Forensic Challenge. Get the passwords pal!

Here is your weekend challenge. Let’s try something different this week

#The Challenge
A group of Black Hats, known as the Cr4king GuYs are doing very bad things in the Internet, so your team have decided to stop them. Your colleagues have hacked into one of their computers and they’ve found a hidden partition that may contain interesting information.

So, they dumped the partition into a file and gave it to you, the in-house forensic analyst, to figure out if there is something interesting in there.

#Your Goal
Retrieve the passwords in the disk image to finally obliterate those skids.

To probe you solved the challenge, post the passwords you found in the comments. Use the spoiler tag so your solution is not seen by other people trying to solve the challenge. Be free to provide a brief write-up explaining how did you solve the challenge

This is a very basic challenge so there is only two hints.

Hint1: This is a forensic challenge not a cryptographic one

Hint2:

In case you are not familiar with mount, once you get the partition image (check previous challenges for that)

Good luck and Hack Fun

#The Challenging Disk image

H4sICOudyVcAA2Rpc2tfZHVtcC5pbWcA7dxfaFZlGADw120YfEtNKClvfJOyDPxqNvoj/dlfx0DX
cMs0S/r27Wx+be3bvvNNZ4hNuioSUrvsRqULLUMo6EITvYiKGOVlYNFFWjkIoQiRap2VkV1H7aLf
j3Pe5/A+z/tweM+5fqcfevW5oYE0P1Cohpq6eaEm1HwULs8LMTSFP02GlUt3XzjV9Vjsal7fHjNr
m3sbVmdx4bJTW3a9tfx0tX7juwtPXBembtg6fWn111NLpm6Z/rV3WymN2TVSrsZC7CuXq4W+4ST2
l9KhfIzdw0khTWJpJE0qf8sPDJdHR3fGwkj/gtxoJUnT7HFnHEp2xmo5VitZZrBQGon5fD4uyAX+
icePXp6ZyeLMorl+E+aG7///dj4NSSiGSjYuCm9XQz5Uw0R2z5rJnG9v3dDeG2Pvpt4Y+lfsXd65
vDOE2Vgbns9qWgavFs5k/1DzzDX+mJ53bf/mv/rns2WDYTT0/N5/d0NHd0cMYe3V/rOxLhyaw30B
AAAAAAAAAAAAAAAAAAAAAIB/U++2JLZWGodKI4OxY3xzmltXSquxPBBHC2m6o1zpT2ePXSsUi7MH
sZXHKzFNipWkmoXK9lI2mcutLwzvKFSS2NayJjasvrcx17qiNfZk6aSSromD9/TnepLieFbQOlwe
71+TrZzIrVqVc3QbAMyZVxbU1dbWNBSuPLLn8zOPPvPxvkLbU5cPr7yx6ez+zWe+7Nty5Jebum6/
/4emi69tv+tknJ8eX3fz3c1TjS0vd341/+knu4/e+u2zB398s6lz3+KxVbuuHKk/8F3tG58ca3/g
YmXD4bFN3xw9Vrzv4ZMbf3rw/T0riy90vP799Z+dDufO1i/5eePkxPHOpSf2VDvbzu1fNvnibd1f
jB28NP3eS3d+eOHQO113fHDg071H+p7YuniudwgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAP57vwHBiBAK
AJABAA==

How do you even put an entire partition into a single file? (except dd)

-Phoenix750

It is not a real partition. It is very small and is almost empty so it can be compressed a lot.

If somebody is interested I can write a couple of lines on how to generate the file… in case nobody mentions this in the comments.

@sergeantsploit be careful, that partition table looks like your hard drive.

I think you know too much for this challenge. As I said it is very easy to solve, you do not need to do anything very sophisticated.

I will add another hint that I hope will make things easier

I checked with an explorer on windows. It stated the number of files is 1. And that is what it is giving me.

I have tried the mount command: I am having alot of errors. I have tried various commands.

It was a word of warning, just in case. I do not want anybody to destroy their own data.

Are you using windows to solve the challenge?. It should be possible to mount the file on windows but I cannot give much support on that. Otherwise, please post/PM the errors to get an idea of what may be the problem. In the old days it was a bit more tricky to mount a file but nowadays the mount command should just work.

And yes. There is only one file in the partition

Don’t mind me. Just having a bad day from sunset.

I tried with linux and the mount command was just trying to make my life miserable. So i switched to windows. I can send the errors if you want

Telling us how to generate the file would be a huge help to me. It would enable me to explore the method used so I can understand the gibberish better. And I’d assume that in the scenario you described I would know how said file was generated

Then again, forensics aren’t my art.

-Phoenix750

@sergeantsploit Well done and great write up!

Alternative way to get the passwords:

@anon79434934
This is how the image was generated:

$ dd if=/dev/zero of=disk_dump.img bs=1K count=100
$ mkfs.vfat disk_dump.img
$ mkdir disk
$ sudo mount disk_dump.img ./disk
$ cd disk
$ sudo -- generate the text file secret.txt with cat, vim,... --
$ sudo gpg -c secret.txt
$ sudo rm secret.txt
$ cd ..
$ sudo umount ./disk
$ cat disk_dump.img | gzip | base64

I’m using base64 -d to decode the image, but running strings only reveals “disk_dump.img”…

Try running file against your file

Woah this is really decent! I have learned soo much in this. Thank you Pico and @sergeantsploit

Continuing this:

Can anybody find the hidden image and what search engine I found it from in this?

http://termbin.com/78ku

File date: 7:57 PM 9/3/2016
string : disk_dump.img
i dont get password explain

check @sergeantsploit comment above for the details

Too bad I don’t understand forensics well enough (yet) to complete this challenge. Kudos to @sergeantsploit for finding such a straightforward solution and writing a detailed explanation though!

-Phoenix750

I have a number of passwords but they don’t seem to work when entered in the little prompt that pops up. Am I finished, or should I have a pass for this little prompt? EDIT: Ok, read Sergeantsploit’s answer above and think I got it, thanks for the challenge @0x00pf !

Here’s roughly what I did: