Project Sekai - ❌-forensics-employee-428-recovery

Project Sekai

🔒 WolvCTF 2023 / ❌-forensics-employee-428-recovery

Employee 428: Recovery - 500 points

Category: Forensics Description: This is the story of Employee 428 Employee 428 also loves their job, very much. Then one day, something strange happens Something Employee 427 would never forget The master password list that Employee 428 had been entrusted to keep was deleted Employee 428 was shocked, what could have happened? They thought to themself But it's ok! Since Employee 428 is a respectable employee that always makes backups of important files ... ... Wait what? Your're telling me there's no backup? THEY were the only one with the file? How could any company be this stupid? Employee 428 I will be real with you we really need to carve an idea up here because frankly, I'm lost. I can't possibly think of any way to recover this. The new triage data (what good is it anyway?) can be found here Files: No files. Tags: dree#0001, Hard

Sutx pinned a message to this channel. 03/18/2023 10:00 AM

@afterworld wants to collaborate

10:04

@crazyman ai wants to collaborate

lol

@Legoclones wants to collaborate

hey

yo

10:18

looking at new chall

10:18

it seems new data

10:18

not related to original one

okay

we need to recover https://github.com/awesomecorp3234243523/password-list ?

10:27

data/[root]/Users/emplo/Documents/password-list/password_list_redacted.jpg

hmm gives 404

10:28

https://github.com/awesomecorp3234243523/password-list

yeah

isnt that the guy previous flag used

10:29

the profile

yeah

ok let me download this new file and check

https://raw.githubusercontent.com/awesomecorp3234243523/password-list/main/password_list.rar

guessing we need to carve out (used this specific word in chall description) the password_list.rar file in unallocated

10:32

then extract to recover

Employee 428 I will be real with you we really need to carve an idea up here because frankly, I'm lost. I can't possibly think of any way to recover this.

10:33

yeah

10:33

i didnt know you can carve a file in unallocated and extract to have some data tho

awesomecorp3234243523

10:33

[root]/Users/emplo/AppData/Local/Microsoft/Edge/User Data/Default/Sync Data/

10:34

maybe it's useful

the data they give isnt an image, its a folders? how do you load it in autopsy

normally a tool will take an image file, use the MFT or other to find where "unallocated" sectors are. In this case, they did something weird and split up the unallocated sectors into actual files

10:35

so you have to use a tool like binwalk to find files on sectors

10:36

if a file goes across multiple sectors, may need to cat all sectors into one big "unallocated space" file and use binwalk there

so we need this?

Image attachment

10:36

or is this prev chall

THIS CHALL

10:37

https://github.com/awesomecorp3234243523/private-documents/blob/main/profits_redacted.jpg

10:37

prev is like this

yeah the name is changed to "password masterlist"

10:38

so its different i think

yeah similar in design but data is different

10:40

actually solvable now I'm guessing

sahuang

so we need this?

no, this just shows that the password list was replaced with this one

bruh

Image attachment

I'm guessing that's a built-in windows wordlist for Edge

there's a edge wallet but no useful info

10:44

the masterlist reminds me of crypto stuff but seems not there

10:44

there's a password list in edge data, is it for this chall?

10:45

it looks like rockyou stuff so maybe not

no, also built in I think

what is not builtin?

the password list is also built in

11:00

There are 2 folders that hold files for unallocated space

11:00

Magic bytes for rar files start with Rar! (https://en.wikipedia.org/wiki/List_of_file_signatures), so I used the command grep -ral 'Rar!' * in both folders to find which unallocated files the RAR file might be hidden in (edited)

11:02

Only got 3 results: 03610794 05611412 06149412

11:02

When I attempted to extract with binwalk, 03610794 had 2 RAR files, 05611412 had 0, and 06149412

11:04

Of those 3 RAR files I pulled out, 2 were from the Windows RAR utility. Third one only has profits.jpg and profits_redacted.jpg.

11:04

I'm confused why profits is in there and not password list.... that's from employee 427 (last chall), not 428

11:04

wonder if they borked their extraction again

11:05

or perhaps we have to look harder to find it, and there are no magic bytes present for it? Or we're looking for it AFTER it's been extracted from the RAR file?

should prob confirm w admin if 428 has 427 stuff

11:06

sec im checking (edited)

11:06

lol i need to turn off better discord

Image attachment

sahuang

sec im checking (edited)

awesome, thanks

redownload

Image attachment

tremble

broooooo

sleep first (edited)

better get blood on this one just for that

dree — Today at 11:12 AM link for forensics/Employee 428: Recovery has been fixed, please redownload

11:14

bruh

11:14

ok

11:14

that author sucks, made so many mistakes, also the OSINT one

11:14

11:14

legit wasted an hour

i think leg idea is right

right

11:15

dree — Today at 11:14 AM yep it was the same triage as the first two now it's updated to the new one without profits.jpg

@Guesslemonger wants to collaborate

lol

soo is correct file 323 mb?

ye

I'm still seeing profits.jpg in there?

11:22

Same data?

data2.zip

11:22

?

yeah

wtf

please do sanity check for me

11:22

what folders are in [unallocated]?

a sec loading in autopsy

11:23

or u mean these?

Image attachment

yeah okay so it's the same data

11:25

tell the author that the RAR file located in [unallocated space]/01994768/03610794 (at offset 0xE1B000) still has profits.jpg in there, no password list (edited)

1

03559654 is there in 01994768

11:26

for me

11:26

not 03610794

I'm seeing both

i see only 1

11:27

nvm lol

1

haha made me redownload and extract for sanity

she will fix it

11:42

mf

wait no

11:45

dree — Today at 11:41 AM ohhhhh i see yes that's irrelevant, it didn't clear that unallocated space during windows reset sahuang — Today at 11:43 AM oh, so attachment is correct? just this unallocated space thing is irrelevant and we can ignore it? dree — Today at 11:44 AM yep

umm

11:46

so unallocated space isn't even relevant?

1

11:47

$MFT then i guess

sahuang — Today at 11:47 AM so unallocated space isn't even relevant? dree — Today at 11:48 AM the stuff with profits.jpg isnt, but the challenge doesnt mention those sahuang — Today at 11:48 AM what do you mean by "those"? do you mean profit.jpg isnt relevant but unallocated space could be relevant? dree — Today at 11:49 AM yeah

smells of manual carving lol

Exported 113 message(s)