Like Clockwork

SpookyCTF2023 Oct 29, 2023

📜Scenario

🔎Solve

After a very long download, we finally get the evidence file.

$ file SpookyKS.E01
SpookyKS.E01: EWF/Expert Witness/EnCase image file format
$ ewfinfo SpookyKS.E01
ewfinfo 20140814

Acquiry information
        Case number:            10272023
        Description:            Image of a strange laptop found abandoned on campus during midterms
        Examiner name:          NICC-Investigator-007
        Evidence number:        Spooky2023-KS
        Acquisition date:       Mon Oct 23 16:40:33 2023
        System date:            Mon Oct 23 16:40:33 2023
        Operating system used:  6.3.0-kali1-amd64
        Software version used:  guymager 0.8.13-2
        Password:               N/A
        Model:                  VBOX_HARDDISK
        Serial number:          VB5d68cb45-abeda6a9

EWF information
        File format:            EnCase 6
        Sectors per chunk:      64
        Error granularity:      1
        Compression method:     deflate
        Compression level:      good (fast) compression

Media information
        Media type:             fixed disk
        Is physical:            yes
        Bytes per sector:       512
        Number of sectors:      52428800
        Media size:             25 GiB (26843545600 bytes)

Digest hash information
        MD5:                    b9a81de6419d741b25d73621a306a85f
        SHA1:                   c956c116b7ff8c7df1cb256f8a1d5e9e65826445
$ mkdir spooky_ewf
$ ewfmount SpookyKS.E01 spooky_ewf/
$ file spooky_ewf/ewf1
spooky_ewf/ewf1: DOS/MBR boot sector; partition 1 : ID=0xee, start-CHS (0x0,0,2), end-CHS (0x3ff,255,63), startsector 1, 52428799 sectors, extended partition table (last)

Now that we have our two partitions with our file system, we can use FTK Imager to explore it.

After a few tens of minutes of searching, we found a file named cronjob.log in the /tmp folder.

$ cat cronjob.log
NICC{d3ad_m3n_t311_n0_L135
n0
NICC{d3ad_m3n_t311_n0_L135
n0
NICC{d3ad_m3n_t311_n0_L135
n0
NICC{d3ad_m3n_t311_n0_L135
n0
NICC{d3ad_m3n_t311_n0_L135
n0
NICC{d3ad_m3n_t311_n0_L135
n0
NICC{d3ad_m3n_t311_n0_L135
n0
NICC{d3ad_m3n_t311_n0_L135
n0
NICC{d3ad_m3n_t311_n0_L135
n0
NICC{d3ad_m3n_t311_n0_L135
n0
+ exec
/bin/headless.sh: line 5: tmp/cronjob.log: No such file or directory
+ source /bin/gondor.sh
++ source /bin/icey.sh
+++ source /bin/gitit.sh
++++ f1=NIC
++++ f2=C
++++ source /bin/gotit.sh
+++++ g1='{'
+++++ g2='}'
++++ f3='{d3ad_'
++++ source /bin/bumpit.sh
+++++ h1=m3n_
+++++ h2=t311_
++++ h1=m3n_
++++ h2=t311_
++++ f4='}'
+++ message='NICC{d3ad_m3n_t311_'
++ of=n0
++ rohan=_L135
++ riders='NICC{d3ad_m3n_t311_n0_L135'
++ echo 'NICC{d3ad_m3n_t311_n0_L135'
NICC{d3ad_m3n_t311_n0_L135
+ echo n0
n0
+ ending='}'
+ /bin/wall 'NICC{d3ad_m3n_t311_n0_L135}'

WriteUp made by Shaym
