Forensics/4g3n7 5m17h r3l04d3d

I decided to participate in online CTFs for practice; this post discusses my answer to r i n g z e r 0 t e a m’s Forensics challenge: A g e n t S m i t h r e l o a d e d. If you haven’t solved the problem yet, keep messing around with the file; you might find some new tools and/or techniques that help you solve it. Do note that there are a lot of possible (and more elegant) ways to solve this problem, so only read this noob writeup if you’re really stuck…or desperate.
Made the title and some parts of my writeup(s) obscure to minimize cheating. (I don’t think it will work though)

The Problem:

Can you find the matrix password again?

Given:

9987d22788e810116a45109f2ea88648.zip

The Answer:

First, we need to unzip the zip file, which gives us the file:

BK

To identify the file system inside this image, run fsstat on it from your terminal:

$ fsstat BK 

fsstat is part of The Sleuth Kit, so install that package if the command is not found:

$ sudo apt-get install sleuthkit

It will give you the following output (the FILE SYSTEM INFORMATION block at the top reports File System Type: Ext3; I’ll only show the Metadata Info):

...
METADATA INFORMATION
--------------------------------------------
Inode Range: 1 - 1281
Root Directory: 2
Free Inodes: 1265
...
Root Directory: 2
Noted.
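Before reaching for ext3grep it helps to know what fsstat actually looked at to say "ext3": the primary superblock 1 KiB into the image, its 0xEF53 magic and its feature flags. The following is an added example, not part of the original writeup and not how fsstat or The Sleuth Kit is implemented, that parses those fields from a constructed image. The offsets are the documented ext superblock layout; the feature-flag heuristic used to split ext2/ext3/ext4 is an assumption of this example, and a real image such as BK would be passed in as bytes instead of the constructed fixture.

```python
# Added example (not from the original writeup): identify an ext2/ext3/ext4 image
# from its superblock, the same structure fsstat reads, before choosing a recovery tool.
import struct

SUPERBLOCK_OFFSET = 1024          # the primary superblock starts 1 KiB into the image
EXT_MAGIC = 0xEF53
COMPAT_HAS_JOURNAL = 0x0004       # ext3/ext4: a journal is present
INCOMPAT_EXT4_ONLY = 0x0040 | 0x0080 | 0x0200              # EXTENTS, 64BIT, FLEX_BG
RO_COMPAT_EXT4_ONLY = 0x0008 | 0x0010 | 0x0020 | 0x0040    # HUGE_FILE, GDT_CSUM, DIR_NLINK, EXTRA_ISIZE
EXT_ROOT_INO = 2                  # the root directory is always inode 2 on ext2/3/4


def identify_ext(image: bytes) -> dict:
    """Parse the primary superblock and classify the file system.

    Raises ValueError when the magic is missing, so the caller never runs
    ext3grep against something that is not an ext file system at all.
    """
    sb = image[SUPERBLOCK_OFFSET:SUPERBLOCK_OFFSET + 1024]
    if len(sb) < 1024:
        raise ValueError("image too small to hold an ext superblock")
    (magic,) = struct.unpack_from("<H", sb, 0x38)
    if magic != EXT_MAGIC:
        raise ValueError(f"not an ext2/3/4 superblock (magic 0x{magic:04X})")

    inodes_count, blocks_count = struct.unpack_from("<II", sb, 0x00)
    (log_block_size,) = struct.unpack_from("<I", sb, 0x18)
    (inode_size,) = struct.unpack_from("<H", sb, 0x58)
    compat, incompat, ro_compat = struct.unpack_from("<III", sb, 0x5C)

    # Classification heuristic (assumption of this example): any ext4-only
    # feature wins, then the journal flag distinguishes ext3 from ext2.
    if incompat & INCOMPAT_EXT4_ONLY or ro_compat & RO_COMPAT_EXT4_ONLY:
        fs_type = "ext4"
    elif compat & COMPAT_HAS_JOURNAL:
        fs_type = "ext3"
    else:
        fs_type = "ext2"

    return {
        "type": fs_type,
        "block_size": 1024 << log_block_size,
        "inodes_count": inodes_count,
        "blocks_count": blocks_count,
        "inode_size": inode_size,
        "root_inode": EXT_ROOT_INO,
    }


def make_sample_image(has_journal: bool = True, ext4: bool = False) -> bytes:
    """Constructed (not real) image: 1 KiB boot area + a minimal superblock + padding."""
    sb = bytearray(1024)
    struct.pack_into("<II", sb, 0x00, 1280, 5120)    # inode and block counts (constructed values)
    struct.pack_into("<I", sb, 0x18, 0)              # log_block_size 0 -> 1024-byte blocks
    struct.pack_into("<H", sb, 0x38, EXT_MAGIC)
    struct.pack_into("<H", sb, 0x58, 128)            # on-disk inode size
    struct.pack_into("<III", sb, 0x5C,
                     COMPAT_HAS_JOURNAL if has_journal else 0,
                     0x0040 if ext4 else 0,          # INCOMPAT_EXTENTS marks ext4
                     0)
    return bytes(1024) + bytes(sb) + bytes(1024)


if __name__ == "__main__":
    info = identify_ext(make_sample_image())
    print(f"File System Type: {info['type']}, root inode {info['root_inode']}, "
          f"{info['inodes_count']} inodes, {info['block_size']}-byte blocks")
```

On the real image the call is `identify_ext(open("BK", "rb").read())`. Getting "ext4" back is the signal that ext3grep is the wrong tool for the job, and a missing magic means the file is not a raw ext image at all (a partition table or container in front of it, for example), which is also worth knowing before you start carving.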

Since fsstat identified the image as ext3, we can use ext3grep to inspect the root directory (inode 2):

$ ext3grep --inode 2 BK

And it gives us the following output (the listing shows secret.sve and secret.odg as Deleted):

Based on the output, we can see that secret.sve and secret.odg are deleted regular files, so let’s recover them:

$ ext3grep --restore-file secret.sve BK
...
$ ext3grep --restore-file secret.odg BK
...

Alternatively, restore everything ext3grep can find in one go:

$ ext3grep --restore-all BK

Which will give us the following files:

$ ls /path/to/RESTORED_FILES
lost+found secret.odg secret.sve TODO.me
secret.sve seems kinda fishy…
$ file secret.sve
secret.sve: Zip archive data, at least v2.0 to extract
$ unzip secret.sve
Archive: secret.sve
[secret.sve] secret.txt password:
PASSWORD PROTECTED FUUUUUUUUUUUUUUUUUUU

Let’s find some clues then:

$ cat TODO.me
-cryt my password file with Secret Vault Encrypt
-bring back milk
-buy flower for my love !
-restric my my little brother permission to delete file
Nothing in this file works as a password! Eff it, I’m cracking this sht

Once you crack it, the password should be:

*****
password redacted
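The cracking step is left to the reader above. As an added example, not part of the original writeup and not the tool the author used, here is what a wordlist attack against a ZipCrypto-protected entry looks like in Python, including the check a practitioner wants: a wrong password passes the archive’s one-byte header check about 1 time in 256, so a candidate only counts as a hit once the whole member decrypts with a matching CRC-32. Because Python’s zipfile cannot write encrypted archives, the block also builds its own encrypted fixture by hand; the member name secret.txt matches the writeup, but the password s3cr3t!, the wordlist and the flag text are constructed stand-ins, not the real ones.

```python
# Added example (not from the original writeup): dictionary attack against a
# ZipCrypto-protected zip entry, with the false-positive check handled.
import io
import struct
import zipfile
import zlib


def _crc_table():
    table = []
    for b in range(256):
        c = b
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


CRC_TABLE = _crc_table()


class ZipCryptoEncrypter:
    """Traditional PKWARE ("ZipCrypto") stream cipher, encrypt direction."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for c in password:
            self._update(c)

    def _update(self, c: int) -> None:
        self.k0 = CRC_TABLE[(self.k0 ^ c) & 0xFF] ^ (self.k0 >> 8)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = CRC_TABLE[(self.k2 ^ (self.k1 >> 24)) & 0xFF] ^ (self.k2 >> 8)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            t = (self.k2 | 2) & 0xFFFF
            out.append(c ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(c)        # the key schedule advances on the plaintext byte
        return bytes(out)


def build_encrypted_zip(name: bytes, plaintext: bytes, password: bytes) -> bytes:
    """Write one STORED, ZipCrypto-encrypted entry by hand (zipfile cannot
    create encrypted archives). Constructed fixture for the demo below."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    # 12-byte encryption header: byte 12 carries the CRC's top byte, which is the
    # only password check a reader gets before decrypting the whole entry.
    header = bytes(range(11)) + bytes([(crc >> 24) & 0xFF])
    body = ZipCryptoEncrypter(password).encrypt(header + plaintext)
    flags, method, dostime, dosdate = 0x0001, 0, 0, (1 << 5) | 1   # encrypted, stored, 1980-01-01
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, dostime, dosdate,
                        crc, len(body), len(plaintext), len(name), 0) + name
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, dostime,
                          dosdate, crc, len(body), len(plaintext), len(name),
                          0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(body), 0)
    return local + body + central + eocd


def crack_zip_password(zip_bytes: bytes, member: str, candidates):
    """Try each candidate; return (password, plaintext) or (None, None).

    A wrong password almost always fails the one-byte header check (RuntimeError),
    but 1 in 256 wrong passwords pass it. Reading the whole member forces the
    CRC-32 check (BadZipFile), so a hit here is a real hit, not a collision.
    """
    zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    for candidate in candidates:
        try:
            data = zf.read(member, pwd=candidate.encode())
        except (RuntimeError, zipfile.BadZipFile, zlib.error):
            continue
        return candidate, data
    return None, None


# Constructed fixture standing in for the recovered secret.sve; the real
# password and flag are not known to this example.
SECRET_TEXT = b"FLAG-constructed-example\n"
SAMPLE_ZIP = build_encrypted_zip(b"secret.txt", SECRET_TEXT, b"s3cr3t!")
WORDLIST = ["password", "matrix", "milk", "flower", "s3cr3t!", "neo"]

if __name__ == "__main__":
    pwd, data = crack_zip_password(SAMPLE_ZIP, "secret.txt", WORDLIST)
    print("password:", pwd, "->", data)
```

On the real archive the call is `crack_zip_password(open("secret.sve", "rb").read(), "secret.txt", wordlist)` with a wordlist of your choosing; a pure-Python loop is fine for a short list, while a long one is a job for a dedicated cracker. The same two-stage check applies there too: a tool that reports a hit on the header byte alone will hand you garbage one time in 256.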

So when you display the contents of secret.txt, you’ll see this:

FLAG-******
Flag redacted to avoid cheating.

Submit that to enjoy 4 points for all that effort! :)