TryHackMe || Advent of Cyber Day 5: A Christmas DOScovery: Tapes of Yule-tide Past || WalkThrough
The backup tapes were finally recovered after the team successfully hacked the server room door. However, as fate would have it, the internal tool for recovering the backups can’t seem to read them. While poring through the tool’s documentation, you discover that an old version of this tool can troubleshoot problems with the backup. But the problem is, that version only runs on DOS (Disk Operating System)!
So, we will learn and use the Microsoft Disk Operating System(MS-DOS) today and recover the backup files.
Either we can use the attackbox or VM can be used. For VM, the credentials would be Username: Administrator, Password: Passw0rd! & IP: MACHINE_IP. You will get the Machine IP when you click the Green Start Machine button and wait for 1 minute.
When connected, click on the ‘DosBox-X’ app. Type ‘CLS’ to clear the screen and then ‘DIR’ to get the list of Files and Directories. Here you will get the answer to the first question, ie, the size of AC2023.BAK. The blurred one contains the answer.
Change the directory to ‘C:\TOOLS\BACKUP’ and run the command ‘BUMASTER.EXE C:\AC2023.BAK’. You will get a response below.
We have to see the troubleshooting notes from README.TXT by using the command ‘TYPE README.TXT.’ Here, you will get the answers to the 2nd and 3rd questions.
Now, navigate to ‘C:\DEV\HELLO’, use to ‘DIR’ command to locate, and then use ‘TC HELLO.C’ to open the file with the Borland Turbo C Compiler. We have to compile it by clicking on ‘Compile -> Build All’ and then exit by clicking ‘File -> Quit’. Now a new file should be visible in the current directory named ‘HELLO.EXE’. We will use another command ‘EDIT HELLO.EXE’ to get the contents of the executable in text form. By analyzing we know its DOS executable file.
Using ‘EDIT C:\AC2023.BAK’, we get the first two bytes of it as XX, which should be AC( 41 43 in Hexadecimal) as per the troubleshooting section of the README.TXT. We have to replace XX with AC and then run the ‘BUMASTER.EXE C:\AC2023.BAK’ from C:TOOLS\BACKUP. We will get the flag as well as
If you still haven't been able to get the answer, you will get it too.
Q/A
- How large (in bytes) is the AC2023.BAK file? Answer: 12,704
- What is the name of the backup program? Answer: BackupMaster3000
- What should the correct bytes be in the backup’s file signature to restore the backup properly? Answer: 41 43
- What is the flag after restoring the backup successfully? Answer: THM{0LD_5CH00L_C00L_d00D}
If you find this blog helpful, follow me on LinkedIn: https://www.linkedin.com/in/-prashantkumar07/
Happy Learning