I really need help with my budget. Let's see if there's anything you can do with my current situation!
4/10
PCTF{alternate_data_streaming_and_chill}
TBD
Shiloh Smiles (arcticx)
- Extract the .wim.
- Open the file in Notepad. The text isn't important, but the punchline category being "streaming" should offer a hint to the ADS present.
- Run "dir /R" to see the ADS. It will show as "budget:streaming"
- Switch to PowerShell and run the following two commands:
    # Read the whole alternate data stream as raw bytes
    $output = Get-Content .\budget:streaming -Encoding Byte -ReadCount 0
    # Write those bytes out to an ordinary file
    Set-Content .\streaming -Encoding Byte -Value $output
- The name of the file is "streamingjpegjfif", which indicates its type
- Change the first bytes of the header to FF D8 FF E0 xx xx 4A 46 49 46 00, which is the header as indicated by Gary Kessler's file signatures.
- Profit.
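
The listing, extraction and header-repair steps above as one script. This is an added example, not part of the original write-up. It assumes Windows PowerShell 5.1 on an NTFS volume; the function name `Repair-JfifHeader`, the `ads-demo` folder, the output name `streaming.jpg` and the damaged sample bytes are constructed for illustration.

```powershell
# Added example for Windows PowerShell 5.1 on NTFS.
# (PowerShell 6+ replaces "-Encoding Byte" with "-AsByteStream".)

function Repair-JfifHeader {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    if ($Bytes.Length -lt 11) { throw 'Too short to contain a JFIF header' }
    $fixed = [byte[]]$Bytes.Clone()
    # Offsets 0-3: FF D8 (start of image) followed by FF E0 (APP0 marker)
    [byte[]]$soiApp0 = 0xFF, 0xD8, 0xFF, 0xE0
    # Offsets 6-10: the ASCII identifier "JFIF" followed by a NUL byte
    [byte[]]$jfifId = 0x4A, 0x46, 0x49, 0x46, 0x00
    [Array]::Copy($soiApp0, 0, $fixed, 0, 4)
    # Offsets 4-5 are the "xx xx" bytes (APP0 segment length): left as found
    [Array]::Copy($jfifId, 0, $fixed, 6, 5)
    return ,$fixed
}

# Constructed stand-in for the challenge file: a text file named "budget"
# carrying a stream named "streaming" whose JPEG signature has been zeroed.
$dir = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'budget'
Set-Content -Path $file -Value 'visible text'
[byte[]]$damaged = 0, 0, 0, 0, 0x00, 0x10, 0, 0, 0, 0, 0, 0x01, 0x01
Set-Content -Path $file -Stream 'streaming' -Encoding Byte -Value $damaged

# Same information as "dir /R": every stream on the file with its size
Get-Item -Path $file -Stream * | Select-Object Stream, Length

# Read the stream as bytes, repair the header, write an ordinary file
[byte[]]$raw = Get-Content -Path $file -Stream 'streaming' -Encoding Byte -ReadCount 0
$fixed = Repair-JfifHeader -Bytes $raw
[System.IO.File]::WriteAllBytes((Join-Path $dir 'streaming.jpg'), $fixed)

# Show the first 11 bytes of the repaired data as hex
($fixed[0..10] | ForEach-Object { $_.ToString('X2') }) -join ' '
```

For the real challenge file, point `$file` at the extracted `budget` file and skip the block that constructs the sample.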