CTF:             CyberForce 2024
Category:        Forensics
Difficulty:      Hard
Key Concepts:    Unallocated Space, ASCII Art

Givens

This challenge starts with two files: scenario.txt (1kb) and burbs.001 (48mb). The scenario file explains that the larger file is a disk image, and says that the disk contains:

  • A password-protected file
  • A password
  • Hints about the password

scenario.txt also recommends two tools: Autopsy for analyzing image files, and HxD for viewing hex data.

Part 1: Finding Files

My first step was to open burbs.001 in Autopsy. When Autopsy scans files, it identifies and highlights interesting findings.. One of these, “encryption detected”, identified the password-protected file.

Encrypted file detected by Autopsy

There were additional files aside from the PDF: the disk also contained a picture of meatballs (pictured), a meatball recipe PDF, and several red herring files with names like secret, password, and pass.

Meatballs

Part 2: Into Space

The challenge description said to think about where data can be hidden that doesn't get seen by the computer when it initializes the disk - which was a good hint to look in unallocated space. Autopsy shows this in the Unalloc section. Opening this section, I found the password. However, it still required more manipulation to be legible.

Password data in unallocated space

Part 3: Artful

The data immediately stood out to me as ASCII art. The Autopsy view prevented me from viewing it in the correct proportions. After trying several different editors, I opened the original data file in HxD and searched for the start of the password.

Character 3 in HxD default view

To adjust the spacing, I modified the HxD column number until the letters were legible at a width of NUMBER characters.

Character 3 in HxD 32-character-width view

I used this approach to read each character of the password, decrypt the PDF file, and get the flag (which I won’t reveal here).

Conclusion

This challenge was a fun addition to traditional image analysis: I enjoyed the process of locating and decoding the ASCII art hidden in the hex data. I found the password location quickly, but it took time to find the right spacing. In the future, HxD will be my go-to tool for working with hex.