logoChat01.ai

tên challenge: Don't forget to lock mô tả: We seiz...

Created on: May 8, 2026

Answered using GPT-5.5 Thinking by Chat01

Question

challenge_part_aa
challenge_part_ab
challenge2.7z

tên challenge: Don't forget to lock
mô tả: We seized a suspect's computer and managed to capture a RAM dump before it was powered off, along with an encrypted disk. Your objective is to decrypt the drive.
flag format: THC{...}
solve challenge

Thought

bash -lc python3 - <<'PY' import zipfile, io, re p='/mnt/data/work/decrypted.raw' with open(p,'rb') as f: data=f.read()

find zip that contains flag.txt

for m in re.finditer(b'PK\x03\x04', data): off=m.start() if b'flag.txt' in data[off:off+200]: print('zip off', off) # find EOCD after eocd=data.find(b'PK\x05\x06', off) print('eocd', eocd) blob=data[off:eocd+22] if eocd!=-1 else data[off:] z=zipfile.ZipFile(io.BytesIO(blob)) print(z.namelist()[:20]) print('flag repr',repr(z.read('flag.txt'))) break PY

Thought for 16m 21s

Answer

Solved.

I decrypted the BitLocker volume using the FVEK recovered from the RAM dump:

93c6450bf0226b49a531fada4f1f5e45fffddbda17fd86e8feff378a21c86142

Inside the decrypted NTFS image, there was a ZIP/carved archive containing flag.txt.

flag.txt contains:

text
THCon{TMTC_B1nwalk_D3t3ct3d}

Note: the challenge statement says THC{...}, but the recovered flag.txt literally contains THCon{...}.

Share this Q&A