Pursue The Tracks Writeup - Cyber Apocalypse 2024
- 1 Introduction
- 2 Key Techniques
- 3 Artifacts Summary
- 4 Challenge overview
- 5 Basic file identification
- 6 MFT_Browser
- 7 Revisiting file identification
- 8 Question 1
- 9 Question 2
- 10 Question 3
- 11 Question 4
- 12 Question 5
- 13 Question 6
- 14 Question 7
- 15 Question 8
- 16 Question 9
- 17 Final transcript
- 18 Conclusion
→ 1 Introduction
This writeup covers the Pursue The Tracks Forensics challenge from the Hack The Box Cyber Apocalypse 2024 CTF, which was rated as ‘easy’ difficulty. The challenge involved the forensic analysis of an NTFS MFT (Master File Table) file.
The challenge description, as printed by the challenge instance, is reproduced in the final transcript below.
→ 2 Key Techniques
The key techniques employed in this writeup are:
- Using MFT_Browser to analyze an NTFS MFT (Master File Table) file.
→ 3 Artifacts Summary
The downloaded artifact had the following hash:
$ shasum -a256 forensics_persue_the_tracks.zip
57c67a34fda4e56c204119144ee6adcb24c6a68dccf4c5402cbcdcd3e3eb9c49 forensics_persue_the_tracks.zip
The zip file contained a single z.mft file:
$ unzip forensics_persue_the_tracks.zip
Archive: forensics_persue_the_tracks.zip
inflating: z.mft
$ shasum -a256 z.mft
1a67223ce69744ebe57a6a574088e8ac0c16459073e2e7578a7c533e3a76b006 z.mft
→ 4 Challenge overview
The challenge required connecting to the spawned Docker instance and answering a series of questions based on the downloaded z.mft file. For example, to connect using netcat:
$ nc -n -v 94.237.52.22 48303
→ 5 Basic file identification
The file command was unable to identify the file type:
$ file z.mft
z.mft: data
However, based on some internet searching with the query “windows mft file extension” and the context from the challenge description, the file was identified as likely being an MFT (Master File Table) from a Windows machine, storing metadata about every file in an NTFS filesystem. An excerpt from the official documentation:
→ 6 MFT_Browser
From a list of Windows Incident Response FOSS Tools, MFT_Browser was identified as a tool that can analyze MFT files. Starting up the program in a Windows 11 VM, MFT_Browser was able to successfully open z.mft.
→ 7 Revisiting file identification
Taking a look at z.mft with xxd, it appears the MFT file format has a regular structure characterized by the string “FILE0” at every 0x400 (1024-byte) offset. This is good to know for future identification exercises.
$ xxd z.mft |grep FILE0
00000000: 4649 4c45 3000 0300 5151 1000 0000 0000 FILE0...QQ......
00000400: 4649 4c45 3000 0300 9751 1000 0000 0000 FILE0....Q......
00000800: 4649 4c45 3000 0300 dd51 1000 0000 0000 FILE0....Q......
00000c00: 4649 4c45 3000 0300 0c55 1000 0000 0000 FILE0....U......
00001000: 4649 4c45 3000 0300 7152 1000 0000 0000 FILE0...qR......
00001400: 4649 4c45 3000 0300 967e 1000 0000 0000 FILE0....~......
00001800: 4649 4c45 3000 0300 2b52 1000 0000 0000 FILE0...+R......
00001c00: 4649 4c45 3000 0300 0000 0000 0000 0000 FILE0...........
00002000: 4649 4c45 3000 0300 b752 1000 0000 0000 FILE0....R......
00002400: 4649 4c45 3000 0300 3164 1000 0000 0000 FILE0...1d......
00002800: 4649 4c45 3000 0300 4f54 1000 0000 0000 FILE0...OT......
00002c00: 4649 4c45 3000 0300 bb53 1000 0000 0000 FILE0....S......
00003000: 4649 4c45 3000 0300 0000 0000 0000 0000 FILE0...........
00003400: 4649 4c45 3000 0300 0000 0000 0000 0000 FILE0...........
00003800: 4649 4c45 3000 0300 0000 0000 0000 0000 FILE0...........
00003c00: 4649 4c45 3000 0300 0000 0000 0000 0000 FILE0...........
00006000: 4649 4c45 3000 0300 6054 1000 0000 0000 FILE0...`T......
00006400: 4649 4c45 3000 0300 8254 1000 0000 0000 FILE0....T......
00006800: 4649 4c45 3000 0300 7154 1000 0000 0000 FILE0...qT......
00006c00: 4649 4c45 3000 0300 2957 1000 0000 0000 FILE0...)W......
00007000: 4649 4c45 3000 0300 9354 1000 0000 0000 FILE0....T......
00007400: 4649 4c45 3000 0300 ea54 1000 0000 0000 FILE0....T......
00007800: 4649 4c45 3000 0300 825a 1000 0000 0000 FILE0....Z......
00007c00: 4649 4c45 3000 0300 0a58 1000 0000 0000 FILE0....X......
00008000: 4649 4c45 3000 0300 4e59 1000 0000 0000 FILE0...NY......
00008400: 4649 4c45 3000 0300 db5a 1000 0000 0000 FILE0....Z......
00008800: 4649 4c45 3000 0300 0a5f 1000 0000 0000 FILE0...._......
00008c00: 4649 4c45 3000 0300 cc7e 1000 0000 0000 FILE0....~......
00009000: 4649 4c45 3000 0300 ee7e 1000 0000 0000 FILE0....~......
00009400: 4649 4c45 3000 0300 147f 1000 0000 0000 FILE0...........
00009800: 4649 4c45 3000 0300 5465 1000 0000 0000 FILE0...Te......
00009c00: 4649 4c45 3000 0300 ac66 1000 0000 0000 FILE0....f......
0000a000: 4649 4c45 3000 0300 f067 1000 0000 0000 FILE0....g......
0000a400: 4649 4c45 3000 0300 3c69 1000 0000 0000 FILE0...<i......
0000a800: 4649 4c45 3000 0300 a16b 1000 0000 0000 FILE0....k......
0000ac00: 4649 4c45 3000 0300 fe6c 1000 0000 0000 FILE0....l......
0000b000: 4649 4c45 3000 0300 3a7f 1000 0000 0000 FILE0...:.......
0000b400: 4649 4c45 3000 0300 3470 1000 0000 0000 FILE0...4p......
0000b800: 4649 4c45 3000 0300 ff7c 1000 0000 0000 FILE0....|......
0000bc00: 4649 4c45 3000 0300 d572 1000 0000 0000 FILE0....r......
0000c000: 4649 4c45 3000 0300 657d 1000 0000 0000 FILE0...e}......
0000c400: 4649 4c45 3000 0300 6775 1000 0000 0000 FILE0...gu......
0000c800: 4649 4c45 3000 0300 af76 1000 0000 0000 FILE0....v......
0000cc00: 4649 4c45 3000 0300 8a7d 1000 0000 0000 FILE0....}......
0000d000: 4649 4c45 3000 0300 417a 1000 0000 0000 FILE0...Az......
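As an added example (not part of the original writeup and not MFT_Browser's code), the following Python walks a raw MFT dump at the 0x400 stride seen above and reads, from each record header and its resident $STANDARD_INFORMATION and $FILE_NAME attributes, the fields the questions below depend on: record number, allocation status, hidden flag, name, size and timestamps. It assumes 1024-byte records, does not apply fixups, and uses build_record to construct a sample entry instead of reading z.mft.

```python
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE = 0x400                        # one MFT entry per 1024 bytes (the 0x400 stride seen in xxd)
STD_INFO, FILE_NAME, END = 0x10, 0x30, 0xFFFFFFFF
FLAG_IN_USE, DOS_HIDDEN = 0x01, 0x02       # header flag (0 = deleted) / $STANDARD_INFORMATION DOS attribute

def filetime(ticks):                       # Windows FILETIME (100 ns units since 1601-01-01 UTC) -> datetime
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)

def parse_record(rec):
    # Fields MFT_Browser shows for one entry. Fixups (update sequence array) are not applied here;
    # acceptable for the small resident attributes read below, but full tooling must apply them.
    if rec[:4] != b"FILE":                 # xxd's "FILE0" = magic "FILE" + 0x30, the update-sequence
        return None                         # array offset; it is not a 5-byte magic
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    out = {"record": struct.unpack_from("<I", rec, 0x2C)[0], "allocated": bool(flags & FLAG_IN_USE)}
    off = first_attr
    while (atype := struct.unpack_from("<I", rec, off)[0]) != END:
        alen, nonres = struct.unpack_from("<IB", rec, off + 4)
        clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
        body = rec[off + coff:off + coff + clen]
        if atype == STD_INFO and not nonres:
            created, modified = struct.unpack_from("<QQ", body)
            out.update(created=filetime(created), modified=filetime(modified),
                       hidden=bool(struct.unpack_from("<I", body, 0x20)[0] & DOS_HIDDEN))
        elif atype == FILE_NAME and not nonres:
            out["size"] = struct.unpack_from("<Q", body, 0x30)[0]       # real (data) size
            out["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        if not alen: break                  # malformed length: stop instead of looping forever
        off += alen
    return out

def scan_mft(data):                         # walk a raw $MFT dump record by record, skipping non-FILE slots
    return [r for i in range(0, len(data), RECORD_SIZE) if (r := parse_record(data[i:i + RECORD_SIZE]))]

def resident_attr(atype, body):             # 24-byte resident attribute header + body, 8-byte aligned
    total = (0x18 + len(body) + 7) & ~7
    return struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, 0, len(body), 0x18, 0, 0) \
        + body + bytes(total - 0x18 - len(body))

def build_record(recno, name, size, created, modified, in_use=True, hidden=False):
    """Constructed sample entry (not taken from z.mft) used to exercise the parser above."""
    si = struct.pack("<QQQQI", created, modified, created, created, DOS_HIDDEN if hidden else 0) + bytes(0x24)
    fn = struct.pack("<QQQQQQQIIBB", 5, created, modified, created, created, size, size, 0, 0,
                     len(name), 1) + name.encode("utf-16-le")
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, int(in_use),
                      0, RECORD_SIZE, 0, 0, 0, recno) + bytes(8)             # 8 bytes: USA placeholder
    rec = hdr + resident_attr(STD_INFO, si) + resident_attr(FILE_NAME, fn) + struct.pack("<I", END)
    return rec + bytes(RECORD_SIZE - len(rec))
```

Against a real z.mft, scan_mft(open("z.mft", "rb").read()) lists every entry; filtering on allocated, hidden, record or modified > created reproduces the checks made in MFT_Browser below.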
→ 8 Question 1
Question:
Files are related to two years, which are those? (for example: 1993,1995)
In MFT_Browser, files were located under documents/2023 and documents/2024:
Answer:
> 2023,2024
→ 9 Question 2
Question:
There are some documents, which is the name of the first file written? (for example: randomname.pdf)
It is unclear whether the question refers to the first file listed or the first file created by creation timestamp; the first interpretation was the fastest to try, and the answer was accepted.
Answer:
> Final_Annual_Report.xlsx
→ 10 Question 3
Question:
Which file was deleted? (for example: randomname.pdf)
documents/2024/Marketing_Plan.xlsx was identified as having an “Allocation Status” of 0, which signifies it was deleted.
Answer:
> Marketing_Plan.xlsx
→ 11 Question 4
Question:
How many of them have been set in Hidden mode? (for example: 43)
Only documents/credentials.txt was identified as having “File Type Flags” with the “Hidden” flag bit set.
Answer:
> 1
→ 12 Question 5
Question:
Which is the filename of the important TXT file that was created? (for example: randomname.txt)
Based on the answer to “Question 4”, credentials.txt.
Answer:
> credentials.txt
→ 13 Question 6
Question:
A file was also copied, which is the new filename? (for example: randomname.pdf)
documents/2023/Final_Financial_Statement.xlsx (the old filename) and documents/2024/Financial_Statement_draft.xlsx (the new filename) have related names and identical file sizes.
It should be noted that in this instance the file timestamps are not useful, as the two “File Created” timestamps are less than 8 milliseconds apart, faster than a human could reproduce by copying manually. Most likely all files were copied in bulk from another directory or machine during creation of the challenge.
Answer:
> Financial_Statement_draft.xlsx
→ 14 Question 7
Question:
Which file was modified after creation? (for example: randomname.pdf)
documents/2024/Project_Proposal.pdf was identified as having a “File Modified” timestamp later than its “File Created” timestamp.
Answer:
> Project_Proposal.pdf
→ 15 Question 8
Question:
What is the name of the file located at record number 45? (for example: randomname.pdf)
documents/2024/Annual_Report.xlsx was identified as having a record number of 45.
Answer:
> Annual_Report.xlsx
→ 16 Question 9
Question:
What is the size of the file located at record number 40? (for example: 1337)
documents/2023/Final_Project_Proposal.xlsx was identified as having a record number of 40 and a file size of 57,344.
Answer:
> 57344
→ 17 Final transcript
The final transcript of the challenge solution is below, with the flag returned after the final question is answered.
$ nc -n -v 94.237.52.22 48303
(UNKNOWN) [94.237.52.22] 48303 (?) open
+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------+
| Title | Description |
+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------+
| Pursue The Tracks | Luxx, leader of The Phreaks, immerses himself in the depths of his computer, |
| | tirelessly pursuing the secrets of a file he obtained accessing an opposing faction member workstation. |
| | With unwavering determination, he scours through data, putting together fragments of information trying to take some advantage on other factions. |
| | To get the flag, you need to answer the questions from the docker instance. |
+-------------------+---------------------------------------------------------------------------------------------------------------------------------------------------+
Files are related to two years, which are those? (for example: 1993,1995)
> 2023,2024
[+] Correct!
There are some documents, which is the name of the first file written? (for example: randomname.pdf)
> Final_Annual_Report.xlsx
[+] Correct!
Which file was deleted? (for example: randomname.pdf)
> Marketing_Plan.xlsx
[+] Correct!
How many of them have been set in Hidden mode? (for example: 43)
> 1
[+] Correct!
Which is the filename of the important TXT file that was created? (for example: randomname.txt)
> credentials.txt
[+] Correct!
A file was also copied, which is the new filename? (for example: randomname.pdf)
> Financial_Statement_draft.xlsx
[+] Correct!
Which file was modified after creation? (for example: randomname.pdf)
> Project_Proposal.pdf
[+] Correct!
What is the name of the file located at record number 45? (for example: randomname.pdf)
> Annual_Report.xlsx
[+] Correct!
What is the size of the file located at record number 40? (for example: 1337)
> 57344
[+] Correct!
[+] Here is the flag: HTB{p4rs1ng_mft_1s_v3ry_1mp0rt4nt_s0m3t1m3s}
→ 18 Conclusion
The flag was submitted and the challenge was marked as pwned.