CyberForce 2024 - Hex Marks the Spot
CTF: CyberForce 2024
Category: Forensics
Difficulty: Hard
Key Concepts: Unallocated Space, ASCII Art
Givens
This challenge starts with two files: scenario.txt (1kb) and burbs.001 (48mb). The scenario file explains that the larger file is a disk image, and says that the disk contains:
- A password-protected file
- A password
- Hints about the password
scenario.txt also recommends two tools: Autopsy for analyzing image files, and HxD for viewing hex data.
Part 1: Finding Files
My first step was to open burbs.001 in Autopsy. When Autopsy scans files, it identifies and highlights interesting findings. One of these, “encryption detected”, identified the password-protected file.
Encrypted file detected by Autopsy
There were additional files aside from the PDF: the disk also contained a picture of meatballs (pictured), a meatball recipe PDF, and several red herring files with names like secret, password, and pass.
Meatballs
Part 2: Into Space
The challenge description said to think about where data can be hidden that doesn't get seen by the computer when it initializes the disk - which was a good hint to look in unallocated space. Autopsy shows this in the Unalloc section. Opening this section, I found the password. However, it still required more manipulation to be legible.
Password data in unallocated space
Part 3: Artful
The data immediately stood out to me as ASCII art. The Autopsy view prevented me from viewing it in the correct proportions. After trying several different editors, I opened the original data file in HxD and searched for the start of the password.
Character 3 in HxD default view
To adjust the spacing, I modified the HxD column number until the letters were legible at a width of NUMBER characters.
Character 3 in HxD 32-character-width view
I used this approach to read each character of the password, decrypt the PDF file, and get the flag (which I won’t reveal here).
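The column-width search described above can also be estimated in code. The following Python is an added example, not from the original write-up or the challenge: it scores candidate row widths by how often a stroke byte repeats exactly one row below, then re-wraps the bytes at the best width. The glyph, its 20-column width and all function names are constructed for illustration.

```python
# Added example: estimate the row width of ASCII art stored without line breaks.
# ROWS is a constructed 20-column sample glyph, not data from the challenge image.
ROWS = [
    "",
    "   #########",
    "          ###",
    "          ###",
    "     ######",
    "          ###",
    "          ###",
    "   #########",
    "",
]
TRUE_WIDTH = 20
SAMPLE = "".join(r.ljust(TRUE_WIDTH) for r in ROWS).encode("ascii")


def is_ink(b: int) -> bool:
    """Printable, non-space byte: the visible strokes of the art."""
    return 0x21 <= b <= 0x7E


def score_width(data: bytes, width: int) -> int:
    """Count stroke bytes that repeat exactly one row below at this width."""
    return sum(
        1
        for i in range(len(data) - width)
        if is_ink(data[i]) and data[i] == data[i + width]
    )


def rank_widths(data: bytes, lo: int = 8, hi: int = 48) -> list[tuple[int, int]]:
    """Return (width, score) pairs, best first; ties go to the smaller width."""
    scored = [(w, score_width(data, w)) for w in range(lo, hi + 1)]
    return sorted(scored, key=lambda ws: (-ws[1], ws[0]))


def rewrap(data: bytes, width: int) -> list[str]:
    """Render bytes the way a hex editor's text pane does, `width` per row."""
    text = "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in data)
    return [text[i:i + width] for i in range(0, len(text), width)]


if __name__ == "__main__":
    for width, score in rank_widths(SAMPLE)[:3]:
        print(f"width={width} score={score}")
    print("\n".join(rewrap(SAMPLE, rank_widths(SAMPLE)[0][0])))
```

Multiples of the true width can score as well as or better than the width itself, so keep the search range tight and confirm the top candidates by eye.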
Conclusion
This challenge was a fun addition to traditional image analysis: I enjoyed the process of locating and decoding the ASCII art hidden in the hex data. I found the password location quickly, but it took time to find the right spacing. In the future, HxD will be my go-to tool for working with hex.