Forensic

Last updated 11 months ago

  • Taking Up Residence

Another CTF, another forensic challenge solved. For this challenge we are given a file, and I had no idea what it was for, so I did some research. By looking at the file header, which starts with "FILE0", I discovered that the file provided was indeed an MFT (Master File Table) file. An MFT file mainly consists of file entries, one added each time a file is added to an NTFS file system volume. More information about the MFT file here.

So, from that information I used a tool called MFT Explorer, a GUI-based tool that makes further analysis of the MFT file easier. Before that, I tried the strings tool to get any printable plain text, which revealed the location of flag.txt in .\Users\User\Downloads. Using MFT Explorer, I went to the Downloads folder and found flag.txt, but it looks like the flag has been encrypted somehow.

Looking at another interesting file called ransom.py, I found that this is the Python script that encrypted flag.txt. The encryption the script uses is Fernet, which needs a base64 key to decrypt the file; that key is already provided in the overview pane. With the key, I could finally decrypt it and see the plain-text flag.

Flag: flag{a4096cd70d8859d38cf8e7487b4cd0fa}
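NTFS keeps small files inside their MFT record as a resident $DATA attribute, which is why the contents of flag.txt and ransom.py can be read from the MFT file alone. The following is an added example, not part of the original writeup or of MFT Explorer: a minimal carver for resident file content, assuming 1024-byte records and 512-byte sectors, with illustrative function names and a constructed sample record.

```python
import struct

REC, SECTOR = 1024, 512  # assumed: default MFT record size and sector size

def fixup(rec):
    """Restore the last 2 bytes of each sector from the update sequence array."""
    usa_off, usa_n = struct.unpack_from("<HH", rec, 4)
    buf = bytearray(rec)
    for i in range(1, min(usa_n, len(rec) // SECTOR + 1)):
        buf[i * SECTOR - 2:i * SECTOR] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def parse_record(rec):
    """Return (file name, resident $DATA bytes or None) for one FILE record."""
    rec = fixup(rec)
    off, name, data = struct.unpack_from("<H", rec, 0x14)[0], None, None
    while off + 0x18 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:  # end marker or corrupt length
            break
        if rec[off + 8] == 0:  # resident flag: content is stored inside the record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == 0x30 and len(body) > 0x42 and (name is None or body[0x41] != 2):
                name = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le", "replace")
            elif atype == 0x80 and rec[off + 9] == 0:  # unnamed $DATA stream
                data = body
        off += alen
    return name, data

def resident_files(mft):
    """Map file name -> content for every record whose data sits in the MFT itself."""
    recs = (mft[p:p + REC] for p in range(0, len(mft) - REC + 1, REC))
    found = (parse_record(r) for r in recs if r[:4] == b"FILE")
    return {n: d for n, d in found if n and d is not None}

def sample_record(name, content):
    """Constructed record (not challenge data): $FILE_NAME plus resident $DATA."""
    def attr(atype, body):
        pad = -len(body) % 8
        return struct.pack("<IIBBHHHIHH", atype, 0x18 + len(body) + pad, 0, 0, 0x18,
                           0, 0, len(body), 0x18, 0) + body + bytes(pad)
    fn = bytes(0x40) + bytes([len(name), 1]) + name.encode("utf-16-le")
    hdr = struct.pack("<4sHH8xHHHH", b"FILE", 0x30, 3, 1, 1, 0x38, 1).ljust(0x30, b"\0") + b"\x01\0"
    body = hdr.ljust(0x38, b"\0") + attr(0x30, fn) + attr(0x80, content) + b"\xff" * 4
    rec = bytearray(body.ljust(REC, b"\0"))
    for i in (1, 2):  # move each sector tail into the update sequence array
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[i * SECTOR - 2:i * SECTOR]
        rec[i * SECTOR - 2:i * SECTOR] = b"\x01\0"
    return bytes(rec)
```

On a real dump, call `resident_files(open(path, "rb").read())`; records whose $DATA is non-resident are skipped because their content lives in clusters outside the MFT. The "FILE0" header seen in the challenge file is the "FILE" signature followed by the update sequence array offset 0x30, which is ASCII "0".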
