Bitlocker-1

Published: April 2, 2025 | Updated: December 9, 2025

Description

A BitLocker-encrypted drive image uses a weak password. Extract the BitLocker hashes, crack them with a wordlist, then mount the unlocked volume to read flag.txt.

Run bitlocker2john against the disk image to convert it into hashcat-ready format.

Crack the resulting hash with wordlist attacks (rockyou.txt suffices).

Use dislocker to mount the disk with the recovered password, then mount the decrypted filesystem to read flag.txt.

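```bash
# Extract the $bitlocker$ hashes from the image
python3 john/run/bitlocker2john.py bitlocker-1.dd > hashes.txt
# Wordlist attack, hashcat mode 22100 (BitLocker)
hashcat -m 22100 hashes.txt rockyou.txt
# Create the mount points, unlock with the recovered password, then loop-mount the decrypted volume
sudo mkdir -p /mnt/dd_image /mnt/bitlocker_data
sudo dislocker -V ~/bitlocker-1.dd -u"jacqueline" -- /mnt/dd_image
sudo mount -o loop /mnt/dd_image/dislocker-file /mnt/bitlocker_data
cat /mnt/bitlocker_data/flag.txt
```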

Solution

  1. Extract the hash
    bitlocker2john converts the image to `$bitlocker$...` lines. Save them to hashes.txt for cracking.
  2. Recover the password
    Run `hashcat -m 22100 hashes.txt rockyou.txt` (or use John). One of the entries cracks quickly as `jacqueline`.
  3. Mount with dislocker
    Point dislocker at the image with `-u"jacqueline"` (the password is attached directly to `-u`, with no space), loop-mount the generated dislocker-file, and read flag.txt inside the mounted NTFS volume.
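
To make the `$bitlocker$...` lines from step 1 less opaque, here is an added example (not part of the original writeup or of John the Ripper) that parses bitlocker2john output and reports what each line protects and how many KDF iterations it declares. The field layout and the meaning of the type digit are assumptions based on the commonly documented format, and the sample input is constructed.

```python
import re
from dataclasses import dataclass

# Assumed field layout of one bitlocker2john line:
# $bitlocker$<type>$<salt_len>$<salt>$<iterations>$<nonce_len>$<nonce>$<data_len>$<data>
LINE_RE = re.compile(
    r"^\$bitlocker\$([0-3])\$(\d+)\$([0-9a-f]+)\$(\d+)\$(\d+)\$([0-9a-f]+)\$(\d+)\$([0-9a-f]+)$"
)
# Assumed meaning of the type digit.
KINDS = {0: "user password", 1: "user password + MAC check",
         2: "recovery password", 3: "recovery password + MAC check"}

@dataclass
class BitlockerHash:
    kind: str
    salt: bytes
    iterations: int
    nonce: bytes
    data: bytes

def parse_line(line):
    """Return a BitlockerHash, or None if the line is not a well-formed hash."""
    m = LINE_RE.match(line.strip().lower())
    if not m:
        return None
    htype, salt_len, salt, iters, nonce_len, nonce, data_len, data = m.groups()
    # Declared lengths are in bytes; each hex field must agree with its length.
    for declared, hexval in ((salt_len, salt), (nonce_len, nonce), (data_len, data)):
        if len(hexval) != 2 * int(declared):
            return None
    return BitlockerHash(KINDS[int(htype)], bytes.fromhex(salt), int(iters),
                         bytes.fromhex(nonce), bytes.fromhex(data))

def summarize(text):
    """Parse every line of bitlocker2john output, skipping banner and noise lines."""
    return [h for h in map(parse_line, text.splitlines()) if h is not None]

# Constructed sample input (not taken from the challenge image).
SAMPLE = "\n".join([
    "User Password hash:",
    "$bitlocker$1$16$" + "ab" * 16 + "$1048576$12$" + "cd" * 12 + "$60$" + "ef" * 60,
    "$bitlocker$2$16$" + "ab" * 16 + "$1048576$12$" + "cd" * 12 + "$60$" + "ef" * 60,
    "$bitlocker$1$16$" + "ab" * 15 + "$1048576$12$" + "cd" * 12 + "$60$" + "ef" * 60,  # truncated salt
])

if __name__ == "__main__":
    for h in summarize(SAMPLE):
        print(f"{h.kind}: {h.iterations} KDF iterations, salt={h.salt.hex()}")
```

The iteration count shows that key stretching raises the cost of each guess but does not protect a password that already sits in a public wordlist.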

Flag

picoCTF{us3_b3tt3r_p4ssw0rd5_pl5!_324...}

Remember to install dislocker and ntfs-3g if your distro lacks them.