Employee of the Year — BTLO Lab Solving
Assalamu Alaikum Wa Rahmatullah. How are you, hackers? May Allah bless me and you.
Today I am writing this blog/article after solving Employee of the Year. I wrote it based on how I solved this lab.
Before reading this, try to solve the lab yourself. If you get stuck, then come here for help.
OK, now let's move on to the lab.
First, read the scenario.
John received the ‘Best Employee of the Year’ award for his hard work at FakeCompany Ltd. Unfortunately, today John deleted some important files (typical John!). It’s your job to recover the deleted files and capture all the flags contained within!
In the asset section they give me a zip file. I downloaded the zip file, and inside it I found the lab files.
When I look at the BTLO.txt file, there is nothing crazy in it.
Before moving on to solving the lab, let's list the tools that were used to solve it:
- foremost
- eog
- pdf-parser
- cfdisk
Now let's solve the lab.
What is the text written on the recovered gif image?
Answer :
GoodJobDefender
Note : We are given a disk image file, so first we need to carve the deleted files out of it. For this task I am going to use a forensic tool called “foremost”. After carving the disk image I got a new folder called “output”.
Inside that folder there are some more folders, but according to the question I went to the gif folder, opened the gif and got the answer.
Submit Flag1
Answer :
FLAG1:WELOVEBTLO
Note : To get Flag1, go to the “output/png” folder and you will find the flag.
Submit Flag2
Answer :
FLAG2:ASOLIDDEFENDER
Note : After getting flag1 I thought flag2 would be in the pdf file, but I was wrong. Then I investigated all the other files and found flag2 there. To find flag2 we need to go to “/output/zip” and unzip the zip file. After unzipping I got a folder called /word; when I visited that folder I found a document.xml file. Inside the xml file I found a base64-encoded string. You can open the file in an advanced text editor for better visibility.
After decoding the base64 string I got Flag2.
Submit Flag3
Answer :
FLAG3:@BLU3T3AM$0LDI3R
Note : To find flag3, go to /output/pdf. When you open the pdf, you will see a pdf like this.
OK, now the next task is to get more information about the pdf. For this task I am going to use pdf-parser. In pdf-parser's output you will find an Author name made of percent-encoded ASCII characters.
Now it's time to decode it. If you look at the string carefully you will see that some characters are encoded, such as %3A (decodes to ‘ : ’), %40 (decodes to ‘ @ ’) and lastly %24 (decodes to ‘ $ ’).
You can use these commands to decode them; xxd -r -p skips the % and turns the two hex digits into the byte they stand for:
echo "%3A" | xxd -r -p
echo "%40" | xxd -r -p
echo "%24" | xxd -r -p
After decoding the string you will get flag3.
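The three xxd commands above handle one escape each. The following is an added example (my own code, not part of the lab or BTLO's material) that applies the same rule to a whole percent-encoded string, the way the /Author value has to be decoded, and that also pulls base64 strings out of document.xml as in the Flag2 step. The Author value and the XML fragment are constructed samples that encode the flags shown above; they are not the lab's real files.

```python
import base64
import binascii
import re
import string
from urllib.parse import unquote

# Constructed samples, not the lab's real artifacts. The first stands in for
# the percent-encoded /Author value pdf-parser shows; the second for the
# document.xml inside the carved zip, with a base64 string in a text node.
SAMPLE_PDF_AUTHOR = "FLAG3%3A%40BLU3T3AM%240LDI3R"
SAMPLE_DOCX_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    "<w:document><w:body><w:p><w:r>"
    "<w:t>RkxBRzI6QVNPTElEREVGRU5ERVI=</w:t>"
    "</w:r></w:p></w:body></w:document>"
)


def percent_decode(text: str) -> str:
    """Replace every %XX with the byte 0xXX, then decode the bytes as UTF-8.

    This is the general rule behind %3A -> ':', %40 -> '@' and %24 -> '$';
    a '%' that is not followed by two hex digits is kept literally.
    """
    out = bytearray()
    i = 0
    while i < len(text):
        pair = text[i + 1:i + 3]
        if text[i] == "%" and len(pair) == 2 and all(c in string.hexdigits for c in pair):
            out.append(int(pair, 16))
            i += 3
        else:
            out += text[i].encode("utf-8")
            i += 1
    return out.decode("utf-8", errors="replace")


# Base64 tokens: long runs of the alphabet plus optional padding. 16 is an
# arbitrary floor that skips ordinary XML words such as "document".
BASE64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_base64_strings(xml_text: str) -> list[str]:
    """Return every base64 token in the text that decodes to printable text."""
    found = []
    for token in BASE64_TOKEN.findall(xml_text):
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue  # looked like base64 but is not (bad length or padding)
        try:
            decoded = raw.decode("utf-8")
        except UnicodeDecodeError:
            continue  # binary payload, not a text flag
        if decoded and all(ch.isprintable() for ch in decoded):
            found.append(decoded)
    return found


if __name__ == "__main__":
    author = percent_decode(SAMPLE_PDF_AUTHOR)
    assert author == unquote(SAMPLE_PDF_AUTHOR)  # cross-check against the stdlib
    print("PDF /Author decodes to:", author)
    for flag in decode_base64_strings(SAMPLE_DOCX_XML):
        print("document.xml base64 decodes to:", flag)
```

Run it with python3; the main block cross-checks the hand-written decoder against urllib.parse.unquote, which is what you would use in practice. Feeding the real pdf-parser output or the carved document.xml into these two functions works the same way, because neither depends on the sample values.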
What is the filesystem of the provided disk image?
Answer :
ext4
Note : You can use other tools, and I tried several of them, but “cfdisk” was the best one for this. Run cfdisk with sudo permission and it will show you the filesystem. The command used:
sudo cfdisk file.dd
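cfdisk reads the partition table and reports what it finds. As an added example (my own code, not from the lab or the cfdisk project), the script below shows where that answer comes from: it parses the MBR partition entries of a raw image, then reads the ext superblock 1 KiB into the partition and checks the 0xEF53 magic and the feature flags to tell ext4 from ext3 and ext2. The disk image it inspects is constructed in memory; it is not the lab's file.dd, and the ext4-versus-ext3 rule is an approximation of what blkid does.

```python
import struct

SECTOR = 512
EXT_MAGIC = 0xEF53          # s_magic shared by ext2/ext3/ext4
SUPERBLOCK_OFFSET = 1024    # superblock starts 1 KiB into the partition
SB_MAGIC = 0x38             # __le16 s_magic
SB_FEATURE_COMPAT = 0x5C    # __le32 s_feature_compat
SB_FEATURE_INCOMPAT = 0x60  # __le32 s_feature_incompat
COMPAT_HAS_JOURNAL = 0x0004
INCOMPAT_EXTENTS = 0x0040
INCOMPAT_64BIT = 0x0080
MBR_TABLE = 0x1BE           # four 16-byte partition entries
MBR_SIGNATURE = b"\x55\xAA"


def build_sample_image() -> bytes:
    """Constructed disk image (not the lab's file.dd): an MBR with one
    Linux (0x83) partition at LBA 2048 whose superblock carries the ext
    magic and the extents/64bit flags that only ext4 sets."""
    img = bytearray(2048 * SECTOR + 4096)
    # status, CHS start (3), type, CHS end (3), first LBA, sector count
    entry = struct.pack("<BBBBBBBBII", 0x00, 0, 0, 0, 0x83, 0, 0, 0, 2048, 8)
    img[MBR_TABLE:MBR_TABLE + 16] = entry
    img[0x1FE:0x200] = MBR_SIGNATURE
    sb = 2048 * SECTOR + SUPERBLOCK_OFFSET
    struct.pack_into("<H", img, sb + SB_MAGIC, EXT_MAGIC)
    struct.pack_into("<I", img, sb + SB_FEATURE_COMPAT, COMPAT_HAS_JOURNAL)
    struct.pack_into("<I", img, sb + SB_FEATURE_INCOMPAT, INCOMPAT_EXTENTS | INCOMPAT_64BIT)
    return bytes(img)


def parse_mbr(img: bytes) -> list[tuple[int, int, int]]:
    """Return (type, first LBA, sector count) for each non-empty MBR entry."""
    if img[0x1FE:0x200] != MBR_SIGNATURE:
        raise ValueError("no MBR boot signature; image may be GPT or a bare partition")
    parts = []
    for n in range(4):
        off = MBR_TABLE + 16 * n
        ptype = img[off + 4]
        first_lba, count = struct.unpack_from("<II", img, off + 8)
        if ptype != 0:
            parts.append((ptype, first_lba, count))
    return parts


def identify_ext(img: bytes, first_lba: int) -> str:
    """Name the ext flavour from superblock flags, or "unknown" if no ext magic."""
    sb = first_lba * SECTOR + SUPERBLOCK_OFFSET
    if sb + SB_FEATURE_INCOMPAT + 4 > len(img):
        return "unknown"  # partition too short to hold a superblock
    (magic,) = struct.unpack_from("<H", img, sb + SB_MAGIC)
    if magic != EXT_MAGIC:
        return "unknown"
    (compat,) = struct.unpack_from("<I", img, sb + SB_FEATURE_COMPAT)
    (incompat,) = struct.unpack_from("<I", img, sb + SB_FEATURE_INCOMPAT)
    # Approximation of blkid's rule: ext4-only incompat features mean ext4,
    # a journal without them means ext3, neither means ext2.
    if incompat & (INCOMPAT_EXTENTS | INCOMPAT_64BIT):
        return "ext4"
    if compat & COMPAT_HAS_JOURNAL:
        return "ext3"
    return "ext2"


def identify_partitions(img: bytes) -> list[tuple[int, str]]:
    """(first LBA, filesystem) for every partition listed in the MBR."""
    return [(lba, identify_ext(img, lba)) for _, lba, _ in parse_mbr(img)]


if __name__ == "__main__":
    image = build_sample_image()
    for lba, fs in identify_partitions(image):
        print(f"partition at LBA {lba}: {fs}")
```

To point it at a real image, replace build_sample_image() with open("file.dd", "rb").read(). parse_mbr() raises on an image without an MBR signature, which is the case for a GPT disk or for an image of a single partition; in the latter case identify_ext(img, 0) reads the superblock directly.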
What is the original filename of the recovered mp4 file?
Answer :
SBTCertifications.mp4
Note : If you look through the whole output folder, there is no .mp4 file. Now what? It's simple: use the strings command. In the strings output you will find the .mp4 filename.
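Why does strings find the name when foremost did not carve the file? Because the filename lives in the directory entry, which is a separate structure from the file's data and stays readable after deletion. The following is an added example (my own code, not the lab's or the strings tool's) that reimplements what strings does, scanning raw bytes for runs of printable ASCII, and filters the runs for filenames with a given extension. The byte block it scans is constructed here, not a fragment of the real image.

```python
import re

# Constructed bytes standing in for a fragment of the raw disk image: binary
# noise around directory-entry-like records that still carry file names.
SAMPLE_BLOCK = (
    b"\x00\xff\x13\x88" + b"lost+found\x00" + b"\x02\x00\x0c\x01"
    + b"SBTCertifications.mp4\x00" + b"\x9c\x00\x00\x00" + b"ok\x00"
    + b"\xde\xad\xbe\xef"
)


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of printable ASCII at least min_len long, as strings(1) reports them.

    Four is the default minimum of strings(1); shorter runs are mostly noise.
    """
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_filenames(data: bytes, extensions: tuple[str, ...] = (".mp4",)) -> list[tuple[int, str]]:
    """(byte offset, name) for each printable run ending in one of the extensions.

    Extensions are matched case-insensitively, so pass them in lower case.
    """
    hits = []
    for m in re.finditer(rb"[\x20-\x7e]{4,}", data):
        text = m.group().decode("ascii")
        if text.lower().endswith(extensions):
            hits.append((m.start(), text))
    return hits


if __name__ == "__main__":
    for s in extract_strings(SAMPLE_BLOCK):
        print(s)
    for offset, name in find_filenames(SAMPLE_BLOCK):
        print(f"0x{offset:x}: {name}")
```

On the real image, the one-liner equivalent is strings file.dd | grep -i '\.mp4'; the offset that find_filenames() returns is what you would feed to a hex editor to look at the surrounding directory entry.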
Congratulations! You have successfully solved the lab.
Thanks for reading. I hope this article/blog helps you. If you have any question or doubt, feel free to ask. And please follow me on Medium; it's free and you can always change your mind.
Here are my social links:
Linkedin : https://www.linkedin.com/in/r3dw4n4hm3d/
GitHub : https://github.com/r3dw4n48m3d
Website : https://r3dw4n48m3d.github.io/Portfolio/
YouTube : https://www.youtube.com/@R3DW4NA8M3D