We are provided with a .ntfs image, which is a file system format that can be parsed by Autopsy. After looking for a while we can see that the only files inside of the image are numbered txt files:
The flag{number}.txt files do not contain anything useful, but the companion files (flag{number}.txt:flag{number}) all contain different text:
These companion files use NTFS alternate data streams (ADS) to store data. Such streams cannot be read very easily on Windows, so malware will sometimes leverage them to hide data or executables.
Anyway, after extracting all interesting files we can use a small script to concatenate their contents and display it as a single string:
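import os


def get_filtered_files(directory='.'):
    # Keep the extracted stream files (not the .txt or .py files) and sort
    # them by the number that follows 'flag' in the file name.
    return sorted(
        (int(file_name.split('flag')[1][:-5]), os.path.join(directory, file_name))
        for file_name in os.listdir(directory)
        if os.path.isfile(os.path.join(directory, file_name))
        and not file_name.endswith(('.txt', '.py'))
    )


def read_concatenated_content(files):
    # Join the stripped contents of every file, in numeric order.
    parts = []
    for _, path in files:
        with open(path, 'r') as handle:
            parts.append(handle.read().strip())
    return ''.join(parts)


if __name__ == "__main__":
    filtered_files = get_filtered_files()
    concatenated_content = read_concatenated_content(filtered_files)
    print(concatenated_content)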
The output looks very much like hex-encoded data which, on closer inspection, decodes to an image of a QR code. Parsing this QR code finally gives us our flag. Here is the final solution with CyberChef.
Flag: TCP1P{hidden_flag_in_the_extended_attributes_fea73c5920aa8f1c}
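An added example, not part of the original writeup: the reassembly step carried one stage further in Python, ordering the stream fragments numerically, checking for gaps, hex-decoding the result and naming the image format from its magic bytes. The stream names follow the flag{number}.txt:flag{number} pattern above; the fragment contents, the 1-based numbering and all function names are constructed for illustration.

```python
import re

# Extracted stream names look like "flag<N>.txt<sep>flag<N>"; the separator
# depends on the extraction tool, so any single character is accepted (assumption).
STREAM_NAME = re.compile(r"^flag(\d+)\.txt.flag(\d+)$")

# Leading bytes of common image formats.
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpeg",
         b"GIF87a": "gif", b"GIF89a": "gif", b"BM": "bmp"}


def order_fragments(streams):
    """Return fragment texts in numeric order; raise if a number is missing."""
    numbered = {}
    for name, text in streams.items():
        m = STREAM_NAME.match(name)
        if m and m.group(1) == m.group(2):
            numbered[int(m.group(1))] = text.strip()
    if not numbered:
        raise ValueError("no stream fragments found")
    expected = range(min(numbered), max(numbered) + 1)
    missing = [n for n in expected if n not in numbered]
    if missing:
        raise ValueError(f"missing fragments: {missing}")
    return [numbered[n] for n in expected]


def decode_and_identify(fragments):
    """Hex-decode the joined fragments and name the format from its magic bytes."""
    data = bytes.fromhex("".join(fragments))  # ValueError on non-hex or odd length
    kind = next((k for sig, k in MAGIC.items() if data.startswith(sig)), "unknown")
    return kind, data


def make_sample():
    """Constructed input: PNG signature + IHDR chunk start, cut into 11 streams."""
    hex_text = "89504e470d0a1a0a0000000d49484452"
    pieces = [hex_text[i:i + 3] for i in range(0, len(hex_text), 3)]
    streams = {f"flag{n}.txt:flag{n}": p + "\n" for n, p in enumerate(pieces, 1)}
    streams["flag1.txt"] = "nothing useful\n"  # main data stream, ignored
    return streams


if __name__ == "__main__":
    kind, data = decode_and_identify(order_fragments(make_sample()))
    print(kind, len(data), "bytes")
```

Sorting by the parsed integer matters here: a plain string sort would place flag10 and flag11 before flag2 and scramble the hex.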