HITB CTF Teaser - Carved Penguin

The Penguin is a fragile animal, whose delicious meat requires surgical precision. Even one false move could completely corrupt its delicate structure. We will give you the raw materials, now show us your skills.

[fagrant@ctf fagrant]$ file fc61aa9193662704c7a6cc2f838bd352.dd 
fc61aa9193662704c7a6cc2f838bd352.dd: SGI XFS filesystem data (blksz 4096, inosz 256, v2 dirs)

So, it's an XFS filesystem. Let's mount it:

$ sudo losetup /dev/loop0 /fagrant/fc61aa9193662704c7a6cc2f838bd352.dd 
$ sudo mkdir /mnt/hitb
$ sudo mount /dev/loop0 /mnt/hitb/
[root@ctf hitb]# cd /mnt/hitb
[root@ctf hitb]# ls -alh
total 8.0K
drwxr-xr-x 2 root root 4.0K Mar  1 20:30 .
drwxr-xr-x 4 root root 4.0K Mar  1 20:30 ..

No files. :( We probably need to recover some deleted files, either by using the filesystem (table) or by carving the raw .dd image.

Googling about using the filesystem gave the following:

There is no undelete in XFS, in fact once you delete something, the chances are the space it used to occupy is the first thing reused. Undelete is really something you have to design in from the start. Getting anything back after an accidental rm -rf is near to impossible.

No wonder the challenge is called "CARVED penguin"...

Let's check it out with foremost:

$ foremost -av /fagrant/fc61aa9193662704c7a6cc2f838bd352.dd | tee -a /fagrant/output_foremost.txt
....
1111 FILES EXTRACTED

jpg:= 1
bmp:= 562
exe:= 524
png:= 1
mpg:= 23
------------------------------------------------------------------

$ 

Let's start with the JPG and the PNG...

And we have the flag in the PNG.

Carving is the best

flag: HITB{d22308141a7a35ced13e8a489328a7f0}

Another way to solve it is to install UFS Explorer and spot the file findme.ext in the file listing.

UFS Explorer

Opening the hexadecimal view, we find that it's actually a PNG file:

It's a PNG

You can then just carve for PNG files and speed up the process. :)

*****
Written by Adriaan Dens on 03 April 2016