CSAW CTF 2015 - Forensics 100 Flash Writeup

For this challenge, we were given an HDD image and asked to find the flag on it. Let’s start by seeing what kind of file we’re dealing with:

jordan@temp:~/csaw$ file flash_c8429a430278283c0e571baebca3d139.img
flash_c8429a430278283c0e571baebca3d139.img: x86 boot sector, mkdosfs boot message display, code offset 0x3c, OEM-ID "mkfs.fat", sectors/cluster 4, root entries 512, Media descriptor 0xf8, sectors/FAT 256, heads 64, sectors 262144 (volumes > 32 MB) , serial number 0xa0f1dff7, unlabeled, FAT (16 bit)

Ok, a standard FAT volume. Let’s try to mount it:

jordan@temp:~/csaw$ mount flash_c8429a430278283c0e571baebca3d139.img -t vfat -o loop,ro,noexec /mnt
jordan@temp:~$ cd /mnt/
jordan@temp:/mnt$ ls
100.txt  29.txt  48.txt  67.txt  86.txt      pg1184.txt  pg2000.txt  pg4300.txt
10.txt   2.txt   49.txt  68.txt  87.txt      pg11.txt    pg2147.txt  pg4363.txt
11.txt   30.txt  4.txt   69.txt  88.txt      pg120.txt   pg2148.txt  pg46.txt
12.txt   31.txt  50.txt  6.txt   89.txt      pg1232.txt  pg236.txt   pg5000.txt
13.txt   32.txt  51.txt  70.txt  8.txt       pg1260.txt  pg23.txt    pg5200.txt
14.txt   33.txt  52.txt  71.txt  90.txt      pg1322.txt  pg244.txt   pg526.txt
15.txt   34.txt  53.txt  72.txt  91.txt      pg132.txt   pg2500.txt  pg55.txt
16.txt   35.txt  54.txt  73.txt  92.txt      pg1342.txt  pg2542.txt  pg62.txt
17.txt   36.txt  55.txt  74.txt  93.txt      pg135.txt   pg2554.txt  pg730.txt
18.txt   37.txt  56.txt  75.txt  94.txt      pg1399.txt  pg2591.txt  pg74.txt
19.txt   38.txt  57.txt  76.txt  95.txt      pg1400.txt  pg2600.txt  pg768.txt
1.txt    39.txt  58.txt  77.txt  96.txt      pg1497.txt  pg2701.txt  pg76.txt
20.txt   3.txt   59.txt  78.txt  97.txt      pg158.txt   pg2814.txt  pg844.txt
21.txt   40.txt  5.txt   79.txt  98.txt      pg160.txt   pg2852.txt  pg84.txt
22.txt   41.txt  60.txt  7.txt   99.txt      pg161.txt   pg3207.txt  pg863.txt
23.txt   42.txt  61.txt  80.txt  9.txt       pg1656.txt  pg33.txt    pg972.txt
24.txt   43.txt  62.txt  81.txt  pg100.txt   pg1661.txt  pg345.txt   pg98.txt
25.txt   44.txt  63.txt  82.txt  pg1080.txt  pg16.txt    pg35.txt
26.txt   45.txt  64.txt  83.txt  pg108.txt   pg174.txt   pg3600.txt
27.txt   46.txt  65.txt  84.txt  pg10.txt    pg1952.txt  pg36.txt
28.txt   47.txt  66.txt  85.txt  pg1155.txt  pg1998.txt  pg41.txt

Looks like we have quite a few files to dig through. Looks like it’s going to take a while. Ooooorrr, we could just grep for the flag.

root@malfirm:/mnt# grep -r "flag{" * .*
./.10/.hidden:flag{b3l0w_th3_r4dar}

Sweet. The flag is flag{b3l0w_th3_r4dar}

Jordan (@jw_sec)