Belkasoft organized another CTF, their 4th. For this CTF, we are given a Linux disk dump and some questions to answer.

The Belkasoft team also provided us with trials of Belkasoft X and Passware.

Download the challenge file from here

Password for the archive: MJSWY23BONXWM5DDORTEAMRQGIZA====

I couldn’t play during the CTF; however, I solved the challenges after the CTF. It was fun playing this CTF, and it was an interesting one.

Initial Analysis

We are given a Linux disk dump; load it into your favorite tool, such as Autopsy, FTK or Belkasoft X.

Once it is loaded, we can find 2 users in the given Linux dump: ivan and stanley.

We can see Thunderbird mail is installed for the user stanley.

We can see some database information and invoice related data regarding

We can also see some parts of crypto wallets in ivan’s Documents directory.

Let's answer the questions.



We have to find all users present in the given Linux system.

For this, we can look directly at the list of directories under /home, or check /etc/passwd or /etc/shadow, where we can get the list of users present in the system.

We can see ivan and stanley as the users present in the given Linux machine.


ivan, stanley
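The check described above can be scripted so that service accounts are filtered out. This is an added example, not part of the original write-up; the sample file contents, UIDs and hashes are constructed, and the 1000 to 60000 UID range is an assumption based on common `/etc/login.defs` defaults.

```python
# Constructed sample files; UIDs, GECOS fields and hashes are placeholders.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
ivan:x:1000:1000:Ivan,,,:/home/ivan:/bin/bash
stanley:x:1001:1001:Stanley,,,:/home/stanley:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
"""
SAMPLE_SHADOW = """\
root:!:18900:0:99999:7:::
daemon:*:18900:0:99999:7:::
ivan:$6$CONSTRUCTED$placeholderhash:18950:0:99999:7:::
stanley:$6$CONSTRUCTED$placeholderhash:18951:0:99999:7:::
"""
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

def parse_passwd(text):
    """Yield (name, uid, home, shell) for well-formed 7-field passwd lines."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdecimal():
            continue  # skip blank, commented or malformed entries
        yield fields[0], int(fields[2]), fields[5], fields[6]

def password_states(shadow_text):
    """Map user -> 'locked', 'empty' or 'hash' from the second shadow field."""
    states = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        pw = fields[1]
        states[fields[0]] = ("empty" if pw == "" else
                             "locked" if pw[0] in "!*" else "hash")
    return states

def interactive_users(passwd_text, shadow_text, uid_min=1000, uid_max=60000):
    """Accounts in the regular-user UID range that have a login shell."""
    states = password_states(shadow_text)
    return [(name, uid, home, states.get(name, "no shadow entry"))
            for name, uid, home, shell in parse_passwd(passwd_text)
            if uid_min <= uid <= uid_max and shell not in NOLOGIN_SHELLS]

if __name__ == "__main__":
    for row in interactive_users(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(row)
```
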

Special Website

We need to find the website that the user is using to get his pocket money.

We can check the web browser history to see which websites he accessed.

We can see that the Firefox browser is installed, so we can check the places.sqlite database, where the browser history is stored.
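The history lookup described above, as an added example that is not part of the original write-up. It reads the `moz_places` and `moz_historyvisits` tables and converts `visit_date` (microseconds since the Unix epoch) to UTC; the in-memory database, URLs and timestamps are constructed, and the function names are hypothetical.

```python
import sqlite3
from collections import Counter
from datetime import datetime, timedelta, timezone
from pathlib import Path
from urllib.parse import urlsplit

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
HISTORY_SQL = """
    SELECT v.visit_date, p.url, p.title
    FROM moz_historyvisits AS v
    JOIN moz_places AS p ON p.id = v.place_id
    ORDER BY v.visit_date
"""

def open_readonly(path):
    """Open an exported copy of places.sqlite without write access."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)

def read_history(db):
    """Return (UTC ISO time, url, title) for every visit, oldest first."""
    return [((EPOCH + timedelta(microseconds=us)).isoformat(), url, title)
            for us, url, title in db.execute(HISTORY_SQL)]

def visits_per_host(db):
    """Count visits per hostname, most visited first."""
    hosts = Counter(urlsplit(url).hostname for _, url, _ in read_history(db))
    return hosts.most_common()

def build_sample_db():
    """Constructed stand-in for places.sqlite (only the columns used above)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (
            id INTEGER PRIMARY KEY, place_id INTEGER, visit_date INTEGER);
        INSERT INTO moz_places VALUES
            (1, 'https://www.example.org/', 'Example'),
            (2, 'http://shop.example.test/product?id=7', 'Shop');
        INSERT INTO moz_historyvisits VALUES
            (1, 1, 1637900000000000),
            (2, 2, 1637900060000000),
            (3, 2, 1637903600000000);
    """)
    return db

if __name__ == "__main__":
    sample = build_sample_db()
    for when, url, title in read_history(sample):
        print(when, url, title)
    print(visits_per_host(sample))
```

On a real case, pass the path of a places.sqlite file exported from the image to `open_readonly()` instead of calling `build_sample_db()`.
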



We have to find the bitcoin wallet address used by the user.

When we open the website, the site contains information related to drugs and their prices. It seems to be a side business for the user.

After viewing a product we can see a bitcoin address for paying the amount.




The plot given says the user reports his sales to someone.

We have to find the conversation between them so that we can get the sales report and see which date has the most sales.

As we know that the user stanley has Thunderbird mail installed, let us check the conversations.

As we can see, the user shared a month-wise database containing his sales.

Unfortunately, the archive is password protected.

We can use Passware to crack the password.

As you can see above, the password for the archive is vondutcemonaheem_gangsta78.

The wordlist used for cracking the password is already given in the dump. It is located at /home/stanley/.thunderbird/xzyby22m.default-release/Mail/Local Folders/trashwords.txt.

Another interesting file in this folder is Trash.txt, which contains the password of the zip file.

We extract the CSV files from the archive and grep for Acapulco Gold to find the date when the sales are highest.

As you can see above, 2021-05-12 has the highest sales.




We have to find the private bitcoin wallet address used by the user.

In ivan’s Documents directory, we found a .custom_info file containing information regarding the private bitcoin wallet.

The contents of the file are:

M y p r i v a t e c u s t o m c r y p t o w a l l e t : bc1q__2kgdygjrs__zq2n0yrf2493p__kkfjhx__lh ( b i t c o i n )

Some of the characters are missing.

In the same directory we can see some invoice documents. In one of these documents, the endianness is changed and the header is not present.

After we change the endianness and add the header, we can see the complete bitcoin wallet ID.




We have to find the password of the secret note.

We can find that secret note in stanley’s Documents directory.

We can extract it and see its file type.

It is a CDFV2 Encrypted file, which is just a protected Microsoft Word document.

Now, we have to find the password for this file.

There is a file named NOTHING_IMPORTANT_INFO.pdf in ivan’s hidden folder named .info.

It contains an embedded file named passwd. After opening it, we find some base-encoded text.

Opening it in CyberChef, we can get the decoded string.

As you can see in the above decoded string, we got the password of the note.




We need to find the secret pin mentioned in the notes.

After we open the notes, we find a threat note where tux threatens to kidnap.

He also mentioned that you stored the secret pin in a conversation recorded in a shark (probably meaning a Wireshark/tshark capture or a pcap file).

We found a pcap file in ivan’s Music directory.

We can open the PCAP in Wireshark and check the protocol hierarchy to find which protocols are present in the capture.

We can see an audio file transferred over HTTP.

We can open the file in Audacity or Sonic Visualiser and view it as a spectrogram to get the flag.




We are asked to find the timestamp when the user got the threat.

In the previous question, we saw a threat note with a timestamp noting when it was written.

The user mentions that he wrote this note 10 minutes after the threat. So we have to subtract 10 min from the timestamp.

In epoch time, 1 min = 60 sec. So 10 min = 600 sec.

The original timestamp is 1637948867 and subtracting 600 sec gives the flag.




We need to find who the kidnapper threatened.

We can find a file in ivan’s .local directory. It is a password-protected file.

As we found a secret pin in the other question, we can try using it as a password (flag{1257}) to extract the contents of the zip file.

It worked and we got a sheet containing names and emails.

The threat mentioned that 0xTux is the kidnapper, so we can find his email from the sheet we received.