Forensics - Operation Oni - writeup
description
Download this disk image, find the key and log into the remote machine.
Note: if you are using the webshell, download and extract the disk image
into /tmp not your home directory.
writeup
So I went ahead, fired up the remote machine
and downloaded the disk image.
```
wget https://artifacts.picoctf.net/c/372/disk.img.gz
```
It is gzip compressed, so I first had to decompress it.
Now I have a ‘disk.img’ file.
```
file disk.img
disk.img: DOS/MBR boot sector; partition 1 : ID=0x83, active, start-CHS (0x0,32,33), end-CHS (0xc,223,19), startsector 2048, 204800 sectors; partition 2 : ID=0x83, start-CHS (0xc,223,20), end-CHS (0x1d,81,52), startsector 206848, 264192 sectors
```
That is a DOS (MBR) partition table.
Let’s look at the partitions.
```
fdisk -l disk.img
Disk disk.img: 230 MiB, 241172480 bytes, 471040 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x0b0051d0

Device     Boot  Start    End Sectors  Size Id Type
disk.img1  *      2048 206847  204800  100M 83 Linux
disk.img2       206848 471039  264192  129M 83 Linux
```
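What `file` and `fdisk` print above comes from the four 16-byte partition entries at byte 446 of the first sector. The following Python is an added example, not part of the original writeup: it parses those entries and derives the byte offsets that `mount -o ro,loop,offset=...,sizelimit=...` accepts. The function names are my own, and the sample sector is constructed from the values shown above with the CHS fields zeroed.

```python
import struct

SECTOR = 512  # logical sector size reported by fdisk above

def parse_mbr(sector0: bytes):
    """Return (disk_id, partitions) from the first 512 bytes of a DOS/MBR image."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature: not an MBR")
    disk_id = struct.unpack_from("<I", sector0, 440)[0]
    parts = []
    for i in range(4):
        # Entry layout: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) count(4)
        status, ptype, start, count = struct.unpack_from(
            "<B3xB3xII", sector0, 446 + 16 * i)
        if ptype == 0 or count == 0:
            continue  # unused slot
        parts.append({
            "index": i + 1,
            "active": status == 0x80,
            "type": ptype,
            "start": start,
            "sectors": count,
            "offset": start * SECTOR,     # value for mount -o offset=
            "sizelimit": count * SECTOR,  # value for mount -o sizelimit=
        })
    return disk_id, parts

def sample_sector() -> bytes:
    """Constructed sector 0 using the numbers from the fdisk output above."""
    buf = bytearray(SECTOR)
    struct.pack_into("<I", buf, 440, 0x0B0051D0)
    struct.pack_into("<B3xB3xII", buf, 446, 0x80, 0x83, 2048, 204800)
    struct.pack_into("<B3xB3xII", buf, 462, 0x00, 0x83, 206848, 264192)
    buf[510:512] = b"\x55\xaa"
    return bytes(buf)

if __name__ == "__main__":
    # For the real image, pass open("disk.img", "rb").read(512) instead.
    disk_id, parts = parse_mbr(sample_sector())
    print(f"disk identifier 0x{disk_id:08x}")
    for p in parts:
        print(f"p{p['index']} type=0x{p['type']:02x} active={p['active']} "
              f"start={p['start']} sectors={p['sectors']} "
              f"offset={p['offset']} sizelimit={p['sizelimit']}")
```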
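Let’s try to mount the partitions using my bash script again:
```
#!/usr/bin/bash
# Attach the image to a loop device (-P scans the partition table)
# and mount every partition it contains.
img="disk.img"
dev="$(sudo losetup --show -f -P "$img")"
echo "$dev"
for part in "$dev"?*; do
    # If the glob matched nothing it stays literal: fall back to the whole device.
    if [ "$part" = "${dev}?*" ]; then
        part="${dev}"
    fi
    dst="disk/$(basename "$part")"
    echo "$dst"
    mkdir -p "$dst"
    # The partition is already a block device, so "-o loop" is not needed;
    # mount read-only so the image is not modified.
    sudo mount -o ro "$part" "$dst"
done
```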
I was able to mount these two partitions:
disk/loop14p1
disk/loop14p2
The first partition is a boot partition and does not
contain any interesting data.
The second partition is a root partition.
In the directory of the root user I found a public and
a private ssh key.
```
ls loop14p2/root/.ssh
id_ed25519 id_ed25519.pub
```
I can use these credentials to log in to the ssh server
on the remote machine using the following command
that was mentioned in the description of this challenge:
```
ssh -i key_file -p 49764 ctf-player@saturn.picoctf.net
```
So let’s first copy the ssh private key:
```
cp disk/loop14p2/root/.ssh/id_ed25519 ./
```
Now let’s try to connect to the aforementioned ssh server…
```
ssh -i id_ed25519 -p 49764 ctf-player@saturn.picoctf.net
```
That does not work because the permissions of the ssh key are wrong.
I first have to change the owner to my own username, and the permissions
of ssh keys are usually 400.
So let’s fix that.
```
sudo chown pascal:pascal id_ed25519
```
```
sudo chmod 400 id_ed25519
```
Now the connection works!
```
ssh -i id_ed25519 -p 49764 ctf-player@saturn.picoctf.net
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.13.0-1017-aws x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

ctf-player@challenge:~$
```
In the home directory of that user there is a file flag.txt.
```
ctf-player@challenge:~$ pwd
/home/ctf-player
ctf-player@challenge:~$ ls
flag.txt
```
Let’s cat it out!
```
ctf-player@challenge:~$ cat flag.txt
picoCTF{k3y_5l3u7h_339601ed}
```
There is our flag!
```
picoCTF{k3y_5l3u7h_339601ed}
```