Forensics/4g3n7 5m17h r3l04d3d

Jun 29, 2016 · 2 min read

I decided to participate in Online CTFs for practice; this post discusses my answer to r i n g z e r 0 t e a m’s Forensics Challenge: A g e n t S m i t h r e l o a d e d. If you haven’t solved the problem yet, continue messing around with the file; you might find some new tools and/or techniques which may help you in solving this problem. Do note that there are a lot of possible (and more elegant) ways to solve this problem, so only read this noob writeup if you’re really stuck…or desperate.

Made the title and some parts of my writeup(s) obscure to minimize cheating. (I don’t think it will work though)

The Problem:

Can you find the matrix password again?


The Answer:


To check the properties of this file, simply launch this command on your terminal:

$ fsstat BK 

fsstat is included in the sleuthkit package, so install that if it prompts you to do so:

$ sudo apt-get install fsstat

It will give you the following output (I’ll only show the Metadata Info):

— — — — — — — — — — — — — — — — — — — — — —
Inode Range: 1–1281
Root Directory: 2
Free Inodes: 1265

Root Directory: 2


Since we identified the file to be ext3, we can launch the following command:

$ ext3grep --inode 2 BK

And it gives us the following output:

Image for post
Image for post
secret.sve and secret.odg are Deleted

Based from the output, we can see that secret.sve and secret.odg are Deleted Regular Files, so let’s recover them:

$ ext3grep --restore-file secret.sve BK
$ ext3grep --restore-file secret.odg BK

We can also do this, though:

$ ext3grep --restore-all BK

Which will give us the following files:

$ ls /path/to/RESTORED_FILES
lost+found secret.odg secret.sve

secret.sve seems kinda fishy…

$ file secret.sve
secret.sve: Zip archive data, at least v2.0 to extract
$ unzip secret.sve
Archive: secret.sve
[secret.sve] secret.txt password:


Let’s find some clues then:

$ cat
-cryt my password file with Secret Vault Encrypt
-bring back milk
-buy flower for my love !
-restric my my little brother permission to delete file

Nothing on this file works as a password! Eff it, I’m craking this sht

Once you crack it, the password should be:


password redacted

So when you display the contents of secret.txt, you’ll see this:


Flag redacted to avoid cheating.

Submit that to enjoy 4 points for all that effort! :)

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch

Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore

Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store