Hello, cyber enthusiasts! How are you doing?
I’m here with a new walkthrough of Advent of Cyber 2023 Day 5, “A Christmas DOScovery: Tapes of Yule-tide Past”.
In this walkthrough, you will learn about DOS (Disk Operating System), MS DOS, file signatures, magic bytes, and reverse engineering.
DOS
Disk Operating System (DOS) refers to a family of operating systems that were widely used during the early years of personal computing.
It provides a file system for operations such as reading, writing, and erasing data on a disk. It is a non-graphical, line-oriented, command-driven operating system designed for the IBM PC. Several variations of DOS were developed, such as MS-DOS (Microsoft) and PC-DOS (IBM).
DOS used a file system that followed the 8.3 naming convention, allowing filenames to have up to eight characters followed by a three-character extension, for example “filename.txt”.
DOS had limitations in terms of memory management. It used a segmented memory model, and applications were restricted to a maximum of 640 KB of RAM. Extended and expanded memory techniques were later introduced to overcome these limitations.
MS-DOS
When Microsoft licensed its DOS-based operating system to computer manufacturers other than IBM, it was sold under the name MS-DOS.
Although the first IBM personal computers technically ran MS-DOS, IBM shipped the operating system under the name PC DOS. PC DOS and MS-DOS therefore denote essentially the same system.
When most people think of DOS, they are picturing MS-DOS, recognized by its familiar C:> prompt.
Common DOS commands and utilities:
Command | Description |
--- | --- |
CD | Changes the current directory. |
DIR | Lists all files and directories in the current directory. |
TYPE | Displays the content of a text file. |
CLS | Clears the screen. |
HELP | Provides help information for DOS commands. |
EDIT | Opens the MS-DOS Editor. |
These commands will help you through this walkthrough. Have a look at the MS-DOS command prompt in the given screenshot.
FILE SIGNATURE
A file signature is a unique identifying sequence of bytes found at the beginning of a file.
This sequence identifies the type of file and so tells us something about the data the file actually contains.
We can use it to determine what type of file is really being read when the file extension, or a user error, has labelled the file as the wrong type.
MAGIC BYTES
Magic bytes are the first few bytes of a file that are used to recognize its format. They are not visible when you open the file normally, but they can be seen with special tools such as the hex editor HxD.
These bytes often have corresponding ASCII characters, allowing for easier human readability when inspected. The identification process helps software applications quickly determine whether a file is in a format they can handle, aiding operational functionality and security measures.
In cyber security, file signatures are crucial for identifying file types and formats. You’ll see them in malware analysis, incident response, network traffic inspection, web security checks, and forensics.
Knowing how to work with these magic bytes can help you quickly identify malicious or suspicious activity and choose the right tools for deeper analysis.
Here is a list of some of the most common file formats and their magic bytes:
File Format | Magic Bytes | ASCII representation |
--- | --- | --- |
PNG image file | 89 50 4E 47 0D 0A 1A 0A | %PNG |
GIF image file | 47 49 46 38 | GIF8 |
Windows and DOS executables | 4D 5A | MZ |
Linux ELF executables | 7F 45 4C 46 | .ELF |
MP3 audio file | 49 44 33 | ID3 |
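The table above is exactly what a small file-type identifier needs. The following Python script is an added example for this walkthrough (it is not part of the TryHackMe room or any tool mentioned in it): it encodes the signature table, identifies a file from its leading bytes, and flags the case described earlier, where the extension says one thing and the magic bytes say another. The sample headers and the extension mapping are constructed for the example.

```python
"""Identify a file format from its magic bytes and spot extension mismatches.

Added example for this walkthrough; not code from the TryHackMe room.
The signature table mirrors the one in the text. SAMPLES are constructed
byte strings, not real files from the challenge machine.
"""
from __future__ import annotations

# (magic bytes, description), as listed in the table above.
SIGNATURES: list[tuple[bytes, str]] = [
    (bytes.fromhex("89504E470D0A1A0A"), "PNG image file"),
    (bytes.fromhex("47494638"), "GIF image file"),
    (bytes.fromhex("4D5A"), "Windows/DOS executable"),
    (bytes.fromhex("7F454C46"), "Linux ELF executable"),
    (bytes.fromhex("494433"), "MP3 audio file"),
]
# Check the longest signatures first so a short prefix cannot shadow a longer one.
SIGNATURES.sort(key=lambda item: len(item[0]), reverse=True)

# Extensions normally paired with each format (assumed mapping for the example).
EXPECTED_EXTENSIONS: dict[str, set[str]] = {
    "PNG image file": {".png"},
    "GIF image file": {".gif"},
    "Windows/DOS executable": {".exe", ".dll"},
    "Linux ELF executable": {"", ".so", ".elf"},
    "MP3 audio file": {".mp3"},
}


def identify(header: bytes) -> str | None:
    """Return the format whose magic bytes prefix `header`, or None if unknown."""
    for magic, name in SIGNATURES:
        if header.startswith(magic):
            return name
    return None


def hexdump(data: bytes, count: int = 8) -> str:
    """Render the first `count` bytes as uppercase hex pairs, the way a hex editor shows them."""
    return " ".join(f"{b:02X}" for b in data[:count])


def check_file(name: str, header: bytes) -> dict:
    """Compare what the extension claims with what the magic bytes say.

    `mismatch` is True when the bytes identify a known format whose usual
    extensions do not include this file's extension, i.e. the file has been
    renamed or mislabelled. Unknown formats are reported, not flagged.
    """
    ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else ""
    fmt = identify(header)
    mismatch = fmt is not None and ext not in EXPECTED_EXTENSIONS[fmt]
    return {"name": name, "magic": hexdump(header), "format": fmt, "mismatch": mismatch}


# Constructed sample headers (only the first bytes of each pretend file).
SAMPLES: dict[str, bytes] = {
    "holiday.png": bytes.fromhex("89504E470D0A1A0A0000000D49484452"),
    "tune.mp3": b"ID3\x04\x00\x00\x00\x00\x00\x00",
    "report.txt": b"MZ\x90\x00\x03\x00\x00\x00",  # an executable renamed to look like text
    "notes.txt": b"Dear Santa, here is my list",
}

if __name__ == "__main__":
    for fname, hdr in SAMPLES.items():
        print(check_file(fname, hdr))
```

Running it prints one record per sample; `report.txt` comes back as a Windows/DOS executable with `mismatch` set, which is the situation in which you would trust the bytes over the name.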
REVERSE ENGINEERING
In cybersecurity, reverse engineering means breaking down and studying software to understand how it works and find potential security issues.
We’ll describe it in other walkthroughs in detail.
Let’s have a look at the challenges given:
How large (in bytes) is the AC2023.BAK file?
What is the name of the backup program?
What should the correct bytes be in the backup's file signature to restore the backup properly?
What is the flag after restoring the backup successfully?
From these questions, we can see that there is an AC2023.BAK file and a backup program, and that we need to examine the file's magic bytes; after that, we’ll be able to get the flag.
So let’s start the machine and wait for 2 to 3 minutes to boot it up.
You will find a ‘DOSBox-X’ icon on the desktop; double-click on it to run the DOS emulator.
You’ll see a welcome screen. Type cls in the [AC] C:> command prompt to clear the screen.
Now that we are in a DOS environment, let’s check what files are present here.
We can see that there are five directories and two files, AC2023.BAK and PLAN.TXT.
AC2023.BAK is a backup file; when we tried to read it, it wasn’t readable. So first we have to restore it, and only then can we read its content.
So now let’s see the content of the plan.txt file.
When we read the plan.txt file, we learn that we need to back up or restore the data, and that there is a ‘BackupMaster 3000’ program ready to serve.
In the troubleshooting section, it says that if you encounter any issues during the backup or restore process, be sure to check the first few bytes of the file. The first bytes of the file signature should be “AC”. If these bytes do not match, the file is likely not compatible or may be corrupted.
In order to restore the AC2023.BAK file, we need to have a backup tool.
When we searched for one, we found the Tools directory. Inside Tools there is a Backup directory, and inside Backup is the backup tool, BUMASTER.EXE.
Let’s try to restore the ‘AC2023.BAK’ file with the help of this tool.
Let’s type the command
BUMASTER.EXE C:\AC2023.BAK
We get an error: the file could not be read. Error in file signature. Check the troubleshooting notes in the readme.txt file.
Let’s read the README.TXT file. Type the command
type readme.txt
In troubleshooting, we can see that we need to check the first few bytes of the file. Let’s check them out.
To see the first few bytes of AC2023.BAK, we can use either of two commands: edit AC2023.BAK or type AC2023.BAK.
With both commands, we can see that the first two bytes are “XX” instead of “AC”.
You might wonder, why “AC”? When we read the plan.txt file, we saw that the first bytes of this file must be “AC” before it can be restored.
The README.txt file says the same thing: the first bytes should be “41 43”. When we convert these hexadecimal values to their ASCII representation, we get “AC”.
Let’s change the first bytes “XX” to “AC”.
Type the command
edit AC2023.BAK
The editor will open. Delete the first two bytes, XX, and type AC in their place.
To save this file, first press Alt+F, then Alt+S.
To exit from this editor, press Alt+F, then Alt+X on the keyboard.
Then move to the backup folder. Type the command.
cd Tools\Backup
Now we are all set to restore this AC2023.BAK file. Type the command.
BUMASTER.EXE C:\AC2023.BAK
Boom! The backup was successfully restored, and we get our flag: THM{0LD_5CH00L_C00L_d00D}.
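The restore steps above amount to a two-byte check and a two-byte patch. The Python below is an added example for this walkthrough (it is not BUMASTER.EXE or any tool from the room): it performs BackupMaster's “41 43” signature check as the README describes it, repairs a bad header the same way the manual XX → AC edit does, and then confirms that nothing besides those two bytes changed. That last check is worth having because MS-DOS EDIT is a text editor, so after fixing a binary file by hand you want to verify that only the intended offsets differ. The sample backup image is a constructed byte string, not the real AC2023.BAK.

```python
"""Check and repair a backup file signature the way the challenge has us do by hand.

Added example for this walkthrough; not code from the TryHackMe room or from
BackupMaster 3000. The expected signature "AC" (41 43) is the one quoted from
the README in the text. CORRUPT_BACKUP is a constructed sample, not AC2023.BAK.
"""
EXPECTED_SIGNATURE = bytes.fromhex("4143")  # "AC", as the README specifies


def verify_signature(data: bytes, expected: bytes = EXPECTED_SIGNATURE) -> tuple[bool, str]:
    """Return (ok, message) modelled on the error text BUMASTER prints."""
    actual = data[: len(expected)]
    if actual == expected:
        return True, f"signature OK: {actual.hex(' ').upper()} ({actual.decode('ascii', 'replace')})"
    return False, (
        f"error in file signature: expected {expected.hex(' ').upper()}, "
        f"got {actual.hex(' ').upper() or '<empty>'}"
    )


def repair_signature(data: bytes, expected: bytes = EXPECTED_SIGNATURE) -> bytes:
    """Overwrite the leading bytes with the expected signature; the payload is untouched."""
    if len(data) < len(expected):
        raise ValueError("file is shorter than the signature")
    return expected + data[len(expected):]


def changed_offsets(before: bytes, after: bytes) -> list[int]:
    """Offsets at which two buffers differ; a length difference counts as a change."""
    longest = max(len(before), len(after))
    return [i for i in range(longest) if before[i : i + 1] != after[i : i + 1]]


# Constructed sample: a backup whose signature has been clobbered with "XX".
CORRUPT_BACKUP = b"XX" + b"\x01\x00BackupMaster 3000 archive\x00<constructed payload bytes>"

if __name__ == "__main__":
    ok, msg = verify_signature(CORRUPT_BACKUP)
    print(f"size: {len(CORRUPT_BACKUP)} bytes")   # what DIR reports for the file
    print(msg)
    if not ok:
        fixed = repair_signature(CORRUPT_BACKUP)
        print(verify_signature(fixed)[1])
        print("offsets changed by the repair:", changed_offsets(CORRUPT_BACKUP, fixed))
```

If the repair touched anything other than offsets 0 and 1 (for example, an editor appending a trailing newline or EOF marker), `changed_offsets` would show it, and the restore would be suspect even though the signature now reads “AC”.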
Our task is done. So let’s quickly answer the questions.
How large (in bytes) is the AC2023.BAK file?
We can see the size of this file with the dir command.
What is the name of the backup program?
We can see the name of the backup program in the PLAN.TXT file.
What is the flag after restoring the backup successfully?
After restoring the AC2023.BAK backup file, we can easily find the flag.
I tried to keep this walkthrough simple and easy to follow.
If you face any issues, feel free to connect with me on LinkedIn and ask your doubts. I’ll be happy to help.
Check out our YouTube channel, Ethical Empire.
If you’re preparing for the CEH Practical Exam, don’t forget to check out our playlist, ‘CEH Practical Exam Preparation’.
That’s all for this walkthrough.
Until next time, stay curious, stay secure, and keep exploring the fascinating world of cyber security.
Thanks. It was helpful