TryHackMe: Advent of Cyber 2023 (Day 5) A Christmas DOScovery: Tapes of Yule-tide Past
Today we will be messing around with DOS, a blast from the past for those of us who lived in the olden times.
“The backup tapes have finally been recovered after the team successfully hacked the server room door. However, as fate would have it, the internal tool for recovering the backups can’t seem to read them. While poring through the tool’s documentation, you discover that an old version of this tool can troubleshoot problems with the backup. But the problem is, that version only runs on DOS (Disk Operating System)!
Thankfully, tucked away in the back of the IT room, covered in cobwebs, sits an old yellowing computer complete with a CRT monitor and a keyboard. With a jab of the power button, the machine beeps to life, and you are greeted with the DOS prompt.
Frost-eau, who is with you in the room, hears the beep and heads straight over to the machine. The snowman positions himself in front of it giddily. “I haven’t used these things in a looong time,” he says, grinning.
He hovers his hands on the keyboard, ready to type, but hesitates. He lifts his newly installed mechanical arm, looks at the fat and stubby metallic fingers, and sighs.
“You take the helm,” he says, looking at you, smiling but looking embarrassed. “I’ll guide you.”
You insert a copy of the backup tapes into the machine and start exploring.”
Question 1: How large (in bytes) is the AC2023.BAK file?
The file is found in the root directory. You can see here that it is 12,704 bytes.
Question 2: What is the name of the backup program?
Navigate to the directory where the backup program resides.
Then open the readme file to find the name of the program, BackupMaster3000.
Question 3: What should the correct bytes be in the backup's file signature to restore the backup properly?
In the troubleshooting section of the above image, it says the magic bytes need to be 41 43.
Question 4: What is the flag after restoring the backup successfully?
If you open the file, you can see that it just says XX in the top left corner where those bytes are supposed to be.
We can correct that by editing the file. Before we do that, though, 41 43 needs to be converted from hex values to ASCII. There are lots of online converters you can use for this; just type “hex to ASCII” in Google.
Save the file and then exit.
From here just run the file for the flag!
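The same signature check and repair can be scripted instead of done by hand in an editor. This is an added example, not part of the original walkthrough or the room's tooling: the function names and the SAMPLE.BAK file are assumptions, and it works on a constructed file whose header reads XX, as described above.

```python
import os
import shutil
import tempfile

def parse_signature(hex_text):
    """Turn a documented signature such as '41 43' into raw bytes."""
    return bytes.fromhex(hex_text)

def check_signature(path, expected):
    """Return (ok, found), where found is the file's leading bytes."""
    with open(path, "rb") as fh:
        found = fh.read(len(expected))
    return found == expected, found

def repair_signature(path, expected):
    """Overwrite the leading bytes in place, keeping a .orig copy first.

    Returns the bytes that were replaced, or None if nothing changed.
    """
    ok, found = check_signature(path, expected)
    if ok:
        return None
    if len(found) < len(expected):
        raise ValueError("file is shorter than the signature")
    shutil.copy2(path, path + ".orig")      # keep the unmodified original
    with open(path, "r+b") as fh:           # r+b patches without truncating
        fh.seek(0)
        fh.write(expected)
    return found

def demo():
    """Constructed sample: a fake backup whose header reads 'XX'."""
    expected = parse_signature("41 43")     # value from the tool's readme
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "SAMPLE.BAK")  # hypothetical file name
    with open(path, "wb") as fh:
        fh.write(b"XX" + b"\x00constructed payload bytes")
    before = os.path.getsize(path)
    replaced = repair_signature(path, expected)
    ok, _ = check_signature(path, expected)
    return {"ascii": expected.decode("ascii"), "replaced": replaced,
            "ok": ok, "same_size": os.path.getsize(path) == before,
            "backup_kept": os.path.exists(path + ".orig")}

if __name__ == "__main__":
    print(demo())
```

Overwriting in place rather than inserting keeps the file length unchanged, so everything after the two signature bytes stays at the same offsets.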