Compromised
We are given an evidence.zip file with the hint "Where aRe you?".
Let's unzip it and see what we have.
It looks like a lot of Windows folders and files with useless .ini and .lnk extensions. Let's try to find something interesting.
Looks like I found a flag.png file. Let's try to open it.
Hmm, it seems to be a corrupted file. Or... maybe not? Let's check it in the terminal.
Aha, it's a zip file. Let's unzip it.
It's a flag.txt file, but it's password protected.
Instead of brute-forcing it, I decided to check all the folders to find more files.
I found files with the .rdp extension. An .rdp file is a Remote Desktop Connection file, which means the machine previously had a connection to another computer.
In the Terminal Server Client folder I found a file with a .bin extension and one with a .bmc extension. I googled them and found a Medium post about them.
It says that the .bin file is a memory dump file and the .bmc file is a memory map file.
I used the terminal to check the .bin file.
It has the same header as in the Medium post: the RDP8bmp format. Let's try to convert it to an image.
I used the same tools as the Medium post.
The result is hard to read, with a lot of scattered images, so I found another workaround to combine them all together.
It looks like a screenshot of a Windows desktop. Let's try to find something interesting.
Aha, a zip password. Let's unzip the flag.txt file and get the flag.
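The two terminal checks above (flag.png turning out to be a zip, and the .bin file starting with RDP8bmp) can be scripted. This is an added example, not part of the original write-up or the tools from the Medium post. The 12-byte file header and the tile layout (8-byte key, 16-bit width and height, 32-bit pixels) are assumptions, and the sample bytes are constructed.

```python
import struct

# Magic numbers for the file types met in this write-up.
MAGICS = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"PK\x03\x04": "zip",
    b"RDP8bmp\x00": "rdp8bmp",
}
RDP8_HEADER_LEN = 12  # assumed: 8-byte magic + 4-byte version
TILE_HEADER_LEN = 12  # assumed: 8-byte key + uint16 width + uint16 height
BYTES_PER_PIXEL = 4   # assumed: 32-bit pixels


def sniff(data):
    """Return the type named by the leading magic bytes, or None."""
    for magic, name in MAGICS.items():
        if data.startswith(magic):
            return name
    return None


def mismatched(filename, data):
    """True when a .png/.zip extension disagrees with the magic bytes."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return ext in ("png", "zip") and sniff(data) != ext


def rdp8_tiles(data):
    """List (offset, width, height) for each complete tile in the cache."""
    if sniff(data) != "rdp8bmp":
        raise ValueError("not an RDP8bmp cache file")
    tiles, pos = [], RDP8_HEADER_LEN
    while pos + TILE_HEADER_LEN <= len(data):
        width, height = struct.unpack_from("<HH", data, pos + 8)
        size = width * height * BYTES_PER_PIXEL
        if size == 0 or pos + TILE_HEADER_LEN + size > len(data):
            break  # truncated or malformed tile: stop instead of misparsing
        tiles.append((pos, width, height))
        pos += TILE_HEADER_LEN + size
    return tiles


def make_tile(w, h):
    """Build one constructed tile: dummy key, dimensions, blank pixels."""
    return b"K" * 8 + struct.pack("<HH", w, h) + b"\x00" * (w * h * 4)


# Constructed sample input, not taken from the challenge evidence.
FAKE_PNG = b"PK\x03\x04" + b"\x00" * 26
FAKE_CACHE = (b"RDP8bmp\x00" + struct.pack("<I", 0)
              + make_tile(64, 64) + make_tile(64, 32) + b"\x01\x02")

if __name__ == "__main__":
    print("flag.png:", sniff(FAKE_PNG), mismatched("flag.png", FAKE_PNG))
    print("tiles:", rdp8_tiles(FAKE_CACHE))
```
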