We start by downloading the source files.
The provided zip file contains a
You can extract the data on Linux with analyzeMFT:
analyzeMFT.py -f z.mft -o mftanalyzed.csv
You can get more information here.
Unfortunately, this extraction is not enough to solve the challenge. We can use Mft2Csv for Windows to extract more information from the MFT file.
We then use
We use this data to answer the questions in the docker instance:
nc 94.237.53.26 55072
+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------+
| Title | Description |
+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------+
| Pursue The Tracks | Luxx, leader of The Phreaks, immerses himself in the depths of his computer, |
| | tirelessly pursuing the secrets of a file he obtained accessing an opposing faction member workstation. |
| | With unwavering determination, he scours through data, putting together fragments of information trying to take some advantage on other factions. |
| | To get the flag, you need to answer the questions from the docker instance. |
+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------+
Files are related to two years, which are those? (for example: 1993,1995)
> 2023,2024
[+] Correct!
There are some documents, which is the name of the first file written? (for example: randomname.pdf)
> Final_Annual_Report.xlsx
[+] Correct!
Which file was deleted? (for example: randomname.pdf)
> Marketing_Plan.xlsx
[+] Correct!
How many of them have been set in Hidden mode? (for example: 43)
> 1
[+] Correct!
Which is the filename of the important TXT file that was created? (for example: randomname.txt)
> credentials.txt
[+] Correct!
A file was also copied, which is the new filename? (for example: randomname.pdf)
> Financial_Statement_draft.xlsx
[+] Correct!
Which file was modified after creation? (for example: randomname.pdf)
> Project_Proposal.pdf
[+] Correct!
What is the name of the file located at record number 45? (for example: randomname.pdf)
[+] Correct!
What is the size of the file located at record number 40? (for example: 1337)
> 57344
[+] Correct!
[+] Here is the flag: HTB{p4rs1ng_mft_1s_v3ry_1mp0rt4nt_s0m3t1m3s}
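
The questions above map to fields stored in each MFT FILE record: the in-use flag (deleted files), the $STANDARD_INFORMATION timestamps and hidden bit, the $FILE_NAME name, the record number and the $DATA size. The parser below is an added example, not part of the original writeup and not code from analyzeMFT or Mft2Csv; it assumes 1024-byte records and 512-byte sectors, and `parse_record`, `build_sample` and the sample record are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch (100 ns ticks)

def parse_record(raw):
    """Parse one FILE record (assumed 1024 bytes); None for unused or BAAD slots."""
    if raw[:4] != b"FILE":
        return None
    rec = bytearray(raw)
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 0x04)
    for i in range(1, usa_cnt):  # undo fixups at the end of each 512-byte sector
        rec[i * 512 - 2:i * 512] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    off, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"record": struct.unpack_from("<I", rec, 0x2C)[0],
            "deleted": not flags & 0x01, "name": None, "size": None}
    while off + 0x18 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:  # end marker or corrupt length
            break
        resident, unnamed = rec[off + 8] == 0, rec[off + 9] == 0
        clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
        body = rec[off + coff:off + coff + clen] if resident else b""
        if atype == 0x10 and resident:  # $STANDARD_INFORMATION
            created, modified, _, _, fattr = struct.unpack_from("<4QI", body)
            info["created"] = EPOCH + timedelta(microseconds=created // 10)
            info["modified"] = EPOCH + timedelta(microseconds=modified // 10)
            info["hidden"] = bool(fattr & 0x02)  # FILE_ATTRIBUTE_HIDDEN
        elif atype == 0x30 and resident and body[0x41] != 2:  # $FILE_NAME, not DOS 8.3
            info["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        elif atype == 0x80 and unnamed:  # default $DATA stream gives the file size
            info["size"] = clen if resident else struct.unpack_from("<Q", rec, off + 0x30)[0]
        off += alen
    return info

def build_sample(num, name, in_use, fattr, ft):
    """Build a constructed FILE record (synthetic demo data, not from the challenge)."""
    def attr(atype, body):
        pad = body + b"\0" * (-len(body) % 8)
        return struct.pack("<IIBBHHHIHH", atype, 0x18 + len(pad), 0, 0, 0, 0, 0, len(body), 0x18, 0) + pad
    si = struct.pack("<4QI", ft, ft, ft, ft, fattr) + b"\0" * 12
    fn = struct.pack("<Q4QQQIIBB", 5, ft, ft, ft, ft, 0, 0, fattr, 0, len(name), 1) + name.encode("utf-16-le")
    attrs = attr(0x10, si) + attr(0x30, fn) + attr(0x80, b"secret") + struct.pack("<I", 0xFFFFFFFF)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, int(in_use),
                      0x38 + len(attrs), 1024, 0, 4, 0, num)
    return (hdr.ljust(0x38, b"\0") + attrs).ljust(1024, b"\0")

if __name__ == "__main__":  # constructed record: deleted, hidden, 6-byte resident file
    print(parse_record(build_sample(12, "example_notes.txt", False, 0x22, 133500000000000000)))
```

To run it over the challenge file, read `z.mft` in 1024-byte chunks and call `parse_record` on each chunk.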