BLACKHAT MEA CTF 2024 Qualifiers

cyberCypher
3 min read · Nov 28, 2024

Hola guys! I am back again with a new writeup for a CTF that I played recently. It was an amazing experience playing with my team, m4lware. I will be sharing a forensics write-up for NotFS today. Let's dive in!

NotFS (Medium)

After extensive research, I identified several tools for partition recovery. However, TestDisk emerged as the most reliable and efficient solution. Here’s a breakdown of the analysis process:

I opted for a deeper scan to gain a more granular understanding of the Linux partition. This involved analyzing the sector size and other low-level details. The results of this scan are presented below:

Once the deep scan was finished, I modified the partition type to HPFS-NTFS. Subsequently, I listed the files on the partition to confirm if the recovery process was successful. This step was crucial in assessing the partition’s recoverability and functionality. The results of the file listing are presented below:

The recovered files were transferred to a specified directory. The contents of this directory are detailed below:

A preliminary examination of the recovered files, based on thumbnail generation, suggested their integrity. However, one file, ‘DALL·E 2024–08–08 07.08.12 — A bustling scene at Black Hat MEA (Middle East & Africa) cybersecurity event. The image includes a large exhibition hall filled with booths from vario.png’, exhibited signs of corruption. To delve deeper, a hex editor analysis was conducted. Examining file headers uncovered irregularities, pointing to potential structural damage within the file. A detailed breakdown of the header analysis is provided below.

BHFlagY{8bd8dc3ea7636c5fb8aeb}
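The header check described above for the corrupted PNG can also be done in code instead of a hex editor: validate the 8-byte signature, then walk the chunks and verify each CRC. This is an added example, not part of the original writeup; the sample PNG and its damage are constructed, since the post does not state which header fields were wrong in the challenge file.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

def make_chunk(ctype: bytes, data: bytes) -> bytes:
    """Build one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def check_png(blob: bytes) -> list[str]:
    """Return the structural irregularities found in a PNG byte string."""
    issues = []
    if blob[:8] != PNG_SIGNATURE:
        issues.append(f"bad signature: {blob[:8].hex()}")
    offset, index, seen_iend = 8, 0, False
    while offset + 12 <= len(blob):  # 12 bytes = smallest possible chunk
        length, ctype = struct.unpack(">I4s", blob[offset:offset + 8])
        end = offset + 8 + length    # end of chunk data, start of stored CRC
        name = ctype.decode("latin-1")
        if end + 4 > len(blob):
            issues.append(f"chunk {index} at {offset:#x}: length {length} runs past end of file")
            break
        if index == 0 and ctype != b"IHDR":
            issues.append(f"first chunk is {name!r}, expected 'IHDR'")
        stored = struct.unpack(">I", blob[end:end + 4])[0]
        actual = zlib.crc32(blob[offset + 4:end]) & 0xFFFFFFFF
        if stored != actual:
            issues.append(f"chunk {name!r} at {offset:#x}: CRC {stored:08x} != computed {actual:08x}")
        offset, index = end + 4, index + 1
        if ctype == b"IEND":
            seen_iend = True
            break
    if not seen_iend:
        issues.append("no IEND chunk found")
    elif offset < len(blob):
        issues.append(f"{len(blob) - offset} trailing bytes after IEND")
    return issues

# Constructed 1x1 grayscale PNG (sample data, not the challenge file).
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
GOOD = (PNG_SIGNATURE + make_chunk(b"IHDR", IHDR)
        + make_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + make_chunk(b"IEND", b""))
# Constructed damage: zeroed magic bytes and an overwritten IHDR type field.
BAD = b"\x00\x00\x00\x00" + GOOD[4:12] + b"XXXX" + GOOD[16:]

if __name__ == "__main__":
    for issue in check_png(BAD):
        print(issue)
```
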
