forbytten blogs

Pursue The Tracks Writeup - Cyber Apocalypse 2024


1 Introduction

This writeup covers the Pursue The Tracks Forensics challenge from the Hack The Box Cyber Apocalypse 2024 CTF, which was rated as having an ‘easy’ difficulty. The challenge involved the forensic analysis of an NTFS MFT (Master File Table) file.

The description of the challenge is shown below.

Pursue The Tracks challenge description

2 Key Techniques

The key techniques employed in this writeup are:

3 Artifacts Summary

The downloaded artifact had the following hash:

$ shasum -a256 forensics_persue_the_tracks.zip
57c67a34fda4e56c204119144ee6adcb24c6a68dccf4c5402cbcdcd3e3eb9c49  forensics_persue_the_tracks.zip

The zip file contained a single z.mft file:

$ unzip forensics_persue_the_tracks.zip
Archive:  forensics_persue_the_tracks.zip
  inflating: z.mft

$ shasum -a256 z.mft
1a67223ce69744ebe57a6a574088e8ac0c16459073e2e7578a7c533e3a76b006  z.mft

4 Challenge overview

The challenge required connecting to the spawned Docker instance and answering a series of questions based on the downloaded z.mft file. For example, to connect using netcat:

$ nc -n -v 94.237.52.22 48303

5 Basic file identification

The file command was unable to identify the file type:

$ file z.mft
z.mft: data

However, based on some internet searching with the query “windows mft file extension” and the context from the challenge description, the file was identified as likely being an MFT (Master File Table) from a Windows machine, storing metadata about every file in an NTFS filesystem. An excerpt from the official documentation:

MFT (Master File Table) definition

6 MFT_Browser

From a list of Windows Incident Response FOSS Tools, MFT_Browser was identified as a tool that can analyze MFT files. Starting up the program in a Windows 11 VM, MFT_Browser was able to successfully open z.mft.

MFT_Browser successfully opened z.mft

7 Revisiting file identification

Taking a look at z.mft with xxd, it appeared the MFT file format has a regular structure: a record every 0x400 (1024) bytes, each beginning with the string “FILE0”. Strictly, the signature is the four bytes “FILE”; the “0” that follows is the low byte of the update-sequence-offset field (0x0030), which has the same value in every record here, so grepping for “FILE0” works well enough as a quick check. This is good to know for future identification exercises.

$ xxd z.mft |grep FILE0
00000000: 4649 4c45 3000 0300 5151 1000 0000 0000  FILE0...QQ......
00000400: 4649 4c45 3000 0300 9751 1000 0000 0000  FILE0....Q......
00000800: 4649 4c45 3000 0300 dd51 1000 0000 0000  FILE0....Q......
00000c00: 4649 4c45 3000 0300 0c55 1000 0000 0000  FILE0....U......
00001000: 4649 4c45 3000 0300 7152 1000 0000 0000  FILE0...qR......
00001400: 4649 4c45 3000 0300 967e 1000 0000 0000  FILE0....~......
00001800: 4649 4c45 3000 0300 2b52 1000 0000 0000  FILE0...+R......
00001c00: 4649 4c45 3000 0300 0000 0000 0000 0000  FILE0...........
00002000: 4649 4c45 3000 0300 b752 1000 0000 0000  FILE0....R......
00002400: 4649 4c45 3000 0300 3164 1000 0000 0000  FILE0...1d......
00002800: 4649 4c45 3000 0300 4f54 1000 0000 0000  FILE0...OT......
00002c00: 4649 4c45 3000 0300 bb53 1000 0000 0000  FILE0....S......
00003000: 4649 4c45 3000 0300 0000 0000 0000 0000  FILE0...........
00003400: 4649 4c45 3000 0300 0000 0000 0000 0000  FILE0...........
00003800: 4649 4c45 3000 0300 0000 0000 0000 0000  FILE0...........
00003c00: 4649 4c45 3000 0300 0000 0000 0000 0000  FILE0...........
00006000: 4649 4c45 3000 0300 6054 1000 0000 0000  FILE0...`T......
00006400: 4649 4c45 3000 0300 8254 1000 0000 0000  FILE0....T......
00006800: 4649 4c45 3000 0300 7154 1000 0000 0000  FILE0...qT......
00006c00: 4649 4c45 3000 0300 2957 1000 0000 0000  FILE0...)W......
00007000: 4649 4c45 3000 0300 9354 1000 0000 0000  FILE0....T......
00007400: 4649 4c45 3000 0300 ea54 1000 0000 0000  FILE0....T......
00007800: 4649 4c45 3000 0300 825a 1000 0000 0000  FILE0....Z......
00007c00: 4649 4c45 3000 0300 0a58 1000 0000 0000  FILE0....X......
00008000: 4649 4c45 3000 0300 4e59 1000 0000 0000  FILE0...NY......
00008400: 4649 4c45 3000 0300 db5a 1000 0000 0000  FILE0....Z......
00008800: 4649 4c45 3000 0300 0a5f 1000 0000 0000  FILE0...._......
00008c00: 4649 4c45 3000 0300 cc7e 1000 0000 0000  FILE0....~......
00009000: 4649 4c45 3000 0300 ee7e 1000 0000 0000  FILE0....~......
00009400: 4649 4c45 3000 0300 147f 1000 0000 0000  FILE0...........
00009800: 4649 4c45 3000 0300 5465 1000 0000 0000  FILE0...Te......
00009c00: 4649 4c45 3000 0300 ac66 1000 0000 0000  FILE0....f......
0000a000: 4649 4c45 3000 0300 f067 1000 0000 0000  FILE0....g......
0000a400: 4649 4c45 3000 0300 3c69 1000 0000 0000  FILE0...<i......
0000a800: 4649 4c45 3000 0300 a16b 1000 0000 0000  FILE0....k......
0000ac00: 4649 4c45 3000 0300 fe6c 1000 0000 0000  FILE0....l......
0000b000: 4649 4c45 3000 0300 3a7f 1000 0000 0000  FILE0...:.......
0000b400: 4649 4c45 3000 0300 3470 1000 0000 0000  FILE0...4p......
0000b800: 4649 4c45 3000 0300 ff7c 1000 0000 0000  FILE0....|......
0000bc00: 4649 4c45 3000 0300 d572 1000 0000 0000  FILE0....r......
0000c000: 4649 4c45 3000 0300 657d 1000 0000 0000  FILE0...e}......
0000c400: 4649 4c45 3000 0300 6775 1000 0000 0000  FILE0...gu......
0000c800: 4649 4c45 3000 0300 af76 1000 0000 0000  FILE0....v......
0000cc00: 4649 4c45 3000 0300 8a7d 1000 0000 0000  FILE0....}......
0000d000: 4649 4c45 3000 0300 417a 1000 0000 0000  FILE0...Az......

8 Question 1

Question:

Files are related to two years, which are those? (for example: 1993,1995)

In MFT_Browser, files were located under documents/2023 and documents/2024:

MFT_Browser - files located under documents/2023 and documents/2024

Answer:

> 2023,2024

9 Question 2

Question:

There are some documents, which is the name of the first file written? (for example: randomname.pdf)

It’s a bit unclear whether the question means the first file listed or the first file created based on creation date, but the first option is fastest to try, and the answer was accepted.

Answer:

> Final_Annual_Report.xlsx

10 Question 3

Question:

Which file was deleted? (for example: randomname.pdf)

documents/2024/Marketing_Plan.xlsx was identified as having an “Allocation Status” of 0, which signifies it was deleted.

MFT_Browser - Marketing_Plan.xlsx has an “Allocation Status” of 0

Answer:

> Marketing_Plan.xlsx

11 Question 4

Question:

How many of them have been set in Hidden mode? (for example: 43)

Only documents/credentials.txt was identified as having “File Type Flags” with the “Hidden” flag bit set.

MFT_Browser - credentials.txt has the “Hidden” flag bit set

Answer:

> 1

12 Question 5

Question:

Which is the filename of the important TXT file that was created? (for example: randomname.txt)

Based on the answer to “Question 4”, credentials.txt.

Answer:

> credentials.txt

13 Question 6

Question:

A file was also copied, which is the new filename? (for example: randomname.pdf)

documents/2023/Final_Financial_Statement.xlsx (the old filename) and documents/2024/Financial_Statement_draft.xlsx (the new filename) have related names and identical file sizes.

MFT_Browser - old filename Final_Financial_Statement.xlsx has a file size of 59,392
MFT_Browser - new filename Financial_Statement_draft.xlsx has an identical file size of 59,392

It should be noted that in this instance, the file timestamps are not useful, as they have “File Created” timestamps that are less than 8 milliseconds apart, faster than a human can reproduce by manually copying. Most likely all files were copied in bulk from another directory or machine during creation of the challenge.

MFT_Browser - old and new files have “File Created” timestamps that are less than 8 milliseconds apart

Answer:

> Financial_Statement_draft.xlsx

14 Question 7

Question:

Which file was modified after creation? (for example: randomname.pdf)

documents/2024/Project_Proposal.pdf was identified as having a “File Modified” timestamp later than its “File Created” timestamp.

MFT_Browser - Project_Proposal.pdf has a “File Modified” timestamp later than its “File Created” timestamp

Answer:

> Project_Proposal.pdf

15 Question 8

Question:

What is the name of the file located at record number 45? (for example: randomname.pdf)

documents/2024/Annual_Report.xlsx was identified as having a record number of 45.

MFT_Browser - Annual_Report.xlsx has a record number of 45

Answer:

> Annual_Report.xlsx

16 Question 9

Question:

What is the size of the file located at record number 40? (for example: 1337)

documents/2023/Final_Project_Proposal.xlsx was identified as having a record number of 40 and a file size of 57,344.

MFT_Browser - Final_Project_Proposal.xlsx has a record number of 40 and a file size of 57,344

Answer:

> 57344

17 Final transcript

The final transcript of the challenge solution is below, with the flag returned after the final question is answered.

$ nc -n -v 94.237.52.22 48303
(UNKNOWN) [94.237.52.22] 48303 (?) open

+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------+
|       Title       |                                                                    Description                                                                    |
+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------+
| Pursue The Tracks |                                    Luxx, leader of The Phreaks, immerses himself in the depths of his computer,                                   |
|                   |                      tirelessly pursuing the secrets of a file he obtained accessing an opposing faction member workstation.                      |
|                   | With unwavering determination, he scours through data, putting together fragments of information trying to take some advantage on other factions. |
|                   |                                    To get the flag, you need to answer the questions from the docker instance.                                    |
+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------+

Files are related to two years, which are those? (for example: 1993,1995)
> 2023,2024
[+] Correct!

There are some documents, which is the name of the first file written? (for example: randomname.pdf)
> Final_Annual_Report.xlsx
[+] Correct!

Which file was deleted? (for example: randomname.pdf)
> Marketing_Plan.xlsx
[+] Correct!

How many of them have been set in Hidden mode? (for example: 43)
> 1
[+] Correct!

Which is the filename of the important TXT file that was created? (for example: randomname.txt)
> credentials.txt
[+] Correct!

A file was also copied, which is the new filename? (for example: randomname.pdf)
> Financial_Statement_draft.xlsx
[+] Correct!

Which file was modified after creation? (for example: randomname.pdf)
> Project_Proposal.pdf
[+] Correct!

What is the name of the file located at record number 45? (for example: randomname.pdf)
> Annual_Report.xlsx
[+] Correct!

What is the size of the file located at record number 40? (for example: 1337)
> 57344
[+] Correct!

[+] Here is the flag: HTB{p4rs1ng_mft_1s_v3ry_1mp0rt4nt_s0m3t1m3s}

18 Conclusion

The flag was submitted and the challenge was marked as pwned.

Submission of the flag marked the challenge as pwned