
imaginaryCTF 2023 - Rev

by Eth007

I guess reversing deserved a challenge after all.

Attachments: rev.zip

Solution

This zip file contains two RAID metadata files. I was unsure what could be done with these until I came across this post. Using this knowledge, I XOR’d the two images together to form one recovered image. I then binwalked the file, which contained a Linux filesystem:

Screenshot 2023-07-23 at 4 21 28 PM

I extracted the file system, then ran strings on it to display the entire file system:

Screenshot 2023-07-23 at 4 34 27 PM

Once I was able to see the file system, I came to the conclusion that we could likely just extract the files from this filesystem utilizing the hex dump and the “dd” command. Knowing this, I found the location of a PNG header signature inside the hex dump, converted its hex location to decimal, then extracted the PNG file:

Screenshot 2023-07-23 at 4 39 30 PM

Screenshot 2023-07-23 at 4 40 00 PM
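The same recovery can be scripted end to end. The following is an added example, not code from the original post: it XORs two equal-sized members to rebuild the third, then carves the first PNG by walking its chunks to `IEND` so the length does not have to be guessed. It assumes a plain XOR-parity layout (the post does not state the RAID level); the function names and the in-memory sample disk are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def xor_images(a: bytes, b: bytes) -> bytes:
    """Parity recovery: the missing member is the XOR of the surviving ones."""
    if len(a) != len(b):
        raise ValueError("RAID members must be the same size")
    return (int.from_bytes(a, "big") ^ int.from_bytes(b, "big")).to_bytes(len(a), "big")

def carve_png(blob: bytes, start: int = 0):
    """Return (offset, png_bytes) for the first well-formed PNG, or None."""
    off = blob.find(PNG_SIG, start)
    while off != -1:
        pos = off + len(PNG_SIG)
        while pos + 12 <= len(blob):           # length(4) + type(4) + crc(4)
            length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
            end = pos + 12 + length
            if end > len(blob):
                break                          # truncated chunk: false positive
            (crc,) = struct.unpack(">I", blob[end - 4:end])
            if zlib.crc32(blob[pos + 4:end - 4]) != crc:
                break                          # CRC covers type + data
            pos = end
            if ctype == b"IEND":
                return off, blob[off:pos]
        off = blob.find(PNG_SIG, off + 1)      # try the next signature hit
    return None

def _chunk(ctype: bytes, data: bytes) -> bytes:
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))

def build_sample():
    """Constructed sample: a 1x1 PNG in a fake disk, returned as data + parity."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")          # filter byte + one grey pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    missing = b"\x00" * 0x40 + png + b"\x00" * 0x20
    surviving = bytes((i * 37 + 11) % 256 for i in range(len(missing)))
    return surviving, xor_images(missing, surviving), png

if __name__ == "__main__":
    surviving, parity, _ = build_sample()
    off, png = carve_png(xor_images(surviving, parity))
    print(f"PNG at 0x{off:x} = {off} decimal, {len(png)} bytes")
    print(f"dd if=recovered.img of=out.png bs=1 skip={off} count={len(png)}")
```

Validating each chunk CRC rejects stray signature matches inside unrelated data, which a bare signature search in a hex dump cannot do.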

This post is licensed under CC BY 4.0 by the author.