Employee of the Year
Preparation
First download and install PhotoRec from here:
wget https://www.cgsecurity.org/testdisk-7.2-WIP.linux26-x86_64.tar.bz2
tar xjvf ./testdisk-7.2-WIP.linux26-x86_64.tar.bz2
rm ./testdisk-7.2-WIP.linux26-x86_64.tar.bz2
Solution
-
What is the text written on the recovered gif image? (2 points)
My first step when solving anything is to run strings on the given file:

$ strings ./recoverfiles.dd | head
/media/splunk/20027131-e907-4aa4-a6c1-bdaa183a9b61
/media/splunk/20027131-e907-4aa4-a6c1-bdaa183a9b61
/media/splunk/20027131-e907-4aa4-a6c1-bdaa183a9b61
c8'7
lost+found
Vanilla.gif
SBTCertifications.mp4
Flag3.pdf
Flag2.docx
Flag1.png
This gives us the file type that we're looking for in each of the upcoming questions, so now we aren't going in blind.
Before running PhotoRec, we need to determine the file system type. We can do that with the parted utility (source); note the space between the -F argument and the awk program, which the one-liner needs to parse correctly:

$ sudo parted -m ./recoverfiles.dd print | tail -n +3 | awk -F ":" '{print $(NF-2)}'
ext4
If you prefer to do it manually without the one-liner and awk, you can run the following sequence:

$ sudo parted ./recoverfiles.dd
GNU Parted 3.3
Using /tmp/recoverfiles.dd
Welcome to GNU Parted! Type 'help' to view a list of commands.
(parted) print list
Model:  (file)
Disk /tmp/recoverfiles.dd: 10.5MB
Sector size (logical/physical): 512B/512B
Partition Table: msdos
Disk Flags:

Number  Start   End     Size    Type     File system  Flags
 1      1049kB  10.5MB  9437kB  primary  ext4
We can see that the file system is ext4. Now we can run PhotoRec on the DD image:

cd ./testdisk-7.2-WIP
sudo ./photorec_static /tmp/recoverfiles.dd
You need to select the following options:
-
Disk /tmp/recoverfiles.dd - 10 MB / 10 MiB (RO)
-
No partition 0 0 1 1 70 5 20480 [Whole disk]
-
[ ext2/ext3 ] ext2/ext3/ext4 filesystem
-
Choose the directory you want the recovered files to be output to. A new directory called recup_dir.1 will be created in the destination you choose.
Source:
f0010896.gif
Answer:
GoodJobDefender
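PhotoRec finds these files by scanning the raw image for known file headers rather than by reading the (deleted) filesystem entries. The following is an added Python illustration of that signature-based carving, not the writeup's or PhotoRec's own code; it covers the five file types the strings output listed, builds a small disk image inline, and names each hit after its starting 512-byte sector the way PhotoRec's f<sector>.<ext> names above do.

```python
import re

SECTOR = 512

# Magic-byte signatures for the five file types the strings output listed.
# The int is the offset of the signature inside the file (MP4 'ftyp' follows a 4-byte box size).
SIGNATURES = {
    "gif":  (0, re.compile(rb"GIF8[79]a")),
    "png":  (0, re.compile(rb"\x89PNG\r\n\x1a\n")),
    "pdf":  (0, re.compile(rb"%PDF-\d\.\d")),
    "docx": (0, re.compile(rb"PK\x03\x04")),  # OOXML is a ZIP; a real carver inspects the archive to tell docx from zip
    "mp4":  (4, re.compile(rb"ftyp")),
}


def carve(image: bytes):
    """Scan a raw image for file headers; return (photorec_style_name, byte_offset) per hit."""
    hits = []
    for ext, (sig_off, pat) in SIGNATURES.items():
        for m in pat.finditer(image):
            start = m.start() - sig_off
            # On an ext4 image every file begins on a filesystem block, which is
            # sector-aligned, so an unaligned match is a signature embedded in other data.
            if start < 0 or start % SECTOR:
                continue
            hits.append((f"f{start // SECTOR:07d}.{ext}", start))
    return sorted(hits, key=lambda h: h[1])


def build_sample_image() -> bytes:
    """Constructed 16-sector image: zero-filled, with headers planted at known sectors."""
    img = bytearray(16 * SECTOR)

    def put(offset: int, data: bytes) -> None:
        img[offset:offset + len(data)] = data

    put(3 * SECTOR, b"GIF89a")
    put(5 * SECTOR, b"%PDF-1.5")
    put(7 * SECTOR, b"PK\x03\x04")
    put(9 * SECTOR, b"\x00\x00\x00\x18ftypisom")
    put(11 * SECTOR + 100, b"%PDF-1.4")  # decoy inside another file's data: unaligned, must be skipped
    put(13 * SECTOR, b"\x89PNG\r\n\x1a\n")
    return bytes(img)


if __name__ == "__main__":
    for name, offset in carve(build_sample_image()):
        print(f"{name}  at byte {offset} (sector {offset // SECTOR})")
```

Point carve() at the bytes of a real image and the hit list shows the same sector numbers PhotoRec encodes in its output filenames.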
-
Submit Flag1 (1 points)
Source:
f0019896.png
Answer:
FLAG1:WELOVEBTLO
-
Submit Flag2 (1 points)
Source:
f0011120.docx
The document contained the string RkxBRzI6QVNPTElEREVGRU5ERVI=. This is a Base64 encoded string, which we can decode from the terminal with the following:

echo "RkxBRzI6QVNPTElEREVGRU5ERVI=" | base64 -d
Answer:
FLAG2:ASOLIDERDEFENDER
-
Submit Flag3 (1 points)
Source:
f0011088.pdf
There was no visual flag contained within the PDF, so we have to get more creative with this one. Running exiftool ./f0011088.pdf gave us the following output:

ExifTool Version Number         : 11.88
File Name                       : f0011088.pdf
Directory                       : .
File Size                       : 12 kB
File Modification Date/Time     : 2023:01:05 18:52:57-05:00
File Access Date/Time           : 2023:01:05 18:54:04-05:00
File Inode Change Date/Time     : 2023:01:05 18:52:57-05:00
File Permissions                : rw-r--r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.5
Linearized                      : No
Author                          : FLAG3%3A%40BLU3T3AM%240LDI3R
Producer                        : Skia/PDF m90
Page Count                      : 1
The Author field contains the flag, but it is URL encoded. Decoding it with CyberChef gives us the final flag.
Answer:
FLAG3:@BLU3T3AM$0LDI3R
-
What is the filesystem of the provided disk image? (2 points)
We know this because we ran parted on the DD image earlier.
Answer:
ext4
-
What is the original filename of the recovered mp4 file? (3 points)
The challenge creator wanted us to find this information via the use of the scalpel tool, but that tool is complicated to set up and no longer maintained. We can instead find the answer with the following in this case:

strings ./recoverfiles.dd | grep mp4
Answer:
SBTCertifications.mp4