Points: 300



We are given a DOS/MBR boot sector, and the goal is to find the password of a rar file which contains the flag.

flag format: flag{...}


(by AntonioToni and d3rezz)

We approached this in two ways: mounting the partition and exploring what was inside it, and using binwalk to extract whatever it could find inside the partition.

Running binwalk -e hdd showed the partition had a couple of interesting files inside, namely a rar, two zips, and three JPEGs. For some reason, binwalk couldn’t extract the three JPEGs, so d3rezz mounted the partition and inspected the images.

At this point we started looking at the files binwalk extracted. The first rar was password protected, and we immediately understood we had to find the password or use something to crack it. Binwalk read the headers, but one of the zips was, in fact, just a file with the line “part3/3[tuwEERrjG]”. This made it clear we had to find the other two parts.

d3rezz suggested we should see if one of the images had one part. Therefore, we ran another forensic tool, Stegsolve, and d3rezz found the second part, “part2/3[86Jxm0jrN]”, in one of the JPEGs.

For the final part we immediately thought it had to be in the final zip. Even though it was, we lost a couple of minutes because binwalk found an additional zip with nothing in it. To find the last part we thought: maybe the zip has the bytes “part1/3” inside. Therefore, we ran

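# Read the carved zip as raw bytes
with open("170BF9A.zip", "rb") as f:
    fil = f.read().strip()

# Locate the ASCII marker "part" (0x70 0x61 0x72 0x74)
index = fil.find(b"\x70\x61\x72\x74")
if index == -1:
    raise SystemExit("marker not found")

# Grow the slice one byte at a time until it includes the closing "]"
part1 = b""
i = 0
while b"]" not in part1 and index + i <= len(fil):
    part1 = fil[index:index+i]
    i += 1
print(part1.decode("ascii", "replace"))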

which yielded the final part of the password. We then unrar'd the rar file and got flag{hiding_in_plain_sight_is_not_always_the_best_method}.
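The byte search used on the last zip generalizes to any carved file or to the whole image. The following is an added example, not the authors' script: it scans a binary stream in chunks for the partN/3[...] marker format seen in this challenge and reports which parts are still missing. The function names and the sample bytes are constructed for illustration, and a part that is not stored as plain bytes will not be found this way.

```python
import io
import re

# Marker format used in this challenge: part<k>/<n>[<value>], stored as plain ASCII.
MARKER = re.compile(rb"part(\d)/(\d)\[([^\]\x00-\x20\x7f-\xff]{1,64})\]")
MAX_LEN = len(b"part1/3[") + 64 + 1  # longest marker the pattern can match

def scan_stream(stream, chunk_size=1 << 20):
    """Return ({k: (offset, value)}, n) for all markers in a binary stream."""
    found, total = {}, 0
    tail, base = b"", 0  # base is the file offset of tail[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = tail + chunk
        for m in MARKER.finditer(buf):
            k, n = int(m.group(1)), int(m.group(2))
            total = max(total, n)
            # First hit wins: carved duplicates repeat the same marker.
            found.setdefault(k, (base + m.start(), m.group(3).decode("ascii")))
        # Keep an overlap so a marker split across two reads is still matched.
        keep = min(len(buf), MAX_LEN - 1)
        tail = buf[len(buf) - keep:]
        base += len(buf) - keep
    return found, total

def scan_bytes(data, chunk_size=1 << 20):
    """Convenience wrapper for in-memory data."""
    return scan_stream(io.BytesIO(data), chunk_size)

def missing(found, total):
    """Part numbers announced by the markers but not yet located."""
    return [k for k in range(1, total + 1) if k not in found]

# Constructed sample: filler bytes around made-up markers (not the challenge values).
SAMPLE = (
    b"\x00" * 37 + b"PK\x03\x04part3/3[cccCCC]"
    + b"\xff" * 50 + b"JFIFpart1/3[aaaAAA]\x00"
)

if __name__ == "__main__":
    found, total = scan_bytes(SAMPLE, chunk_size=16)
    for k in sorted(found):
        print(f"part{k}/{total} at offset {found[k][0]:#x}: {found[k][1]}")
    print("missing:", missing(found, total))
```

To scan a real image, pass a file opened in "rb" mode to scan_stream; the reported offsets can then be compared with the offsets binwalk lists for each carved file.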