FCSC 2021 - Intro - Rituel du Boutisme

May 03, 2021   
forensic writeup 


Challenge

Your ritual continues with endianness! Look for the flag in the attached file using the available resources.

disque.img (480MB) : https://files.france-cybersecurity-challenge.fr/dl/rituel_du_boutisme/disque.img.7z

SHA256(disque.img) = 154a485279c2b7d2740d53a88b333f3ab9258ac3c3695a7d0d7b75d582803c93.


Solving the challenge

Here we have a disk image, ready for forensic analysis. We could of course do a deep analysis of the disk, but it is useful to start with the strings command, which can provide a lot of information.

Here, a simple strings -a disque.img | grep FCSC does not find the flag, because the encoding it searches for is the wrong one. The strings command supports several encodings:

$ strings -h
Usage: strings [option(s)] [file(s)]
 Display printable strings in [file(s)] (stdin by default)
 The options are:
  -a - --all                Scan the entire file, not just the data section [default]
  -d --data                 Only scan the data sections in the file
  -f --print-file-name      Print the name of the file before each string
  -n --bytes=[number]       Locate & print any NUL-terminated sequence of at
  -<number>                   least [number] characters (default 4).
  -t --radix={o,d,x}        Print the location of the string in base 8, 10 or 16
  -w --include-all-whitespace Include all whitespace as valid string characters
  -o                        An alias for --radix=o
  -T --target=<BFDNAME>     Specify the binary file format
  -e --encoding={s,S,b,l,B,L} Select character size and endianness:
                            s = 7-bit, S = 8-bit, {b,l} = 16-bit, {B,L} = 32-bit
  -s --output-separator=<string> String used to separate strings in output.
  @<file>                   Read options from <file>
  -h --help                 Display this information
  -v -V --version           Print the program's version number
strings: supported targets: elf64-x86-64 elf32-i386 elf32-iamcu elf32-x86-64 pei-i386 pei-x86-64 elf64-l1om elf64-k1om elf64-little elf64-big elf32-little elf32-big pe-x86-64 pe-bigobj-x86-64 pe-i386 srec symbolsrec verilog tekhex binary ihex plugin
Report bugs to <http://www.sourceware.org/bugzilla/>

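As the help text shows, the -e option accepts six encodings: s (7-bit), S (8-bit), b and l (16-bit, big- and little-endian), and B and L (32-bit, big- and little-endian).

As we do not know which one was used, we try them all with a for loop: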

$ for e in s S b l B L; do strings -e "$e" disque.img | grep FCSC; done
FCSC{6a8024a83d9ec2d1a9c36c51d0408f15836a043ae0431626987ce2b8960a5937}
FCSC{6a8024a83d9ec2d1a9c36c51d0408f15836a043ae0431626987ce2b8960a5937}

And we get the flag:

FCSC{6a8024a83d9ec2d1a9c36c51d0408f15836a043ae0431626987ce2b8960a5937}
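
The loop above reads the same bytes under each character width and byte order. The following is an added example, not part of the original writeup, that does the same search in Python and also reports the byte offset of each hit, which helps when locating the string in the image afterwards. The helper names find_flags and build_sample and the flag value are constructed for illustration.

```python
# Added example: runs on constructed data, not on the challenge image.
# Maps each `strings -e` letter from the help text to a Python codec.
CODECS = {
    "s": "ascii",       # single-byte text (S differs only for bytes >= 0x80)
    "l": "utf-16-le",
    "b": "utf-16-be",
    "L": "utf-32-le",
    "B": "utf-32-be",
}


def find_flags(data: bytes, prefix: str = "FCSC{", max_chars: int = 128):
    """Return sorted (offset, strings_option, flag) tuples found in data."""
    hits = []
    for option, codec in CODECS.items():
        needle = prefix.encode(codec)
        width = len(needle) // len(prefix)      # bytes per character: 1, 2 or 4
        pos = data.find(needle)
        while pos != -1:
            # Decode a bounded window starting at the match, in the same codec.
            window = data[pos:pos + max_chars * width]
            text = window.decode(codec, errors="replace")
            end = text.find("}")
            candidate = text[:end + 1]
            # Keep it only if a closing brace exists and every char is printable ASCII.
            if end != -1 and candidate.isascii() and candidate.isprintable():
                hits.append((pos, option, candidate))
            pos = data.find(needle, pos + 1)
    return sorted(hits)


def build_sample(lead: bytes) -> bytes:
    """Constructed blob: filler, `lead`, then a made-up flag stored as UTF-16LE."""
    flag = "FCSC{constructed_example_flag}"
    return b"\xde\xad\xbe\xef" * 4 + lead + flag.encode("utf-16-le") + b"\xff" * 8


if __name__ == "__main__":
    for offset, option, flag in find_flags(build_sample(b"\x01")):
        print(f"0x{offset:x}  -e {option}  {flag}")
```

In this example, when a NUL byte sits immediately before the little-endian text, the big-endian pattern also matches one byte earlier, so the same string is reported under both 16-bit options.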