How do I access the Alternate Data Stream of an NTFS file using the Linux terminal?

-1

I am trying to solve a task in Google CTF 2019 beginner's quest. There is an NTFS file in the task. I know the file has an Alternate Data Stream (the hint mentions extended attributes).

I don't know how to access ADS in the Linux terminal. I used several tools and keywords, but I could not reveal the ADS, let alone access them.

Fawad Shah

Posted 2019-08-21T12:16:20.937

Reputation: 1

Answers

0

In Windows terms, dir /r doesn't show Extended Attributes; it shows Alternate Data Streams. (While EAs exist in Windows, they're mostly treated as a relic from OS/2.)

Do not extract the filesystem's contents using random tools like 7zip. This will lose most metadata (including EAs and ADSs), as these tools don't understand it and/or don't care about it. You need to inspect the file while it is still inside the original NTFS filesystem image.

  • You can use ntfs-progs to inspect the image's contents:

    ntfsls -l <image>
    ntfsinfo -F <path> <image>
    
  • You can mount the image using NTFS-3G with streams_interface=xattr, then just query the list of xattrs (in this mode, each NTFS stream is shown as a Linux xattr):

    attr -l <path>
    getfattr <path>
    
  • You can mount the image using NTFS-3G with streams_interface=windows, then query the virtual "ntfs.streams.list" xattr:

    attr -g ntfs.streams.list <path>
    getfattr -n user.ntfs.streams.list <path>
    

user1686

Posted 2019-08-21T12:16:20.937

Reputation: 283 655
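
To go from listing streams to reading them across a whole mounted image, the sketch below walks the tree and reports every named stream with its size and a short preview. It is an added example, not part of the answer above; it uses Python rather than shell so that listing and reading happen in one pass, and it assumes the image is mounted read-only with streams_interface=xattr so that streams appear as user.* xattrs. The image name and mount point in the docstring are placeholders.

```python
#!/usr/bin/env python3
"""Inventory NTFS named streams on an image mounted read-only, e.g.:

    mount -t ntfs-3g -o ro,loop,streams_interface=xattr image.ntfs /mnt/img

(image.ntfs and /mnt/img are placeholders). Linux only: uses os.listxattr.
"""
import os
import sys

# Assumption taken from the answer: with streams_interface=xattr each named
# stream shows up as an xattr in the Linux "user." namespace.
PREFIX = "user."


def streams_of(path):
    """Return {stream_name: bytes} for one file or directory."""
    try:
        names = os.listxattr(path, follow_symlinks=False)
    except OSError:  # unreadable entry, or a filesystem without xattr support
        return {}
    found = {}
    for name in names:
        if name.startswith(PREFIX):  # skip security.*, system.*, trusted.*
            data = os.getxattr(path, name, follow_symlinks=False)
            found[name[len(PREFIX):]] = data
    return found


def find_streams(root):
    """Walk root and return sorted (path, stream, size, preview) tuples."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # Directories can carry named streams too, so check dirpath itself.
        entries = [dirpath] + [os.path.join(dirpath, f) for f in filenames]
        for entry in entries:
            for stream, data in streams_of(entry).items():
                # latin-1 never fails to decode, so binary streams are safe.
                preview = data[:40].decode("latin-1")
                hits.append((entry, stream, len(data), preview))
    return sorted(hits)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, stream, size, preview in find_streams(root):
        print(f"{path}:{stream}\t{size} bytes\t{preview!r}")
```

Run it with the mount point as the only argument; output lines use the Windows-style `path:stream` notation.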