FDCA Xmas 2024 Day 2 - Gaven der Forsvandt
Challenge Description
English (translated from the Danish original by ChatGPT)
During the Christmas preparations in Valhalla, an important gift for the gods has disappeared from one of the shared computers used in the gift hall!
The gift, intended for Thor, was carefully stored in the digital halls, but now it is missing from the computer. Odin is furious and suspects that Loki is behind yet another clever trick to create chaos during the Christmas peace. Freya believes she saw Loki walking around with a USB stick.
We have received some data from the machine, maybe you can find something?
File
We are also given the following file:
Solution
I went with the very low effort solution of just grepping for FDCA and RkRDQ (first few chars of the base64 version of FDCA) as follows:
$ grep "RkRDQ" -r .
grep: ./C/Windows/System32/config/SYSTEM.LOG1: binary file matches
grep: ./C/Windows/System32/config/SYSTEM: binary file matches
grep: ./C/Users/chri8/NTUSER.DAT: binary file matches
grep: ./C/Users/chri8/ntuser.dat.LOG1: binary file matches
The base64 grep matched ./C/Users/chri8/NTUSER.DAT, so I ran strings on it into grep and decoded the base64:
$ strings C/Users/chri8/NTUSER.DAT | grep "RkRDQ"
RkRDQXtVU0JfRjBSM041MUM1X1JfTjFDM30=
RkRDQXtVU0JfRjBSM041MUM1X1JfTjFDM30=
RkRDQXtVU0JfRjBSM041MUM1X1JfTjFDM30=
$ echo "RkRDQXtVU0JfRjBSM041MUM1X1JfTjFDM30=" | base64 -d
FDCA{USB_F0R3N51C5_R_N1C3}
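An added example, not part of the original writeup: grepping for RkRDQ only finds a flag that starts on a 3-byte boundary of the encoded data and is stored as ASCII. This Python sketch goes a step further by deriving the base64 fragments for a marker at all three alignments and also checking UTF-16LE strings; the function names and the sample blob are constructed for illustration, with the encoded flag from above embedded in it.

```python
import base64
import re

def b64_needles(marker: bytes) -> set[bytes]:
    """Base64 fragments that `marker` produces at each of the 3 byte alignments."""
    needles = set()
    for shift in range(3):
        enc = base64.b64encode(b"\x00" * shift + marker)
        start = (shift * 8 + 5) // 6            # skip chars mixed with preceding bytes
        end = (shift + len(marker)) * 8 // 6    # stop before chars mixed with following bytes
        needles.add(enc[start:end])
    return needles

ASCII_RUN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")
UTF16_RUN = re.compile(rb"(?:[A-Za-z0-9+/]\x00){8,}(?:=\x00){0,2}")

def decode_run(run: bytes, marker: bytes):
    """Decode a base64 run, tolerating up to 3 stray leading characters."""
    for off in range(4):
        body = run[off:].rstrip(b"=")
        body += b"=" * (-len(body) % 4)
        try:
            plain = base64.b64decode(body)
        except ValueError:                      # impossible length at this offset
            continue
        if marker in plain:
            return plain
    return None

def find_encoded(blob: bytes, marker: bytes = b"FDCA{") -> set[bytes]:
    """Return decoded strings containing `marker`, from ASCII or UTF-16LE base64."""
    needles = b64_needles(marker)
    runs = [m.group() for m in ASCII_RUN.finditer(blob)]
    runs += [m.group().replace(b"\x00", b"") for m in UTF16_RUN.finditer(blob)]
    found = set()
    for run in runs:
        if any(n in run for n in needles):      # cheap pre-filter, same idea as the grep
            plain = decode_run(run, marker)
            if plain:
                found.add(plain)
    return found

# Constructed sample: binary filler, the ASCII string from the writeup, and a
# made-up UTF-16LE value where the marker sits at a different alignment.
SAMPLE = (b"\x00\x01regf\xff" + b"RkRDQXtVU0JfRjBSM041MUM1X1JfTjFDM30=" + b"\xff"
          + base64.b64encode(b"gift=FDCA{constructed}").decode().encode("utf-16-le")
          + b"\xff\x00")

if __name__ == "__main__":
    print(sorted(b64_needles(b"FDCA{")))
    print(find_encoded(SAMPLE))
```

The three fragments from `b64_needles` can also be used directly as grep patterns against the extracted files.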