Day 5 – MS-DOS and File Magic Bytes – Advent of Cyber 2023 – TryHackMe Challenge

Day 5 of the Advent of Cyber 2023. After the code for the server room door was recovered and access to the backup tapes was gained, it was discovered that the internal tool for recovering the backups fails to restore them. A way to troubleshoot the backups has been found, but it only runs on an old DOS machine. Luckily, such a machine is found at the back of the server room.

WARNING: Spoilers and challenge-answers are provided in the following writeup.
An official walk-through video is also available on YouTube - Simply Cyber.

Day 5 - A Christmas DOScovery: Tapes of Yule-tide Past

Today's challenge lives within MS-DOS, an old system predating what we currently know as Microsoft Windows. Within it, we're tasked with editing a file to fix its "magic bytes", also called its "file signature" (wiki).

The Challenge

On the challenge machine we're provided with an MS-DOS application that we launch. It greets us with a splash screen.

Splash screen

We're then informed that we need to restore the backup file C:\AC2023.BAK, using the tool at C:\TOOLS\BACKUP\BUMMASTER.EXE.
First, taking a look in the C:\ directory, we see that the size of the backup file is 12.407 bytes, which gives us the answer to the first question of the day.


Trying to recover the backup shows that it does indeed seem to be corrupt or non-functional in some way.

Recover Error

The backup tool comes with a README.TXT. When we open that file, we are greeted with the name of the tool, which is the answer to the second question.


Digging deeper and looking under the "Troubleshooting" section of the readme file, we can see that the tool expects backup files to have the file signature AC, or in hex 41 43. This gives us the answer to the third question.

README Troubleshoot

Using the editor EDIT we can then open the backup file and change the two XX characters at the start of the file to the correct AC. Running the backup tool again, we can see that it succeeds, and with that we have finished today's challenge.
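
The same signature check and repair can be scripted outside DOS. The following Python is an added example, not part of the original writeup or the challenge tooling; the function names are assumptions and the sample file is a constructed stand-in for AC2023.BAK.

```python
import os
import tempfile

EXPECTED_MAGIC = b"AC"  # 0x41 0x43, the signature the README says the tool expects


def read_magic(path, length=len(EXPECTED_MAGIC)):
    """Return the first `length` bytes of the file (fewer if the file is shorter)."""
    with open(path, "rb") as fh:
        return fh.read(length)


def has_valid_magic(path, expected=EXPECTED_MAGIC):
    return read_magic(path, len(expected)) == expected


def repair_magic(path, expected=EXPECTED_MAGIC):
    """Overwrite the leading bytes in place with the expected signature.

    Returns the bytes that were replaced, or None if the file was already valid.
    """
    current = read_magic(path, len(expected))
    if len(current) < len(expected):
        raise ValueError("file is shorter than the signature")
    if current == expected:
        return None
    with open(path, "r+b") as fh:  # r+b overwrites without truncating the file
        fh.seek(0)
        fh.write(expected)
    return current


def demo():
    # Constructed sample: first two bytes are "XX", as in the challenge file
    payload = b"XX" + bytes(range(32))
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "AC2023.BAK")
        with open(path, "wb") as fh:
            fh.write(payload)
        before = has_valid_magic(path)
        replaced = repair_magic(path)
        after = has_valid_magic(path)
        with open(path, "rb") as fh:
            data = fh.read()
        # Only the two signature bytes may change; the rest must be untouched
        return before, replaced, after, data == b"AC" + payload[2:]


if __name__ == "__main__":
    print(demo())
```

Work on a copy of a real backup file, since the repair writes in place.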


