swiss hacking challenge 2024 - optimized-ntfs

Posted on May 1, 2024

Difficulty: medium

Category: forensics

Author: xNULL

Barbara! Can you come over and help me?

It seems like my computer has an issue. I placed this really important file on my Desktop but it seems to be gone.

Surely Mark from accounting must have deleted it because I ate his yoghurt from the fridge.

I had it somewhere on the desktop, can you recover it?

Hint | Where are very small files stored?

Files

We get a memory dump, image.raw, RAR-compressed (WHY??).

Exploitation

I used volatility2docker, since Volatility 2 needs Python 2 and Python 2 isn’t even in the package repos anymore.

First, we need to detect the profile of the image:

# volatility -f image.raw imageinfo
Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/workspace/image.raw)
                      PAE type : PAE
                           DTB : 0x31c000L
                          KDBG : 0x8054c2e0L
          Number of Processors : 2
     Image Type (Service Pack) : 2
                KPCR for CPU 0 : 0xffdff000L
                KPCR for CPU 1 : 0xbab38000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2024-02-06 20:39:29 UTC+0000
     Image local date and time : 2024-02-06 21:39:29 +0100

Then we carve the MFT records out of the memory dump with mftparser. This is what the hint is getting at: NTFS keeps the content of very small files (up to a few hundred bytes) resident, i.e. inline in the file’s own 1 KiB MFT record rather than in separate clusters, and cached MFT records sit in RAM, so a deleted tiny file survives for as long as its record has not been reused:

# volatility -f image.raw  --profile=WinXPSP2x86 mftparser | less
...
Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2024-02-06 20:36:18 UTC+0000 2024-02-06 20:36:18 UTC+0000   2024-02-06 20:36:18 UTC+0000   2024-02-06 20:36:18 UTC+0000   Documents and Settings\xnull\Desktop\supersecretpassword.txt

$OBJECT_ID
Object ID: 1e2c2862-2fc5-ee11-9a25-0c7a15d45c96
Birth Volume ID: 80000000-5000-0000-0000-180000000100
Birth Object ID: 32000000-1800-0000-6332-0d0a686a0d0a
Birth Domain ID: 4d6a0d0a-4179-4e48-7475-64475a7a5832

$DATA
0000000000: 63 32 0d 0a 68 6a 0d 0a 4d 6a 0d 0a 41 79 4e 48   c2..hj..Mj..AyNH
0000000010: 74 75 64 47 5a 7a 58 32 52 76 61 57 35 6e 58 32   tudGZzX2RvaW5nX2
0000000020: 35 30 5a 6e 4e 66 64 47 68 70 62 6d 64 7a 66 51   50ZnNfdGhpbmdzfQ
0000000030: 6f 3d                                             o=
...

Ignore the $OBJECT_ID block. The three "Birth" GUIDs are not object IDs at all: read as raw bytes they are a resident $DATA attribute header (type 80 00 00 00, length 0x50, name offset 0x18, attribute id 1, content length 0x32 at offset 0x18) followed by the first bytes of the content, so the plugin is evidently reading past a 16-byte $OBJECT_ID into the next attribute. The part we want is the $DATA hexdump: 0x32 = 50 bytes of base64 broken up with CRLF line breaks, which the ASCII column renders as dots. GNU base64’s -i (--ignore-garbage) skips every byte outside the base64 alphabet, so the rendered column can be pasted as-is, dots included, and decoding gives us the flag:

$ echo -n "c2..hj..Mj..AyNHtudGZzX2RvaW5nX250ZnNfdGhpbmdzfQo=" | base64 -d -i
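To make concrete what mftparser just did for us, and why the hint pointed at the MFT, here is an added example (my own code, not the challenge author’s and not a Volatility plugin): a minimal FILE-record carver that signature-scans a raw image for MFT records, undoes the update-sequence fixups, pulls the resident $FILE_NAME and $DATA attributes out of each record, and then decodes the blob the way `base64 -d -i` does, dots and CRLFs ignored. The image it runs on is constructed inside the script: some filler, one deleted 1 KiB record carrying the 50-byte base64 blob from the hexdump above as resident $DATA, and a stray "FILE" string that is not a record. The 1024-byte record size, the zeroed timestamps, the root-directory parent reference and the filler bytes are assumptions; the header and attribute offsets are the standard NTFS on-disk layout.

```python
"""Minimal NTFS MFT record carver: added example, not the challenge author's code or
a Volatility plugin. The image it parses is constructed at the bottom."""
import base64
import re
import struct

MFT_RECORD_SIZE, SECTOR_SIZE = 1024, 512    # assumption: the usual 1 KiB record size
ATTR_FILE_NAME, ATTR_DATA, ATTR_END = 0x30, 0x80, 0xFFFFFFFF

def apply_fixups(rec: bytes) -> bytes:
    """NTFS stamps the last 2 bytes of every sector with the USN and keeps the originals
    in the update sequence array; restore them. A mismatch = torn record or false hit."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    if (usa_count - 1) * SECTOR_SIZE != len(rec) or usa_off + 2 * usa_count > len(rec):
        raise ValueError("implausible update sequence array")
    usn, out = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        if out[end - 2:end] != usn:
            raise ValueError("fixup mismatch")
        out[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(out)

def parse_record(rec: bytes) -> dict:
    """Name, in-use flag and resident unnamed $DATA content of one FILE record."""
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(rec)
    flags = struct.unpack_from("<H", rec, 0x16)[0]          # bit 0 clear = deleted
    info = {"name": None, "in_use": bool(flags & 1), "data": None}
    off = struct.unpack_from("<H", rec, 0x14)[0]            # first attribute
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen < 0x18 or off + alen > len(rec):
            break
        non_resident, name_len = rec[off + 8], rec[off + 9]
        if not non_resident:                                # content is inline
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = rec[off + coff:off + coff + clen] if coff + clen <= alen else b""
            if atype == ATTR_FILE_NAME and len(content) >= 0x42:
                n = content[0x40]                           # name length, UTF-16 units
                info["name"] = content[0x42:0x42 + 2 * n].decode("utf-16-le")
            elif atype == ATTR_DATA and name_len == 0 and content:
                info["data"] = content                      # the file body itself
        off += alen
    return info

def scan_image(image: bytes):
    """Signature-scan like mftparser: a memory dump has no MFT geometry to follow."""
    for m in re.finditer(b"FILE", image):
        try:
            yield m.start(), parse_record(image[m.start():m.start() + MFT_RECORD_SIZE])
        except (ValueError, struct.error, IndexError, UnicodeDecodeError):
            continue                                        # ordinary data, not a record

def decode_flag(data: bytes) -> str:
    """Like `base64 -d -i`: drop bytes outside the alphabet (CRLFs or their dots)."""
    return base64.b64decode(re.sub(rb"[^A-Za-z0-9+/=]", b"", data)).decode().strip()

def build_record(name: str, data: bytes, in_use: bool) -> bytes:
    """Assemble a valid 1 KiB FILE record with real USA fixups (constructed test data)."""
    def attr(atype, content):
        total = (0x18 + len(content) + 7) & ~7              # attributes are 8-aligned
        hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, 0,
                          len(content), 0x18, 0, 0)         # 0x18-byte resident header
        return hdr + content + b"\0" * (total - 0x18 - len(content))
    fname = (struct.pack("<Q", 5 | (5 << 48))               # parent: root dir, entry 5
             + b"\0" * 32                                   # four FILETIMEs, left zero
             + struct.pack("<QQII", 0, len(data), 0, 0)     # alloc, real size, flags, reparse
             + bytes([len(name), 3]) + name.encode("utf-16-le"))
    attrs = (attr(ATTR_FILE_NAME, fname) + attr(ATTR_DATA, data)
             + struct.pack("<I", ATTR_END) + b"\0" * 4)
    usa_off, usa_count, first_attr, usn = 0x30, 3, 0x38, b"\x01\x00"
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", usa_off, usa_count, 0, 1, 1, first_attr,
                      1 if in_use else 0, first_attr + len(attrs), MFT_RECORD_SIZE, 0, 3, 0, 0)
    rec = bytearray(hdr + b"\0" * 8 + attrs) + b"\0" * (MFT_RECORD_SIZE - 0x38 - len(attrs))
    rec[usa_off:usa_off + 2] = usn
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[end - 2:end]   # save originals
        rec[end - 2:end] = usn                                        # stamp the USN
    return bytes(rec)

# Constructed image: filler, a deleted record holding the 50-byte blob from the
# hexdump as resident $DATA, and a stray "FILE" that is no record at all.
FLAG_BLOB = b"c2\r\nhj\r\nMj\r\nAyNHtudGZzX2RvaW5nX250ZnNfdGhpbmdzfQo="
SAMPLE_IMAGE = (b"\xaa" * 3000 + build_record("supersecretpassword.txt", FLAG_BLOB, False)
                + b"...some FILE in ordinary data..." + b"\0" * 2048)

def recover(image: bytes) -> list:
    """Every record carrying resident data, deleted ones included."""
    return [(off, i["name"], i["in_use"], i["data"])
            for off, i in scan_image(image) if i["data"] is not None]

if __name__ == "__main__":
    for off, name, in_use, data in recover(SAMPLE_IMAGE):
        print(f"0x{off:x} {name} in_use={in_use} -> {decode_flag(data)}")
```

Two things the script makes visible that the plugin output hides: the record is reported with in_use=False, i.e. the file is deleted and only its MFT record survives, and the fixup check is what separates a real record from any other place the four bytes "FILE" happen to occur in RAM, which is exactly the false-positive problem a signature scanner over a memory dump has to solve.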

Flag

shc2024{ntfs_doing_ntfs_things}

Conclusion

Why can’t volatility3 just finally reimplement all the vol2 plugins? :c