Forgotten Footprints

by sealldev
🚩 CTFs UTCTF 2025 forensics
Suggested: #autopsy #cyberchef

Description

I didn't want anyone to find the flag, so I hid it away. Unfortunately, I seem to have misplaced it.

https://drive.google.com/file/d/1L75zJ1ha1-myAM3vL_C6lpT8VJe1XQHB/view?usp=sharing

by Caleb (@eden.caleb.a on discord)

This challenge was solved by thehackerscrew and was not solved by me; I post-solved it on my own with some information from their channels during the CTF!

We are given a disk.img file, I start by running file on it:

$ file disk.img
disk.img: BTRFS Filesystem sectorsize 4096, nodesize 16384, leafsize 16384, UUID=19796fde-a3e0-4003-a5c6-607e2f34b80f, 2375680/131072000 bytes used, 1 devices

As I'm solving on an M1, I spin up a Kali VM to mount this drive. Doing some research, Autopsy can't mount it on Windows without installing a driver, so I decided I'll cross that bridge if we need to come to it.

$ sudo mount disk.img /mnt
$ ls /mnt
00ceb2ed7a9a475d66c86d16ea9a5d36.txt  2e467e901d123724941329a727b0bf50.txt  5b2378bfff0cf96052731fd94a1f516c.txt  9611d1421ad76231d3986bc032d9b1f0.txt  c3fc0a1756de274bf0a5b2acb8ef6a70.txt
00d7f3cf9ea2f6b0ab718041ab3f5ea4.txt  2f168ea7ec03859f5454c4257472df1b.txt  5cc3a7284b76365c10a43b40d2440771.txt  972ea658bbfdac5ad8df3c7b157fc7f1.txt  c45a3fc45c3b98230fc449cccd7903a0.txt
01d3003a5b3b1f79457f5f9d625fdcd3.txt  2f26b97ce51a92621053ffede18b3ca9.txt  5d18e1d71d2cc4de63c1f7a163b06037.txt  9778e10b6059fd2cbdfdf9f22d4ef26a.txt  c7f33b32bd809d2e7b00890033f15128.txt
055f8cf970aaae3c4d5d6a5b8a53cf1b.txt  310946b435c5ba157d6e1b4ac415d66a.txt  5e1a255e6b91ce691d4bd432939c2979.txt  982a5dce6ec436d3cb2d9175fea8d92e.txt  ca97af95ca871cc62d08b872a588c6a4.txt
...
2de4c3ec8acaf8bc9ab4739de9dfa7bb.txt  59b4b8d8e33aa563dc5321324acc6fde.txt  956614a853023ec25394166559fee46c.txt  c11b9f9e3fa67ee68fb79368b69e2d02.txt  fee51109c18d7d408bf16e729924cb53.txt
2e1facc7f78671e2c935453654558a3f.txt  5aacb7e5664f60e2e5fd3cfc17004ede.txt  95e4030012f97a566d0672f96b888f6d.txt  c1b46673b22242099c47b277bac1d30f.txt  fefa73adaeb0adce75deabd337d704cd.txt

The file content of these was mostly uninteresting, containing various hexadecimal data that decoded to nothing of interest (checked with file, strings, binwalk, etc, etc…).

I think that perhaps there is some 'not quite removed' data from the disk.img that might not be showing when mounted? Autopsy can't check it, so I decide that (with a few assumptions and trial and error):

  • The file content is in hexadecimal for all the files we can see, likely the flag is in hexadecimal as doing grep -i 'utflag' disk.img resulted in nothing.

I end up getting the hexadecimal representation for the flag header: 7574666c61677b.

Let's look with strings!

$ strings disk.img | grep '7574666c61677b'
...

We get a HUGE blob of hexadecimal, let's cut it down with head.

head -c <num> gets the first <num> bytes!

$ strings disk.img | grep '7574666c61677b' | head -c 100
7574666c61677b64336c337433645f6275375f6e30745f67306e335f34657665727d35ca565d03455294d2c26a3a7aec32ce

Let's decode that hex (I use Python, you can also use Dcode.fr, CyberChef, xxd, etc):

>>> import binascii
>>> binascii.unhexlify("7574666c61677b64336c337433645f6275375f6e30745f67306e335f34657665727d35ca565d03455294d2c26a3a7aec32ce")
b'utflag{d3l3t3d_bu7_n0t_g0n3_4ever}5\xcaV]\x03ER\x94\xd2\xc2j:z\xec2\xce'

Sigh

Flag: utflag{d3l3t3d_bu7_n0t_g0n3_4ever}

Neat 1-liner

I ended up making a 1-liner for this:

$ strings disk.img | grep -o '7574666c61677b[0-9a-f]*' | awk '{sub(/7d.*/, "7d"); print}' | xxd -r -p
utflag{d3l3t3d_bu7_n0t_g0n3_4ever}
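
A Python take on the same search, added here as an example (it is not from the original writeup): it scans the raw image for the hex-encoded flag header, decodes whole bytes only, and reports the byte offset of each hit so the surrounding deleted data can be examined. The function names and the filler around the sample are constructed; the sample hex is the 100 characters printed by head above.

```python
import binascii
import mmap
import re
import sys

def find_hex_flags(data, prefix=b"utflag{", suffix=b"}"):
    """Return [(byte_offset, flag)] for hex-encoded prefix...suffix runs in data."""
    # Match the hex-encoded prefix, then whole bytes (pairs of hex digits) only,
    # so a dangling nibble at the end of a run never breaks the decode.
    pattern = re.compile(re.escape(binascii.hexlify(prefix)) + rb"(?:[0-9a-f]{2})*",
                         re.IGNORECASE)
    hits = []
    for m in pattern.finditer(data):
        decoded = binascii.unhexlify(m.group(0))
        end = decoded.find(suffix)
        if end != -1:  # ignore runs that never close the flag
            flag = decoded[:end + len(suffix)]
            hits.append((m.start(), flag.decode("ascii", errors="replace")))
    return hits

def scan_image(path, **kwargs):
    """Memory-map a raw image so large files are searched without loading them."""
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return find_hex_flags(mm, **kwargs)

# Constructed sample: filler bytes around the 100 hex characters shown above.
SAMPLE_HEX = (b"7574666c61677b64336c337433645f6275375f6e30745f67306e335f"
              b"34657665727d35ca565d03455294d2c26a3a7aec32ce")
SAMPLE_IMAGE = b"\x00" * 4096 + b"deadbeef\n" + SAMPLE_HEX + b"\n" + b"\x00" * 512

if __name__ == "__main__":
    # With an argument, scan that image; otherwise run on the constructed sample.
    hits = scan_image(sys.argv[1]) if len(sys.argv) > 1 else find_hex_flags(SAMPLE_IMAGE)
    for offset, flag in hits:
        print(f"{offset:#x}: {flag}")
```

Run it as `python3 script.py disk.img` (the script name is a placeholder); the printed offset can be passed to dd or a hex editor to inspect the region the string came from.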
