Description
A BitLocker-encrypted drive image uses a weak password. Extract the BitLocker hashes, crack them with a wordlist, then mount the unlocked volume to read flag.txt.
Confirm what you have: file bitlocker-1.dd should report a DOS/MBR boot sector with NTFS markers (the BitLocker payload sits inside).
Run bitlocker2john against the disk image to extract a $bitlocker$... hash line. The script ships with John the Ripper Jumbo (apt install john on Kali, or build john-jumbo from source).
Crack the resulting hash with hashcat mode 22100 against rockyou.txt.
Use dislocker to mount the disk with the recovered password, then loop-mount the decrypted file to read flag.txt.
file bitlocker-1.dd
bitlocker2john bitlocker-1.dd > hashes.txt
# or: python3 /opt/john/run/bitlocker2john.py bitlocker-1.dd > hashes.txt
hashcat -m 22100 hashes.txt /usr/share/wordlists/rockyou.txt
sudo mkdir -p /mnt/dd_image /mnt/bitlocker_data
sudo dislocker -V bitlocker-1.dd -u"jacqueline" -- /mnt/dd_image
sudo mount -o loop /mnt/dd_image/dislocker-file /mnt/bitlocker_data
ls /mnt/bitlocker_data/
head -c 200 /mnt/bitlocker_data/flag.txt
Solution
Step 1: Extract the hash
Run which bitlocker2john. If it returns a path, use that. Otherwise locate bitlocker2john.py in the John Jumbo source tree (often /opt/john/run/) and call it explicitly with python3. Save the $bitlocker$... output to hashes.txt for cracking.
The end-to-end flow stacks four layers: BitLocker encrypts the volume with AES; the disk image holds the encrypted volume; bitlocker2john extracts the password-verification hash from the volume metadata so the password can be cracked offline; and dislocker uses the recovered password to decrypt the volume back into a readable filesystem.
BitLocker is Microsoft's full-volume encryption feature built into Windows. It encrypts entire drive volumes using AES (typically 128-bit or 256-bit) and protects the encryption key with one of several authentication methods: a password, a PIN, a USB key, or a TPM chip. The drive image in this challenge is protected by a user-supplied password.
bitlocker2john is a script from the John the Ripper project that parses a BitLocker-protected disk image and extracts a hash line in the $bitlocker$... format. This hash encodes the password-derived key protection record, which BitLocker stores in the Volume Boot Record metadata. The hash can then be fed to offline password crackers like John or Hashcat without mounting the actual drive.
The .dd file extension denotes a raw disk image created by tools like dd, a byte-for-byte copy of the original storage media. Forensic investigators create these images to preserve evidence without altering the original disk. Raw images can be analyzed, mounted, and cracked just like the original media, making them central to digital forensics workflows.
Step 2: Recover the password
Run hashcat -m 22100 hashes.txt /usr/share/wordlists/rockyou.txt (or john --wordlist=...). bitlocker2john often emits multiple hash lines (one per protector); -m 22100 is the user-password protector. Hashcat success looks like <plaintext>:<hash> in the output. For this challenge it cracks as jacqueline.
Hashcat is the world's fastest password recovery tool, capable of leveraging GPU parallelism to test billions of hash candidates per second. Mode -m 22100 targets the BitLocker-with-user-supplied-password format. Hashcat supports dozens of attack modes: dictionary attacks (wordlist), brute-force, rule-based mutations, combinator attacks, and mask attacks.
rockyou.txt is the most famous password wordlist in security research, containing approximately 14 million real passwords leaked from the 2009 RockYou data breach. Weak passwords like common first names appear early in the list, which is why the password "jacqueline" cracks quickly. This demonstrates why dictionary words - even uncommon ones - should never be used as encryption passwords.
Proper BitLocker protection requires a complex, randomly generated recovery key (a 48-digit numeric code that BitLocker can generate) rather than a user-chosen password. In enterprise environments the recovery key is stored in Active Directory or in a Microsoft account. Using a strong random recovery key makes offline dictionary attacks computationally infeasible. The Hash Cracking guide covers hashcat mode lookups, rule-based mutation, and mask attacks for cases where rockyou alone isn't enough.
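bitlocker2john usually prints several $bitlocker$ lines (plus progress text), and only the user-password protector is what -m 22100 cracks; recovery-password lines are the 48-digit key, which no wordlist will hit. The following added example (not code from bitlocker2john, John or hashcat) parses each line, checks the declared field lengths against the payload, and keeps the user-password lines; the field layout and the 0-3 type values are assumptions based on bitlocker2john's output format, and the sample lines are constructed placeholders, not from a real image.

```python
# Added example for this write-up, not code from bitlocker2john, John or hashcat.
# Assumed bitlocker2john line layout (from its output format):
#   $bitlocker$<type>$<salt_len>$<salt>$<iterations>$<nonce_len>$<nonce>$<data_len>$<mac+vmk>
# Assumed type values: 0/1 = user password (what -m 22100 cracks), 2/3 = recovery password.
from dataclasses import dataclass

PROTECTOR_KIND = {0: "user password", 1: "user password", 2: "recovery password", 3: "recovery password"}

@dataclass
class BitLockerHash:
    protector: int
    salt: bytes
    iterations: int       # KDF rounds the cracker must run per password candidate
    nonce: bytes
    mac: bytes            # 16-byte AES-CCM tag over the encrypted VMK
    encrypted_vmk: bytes  # volume master key wrapped with the password-derived key

    @property
    def kind(self) -> str:
        return PROTECTOR_KIND.get(self.protector, "unknown")

def parse_bitlocker_line(line: str) -> BitLockerHash:
    """Split one $bitlocker$ line and check each declared length against its payload."""
    f = line.strip().split("$")
    if len(f) != 10 or f[0] != "" or f[1] != "bitlocker":
        raise ValueError(f"not a $bitlocker$ line: {line!r}")
    salt, nonce, data = (bytes.fromhex(f[i]) for i in (4, 7, 9))
    if (len(salt), len(nonce), len(data)) != (int(f[3]), int(f[6]), int(f[8])):
        raise ValueError(f"declared length does not match payload: {line!r}")
    return BitLockerHash(int(f[2]), salt, int(f[5]), nonce, data[:16], data[16:])

def user_password_hashes(text: str) -> list[str]:
    """Keep only user-password protector lines; the tool also prints progress text,
    and recovery-password lines are the 48-digit key that no wordlist will hit."""
    return [line for line in text.splitlines()
            if line.startswith("$bitlocker$") and parse_bitlocker_line(line).kind == "user password"]

# Constructed sample output with placeholder hex (not taken from a real image).
SAMPLE_OUTPUT = "\n".join([
    "(progress text from the tool, constructed)",
    "$bitlocker$0$16$" + "11" * 16 + "$1048576$12$" + "22" * 12 + "$60$" + "aa" * 16 + "bb" * 44,
    "$bitlocker$1$16$" + "11" * 16 + "$1048576$12$" + "22" * 12 + "$60$" + "cc" * 16 + "dd" * 44,
    "$bitlocker$2$16$" + "33" * 16 + "$1048576$12$" + "44" * 12 + "$60$" + "ee" * 16 + "ff" * 44,
])

if __name__ == "__main__":
    for h in user_password_hashes(SAMPLE_OUTPUT):
        p = parse_bitlocker_line(h)
        print(f"type {p.protector}: {p.kind}, {p.iterations} KDF rounds, salt {p.salt.hex()}")
```

Write the returned lines to hashes.txt and hashcat only has to work on the protector a wordlist can actually hit.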
Step 3: Mount with dislocker
mkdir the two mountpoints first. Point dislocker at the image with -u"jacqueline", then loop-mount the generated dislocker-file as NTFS. flag.txt sits at the root of the mounted volume.
Dislocker is an open-source Linux tool that decrypts BitLocker volumes. Given a password, recovery key, or BEK file, it decrypts the volume and presents it as a virtual FUSE filesystem containing a file called dislocker-file, which is the decrypted raw partition image. This file can then be mounted normally using the mount command with a loop device.
The two-step mount process is necessary because dislocker operates at the encryption layer while mount operates at the filesystem layer. BitLocker wraps an NTFS (or FAT32/exFAT) filesystem, so after dislocker strips the encryption, the underlying filesystem still needs to be interpreted by the kernel's NTFS driver (provided by the ntfs-3g package on Linux).
This workflow - extract hash, crack password, mount and read - is standard in digital forensics and incident response (DFIR). Investigators frequently encounter BitLocker-encrypted drives on seized hardware. Commercial tools like FTK and EnCase have built-in BitLocker support, while open-source workflows like this one demonstrate the same capability without licensing costs.
Flag
picoCTF{us3_b3tt3r_p4ssw0rd5_pl5!_324...}
Remember to install dislocker and ntfs-3g if your distro lacks them.