[CTF] picoCTF22 - Forensics

Torrent Analyze

This is a really interesting challenge. Hints suggest to enable bittorrrent protocols in wireshark and also to learn more about seeds and leachers , Article.

First of all enable bittorrent protocols in wireshark.

Analyze -> Enabled Protocols

Then i filtered the network with bt-dht. DHT stores peers information. I chose a random packet 53120. It have a hash value.

Simply googled the hash and boom , it was the infohash of torrent. Infohash is used to check the integrity of files.


Sleuthkit Apprentice

mmls - Display the partition layout of a volume system (partition tables).
fls - List file and directory names in a disk image.
icat - Output the contents of a file based on its inode number.

Learn more sleuthkit commands here

mmls disk.flag.img

Found starting sector of linux partition : 360448

List directories : fls -o 360448 disk.flag.img

Get the file content of flag.uni.txt : icat -o 360448 disk.flag.img 2371

It have the flag.

Operation Oni

mmls disk.img

Sector : 206848

List /root/.ssh : fls -o 206848 disk.img 3916

Get contents of ssh key : icat -o 206848 disk.img 2345 > key_file

chmod 600 key_file

ssh -i key_file -p {instance_port} ctf-player@saturn.picoctf.net

cat flag.txt

Operation Orchid

mmls disk.flag.img

Found 2 Linux Partitions :-

Partition 1 offset : 2048 Partition 2 offset : 411648

Partition 1 is boot parition , it doesn’t have any user files

On partition 2 :

inode of /root/ = 472

List files :-

fls -o 411648 disk.flag.img 472

r/r 1875:    .bash_history
r/r * 1876(realloc):    flag.txt 
r/r 1782:    flag.txt.enc

Save files :-

icat -o 411648 disk.flag.img 1782 > flag.enc
icat -o 411648 disk.flag.img 1876 > flag
icat -o 411648 disk.flag.img 1875 > bash_history

flag.enc is encrypted and flag have no useful text

what left is bash_history , it have this interesting command

openssl aes256 -salt -in flag.txt -out flag.txt.enc -k unbreakablepassword1234567

Well thats it , we just need to add -d to it

openssl aes256 -d -salt -in flag.enc -out flag.txt -k unbreakablepassword1234567

cat flag.txt