Compromised

We are given an evidence.zip file with the hint "Where aRe you?".
Let's unzip it and see what we have.

It looks like a lot of Windows folders and files with useless .ini and .lnk extensions. Let's try to find something interesting.

Looks like I found a flag.png file. Let's try to open it.

Hmm, it seems like a corrupted file. Or... maybe not? Let's check it with the terminal.

Ahaa, it's a zip file. Let's unzip it.

It's a flag.txt file, but it's password protected.
Instead of brute-forcing it, I decided to check all the folders to find more files.


I found files with the .rdp extension. It's a Remote Desktop Connection file. That means it previously had a connection to another computer.
In the Terminal Server Client folder I found files with the .bin and .bmc extensions. I googled them and found a Medium post about them.
It says that the .bin file is a memory dump file and the .bmc is a memory map file.
I used the terminal to check the .bin file.

It has the same header as in the Medium post. That's the RDP8bmp format. Let's try to convert it to an image.
I used the same tools as the Medium post.
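
The two header checks above (flag.png turning out to be a zip, and the .bin file starting with RDP8bmp) can be scripted over the whole unzipped evidence tree. This is an added example, not part of the original write-up; the function names, the sample files and the Cache0000.bin name are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Leading magic bytes. PNG and ZIP are the standard signatures;
# "RDP8bmp" is the header the write-up reports for the .bin file.
SIGNATURES = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip"),
    (b"RDP8bmp", "rdp8bmp-cache"),
]
EXPECTED = {".png": "png", ".zip": "zip"}  # .bin is generic: no expectation

def identify(path):
    """Return the type implied by the file's first bytes, or None."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    return next((kind for magic, kind in SIGNATURES if head.startswith(magic)), None)

def triage(root):
    """Return (extension/content mismatches, RDP8bmp cache files) under root."""
    root = Path(root)
    mismatches, caches = [], []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel, kind = path.relative_to(root).as_posix(), identify(path)
        expected = EXPECTED.get(path.suffix.lower())
        if expected and kind != expected:
            mismatches.append((rel, expected, kind))
        if kind == "rdp8bmp-cache":
            caches.append(rel)
    return mismatches, caches

def build_sample(root):
    """Constructed stand-in for the unzipped evidence tree (not real data)."""
    samples = {
        "flag.png": b"PK\x03\x04" + bytes(26),        # zip hiding behind .png
        "real.png": b"\x89PNG\r\n\x1a\n" + bytes(8),  # genuine PNG signature
        "Terminal Server Client/Cache/Cache0000.bin": b"RDP8bmp\x00" + bytes(8),
    }
    for rel, data in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(triage(tmp))
```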

It's hard to see, with a lot of scattered images. So I found another workaround to combine them all together.


It looks like a screenshot of a Windows desktop. Let's try to find something interesting.

Ahaa, a zip password, let's try to unzip the flag.txt file and get the flag.
