forensics

Nahamcon 2024

Breath of the wild

Solved by : thewhiteh4t

  • We are given a file without an extension. Running the file command on it shows that it is a VHDX file :
> file breath-of-the-wild
breath-of-the-wild: Microsoft Disk Image eXtended, by Microsoft Windows 10.0.22631.0, sequence 0xa; LOG; region, 2 entries, id BAT, at 0x300000, Required 1, id Metadata, at 0x200000, Required 1
  • The fastest way to access the disk image is to mount it in Windows. It is BitLocker-enabled, and we are given a password : videogames
  • After unlocking it we can see about 100 wallpapers. The challenge description hints at finding the website from which they were downloaded.

  • Using Autopsy, we can automatically get a list of web locations for each file in a matter of seconds.

  • One of the URLs uses a different domain and carries some extra data, which can be decoded in CyberChef.
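
Added example, not part of the original write-up: a Python sketch of the same triage without Autopsy. It assumes the per-file web locations come from the NTFS Zone.Identifier alternate data stream that Windows attaches to downloaded files (the write-up does not say which artifact Autopsy read). All file names, hosts and URLs below are constructed.

```python
from collections import Counter
from urllib.parse import urlsplit


def parse_zone_identifier(text):
    """Return the key/value pairs of the [ZoneTransfer] section of one stream."""
    fields, in_section = {}, False
    for line in text.lstrip("\ufeff").splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)  # URLs may contain '=' themselves
            fields[key.strip()] = value.strip()
    return fields


def outlier_downloads(streams):
    """Return sorted (file, HostUrl) pairs whose host is not the most common one."""
    seen = {}
    for name, text in streams.items():
        url = parse_zone_identifier(text).get("HostUrl")
        if url:  # some streams only record ZoneId
            seen[name] = ((urlsplit(url).hostname or "").lower(), url)
    if not seen:
        return []
    common = Counter(host for host, _ in seen.values()).most_common(1)[0][0]
    return sorted((n, u) for n, (h, u) in seen.items() if h != common)


def _stream(host_url):
    # Constructed stream text in the layout Windows writes for a web download.
    return f"[ZoneTransfer]\r\nZoneId=3\r\nHostUrl={host_url}\r\n"


# Constructed sample: file name -> Zone.Identifier text. Hosts are placeholders.
SAMPLE_STREAMS = {
    "wall_001.jpg": _stream("https://wallpapers.example/img/001.jpg"),
    "wall_002.jpg": _stream("https://wallpapers.example/img/002.jpg"),
    "wall_003.jpg": _stream("https://cdn.other.example/get?data=CONSTRUCTED_VALUE"),
    "wall_004.jpg": _stream("https://wallpapers.example/img/004.jpg"),
    "wall_005.jpg": "[ZoneTransfer]\r\nZoneId=3\r\n",  # no HostUrl recorded
}

if __name__ == "__main__":
    for name, url in outlier_downloads(SAMPLE_STREAMS):
        print(f"{name}: {url}")
```

On the mounted volume in Windows, the text of each stream can be read by opening the path with `:Zone.Identifier` appended to the file name.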

Published on : 28 May 2024