
Insider Threat

Solution author: https://twitter.com/1337Moldova

Description: Find the secret John had stolen. Flag looks like: 1337.MD{something_random_or_not}

This was probably the easiest challenge during InfoSec Meetup CTF. We got johnspc.img.gz, which is a GZIP archive.


Let's gunzip the file and see what's inside. Do not forget to make a backup copy :))


Looks like we got a 1GB filesystem image file. Well, there is nothing else we can do except:

  1. Mount it right away;
  2. Analyze with binwalk and then mount right away :D;


Once the image is mounted, we can see a bunch of directories and files.


To unzip the the_secret.zip file, we need its password. After several attempts, it turns out the password is in the hidden .password.wav file. The password is: 13371337133713


And the extracted file is a PDF, containing the flag: 1337.MD{some_forensics_to_spice_up_things}
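
The gunzip, backup, mount and hidden-file steps above can be wrapped so the evidence stays verifiable. This is an added example, not part of the original write-up; the function names and the work-directory layout are assumptions.

```bash
#!/usr/bin/env bash
# Added example. Function names and the work-directory layout are assumptions.

# prepare_image <image.gz> <workdir>: decompress into a working copy, keep the
# original archive untouched, record SHA-256 of both. Prints the copy's path.
prepare_image() {
    src=$1; workdir=$2
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
    gzip -t "$src" || { echo "corrupt gzip: $src" >&2; return 1; }
    mkdir -p "$workdir" || return 1
    out="$workdir/$(basename "${src%.gz}")"
    # gzip -dc streams to stdout; plain gunzip would delete the .gz
    gzip -dc "$src" > "$out" || return 1
    chmod a-w "$out"
    # Paths are recorded as given: use absolute paths, or verify from the same cwd
    sha256sum "$src" "$out" > "$workdir/SHA256SUMS" || return 1
    echo "$out"
}

# verify_image <workdir>: non-zero if the archive or working copy has changed.
verify_image() {
    sha256sum -c "$1/SHA256SUMS" >/dev/null
}

# mount_ro <image> <mountpoint>: needs root. ro keeps the evidence unmodified,
# noexec/nosuid/nodev stop anything on the suspect's disk from running with
# privileges. On ext3/ext4, add noload so the journal is not replayed.
mount_ro() {
    mkdir -p "$2" && mount -o ro,loop,noexec,nosuid,nodev "$1" "$2"
}

# list_hidden <dir>: dot-files that a plain ls would not show.
list_hidden() {
    find "$1" -type f -name '.*' | sort
}
```

Running `verify_image` again after the analysis confirms that neither the archive nor the working copy was altered along the way.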
