Forensics - Operation Orchid - writeup
description
Download this disk image and find the flag.
Note: if you are using the webshell, download and
extract the disk image into /tmp not your home directory.
https://artifacts.picoctf.net/c/242/disk.flag.img.gz
writeup
Ok, let's download the image first!

```bash
wget https://artifacts.picoctf.net/c/242/disk.flag.img.gz
```
Next I will extract it.

```bash
gunzip disk.flag.img.gz
```
```text
file disk.flag.img
disk.flag.img: DOS/MBR boot sector; partition 1 : ID=0x83, active, start-CHS (0x0,32,33), end-CHS (0xc,223,19), startsector 2048, 204800 sectors; partition 2 : ID=0x82, start-CHS (0xc,223,20), end-CHS (0x19,159,6), startsector 206848, 204800 sectors; partition 3 : ID=0x83, start-CHS (0x19,159,7), end-CHS (0x32,253,11), startsector 411648, 407552 sectors
```

That is a raw disk image with a DOS/MBR boot sector and three partitions.
Let's look at the partitions.

```text
fdisk -l disk.flag.img
Disk disk.flag.img: 400 MiB, 419430400 bytes, 819200 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xb11a86e3

Device          Boot  Start    End Sectors  Size Id Type
disk.flag.img1  *      2048 206847  204800  100M 83 Linux
disk.flag.img2       206848 411647  204800  100M 82 Linux swap / Solaris
disk.flag.img3       411648 819199  407552  199M 83 Linux
```
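As an added example that is not part of the original writeup, the following Python rebuilds the partition table fdisk reported as a 512-byte MBR, parses it the way `file` and `fdisk` do, and derives the byte offsets needed to mount each partition read-only with `mount -o offset=` instead of `losetup -P`. The boot sector is constructed from the fdisk values above rather than read from disk.flag.img, and the `mnt/pN` mountpoint names are an assumption.

```python
import struct

SECTOR = 512
MBR_TYPES = {0x82: "Linux swap / Solaris", 0x83: "Linux"}


def parse_mbr(sector: bytes) -> list[dict]:
    """Return the non-empty entries of a 512-byte MBR, using the LBA fields."""
    if len(sector) != SECTOR or sector[510:] != b"\x55\xaa":
        raise ValueError("not an MBR: bad length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        # Each 16-byte entry: status, start CHS (3 bytes), type, end CHS (3 bytes),
        # first LBA sector, sector count; little-endian. CHS is ignored, as fdisk does.
        status, _, ptype, _, start, count = struct.unpack_from("<B3sB3sII", sector, 446 + 16 * i)
        if ptype == 0 or count == 0:
            continue  # empty slot
        parts.append({"index": i + 1, "boot": status == 0x80, "type": ptype,
                      "name": MBR_TYPES.get(ptype, f"unknown (0x{ptype:02x})"),
                      "start": start, "sectors": count, "offset": start * SECTOR,
                      "size_mib": count * SECTOR // (1024 * 1024)})
    return parts


def mount_commands(parts: list[dict], image: str, mountpoint: str = "mnt") -> list[str]:
    """Read-only mount lines for each mountable (non-swap) partition, by byte offset."""
    return [f"sudo mount -o ro,loop,offset={p['offset']},sizelimit={p['sectors'] * SECTOR} "
            f"{image} {mountpoint}/p{p['index']}"
            for p in parts if p["type"] != 0x82]


def build_sector(entries: list[tuple]) -> bytes:
    """Constructed test MBR from (bootable, type, start_lba, sectors) tuples."""
    table = b"".join(struct.pack("<B3sB3sII", 0x80 if boot else 0, b"\0\0\0", t, b"\0\0\0", s, n)
                     for boot, t, s, n in entries)
    return b"\0" * 446 + table.ljust(64, b"\0") + b"\x55\xaa"


# The three entries fdisk printed for disk.flag.img, rebuilt here rather than read from disk
DISK_FLAG_IMG = build_sector([(True, 0x83, 2048, 204800),
                              (False, 0x82, 206848, 204800),
                              (False, 0x83, 411648, 407552)])

if __name__ == "__main__":
    parts = parse_mbr(DISK_FLAG_IMG)
    for p in parts:
        print(f"p{p['index']} {'*' if p['boot'] else ' '} start={p['start']:>7} "
              f"sectors={p['sectors']:>7} {p['size_mib']}M {p['name']}")
    print("\n".join(mount_commands(parts, "disk.flag.img")))
```

Against the real image you would replace `DISK_FLAG_IMG` with the first 512 bytes of the file; the `sizelimit` option keeps a loop mount from reading past the partition's end into the next one.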
Let's try to mount the partitions using my bash script again:

```bash
#!/usr/bin/bash
# Attach the image as a loop device and mount every partition under mnt/.
img="disk.flag.img"
# -P asks the kernel to scan the partition table and create /dev/loopNpM nodes
dev="$(sudo losetup --show -f -P "$img")"
echo "$dev"
for part in "$dev"?*; do
    # An unmatched glob stays unexpanded; in that case mount the whole device
    if [ "$part" = "${dev}?*" ]; then
        part="$dev"
    fi
    dst="mnt/$(basename "$part")"
    echo "$dst"
    mkdir -p "$dst"
    # for evidence images, add ro to the options so nothing on the image is modified
    sudo mount -o loop "$part" "$dst"
done
```
```text
./mount_loop.sh
[sudo] Passwort für pascal:
/dev/loop11
mnt/loop11p1
mnt/loop11p2
mount: /home/pascal/Pentesting/picoCTF_2022/Forensics/Operation Orchid/mnt/loop11p2: unknown filesystem type 'swap'.
mnt/loop11p3
```
Let's look for the flag...

```text
find . | grep flag
./loop11p3/root/flag.txt.enc
./loop11p3/root/flag.txt
```
`loop11p3` is the root partition, and it contains the file /root/flag.txt.enc.
Let's see what this is...

```text
file flag.txt.enc
flag.txt.enc: openssl enc'd data with salted password
```
That is a file encrypted with `openssl enc` using a salted passphrase, so we need that passphrase to decrypt it.
In /root I also found an ash shell history file!

```text
cat root/.ash_history
touch flag.txt
nano flag.txt
apk get nano
apk --help
apk add nano
nano flag.txt
openssl
openssl aes256 -salt -in flag.txt -out flag.txt.enc -k unbreakablepassword1234567
shred -u flag.txt
ls -al
halt
```
The command used to encrypt the flag file was

```bash
openssl aes256 -salt -in flag.txt -out flag.txt.enc -k unbreakablepassword1234567
```

So the passphrase passed with `-k` is `unbreakablepassword1234567`.
Let's decrypt it using openssl again!
```text
openssl aes256 -d -in flag.txt.enc -out flag.txt -k unbreakablepassword1234567
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
bad decrypt
140528353342848:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:610:
```

OpenSSL prints a deprecation warning and a `bad decrypt` error at the end, but the decrypted flag is readable in the output file!
```text
cat flag.txt
picoCTF{h4un71ng_p457_cc87abb6}
```

So the flag is:

```text
picoCTF{h4un71ng_p457_cc87abb6}
```