Huntress CTF > Medium Challenges

People say you shouldn’t plug in USB drives! But I discovered this neat file on one that I found in the parking lot…

In this challenge, we are given a file, ‘ADATA_128GB.lnk’, to download.

A “.lnk” file, also known as a Windows shortcut, is a file that points to another file or resource on a Windows operating system. It provides a convenient way to access programs, files, directories, or network resources without navigating through the entire file system. When you double-click a .lnk file, it typically opens the linked resource. We used lnkparse for the first step, which can be installed on Linux using:

pip3 install lnkparse

Running the tool ‘lnkparse’ against the file, we can extract the following link:

lnkparse -a ADATA_128GB.lnk

The link is tinyurl.com/a7ba6ma, which we can expand using urlscan.io to get a link to a Google Drive file, ‘usb.txt’.

The text file contains some encoded data, and after some trial and error, we found that it was encoded with base32. We knew we were on the right track when we could make out the MZ header, indicating that this would be a Windows PE file.

We downloaded that file and figured out that it was a DLL that we could run by calling rundll32 like so:

rundll32.exe .\hello-world.dll, main

The program will error, but we still get the flag!
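The decoding by trial and error and the conclusion that the payload is a DLL can both be reached statically, without running anything. The script below is an added example, not part of the original write-up: it tries several common encodings, keeps the one whose output parses as a PE file, and reads the COFF Characteristics flag to tell a DLL from an EXE. The function names are hypothetical, and the sample input is a constructed header stub rather than the challenge file.

```python
import base64
import binascii
import struct

# Candidate decoders, tried in order instead of by hand.
DECODERS = {
    "base64": lambda d: base64.b64decode(d, validate=True),
    "base32": base64.b32decode,
    "base16": lambda d: base64.b16decode(d, casefold=True),
    "base85": base64.b85decode,
}

def pe_kind(data):
    """Return 'dll' or 'exe' if data starts with a valid PE header, else None."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 24:
        return None
    # COFF Characteristics sits 22 bytes past the PE signature.
    (flags,) = struct.unpack_from("<H", data, e_lfanew + 22)
    return "dll" if flags & 0x2000 else "exe"  # 0x2000 = IMAGE_FILE_DLL

def identify(blob):
    """Return (encoding, kind, decoded) for the first decoder yielding a PE."""
    text = b"".join(blob.split())  # strip line breaks and spaces
    for name, decode in DECODERS.items():
        try:
            decoded = decode(text)
        except (binascii.Error, ValueError):
            continue  # not this encoding
        kind = pe_kind(decoded)
        if kind:
            return name, kind, decoded
    return None

def sample_blob(flags=0x2022):
    """Constructed stand-in for usb.txt: a bare DOS + COFF header in base32."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 0, flags)
    return base64.b32encode(dos + b"PE\0\0" + coff)

if __name__ == "__main__":
    encoding, kind, decoded = identify(sample_blob())
    print(encoding, kind, decoded[:2])
```

To use it on a real file, pass the file's bytes to `identify()` and write the returned `decoded` bytes to disk for further static analysis.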
