Pursue The Tracks

Category: Forensics Difficulty: easy Flag: HTB{p4rs1ng_mft_1s_v3ry_1mp0rt4nt_s0m3t1m3s}

Challenge

Description


Luxx, leader of The Phreaks, immerses himself in the depths of his computer, tirelessly pursuing the secrets of a file he obtained accessing an opposing faction member's workstation. With unwavering determination, he scours through data, putting together fragments of information trying to take some advantage on other factions. To get the flag, you need to answer the questions from the docker instance.

File analysis

We are given a .mft file, so we can open it with Eric Zimmerman's MFT Explorer tool to study it.

After that, it is just a matter of connecting to the server and answering the questions.


→ 2023,2024


There are some documents, which is the name of the first file written?

→ Final_Annual_Report.xlsx


Which file was deleted?

→ Marketing_Plan.xlsx


How many of them have been set in Hidden mode?

→ 1

Only the file credentials.txt has the hidden flag set.


Which is the filename of the important TXT file that was created?

→ credentials.txt


A file was also copied, which is the new filename?

→ Financial_Statement_draft.xlsx


Which file was modified after creation?

→ Project_Proposal.pdf


What is the name of the file located at record number 45?

→ Annual_Report.xlsx


What is the size of the file located at record number 40?

→ 57344
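The fields behind the questions above (record number, in-use flag, hidden attribute, name, size, created/modified times) can be read directly from a raw FILE record. This is an added example, not part of the original write-up or of MFT Explorer: the record is constructed, `parse_record`, `make_attr` and `sample_record` are hypothetical names, and update-sequence fixups are not applied, which a parser for a real $MFT must do first.

```python
import struct

IN_USE, HIDDEN = 0x0001, 0x0002  # record-header flag; $STANDARD_INFORMATION DOS attribute

def parse_record(rec: bytes) -> dict:
    """Pull the fields the challenge asks about out of one MFT FILE record."""
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    off, flags = struct.unpack_from("<HH", rec, 0x14)  # first attribute offset, flags
    info = {"record": struct.unpack_from("<I", rec, 0x2C)[0], "name": None,
            "deleted": not flags & IN_USE, "hidden": False, "size": None}
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen < 0x18 or off + alen > len(rec):
            break  # end marker or malformed length
        resident, unnamed = rec[off + 8] == 0, rec[off + 9] == 0
        if resident:
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == 0x10:  # $STANDARD_INFORMATION: timestamps + DOS attributes
                created, modified = struct.unpack_from("<QQ", body, 0)
                info["modified_after_creation"] = modified > created
                info["hidden"] = bool(struct.unpack_from("<I", body, 0x20)[0] & HIDDEN)
            elif atype == 0x30 and (info["name"] is None or body[0x41] != 2):
                # $FILE_NAME: prefer the long name over the DOS 8.3 alias (namespace 2)
                info["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
            elif atype == 0x80 and unnamed:  # small file stored inside the record
                info["size"] = clen
        elif atype == 0x80 and unnamed:  # non-resident $DATA: real size at +0x30
            info["size"] = struct.unpack_from("<Q", rec, off + 0x30)[0]
        off += alen
    return info

def make_attr(atype: int, body: bytes) -> bytes:
    """Constructed resident attribute: 0x18-byte header, body, padded to 8 bytes."""
    total = (0x18 + len(body) + 7) & ~7
    head = struct.pack("<IIBBHHHIHH", atype, total, 0, 0, 0, 0, 0, len(body), 0x18, 0)
    return (head + body).ljust(total, b"\0")

def sample_record(flags: int = IN_USE, dos_attrs: int = HIDDEN) -> bytes:
    """Constructed 1024-byte record for a file 'notes.txt' (not challenge data)."""
    name = "notes.txt".encode("utf-16-le")
    hdr = struct.pack("<4s16xHH20xI8x", b"FILE", 0x38, flags, 7)  # record number 7
    attrs = (make_attr(0x10, struct.pack("<QQQQI", 100, 200, 200, 200, dos_attrs))
             + make_attr(0x30, bytes(0x40) + bytes([len(name) // 2, 1]) + name)
             + make_attr(0x80, b"secret"))
    return (hdr + attrs + b"\xff" * 4).ljust(1024, b"\0")

if __name__ == "__main__":
    print(parse_record(sample_record()))
```

A record whose in-use bit is clear is reported as deleted, which is the property behind the "Which file was deleted?" question.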


Solve script

from pwnlib.tubes.remote import remote

# Answers in the order the server asks the questions
ANSWERS = [
    b'2023,2024',
    b'Final_Annual_Report.xlsx',
    b'Marketing_Plan.xlsx',
    b'1',
    b'credentials.txt',
    b'Financial_Statement_draft.xlsx',
    b'Project_Proposal.pdf',
    b'Annual_Report.xlsx',
    b'57344',
]

def solve(host, port):
    client = remote(host, port)
    for answer in ANSWERS:
        client.recvuntil(b'> ')  # wait for the next prompt
        client.sendline(answer)
    # The final message ends with "...: <flag>"
    flag = client.recvall(timeout=1).decode().split(': ')[1].strip()
    print(f"Flag: {flag}")

if __name__ == '__main__':
    solve('94.237.62.195', 45890)
