                                                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/Z..ZZ.ZZ.ZZ...ZZ                                                                                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/Z.Z.Z....Z..Z..Z                                                                                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/Z.Z.ZZZ..Z.....Z                                                                                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/Z.ZZZZ..ZZ.ZZZ.Z                                                                                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/Z.ZZZZZZ...ZZ..Z                                                                                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/ZZ.....Z...ZZ.ZZ                                                                                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/ZZ...ZZ.Z...ZZZZ                                                                                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/ZZ.Z..ZZ.ZZZZZZZ                                                                                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/ZZ.ZZ.Z....ZZZ.Z                                                                                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/ZZ.ZZ.ZZZZZZZ..Z                                                                                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/ZZ.ZZZZ...ZZZ.ZZ                                                                                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/ZZZ...ZZZZ.Z.Z.Z                                                                                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/ZZZ.Z.Z.ZZ..Z.ZZ                                                                                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/ZZZ.Z.ZZZZZZ.ZZZ                                                                                                                          25-Mar-2019 14:06       592
 Z..Z..ZZ...Z..ZZ/ZZZ.ZZZZZ.Z.Z..Z                                                                                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/ZZZZ.ZZ....Z...Z                                                                                                                          25-Mar-2019 14:06       600
 Z..Z..ZZ...Z..ZZ/ZZZZ.ZZ.ZZ.....Z                                                                                                                          25-Mar-2019 14:06       600

Mmmhhh, /.download/ECW_flag.jpg: is it another troll or the real flag?

[image: not_the_flag_3]

Damn! Let’s see the other pictures…

[image: not_the_flag_4]

I have to say, this is the most accurate image I've ever seen, but still not the flag…

I have the same image under two different names: special_kitten.png and toto.png.

[image]

Let's check the strings in that file!

magnussen@funcMyLife:~/ntfs$ strings special_kitten.png

kW~"
wfPln
susZ
7qN^
ue/,o
Cy  ?/
&(7A
*Mh!
5tEXtArtist
calculate Message Digest 5 of file and add one
IEND

I can smell the flag! Apparently I just have to compute the MD5 sum of this file and add one.

magnussen@funcMyLife:~/ntfs$ md5sum special_kitten.png
3d9382f08cd82a430a59343b21934752  special_kitten.png

Indeed, the flag was ECW{3d9382f08cd82a430a59343b21934753}.
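To make the last step reproducible, here is an added example in Python (not part of the original write-up): it walks the PNG's chunks to recover the tEXt Artist hint, computes the MD5 of the file, and adds one to the digest as a 128-bit hex number so that a trailing 'f' carries correctly instead of becoming 'g'. The 1x1 PNG it hashes is constructed inline and only stands in for special_kitten.png; SAMPLE_PNG, hex_plus_one and flag_for are names of my own.

```python
import hashlib
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_text_chunks(data: bytes) -> dict:
    """Return {keyword: text} for every tEXt chunk of a PNG byte string."""
    if data[:8] != PNG_SIG:
        raise ValueError("not a PNG file")
    out, pos = {}, 8
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if ctype == b"tEXt" and b"\x00" in body:
            key, _, text = body.partition(b"\x00")  # keyword NUL text
            out[key.decode("latin-1")] = text.decode("latin-1")
        if ctype == b"IEND":
            break
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
    return out

def hex_plus_one(digest: str) -> str:
    """Treat a 32-char MD5 hex digest as a 128-bit integer and add one."""
    value = (int(digest, 16) + 1) % (1 << 128)  # carries through trailing 'f's
    return f"{value:032x}"

def md5_plus_one(data: bytes) -> str:
    return hex_plus_one(hashlib.md5(data).hexdigest())

def flag_for(data: bytes) -> str:
    return "ECW{" + md5_plus_one(data) + "}"

def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

# Constructed 1x1 grayscale PNG carrying the same tEXt Artist hint as the challenge image.
SAMPLE_PNG = (
    PNG_SIG
    + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    + _chunk(b"tEXt", b"Artist\x00calculate Message Digest 5 of file and add one")
    + _chunk(b"IDAT", zlib.compress(b"\x00\x00"))
    + _chunk(b"IEND", b"")
)

if __name__ == "__main__":
    print("hint:", png_text_chunks(SAMPLE_PNG).get("Artist"))
    print("flag:", flag_for(SAMPLE_PNG))
```

Run it against the real special_kitten.png by replacing SAMPLE_PNG with the file's bytes; with the digest shown above, hex_plus_one gives exactly the flag value.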

I really liked this challenge; not the hardest, but surely the funniest! Thanks to the ECW team for this challenge and the CTF!