Rootme Job Interview
Root-me.org
Job interview
Hide-and-seek
We’re given an EWF (Expert Witness / EnCase) disk image and need to find a flag somewhere inside it.
I’ve seen this format before: the ewf-tools package (the libewf utilities) can convert it to a raw image that ordinary tools understand.
file image_forensic.e01
image_forensic.e01: EWF/Expert Witness/EnCase image file format
sudo apt-get install ewf-tools
ewfexport image_forensic.e01
ewfexport 20140608
Information for export required, please provide the necessary input
Export to format (raw, files, ewf, smart, ftk, encase1, encase2, encase3, encase4, encase5, encase6, encase7, encase7-v2, linen5, linen6, linen7, ewfx) [raw]:
Target path and filename without extension or - for stdout: data
Evidence segment file size in bytes (0 is unlimited) (0 B <= value <= 7.9 EiB) [0 B]:
Start export at offset (0 <= value <= 9431040) [0]:
Number of bytes to export (0 <= value <= 9431040) [9431040]:
Export started at: Mar 22, 2018 11:30:11
This could take a while.
Export completed at: Mar 22, 2018 11:30:11
Written: 8.9 MiB (9431040 bytes) in 0 second(s).
MD5 hash calculated over data: ba74f9213ff89221eb9b68cd03ff0242
ewfexport: SUCCESS
Accept the default raw format and give a target name (data here); ewfexport adds the extension itself and writes data.raw. The MD5 printed at the end is computed over the exported bytes; if you need to confirm the image was not altered, ewfverify from the same package checks it against the hash stored in the E01 container.
Once the export is done, let’s run file on the result.
file data.raw
data.raw: POSIX tar archive (GNU)
A tar archive (not compressed, despite the .raw name), so let’s unpack it.
tar xvf data.raw
bcache24.bmc
We now have a .bmc file: the persistent bitmap cache of the Windows Remote Desktop client (mstsc). To save bandwidth, the client keeps tiles of the remote screen it has already received, so the cache holds fragments of whatever was displayed during past RDP sessions. More info -> https://fileinfo.com/extension/bmc
We’ll fetch ANSSI’s bmc-tools script, which parses this cache format.
wget https://raw.githubusercontent.com/ANSSI-FR/bmc-tools/master/bmc-tools.py
bmc-tools extracts every cached tile as an image file (-s is the source cache, -d the output directory).
mkdir bcache_extract
python bmc-tools.py -s bcache24.bmc -d ./bcache_extract/
[+++] Processing a single file: 'bcache24.bmc'.
[===] Successfully exported 575 files.
575 files is a lot to go through by hand, and each one is only a small fragment of the screen (RDP cache tiles are at most 64x64 pixels).
We can use eog (Image viewer) or GIMP to browse through them; bmc-tools can also stitch the tiles into a single collage image, which is much faster to scan (see its -h output for the collage options).
Somewhere among the tiles we can see the flag.
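As an added example (not from the original write-up and not part of bmc-tools), the following Python script assembles the extracted tiles into one contact sheet so they can be scanned at a glance instead of opened one by one. It assumes the tiles in ./bcache_extract/ are uncompressed 24- or 32-bpp BMP files of identical size; the directory name, the 32-tiles-per-row layout and the output name contact_sheet.bmp are my own choices. It uses only the standard library, so no image library is needed.

```python
"""Assemble RDP bitmap-cache tiles (uncompressed BMP) into one contact sheet.

Added example for this write-up; not bmc-tools code. Assumes every tile is an
uncompressed 24- or 32-bpp BMP of the same dimensions (RDP tiles are 64x64 at
most, and a single cache normally uses one tile size).
"""
import glob
import os
import struct
import sys


def read_bmp(data: bytes):
    """Parse an uncompressed 24/32-bpp BMP; return (width, height, rows).

    rows is a list of top-to-bottom rows, each a list of (r, g, b) tuples.
    """
    if data[:2] != b"BM":
        raise ValueError("not a BMP file")
    pixel_offset = struct.unpack_from("<I", data, 10)[0]
    # BITMAPINFOHEADER: size, width, height, planes, bpp, compression
    _, width, height, _, bpp, compression = struct.unpack_from("<IiiHHI", data, 14)
    if compression != 0 or bpp not in (24, 32):
        raise ValueError(f"unsupported BMP: bpp={bpp} compression={compression}")
    bottom_up = height > 0          # positive height means rows are stored bottom-up
    height = abs(height)
    bytes_px = bpp // 8
    stride = (width * bytes_px + 3) & ~3   # rows are padded to 4-byte boundaries
    rows = []
    for y in range(height):
        off = pixel_offset + y * stride
        row = []
        for x in range(width):
            b, g, r = data[off + x * bytes_px: off + x * bytes_px + 3]  # BGR(A) order
            row.append((r, g, b))
        rows.append(row)
    if bottom_up:
        rows.reverse()
    return width, height, rows


def write_bmp(width, height, rows) -> bytes:
    """Encode top-to-bottom RGB rows as an uncompressed 24-bpp BMP."""
    stride = (width * 3 + 3) & ~3
    pad = b"\x00" * (stride - width * 3)
    body = b"".join(
        bytes(c for (r, g, b) in row for c in (b, g, r)) + pad for row in reversed(rows)
    )
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(body), 2835, 2835, 0, 0)
    header = struct.pack("<2sIHHI", b"BM", 14 + 40 + len(body), 0, 0, 14 + 40)
    return header + info + body


def contact_sheet(tiles, per_row=32):
    """Lay tiles (list of (w, h, rows)) on a grid per_row wide; return (w, h, rows).

    Unused cells in the last grid row are left black.
    """
    if not tiles:
        raise ValueError("no tiles")
    tw, th = tiles[0][0], tiles[0][1]
    if any((w, h) != (tw, th) for w, h, _ in tiles):
        raise ValueError("tiles differ in size")
    n_rows = (len(tiles) + per_row - 1) // per_row
    sheet = [[(0, 0, 0)] * (tw * per_row) for _ in range(th * n_rows)]
    for idx, (_, _, rows) in enumerate(tiles):
        ox, oy = (idx % per_row) * tw, (idx // per_row) * th
        for y, row in enumerate(rows):
            sheet[oy + y][ox:ox + tw] = row
    return tw * per_row, th * n_rows, sheet


def build_sheet(src_dir, out_path, per_row=32):
    """Read every *.bmp in src_dir (sorted by name) and write one BMP sheet."""
    paths = sorted(glob.glob(os.path.join(src_dir, "*.bmp")))
    tiles = []
    for p in paths:
        with open(p, "rb") as f:
            tiles.append(read_bmp(f.read()))
    w, h, rows = contact_sheet(tiles, per_row)
    with open(out_path, "wb") as f:
        f.write(write_bmp(w, h, rows))
    return len(tiles), w, h


if __name__ == "__main__":
    src = sys.argv[1] if len(sys.argv) > 1 else "bcache_extract"
    count, w, h = build_sheet(src, "contact_sheet.bmp")
    print(f"{count} tiles -> contact_sheet.bmp ({w}x{h})")
```

Run it as python3 contact_sheet.py bcache_extract and open contact_sheet.bmp in eog or GIMP; keeping the tiles in name order preserves their cache order, which often keeps neighbouring screen fragments next to each other. Tiles of a different size are rejected rather than silently misaligned, since that would shift every tile after them.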