Challenge Category: Forensics
Challenge Points: 500
Hmm... I wonder where is the flag?
- The .wim extension is the Windows Imaging Format, Microsoft's archive format for Windows installation images, so the challenge is Windows-oriented.
- The challenge title "Advertisement" hints that it could be an ADS (Alternate Data Streams) challenge; alternate data streams are likewise unique to Windows and the NTFS file system.
If the flag is hidden in plain sight as clear text inside the image (that is, the WIM is not compressed), we can easily pull out all the printable strings with the strings command. Keep in mind that strings only reads the file's ordinary contents: an NTFS alternate stream does not survive a download to a Linux box in the first place, so anything strings finds here lives in the main data of the file.
strings -a flag.wim
MSWIM
Hmm... I wonder where is the flag?NYP{streams_@re_aL7ern@t1ng}
I] 9`
o./G
And if we clean up the output a little:
strings -a flag.wim | grep -o "NYP{.*}"
NYP{streams_@re_aL7ern@t1ng}
On Windows, we can use PowerShell to list all the streams attached to the file:
> Get-Item .\forensics_advertisement.wim -Stream *
PSPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\taronaeo\Documents\GitHub\CTF-NYP-DEC-2023\.files\forensics_advertisement.wim::$DATA
PSParentPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\taronaeo\Documents\GitHub\CTF-NYP-DEC-2023\.files
PSChildName : forensics_advertisement.wim::$DATA
PSDrive : C
PSProvider : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName : C:\Users\taronaeo\Documents\GitHub\CTF-NYP-DEC-2023\.files\forensics_advertisement.wim
Stream : :$DATA
Length : 1467
PSPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\taronaeo\Documents\GitHub\CTF-NYP-DEC-2023\.files\forensics_advertisement.wim:Zone.Identifier
PSParentPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\taronaeo\Documents\GitHub\CTF-NYP-DEC-2023\.files
PSChildName : forensics_advertisement.wim:Zone.Identifier
PSDrive : C
PSProvider : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName : C:\Users\taronaeo\Documents\GitHub\CTF-NYP-DEC-2023\.files\forensics_advertisement.wim
Stream : Zone.Identifier
Length : 263
Two streams show up. `:$DATA` is the default, unnamed data stream, i.e. the ordinary contents of the file (the same bytes strings read above), and `Zone.Identifier` is the only alternate stream: the mark-of-the-web that Windows attaches to downloaded files, which could be read the same way by passing its name to -Stream. So reading `$DATA` is equivalent to reading the file itself with Get-Content; note also that a bare `$DATA` is a variable reference in PowerShell, so the stream name should normally be quoted. The contents of the default stream can be dumped with:
> Get-Item .\forensics_advertisement.wim | Get-Content -Stream $DATA
MSWIMÐ
☺€EÓù™*ÒKkµ3Pœ‘Ç@☺☺☺–☻q☻–´☻☻♥´☻Hmm... I wonder where is the flag?NYP{streams_@re_aL7ern@t1ng}
hÿÿÿÿxI] 9`∟Ú☺€ÿÿÿÿ►Ç„N`∟Ú☺☻►flag.txt(œP☺§òwà C“Ÿ
x☺[XŽæýœ8òëmŸIÇN{•hýßñ‹mè↔§Èflag"Ð"☺☺œP☺§òwà C“Ÿ
x☺[XŽæýœ▼ò▼☺☺òëmŸIÇN{•hýßñ‹mè↔§È▲`☺☻◄☺`☺☺☺íÊÔÅÍ→o./GŠ↨Ž‡ï(↕ã^'ÿþ<WIM><TOTALBYTES>775</TOTALBYTES><IMAGE INDEX="1"><NAME>1</NAME><DIRCOUNT>0</DIRCOUNT><FILECOUNT>1</FILECOUNT><TOTALBYTES>34</TOTALBYTES><CREATIONTIME><HIGHPART>0x01DA1C60</HIGHPART><LOWPART>0x91C5289B</LOWPART></CREATIONTIME><LASTMODIFICATIONTIME><HIGHPART>0x01DA1C60</HIGHPART><LOWPART>0x91C5289B</LOWPART></LASTMODIFICATIONTIME></IMAGE></WIM>
We got the flag, and the dump explains where it sits: the trailing ÿþ<WIM>...</WIM> block is the WIM's XML metadata (UTF-16LE, hence the ÿþ byte-order mark), and it reports a single image with FILECOUNT 1 and TOTALBYTES 34, which is exactly the length of "Hmm... I wonder where is the flag?". The name flag.txt and, a little later, a bare flag in the dump suggest that inside the image the flag text is stored as an alternate stream of flag.txt, which fits both the title and the flag itself; because the image is stored uncompressed, the stream's bytes sit right after the file body and are readable straight out of the archive. Let's clean up the output a little.
> Get-Item .\forensics_advertisement.wim | Get-Content -Stream $DATA | Select-String -Pattern "NYP{.*}" -AllMatches | ForEach-Object { $_.Matches } | ForEach-Object { $_.Value }
NYP{streams_@re_aL7ern@t1ng}
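To make the "where does the flag actually live" point concrete, here is a small WIM header parser written for this page (an added example, not code from the original writeup or from any WIM tool). The header layout follows the published WIM format: 8-byte "MSWIM" magic, u32 header size (0xD0, the Ð byte visible right after MSWIM in the dump), u32 version, u32 flags, u32 chunk size, 16-byte GUID, u16 part number, u16 total parts, u32 image count, then 24-byte resource headers for the lookup table, XML data, boot metadata, a u32 boot index and the integrity table. The sample file it builds is constructed: a header, two uncompressed resources (a 34-byte file body followed by the flag text, mirroring the dump) and the UTF-16LE XML metadata. The lookup table, directory metadata and GUID are left empty, so the sample is not a mountable image; it is enough to show why both strings and Get-Content on the default data stream surface the flag from the ordinary file contents, and how to pull the XML metadata out by offset instead of eyeballing a binary dump.

```python
"""Toy WIM header parser (added example; not part of the original writeup).
Builds a constructed, uncompressed WIM-like blob and reads it back."""
import re
import struct

WIM_MAGIC = b"MSWIM\x00\x00\x00"
HEADER_SIZE = 0xD0        # 208 bytes; the 0xD0 byte right after "MSWIM" in the dump is this field
WIM_VERSION = 0x10D00
FLAG_COMPRESSION = 0x2    # header flag: resources are XPRESS/LZX-compressed (clear in the challenge file)


def pack_reshdr(size, flags, offset, original_size):
    """Resource header: 7-byte size in WIM, 1-byte flags, u64 offset, u64 original size."""
    return size.to_bytes(7, "little") + bytes([flags]) + struct.pack("<QQ", offset, original_size)


def parse_reshdr(buf):
    offset, original_size = struct.unpack_from("<QQ", buf, 8)
    return {"size": int.from_bytes(buf[:7], "little"), "flags": buf[7],
            "offset": offset, "original_size": original_size}


def parse_wim_header(data):
    """Parse the fixed 208-byte header and return its fields as a dict."""
    if data[:8] != WIM_MAGIC:
        raise ValueError("not a WIM file (bad magic)")
    hdr_size, version, flags, chunk_size = struct.unpack_from("<IIII", data, 8)
    part_number, total_parts, image_count = struct.unpack_from("<HHI", data, 40)
    return {
        "hdr_size": hdr_size, "version": version, "flags": flags, "chunk_size": chunk_size,
        "guid": data[24:40], "part_number": part_number, "total_parts": total_parts,
        "image_count": image_count, "compressed": bool(flags & FLAG_COMPRESSION),
        "lookup_table": parse_reshdr(data[48:72]),
        "xml_data": parse_reshdr(data[72:96]),
        "boot_metadata": parse_reshdr(data[96:120]),
        "boot_index": struct.unpack_from("<I", data, 120)[0],
        "integrity": parse_reshdr(data[124:148]),
    }


def extract_xml(data):
    """Return the XML metadata (the <WIM>...</WIM> blob at the end of the dump) as str."""
    res = parse_wim_header(data)["xml_data"]
    raw = data[res["offset"]:res["offset"] + res["size"]]
    if raw[:2] == b"\xff\xfe":      # UTF-16LE BOM, the "ÿþ" printed in front of <WIM> in the dump
        raw = raw[2:]
    return raw.decode("utf-16-le")


def ascii_strings(data, min_len=4):
    """Roughly what `strings -a` does: runs of at least min_len printable ASCII bytes."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def find_flags(data):
    """The grep -o "NYP{.*}" step, with a negated class so each flag is one match."""
    return [m.decode() for m in re.findall(rb"NYP\{[^}]*\}", data)]


def build_sample_wim():
    """Constructed sample resembling the challenge file: header, two raw resources, XML."""
    file_body = b"Hmm... I wonder where is the flag?"   # 34 bytes, matching TOTALBYTES 34 in the dump
    ads_body = b"NYP{streams_@re_aL7ern@t1ng}"         # the flag, stored as the next raw resource
    xml_text = ('<WIM><IMAGE INDEX="1"><NAME>1</NAME><DIRCOUNT>0</DIRCOUNT>'
                '<FILECOUNT>1</FILECOUNT><TOTALBYTES>34</TOTALBYTES></IMAGE></WIM>')
    xml_body = b"\xff\xfe" + xml_text.encode("utf-16-le")

    xml_offset = HEADER_SIZE + len(file_body) + len(ads_body)
    hdr = bytearray(HEADER_SIZE)
    hdr[0:8] = WIM_MAGIC
    struct.pack_into("<IIII", hdr, 8, HEADER_SIZE, WIM_VERSION, 0, 0x8000)  # flags 0: uncompressed
    # bytes 24..40: GUID, left all-zero in this constructed sample
    struct.pack_into("<HHI", hdr, 40, 1, 1, 1)                               # part 1 of 1, one image
    hdr[48:72] = pack_reshdr(0, 0, 0, 0)                                     # lookup table omitted
    hdr[72:96] = pack_reshdr(len(xml_body), 0, xml_offset, len(xml_body))
    # boot metadata, boot index and integrity table stay zero
    return bytes(hdr) + file_body + ads_body + xml_body


SAMPLE_WIM = build_sample_wim()

if __name__ == "__main__":
    hdr = parse_wim_header(SAMPLE_WIM)
    print("images:", hdr["image_count"], "compressed:", hdr["compressed"],
          "xml at offset", hdr["xml_data"]["offset"])
    print(extract_xml(SAMPLE_WIM))
    print(ascii_strings(SAMPLE_WIM))   # "MSWIM", then the file body running straight into the flag
    print(find_flags(SAMPLE_WIM))
```

Running it against a real challenge file instead of the sample only needs `open(path, "rb").read()` in place of SAMPLE_WIM; if `compressed` comes back True the strings approach would not work and the resources would have to be decompressed (with a tool such as wimlib) before searching.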