Intergalactic Recovery [easy]: HackTheBox Forensics Challenge (RAID 5 Disk Recovery)

Save
3 years ago
73

Video walkthrough for retired @HackTheBox (HTB) Forensics challenge (originally featured in Cyber Apocalypse 2022 CTF) "Intergalactic Recovery" [easy]: "Miyuki's team stores all the evidence from important cases in a shared RAID 5 disk. Especially now that the case IMW-1337 is almost completed, evidences and clues are needed more than ever. Unfortunately for the team, an electromagnetic pulse caused by Draeger's EMP cannon has partially destroyed the disk. Can you help her and the rest of team recover the content of the failed disk?"

We'll use PwnTools to XOR the two uncorrupted RAID 5 drives, recovering the destroyed disk. Next, we'll use mdadm to rebuild the RAID 5 array. Finally, we'll mount the array and extract a PDF document, containing the flag. Hope you enjoy 🙂 #HackTheBox #HTB #CTF #Forensics #DFIR #OffSec #CyberApocalypse #CyberApocalypse22

↢Social Media↣
Twitter: https://twitter.com/_CryptoCat
GitHub: https://github.com/Crypto-Cat
HackTheBox: https://app.hackthebox.eu/profile/11897
LinkedIn: https://www.linkedin.com/in/cryptocat
Reddit: https://www.reddit.com/user/_CryptoCat23
YouTube: https://www.youtube.com/CryptoCat23
Twitch: https://www.twitch.tv/cryptocat23

↢HackTheBox↣
https://app.hackthebox.com/challenges/317
https://www.hackthebox.com/events/cyber-apocalypse-2022
https://twitter.com/hackthebox_eu
https://discord.gg/hackthebox

↢Video-specific Resources↣
https://medium.com/jeremy-gottfrieds-tech-blog/why-every-bit-is-not-equal-a-primer-in-computer-memory-7cb0be4fe115
https://www.prepressure.com/library/technology/raid
https://www.ontrack.com/en-gb/data-recovery/raid/explained/5
https://www.forensicfocus.com/forums/general/raid-5/
https://sleuthkit.discourse.group/t/raid-forensic-analysis/407
https://www.cyberciti.biz/faq/what-happens-when-hard-disk-fails-in-raid-5
https://mustafakalayci.me/2020/05/01/raid-5-and-xor
https://www.thomas-krenn.com/en/wiki/Mdadm_recovery_and_resync
https://ctftime.org/task/21470

↢Resources↣
Ghidra: https://ghidra-sre.org/CheatSheet.html
Volatility: https://github.com/volatilityfoundation/volatility/wiki/Linux
PwnTools: https://github.com/Gallopsled/pwntools-tutorial
CyberChef: https://gchq.github.io/CyberChef
DCode: https://www.dcode.fr/en
HackTricks: https://book.hacktricks.xyz/pentesting-methodology
CTF Tools: https://github.com/apsdehal/awesome-ctf
Forensics: https://cugu.github.io/awesome-forensics
Decompile Code: https://www.decompiler.com
Run Code: https://tio.run

↢Chapters↣
Start: 0:00
Basic file checks: 0:45
Computer Memory (volatile vs non-volatile): 3:04
Redundant Arrays of Inexpensive Disks (RAID): 6:30
RAID 5 parity and XOR: 11:08
XOR working disks to recover corrupted disk (PwnTools): 14:49
Map images to devices (losetup): 17:00
Rebuild RAID 5 array (mdadm): 17:56
Mount array and extract PDF: 19:18
Fix image sequence (-.-): 19:56
End: 22:02

Loading comments...