The starting artifact was a Firefox history database. It did not contain the answer directly; it preserved the first link in a trail that crossed a source repository, a commit discussion, and a shared evidence bundle.
Rebuild the browser trail
Firefox stores visited URLs in moz_places. A small SQLite query recovered the relevant history in chronological order:
SELECT url, title, last_visit_date
FROM moz_places
WHERE url IS NOT NULL
ORDER BY last_visit_date DESC;The useful entry pointed to a notes repository. A commit comment referenced a second repository, which in turn exposed a shared download containing a disk image and supporting pictures.
Inspect the filesystem, then ignore the decoys
Partition inspection placed an ext4 filesystem one mebibyte into the image. The visible download directory contained zero-byte files with tempting names, so filesystem listings alone were not enough.
We kept the image read-only and switched to carving. File signatures in the raw data recovered:
- an encrypted ZIP archive;
- multiple PNG images;
- a PDF document.
The recovered images and document were compared rather than treated independently. One note supplied the archive password; the obvious empty files were only decoys.
Unlock the final archive
The password opened the carved WinZip AES archive. Its contents provided the final evidence needed for the submission.
Takeaway
Browser history is often a map, not the destination. Preserve chronology, follow every repository reference, and inspect unallocated data when the mounted filesystem looks suspiciously clean.
Event page: No Hack No CTF 2026 on CTFtime.
