//m_cold

Challenge hint: “the old way is the better way...who wants to use UEFI”

This hint is the entire compass for the solve: it strongly suggests legacy BIOS booting and therefore MBR (Master Boot Record)–era artifacts (sector 0), instead of UEFI/GPT/EFI System Partition.

>TL;DR

The flag is hidden inside the MBR (sector 0) as a short blob of bytes placed right after the classic boot error string Missing operating system. That blob is single-byte XOR obfuscated. Brute-forcing all 256 XOR keys reveals the flag.

Flag: CTF{y0u_f0und_th3_MBR}

>Files Provided

The directory contains:

disk.zip — a ZIP archive containing a single disk image (disk.img).
disk.zip:Zone.Identifier — Windows metadata; irrelevant to the solve.

>Step 1 — Quick Recon

List files:

bash


ls -la

Identify what’s inside the archive:

bash


file disk.zip

unzip -l disk.zip

Extract it:

bash


unzip -o disk.zip

Identify the extracted image:

bash


file disk.img

Expected output includes something like:

DOS/MBR boot sector; partition 1 ...

This is already consistent with the hint (“old way”, “not UEFI”).

>Step 2 — Partition Table Sanity Check (Optional)

This confirms the partition layout but is not where the flag is.

bash


sudo fdisk -l disk.img

In my run the image had a DOS/MBR disklabel and one Linux partition (type 0x83) starting at sector 2048.

>Step 3 — Mount the Partition (Optional, but good for forensics discipline)

Since it’s a forensics challenge, it’s worth mounting the filesystem read-only to see whether the flag is “normally” stored in a file.

Compute the offset: offset = start_sector * sector_size = 2048 * 512.

bash


mkdir -p mnt

sudo mount -o loop,ro,offset=$((2048*512)) disk.img mnt

ls -la mnt

I found:

message.txt (just says hello there...)
command.php (a small webshell-like system($_GET["cmd"]))
cute_cat.jpg

Then I searched for the flag pattern in the mounted filesystem:

bash


grep -R "CTF{" -n mnt || true

strings -a mnt/cute_cat.jpg | grep -E "CTF\\{|flag\\{" || true

No CTF{...} appeared in normal file contents.

Unmount afterward:

bash


sudo umount mnt

At this point, file-level hunting looks unproductive, and the challenge hint becomes decisive.

>Step 4 — Follow the Hint: Inspect the MBR (Sector 0)

Why the MBR?

The hint explicitly contrasts the “old way” with UEFI. In modern systems, UEFI points you toward:

GPT partition table
EFI System Partition
EFI/BOOT/bootx64.efi and friends

But an MBR/BIOS challenge points you toward:

Sector 0 (MBR boot code)
Bootloader error strings
Weird/hidden data in unused bytes or custom payloads

So I inspected the first 512 bytes:

bash


xxd -g 1 -l 512 disk.img | head -60

In the MBR, I saw the classic string:

Missing operating system

Immediately after that string, there was a short run of bytes that looked “out of place” for plain boot code / padding.

That’s a common CTF trick: hide data in boot sectors because most people only look at the mounted filesystem.

>Step 5 — Extract the Suspicious Blob and Break It

Observation

The bytes right after the null-terminated Missing operating system\\0 were:


71 66 74 49 4b 02 47 6d 54 02 47 5c 56 6d 46 5a 01 6d 7f 70 60 4f

The structure was “too patterned” to be random noise.

Given the commonality of XOR obfuscation in CTFs (cheap, reversible, fits in tiny spaces), I tested single-byte XOR.

Full solver script (exact code used)

Save as solve_mbr_xor.py or run inline.

python


#!/usr/bin/env python3

from pathlib import Path

# Read the first sector (MBR)

mbr = Path("disk.img").read_bytes()[:512]

# In this image, the blob starts right after the string "Missing operating system\\0"

# The slice below matches the exact offsets discovered during analysis.

blob = mbr[0x3A:0x50]  # 22 bytes

# Brute-force all single-byte XOR keys

for key in range(256):

    decoded = bytes(b ^ key for b in blob)

    if decoded.startswith(b"CTF{"):

        print("key:", hex(key))

        print(decoded.decode("ascii", errors="replace"))

        break

else:

    print("No CTF{ prefix found via single-byte XOR")

Run:

bash


python3 solve_mbr_xor.py

Output:

XOR key 0x32
CTF{y0u_f0und_th3_MBR}

>Why This Works (and Why This Was the Right Direction)

The challenge hint is explicit about rejecting UEFI, so the correct mental model is BIOS/MBR.
file disk.img confirmed it’s an MBR boot sector, reinforcing the hint.
The mounted filesystem contained “decoy” artifacts (a webshell-like PHP file and a JPG) but no flag.
The MBR contained a recognizable string used in boot code (Missing operating system).
The bytes immediately after that string were unusual and compact — perfect for a short flag after light obfuscation.
Single-byte XOR is the simplest reversible method that fits this pattern, so brute-forcing 256 keys is fast and reliable.

>References

These are general references that informed the approach (no special challenge-specific spoilers):

Wikipedia — Master boot record (MBR): https://en.wikipedia.org/wiki/Master_boot_record
OSDev Wiki — MBR (layout/boot code context): https://wiki.osdev.org/MBR
Sleuth Kit tools overview (general disk forensics tooling): https://www.sleuthkit.org/sleuthkit/