forensics

Cyber Apocalypse 2024

Pursue the tracks

Solved by : thewhiteh4t

To get the flag, you need to answer the questions from the docker instance.
  • We are given a .mft file in this challenge and need to answer questions based on it
  • Tools used :
    analyzeMFT.py - https://github.com/dkovar/analyzeMFT
    MFTExplorer - https://www.sans.org/tools/mftexplorer/
    MFTECmd - https://github.com/EricZimmerman/MFTECmd
    
  • First we extracted the data in CSV format on Linux :
    • analyzeMFT.py -f z.mft -o result.csv

  • With some grep/cut over the CSV we can see a list of files :

  • Some pointers which are important for solving :
    • analyzeMFT.py shows limited information, so things like Q6 are more easily visible in MFTExplorer
    • "Modified after creation" (Q7) is also visible in MFTExplorer
    • The accurate file size for Q9 is not shown by analyzeMFT or MFTExplorer; for that we had to use MFTECmd
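The three pointers above all come down to fields inside the raw $MFT records: $STANDARD_INFORMATION carries the created/modified timestamps and the Hidden flag, $FILE_NAME carries the name, the record header carries the record number and the in-use bit (cleared for a deleted file), and the size of a non-resident file is in the $DATA attribute header. The following is an added example, not part of this write-up and not code from analyzeMFT, MFTExplorer or MFTECmd: a minimal Python parser that applies the update-sequence fixups, walks the attributes and then answers the question types from the challenge. The record builder and the file names, dates, record numbers and sizes it feeds in are constructed for the demo and are not the challenge's data.

```python
"""Minimal $MFT record parser (added example, not the challenge's or any tool's code)."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch
RECORD_SIZE, SECTOR = 1024, 512
STANDARD_INFORMATION, FILE_NAME, DATA = 0x10, 0x30, 0x80
HIDDEN = 0x02                                        # $STANDARD_INFORMATION flag bit
ROOT_REF = 0x0005000000000005                        # record 5 (root dir), sequence 5

def filetime_to_dt(ft):
    return EPOCH + timedelta(microseconds=ft // 10)

def apply_fixups(raw):
    """Undo NTFS update-sequence protection: the last 2 bytes of every sector hold the
    USN and the original bytes are kept in the update sequence array."""
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        pos = i * SECTOR - 2
        if rec[pos:pos + 2] != usn:
            raise ValueError("fixup mismatch: torn or corrupt record")
        rec[pos:pos + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_record(raw):
    if raw[:4] != b"FILE":
        return None                                  # never-used or damaged slot
    rec = apply_fixups(raw)
    attr_off, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"record": struct.unpack_from("<I", rec, 0x2C)[0], "in_use": bool(flags & 1),
            "is_dir": bool(flags & 2), "name": None, "hidden": False, "size": None}
    while attr_off + 8 <= RECORD_SIZE:
        atype, alen = struct.unpack_from("<II", rec, attr_off)
        if atype == 0xFFFFFFFF or alen == 0:
            break                                    # end-of-attributes marker
        if atype == DATA and rec[attr_off + 9]:      # named $DATA = alternate data stream
            attr_off += alen                         # skip it; we want the main stream size
            continue
        if atype == DATA and rec[attr_off + 8]:      # non-resident: real size in header
            info["size"] = struct.unpack_from("<Q", rec, attr_off + 0x30)[0]
        else:
            vlen, voff = struct.unpack_from("<IH", rec, attr_off + 0x10)
            body = rec[attr_off + voff:attr_off + voff + vlen]
            if atype == STANDARD_INFORMATION:
                created, modified, _, _, si_flags = struct.unpack_from("<QQQQI", body)
                info["created"], info["modified"] = map(filetime_to_dt, (created, modified))
                info["hidden"] = bool(si_flags & HIDDEN)
            elif atype == FILE_NAME:
                name_len, namespace = body[64], body[65]
                if namespace != 2 or info["name"] is None:   # prefer long name over DOS 8.3
                    info["name"] = body[66:66 + 2 * name_len].decode("utf-16-le")
            elif atype == DATA:
                info["size"] = vlen                  # resident: the data sits in the record
        attr_off += alen
    return info

def parse_mft(data):
    recs = (parse_record(data[i:i + RECORD_SIZE]) for i in range(0, len(data), RECORD_SIZE))
    return [r for r in recs if r]

def summarize(records):
    """Answer the question types from the write-up over a parsed record list."""
    files = [r for r in records if not r["is_dir"]]
    return {
        "years": sorted({r[k].year for r in files for k in ("created", "modified")}),
        "first_written": min(files, key=lambda r: r["created"])["name"],
        "deleted": [r["name"] for r in files if not r["in_use"]],
        "hidden": [r["name"] for r in files if r["hidden"]],
        "modified_after_creation": [r["name"] for r in files if r["modified"] > r["created"]],
        "by_record": {r["record"]: r for r in files},
    }

# --- constructed sample records (hypothetical data, not the challenge's MFT) ---------
def _resident(atype, aid, body):
    alen = (0x18 + len(body) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, alen, 0, 0, 0x18, 0, aid, len(body), 0x18, 0, 0)
    return hdr + body.ljust(alen - 0x18, b"\0")

def build_record(no, name, created, modified, *, in_use=True, hidden=False, data=b"", clusters=0):
    ft = lambda dt: int((dt - EPOCH).total_seconds()) * 10_000_000
    times = (ft(created), ft(modified), ft(modified), ft(modified))
    si = struct.pack("<QQQQIIII", *times, HIDDEN if hidden else 0, 0, 0, 0)
    fnb = struct.pack("<QQQQQQQIIBB", ROOT_REF, *times, 0, 0, 0, 0, len(name), 1) + name.encode("utf-16-le")
    if clusters:   # non-resident $DATA: one run of `clusters` 4 KiB clusters at LCN 0x1000
        size = clusters * 4096
        da = struct.pack("<IIBBHHHQQHHIQQQ", DATA, 0x48, 1, 0, 0x40, 0, 2, 0, clusters - 1, 0x40, 0, 0, size, size, size)
        da += bytes([0x21, clusters, 0x00, 0x10, 0x00]).ljust(8, b"\0")
    else:
        da = _resident(DATA, 2, data)
    attrs = _resident(STANDARD_INFORMATION, 0, si) + _resident(FILE_NAME, 1, fnb) + da + b"\xff\xff\xff\xff"
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1 if in_use else 0,
                      0x38 + len(attrs), RECORD_SIZE, 0, 3, 0, no)
    rec = bytearray((hdr + b"\0" * 8 + attrs).ljust(RECORD_SIZE, b"\0"))
    rec[0x30:0x32] = b"\x01\x00"                     # USN, stamped over both sector ends
    for i in (1, 2):
        pos = i * SECTOR - 2
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[pos:pos + 2]
        rec[pos:pos + 2] = b"\x01\x00"
    return bytes(rec)

def sample_mft():
    d = lambda *a: datetime(*a, tzinfo=timezone.utc)
    return b"".join([
        build_record(38, "budget_2023.xlsx", d(2023, 11, 2), d(2023, 11, 2), data=b"x" * 100),
        build_record(39, "draft_plan.xlsx", d(2024, 1, 9), d(2024, 1, 9), in_use=False, data=b"plan"),
        build_record(40, "archive.zip", d(2024, 2, 3), d(2024, 2, 3), clusters=12),
        build_record(41, "secrets.txt", d(2024, 2, 5), d(2024, 2, 5), hidden=True, data=b"k=v"),
        build_record(42, "proposal.pdf", d(2024, 1, 10), d(2024, 2, 20), data=b"%PDF"),
    ])

if __name__ == "__main__":
    for k, v in summarize(parse_mft(sample_mft())).items():
        print(k, v if k != "by_record" else {n: (r["name"], r["size"]) for n, r in v.items()})
```

The fixup step matters on real images: skipping it leaves the USN bytes in place at offsets 510 and 1022, which corrupts whichever attribute happens to span a sector boundary. The size logic mirrors the Q9 pointer: for a non-resident file the real size is only in the $DATA header, so a tool that stops at $FILE_NAME (whose size fields NTFS does not keep current) can report the wrong number. To run it on a real $MFT, replace sample_mft() with the file's bytes.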
  • Answers to all the questions :
Q1. Files are related to two years, which are those?
> 2023,2024

Q2. There are some documents, which is the name of the first file written?
> Final_Annual_Report.xlsx

Q3. Which file was deleted?
> Marketing_Plan.xlsx

Q4. How many of them have been set in Hidden mode?
> 1

Q5. Which is the filename of the important TXT file that was created?
> credentials.txt

Q6. A file was also copied, which is the new filename?
> Financial_Statement_draft.xlsx

Q7. Which file was modified after creation?
> Project_Proposal.pdf

Q8. What is the name of the file located at record number 45?
> Annual_Report.xlsx

Q9. What is the size of the file located at record number 40?
> 57344

Published on : 16 Mar 2024