SD Card

Overview

Overall difficulty for me (From 1-10 stars): ★★★☆☆☆☆☆☆☆
Challenge difficulty: ★☆☆☆☆

Background

I have accidentally format my SD card. Please help me to recover the photo inside 🙏.

Attachment: sdcard_f88edd62fb9d6f66b9bcab4497ca23b9.zip

Solution: https://hackmd.io/@blackb6a/hkcert-ctf-2022-i-en-3f8a9ef6

Find the flag

In this challenge, we can download an attachment:

┌──(root🌸siunam)-[~/ctf/HKCERT-CTF-2022/Forensics/SD-Card]
└─# unzip sdcard_f88edd62fb9d6f66b9bcab4497ca23b9.zip 
Archive:  sdcard_f88edd62fb9d6f66b9bcab4497ca23b9.zip
  inflating: sdcard.dd

┌──(root🌸siunam)-[~/ctf/HKCERT-CTF-2022/Forensics/SD-Card]
└─# file sdcard.dd 
sdcard.dd: DOS/MBR boot sector, code offset 0x3c+2, OEM-ID "MSDOS5.0", sectors/cluster 8, reserved sectors 8, root entries 512, sectors 31680 (volumes <=32 MB), Media descriptor 0xf8, sectors/FAT 12, sectors/track 63, heads 255, serial number 0x385844de, unlabeled, FAT (12 bit)

In here, we can just follow the solution! (It surprises me lol)

Let’s transfer this file to my Windows machine!

┌──(root🌸siunam)-[~/ctf/HKCERT-CTF-2022/Forensics/SD-Card]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

PS C:\Users\siunam\Desktop> Invoke-WebRequest -Uri http://192.168.183.141/sdcard.dd -OutFile .\sdcard.dd

Open it in Autopsy:

We indeed saw a _lag.png file!

Let’s extract it!

I’ll use updog to transfer the picture to my Linux machine:

┌──(root🌸siunam)-[~/ctf/HKCERT-CTF-2022/Forensics/SD-Card]
└─# updog
[+] Serving /root/ctf/HKCERT-CTF-2022/Forensics/SD-Card...
 * Running on all addresses (0.0.0.0)
   WARNING: This is a development server. Do not use it in a production deployment.
 * Running on http://127.0.0.1:9090
 * Running on http://192.168.183.141:9090 (Press CTRL+C to quit)

┌──(root🌸siunam)-[~/ctf/HKCERT-CTF-2022/Forensics/SD-Card]
└─# file lag.png                        
lag.png: PNG image data, 1 x 1, 1-bit grayscale, non-interlaced

Hmm… The size is 1x1, looks like it’s corrupted!

Let’s upload this picture to https://www.nayuki.io/page/png-file-chunk-inspector to inspect the PNG chuncks!

We can see that the has mulitple chuncks! Let’s upload the image to HexEd.it to remove those chuncks!

Remove extra chunck:

Export the image:

View the image:

┌──(root🌸siunam)-[~/ctf/HKCERT-CTF-2022/Forensics/SD-Card]
└─# eog /home/nam/Downloads/lag\(1\).png

We got the flag!

Flag: hkcert22{funfunfunfunlookinforwardtotheweekend}

Conclusion

What we’ve learned:

Disk Forensics & Recovering Corrupted Image