Employee of the Year

Scenario

John received the ‘Best Employee of the Year’ award for his hard work at FakeCompany Ltd. Unfortunately, today John deleted some important files (typical John!). It’s your job to recover the deleted files and capture all the flags within!

The file given is recoverfiles.dd. The first thing I needed to do was understand what’s inside this disk image and its file system.

I used the mmls command to look at the structure of the disk image. Here’s what I found:

  • The disk image uses a DOS partition table and has one partition.
  • This partition starts at sector 2048 and is where the Linux file system is located.

└─$ mmls recoverfiles.dd 
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000020479   0000018432   Linux (0x83)

The fsstat command, given the partition offset of 2048 sectors, provides additional file system information such as the file system type (Ext4), the volume name, the volume ID, and other details.

└─$ fsstat -o 2048 recoverfiles.dd 

FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: Ext4
Volume Name: 
Volume ID: 619b3a18aabdc1a6a44a07e931710220

....
....
....

fls lists the files and directories; the entries marked with * are deleted, and from them we learn the original file names, which are clues for the rest of the investigation.

└─$ fls -o 2048 recoverfiles.dd
d/d 11: lost+found
r/r * 12:       Vanilla.gif
r/r * 13:       SBTCertifications.mp4
r/r * 14:       Flag3.pdf
r/r * 15:       Flag2.docx
r/r * 16:       Flag1.png
V/V 2305:       $OrphanFiles

It’s time to recover the files with photorec. This interactive tool lets you select the file system, the partition, and the specific file types you want to recover:

└─$ photorec recoverfiles.dd

PhotoRec 7.1, Data Recovery Utility, July 2019
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org


It then carves the files and writes them to the output directory you chose. And just like that, the files are recovered.


The first flag was easy to find, just by looking at the gif image I got back:


The next flag is also hiding in plain sight in the recovered png:


For the third flag, I had to dig into the pdf file. It seemed like the flag was hidden inside it.

Running exiftool on the recovered pdf (f0009040.pdf) revealed the hidden info in the Author field:

ExifTool Version Number         : 12.67
File Name                       : f0009040.pdf
Directory                       : .
File Size                       : 13 kB
File Modification Date/Time     : 2024:01:05 19:14:09-05:00
File Access Date/Time           : 2024:01:07 17:38:13-05:00
File Inode Change Date/Time     : 2024:01:05 19:14:09-05:00
File Permissions                : -rw-r--r--
File Type                       : PDF
File Type Extension             : pdf
MIME Type                       : application/pdf
PDF Version                     : 1.5
Linearized                      : No
Author                          : FLAG3%3A%40BLU3T3AM%240LDI3R
Producer                        : Skia/PDF m90
Page Count                      : 1

Using strings works too:

└─$ strings f0009040.pdf | grep 'FLAG'  
/Author (FLAG3%3A%40BLU3T3AM%240LDI3R)

The string is URL-encoded (percent-encoded). You can decode it with CyberChef or go fancy:

└─$ python3 -c "import urllib.parse; print(urllib.parse.unquote('FLAG3%3A%40BLU3T3AM%240LDI3R'))"
FLAG3:@BLU3T3AM$0LDI3R

Next is FLAG2, which sits in the recovered f0009072.docx (Flag2.docx according to the original file names from fls).

There are a few ways to retrieve a hidden string from that document. The easiest is to extract the text content of the DOCX:

  1. Use the docx2txt tool. It writes the extracted text to a .txt file next to the document:

└─$ docx2txt f0009072.docx && cat f0009072.txt 

RkxBRzI6QVNPTElEREVGRU5ERVI=

  2. Since docx files are zipped collections of XML files, the unzip command will help:
└─$ unzip f0009072.docx 
Archive:  f0009072.docx
  inflating: word/numbering.xml      
  inflating: word/settings.xml       
  inflating: word/fontTable.xml      
  inflating: word/styles.xml         
  inflating: word/document.xml       
  inflating: word/_rels/document.xml.rels  
  inflating: _rels/.rels             
  inflating: word/theme/theme1.xml   
  inflating: [Content_Types].xml 

Then you can manually search the XML documents and find the flag in document.xml, which is boring. Or use strings piped to grep with a regex that picks out text sitting between tags:

└─$ strings f0009072.docx word/*.xml | grep -E '>[^<>]+<'


This flag is base64-encoded:

└─$ echo -n 'RkxBRzI6QVNPTElEREVGRU5ERVI=' | base64 -d

FLAG2:ASOLIDDEFENDER
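The unzip-and-grep steps above can be done programmatically. As an added example that is not part of the original writeup, this Python script opens a DOCX as a zip, collects the text runs from word/document.xml, and reports only those runs that decode as base64 to printable ASCII, so ordinary words that happen to look like base64 are skipped. The sample DOCX is constructed in memory, and the function names are my own.

```python
import base64
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# WordprocessingML namespace used by word/document.xml
W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
# Loose shape of a base64 token: alphabet chars plus optional '=' padding, 8+ chars
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def docx_text_runs(docx_bytes):
    """Open the DOCX as a zip and return every <w:t> text node in document.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    return [t.text for t in root.iter(W + "t") if t.text]


def decode_base64_candidates(runs):
    """Return the runs that look like base64 and decode to printable ASCII."""
    found = []
    for run in runs:
        token = run.strip()
        # Cheap filters first: alphabet/padding shape and 4-character grouping
        if not B64_RE.match(token) or len(token) % 4:
            continue
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # plain words that pass the regex but are not real base64
        if decoded.isprintable():
            found.append(decoded)
    return found


def build_sample_docx(paragraphs):
    """Constructed minimal DOCX (only the part this script reads) for offline use."""
    body = "".join(f"<w:p><w:r><w:t>{p}</w:t></w:r></w:p>" for p in paragraphs)
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W[1:-1]}"><w:body>{body}</w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("word/document.xml", document)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a harmless word plus the encoded flag from the writeup
    sample = build_sample_docx(["Congratulations", "RkxBRzI6QVNPTElEREVGRU5ERVI="])
    print(decode_base64_candidates(docx_text_runs(sample)))  # ['FLAG2:ASOLIDDEFENDER']
```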