Cyber Apocalypse
2024
PursueTheTracks
Luxx, leader of The Phreaks, immerses himself in the depths of his computer, tirelessly pursuing the secrets of a file he obtained accessing an opposing faction member workstation. With unwavering determination, he scours through data, putting together fragments of information trying to take some advantage on other factions. To get the flag, you need to answer the questions from the docker instance.
Forensics
300 points
Walkthrough
We start by downloading the source files.
The provided zip file contains a
z.mft
file, which is a Master File Table (MFT) file from a Windows NTFS filesystem. The MFT is a special file on NTFS filesystems that contains metadata about every file and directory on the filesystem.You can extract the data using linux with analyzeMFT:
analyzeMFT.py -f z.mft -o mftanalyzed.csv
You can get more information here.
Unfortunately this extraction is not enough to solve the challenge. We can use Mft2Csv for windows to extract more information from the MFT file.
We then use
Excel
or csv-viewer-online to look at the extracted data.We use this data to answer the questions in the docker instance:
nc 94.237.53.26 55072
+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------+
| Title | Description |
+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------+
| Pursue The Tracks | Luxx, leader of The Phreaks, immerses himself in the depths of his computer, |
| | tirelessly pursuing the secrets of a file he obtained accessing an opposing faction member workstation. |
| | With unwavering determination, he scours through data, putting together fragments of information trying to take some advantage on other factions. |
| | To get the flag, you need to answer the questions from the docker instance. |
+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------+
Files are related to two years, which are those? (for example: 1993,1995)
> 2023,2024
[+] Correct!
There are some documents, which is the name of the first file written? (for example: randomname.pdf)
> Final_Annual_Report.xlsx
[+] Correct!
Which file was deleted? (for example: randomname.pdf)
> Marketing_Plan.xlsx
[+] Correct!
How many of them have been set in Hidden mode? (for example: 43)
> 1
[+] Correct!
Which is the filename of the important TXT file that was created? (for example: randomname.txt)
> credentials.txt
[+] Correct!
A file was also copied, which is the new filename? (for example: randomname.pdf)
> Financial_Statement_draft.xlsx
[+] Correct!
Which file was modified after creation? (for example: randomname.pdf)
> Project_Proposal.pdf
[+] Correct!
What is the name of the file located at record number 45? (for example: randomname.pdf)
[+] Correct!
What is the size of the file located at record number 40? (for example: 1337)
> 57344
[+] Correct!
[+] Here is the flag: HTB{p4rs1ng_mft_1s_v3ry_1mp0rt4nt_s0m3t1m3s}
Was this helpful?