Google CTF 2019 Beginners Quest
Ues ntfs-3g to mount .ntfs file system
mkdir family sudo ntfs-3g family.ntfs family
Go through the file system
By using the bash find and grep command to find the files we need.
find .|grep family find .|grep Family
Indeed we see a directory name Family under Users.
If we go under the Family directory and check each subdirectory with ls -l, we could see that there is a lot of files that are just placeholders with a size of 0.
Soon found a file called credentials.txt under the documents file that has a size of 58.
cd documents cat credentials.txt I keep pictures of my credentials in extended attributes.
This piece of text hints us that there should hidden data under some files within the file system. This is achieved by using something called Extended Attributes
In Linux, we could see the extended attributes by using a tool called getfattr, by running it on credentials.txt we get:
(install)sudo apt-get install attr getfattr credentials.txt # file: credentials.txt user.FILE0
Indeed we see that there is data hidden under credentials.txt. Now by using a getfattr flag, we could get the raw bytes of the data by using -D
getfattr --only-values credentials.txt > raw
If we inspect it with a hex editor:
xxd raw 00000000: 8950 4e47 0d0a 1a0a 0000 000d 4948 4452 .PNG........IHDR
we can see it start with our good old png headers. So now we could just open the raw file with eog.
Get the flag
We get the flag in the images we rendered from raw.