Suninatas Game 32

Challenge summary:

  • A USB image is malformed and not recognized by normal tools.
  • Q1: modified timestamp of the file containing the next terror plan (UTC+9)
  • Q2: next target place
  • Final: lowercase(md5(YYYY-MM-DD_HH:MM:SS_place))

Given artifact:

$ file 'USB_Image(SuNiNaTaS)'
USB_Image(SuNiNaTaS): DOS/MBR boot sector, ... FAT (32 bit) ...

1) Why the image fails

Sleuth Kit initially fails:

$ fsstat -f fat32 USB_Image\(SuNiNaTaS\)
Invalid magic value (Error: sector size (4352) is not a multiple of device size (512)
Do you have a disk image instead of a partition image?)

Hex inspection shows that the FAT32 FSInfo signature (RRaA) is shifted from its expected offset because extra bytes were inserted before the boot-sector end marker (0x55aa).

2) Repair the FAT32 boot area

I fixed the image in a hex editor (imhex) by aligning the boot sector so 0x55aa is at offset 0x1fe-0x1ff.

After repair:

$ fsstat -f fat32 USB_Image\(SuNiNaTaS\)
FILE SYSTEM INFORMATION
--------------------------------------------
File System Type: FAT32
OEM Name: MSDOS5.0
Volume ID: 0xde96e00a
Volume Label (Boot Sector): NO NAME
...
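
A quick way to confirm the shift before opening a hex editor, as an added example that is not part of the original write-up: it checks that the boot-sector end marker and both FSInfo signatures sit the same number of bytes too late, then removes the extra bytes. The sample header is constructed; the FSInfo sector is assumed to be sector 1, and the insertion offset passed to `remove_inserted` is assumed to have been found by hand.

```python
import struct

BOOT_SIG = b"\x55\xaa"    # boot-sector end marker, expected at 0x1FE
FSINFO_LEAD = b"RRaA"     # FSInfo lead signature, expected at 0x200 (sector 1, assumed)
FSINFO_STRUCT = b"rrAa"   # FSInfo structure signature, expected at 0x200 + 0x1E4

def bytes_per_sector(image: bytes) -> int:
    """BPB field at 0x0B (little-endian u16); fsstat reads the sector size from here."""
    return struct.unpack_from("<H", image, 0x0B)[0]

def signature_shift(image: bytes, window: int = 64):
    """Return how many bytes too late all three signatures sit, or None if they disagree."""
    for shift in range(window + 1):
        if (image[0x1FE + shift:0x200 + shift] == BOOT_SIG
                and image[0x200 + shift:0x204 + shift] == FSINFO_LEAD
                and image[0x3E4 + shift:0x3E8 + shift] == FSINFO_STRUCT):
            return shift
    return None

def remove_inserted(image: bytes, insert_at: int, count: int) -> bytes:
    """Drop `count` bytes starting at `insert_at` (offset located in a hex editor)."""
    return image[:insert_at] + image[insert_at + count:]

def make_sample(extra: int = 0, insert_at: int = 0x100) -> bytes:
    """Constructed two-sector FAT32-like header, optionally with junk bytes inserted."""
    boot = bytearray(512)
    boot[0:3] = b"\xeb\x58\x90"          # typical FAT32 jump instruction
    boot[3:11] = b"MSDOS5.0"             # OEM name, as fsstat shows after repair
    struct.pack_into("<H", boot, 0x0B, 512)
    boot[0x1FE:0x200] = BOOT_SIG
    fsinfo = bytearray(512)
    fsinfo[0:4] = FSINFO_LEAD
    fsinfo[0x1E4:0x1E8] = FSINFO_STRUCT
    fsinfo[0x1FE:0x200] = BOOT_SIG
    clean = bytes(boot + fsinfo)
    return clean[:insert_at] + b"\x00" * extra + clean[insert_at:]

if __name__ == "__main__":
    damaged = make_sample(extra=5)
    shift = signature_shift(damaged)
    print("signatures shifted by", shift, "bytes")
    fixed = remove_inserted(damaged, 0x100, shift)
    print("after repair:", signature_shift(fixed), bytes_per_sector(fixed))
```

Work on a copy of the evidence image and read only the first few sectors into `signature_shift`; a result of 0 means the signatures are already where fsstat expects them.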

3) Enumerate files and find the plan document

$ fls -r -p USB_Image\(SuNiNaTaS\) | grep -v Orphan
...
r/r 11: 2^^^^~1.HWP
r/r 15: Terrorism Report-2013-North Korea.pdf
r/r 19: Terrorism Report-2013-South Korea.pdf
...

The DOS short name 2^^^^~1.HWP corresponds to 2차 테러 계획.hwp (“2nd terror plan”).

Extract and inspect metadata:

$ icat USB_Image\(SuNiNaTaS\) 11 > tero.hwp

$ istat USB_Image\(SuNiNaTaS\) 11
Directory Entry: 11
Allocated
Name: 2^^^^~1.HWP

Directory Entry Times:
Written: 2016-05-30 02:44:02 (CST)
Accessed: 2016-05-30 00:00:00 (CST)
Created: 2016-05-30 02:50:41 (CST)

The challenge asks for UTC+9 formatted as YYYY-MM-DD_HH:MM:SS, and the value used in the solution is:

2016-05-30_11:44:02

4) Read document content for location

Open tero.hwp with an HWP-compatible viewer (e.g., Hancom/ONLYOFFICE).

Recovered content:

2nd Terror Plan
Date 2016-07-15
Time 09:00:00
Place Rose Park

Q2 answer:

Rose Park

Final Auth Key

Input string:

2016-05-30_11:44:02_Rose Park

Result:

8ce84f2f0568e3c70665167d44e53c2a