# FE01 - 100pts ## Briefing > Download the file and find a way to get the flag. Contents: fe01.ost Challenge Files: * [fe01.zip](https://github.com/HHousen/NCS-Competition/tree/e3a1ab990b675bd865fdddd9e5fa5cd7895b3b02/Forensics/FE01/fe01.zip) ## Solution 1. We can run `file fe01.ost` to determine that `fe01.ost` is a Microsoft Outlook email folder. 2. Searching online for a program that can read this identifies `pffexport`, which can be installed with `sudo apt install pff-tools`. 3. We can extract the content with `pffexport fe01.ost` and `cd` into `fe01.ost.export`. 4. Run `find . -type d -empty -delete` **in `fe01.ost.export`** to delete all empty directories. 5. Searching the folder for `flag` shows that `Root - Mailbox/IPM_SUBTREE/Inbox/Message00018/Attachments` has a ZIP file called `1_flag.zip` (as an attachment to the `Message00018` email) that is password protected. 6. Looking around some more reveals that the calendar contains the key. `Root - Mailbox/IPM_SUBTREE/Calendar/Appointment00001/Appointment.txt` has the name `c]5p@S7K/z}Z!Q - 11am meeting with Chris` so `c]5p@S7K/z}Z!Q` is the password. 7. Extracting the `1_flag.zip` with `c]5p@S7K/z}Z!Q` as the password shows an image `flag.jpg` with the flag in it. ### Flag `pst_i'm_in_here!` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://ncs2021.haydenhousen.com/forensics/fe01.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.