github pages for writeups and other things

ACECTF 1.0 - Harder Disk

03 Mar 2025

#writeups, #acectf, #forensics

Alternative tiltle for this one: How noob ways of thinking can shoot you in the back


One of the first things I learnt when I started learning to hack was linux. It was fun until I hit a ceiling of understanding about the differences in Operating Systems, what’s a Shell, Kernel, etc.


But once I got better I started developing a liking towards the terminal and how the Linux operating system is better than say Windows, or worse in some cases. How none of them is superior, nor the other inferior. We shall find out with this challenge.


Be careful, a lot of fake galfs around.


For the challenge you were given an unmarked file named challenge. Upon running file challenge, you see that it is a Windows file system.
Image
I change the file to challenge.iso and I mount it. Naively, I try to strings and grep for the flag:

for i in *; do strings "$i" | grep -e ACECTF; done


With this I am rewarded with…

ACECTF{50_much_f0r_50_l177l3}
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:title><rdf:Alt xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:li xml:lang="x-default">ACECTF{50_much_f0r_50_l177l3}</rdf:li></rdf:Alt>
</dc:title></rdf:Description><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:description><rdf:Alt xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:li xml:lang="x-default">ACECTF{50_much_f0r_50_l177l3}</rdf:li></rdf:Alt>
ACECTF{50_much_f0r_50_l177l3}
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:title><rdf:Alt xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:li xml:lang="x-default">ACECTF{50_much_f0r_50_l177l3}</rdf:li></rdf:Alt>
</dc:title></rdf:Description><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:description><rdf:Alt xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:li xml:lang="x-default">ACECTF{50_much_f0r_50_l177l3}</rdf:li></rdf:Alt>
ACECTF{What are you looking at?}
<x:xmpmeta xmlns:x="adobe:ns:meta/"><rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:title><rdf:Alt xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:li xml:lang="x-default">ACECTF{What are you looking at?}</rdf:li></rdf:Alt>
</dc:title></rdf:Description><rdf:Description rdf:about="uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b" xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:description><rdf:Alt xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"><rdf:li xml:lang="x-default">ACECTF{What are you looking at?}</rdf:li></rdf:Alt>
ACECTF{4ll_7h47_ju57_70_g37_f4k3_64lf}
ACECTF{4ll_7h47_ju57_70_g37_f4k3_64lf}
ACECTF{4ll_7h47_ju57_70_g37_f4k3_64lf}
ACECTF{4ll_7h47_ju57_70_g37_f4k3_64lf}
ACECTF{4ll_7h47_ju57_70_g37_f4k3_64lf}
ACECTF{4ll_7h47_ju57_70_g37_f4k3_64lf}
ACECTF{4ll_7h47_ju57_70_g37_f4k3_64lf}
ACECTF{4ll_7h47_ju57_70_g37_f4k3_64lf}
ACECTF{4ll_7h47_ju57_70_g37_f4k3_64lf}


…And so on. Overall, 1830 lines of fake “galf”s and no real flag. Clearly, I need a different approach - and I hopefully have learned my lesson that if I get a bunch of fake flags while using grep, I probably have the wrong approach.


A new approach, and a bit of hindsight


If you have ever worked with NTFS before, you may have heard of Alternate Data Streams - ADS - on Windows. The TLDR of it is that more than one data stream can be associated with one file, with the format filename.extention:streamname. This can hold metadata, malware, or… flags.


On Linux, you can use testdisk to look at these alternate data streams. On selecting the mounted disk image, selecting Advanced, and then List, I can look at what files are on the disk - and what data streams exist on the files. Lo and behold…

Image


The file 666c61672e747874.jpg has a flag and key! The data stream 666c61672e747874.jpg:Flag has the string CTCHHW{7t3_h1hw3p3sq3_s37i33r_a0l_4li_a3}, and 666c61672e747874.jpg:Key has the string cryforme. After this, it’s a simple Vigenère decode:


Image


This gets the flag: ACECTF{7h3_d1ff3r3nc3_b37w33n_y0u_4nd_m3}