PICO Disk Forensics
Big Zip
Again, download the big-zip-files.zip file from the challenge.
If we run file on this file, we can see that it is a zip file.
Now unzip the file and cd into its directory.
To search all files and file names for a specific term, use the command:
grep "<search term>" -r .
Here the search term is “picoCTF” and -r is the recursive flag, which also searches through subdirectories.
Sleuthkit Intro
First we download the disk image file from the challenge.
If we run file on this file, we can see that it is compressed by gzip.
We can decompress it using the command: gunzip disk.img.gz.
Now we can dump the partition table of the disk image to see which partitions it contains using mmls disk.img.
If we look at the second and last partition (the Linux partition), we can see its size/length in sectors is 20572.
Let’s then connect to the remote checker service via netcat using the command nc saturn.picoctf.net 60909 and pass this value as the input.
Great, this returns the flag!
Sleuthkit Apprentice
First we download the disk image file from the challenge.
If we run file on this file, we can see that it is compressed by gzip.
We can decompress it using the command: gunzip disk.flag.img.gz.
Now we can dump the partition table of the disk image to see which partitions it contains using mmls disk.flag.img.
We can see the main partition is either the 2nd or the 4th, and we will go with the 2nd partition since it is the largest.
We know that either could be the main partition because both carry the description label “Linux (0x83)”.
Let’s dive deeper to the filename layer and view the root of the partition by running the command fls -o 360448 disk.flag.img, where 360448 is the offset in sectors to the start position of the main partition and we are supplying it via the -o offset flag.
Because we don’t supply an inode, the root directory is used.
We now know this is a main partition since we can see many directories found in a standard Linux root directory like “home”, “usr”, “etc”, “sys”, “tmp”…
We can now supply the inode number for home to view within the “home” directory. This can be done with: fls -o 360448 disk.flag.img 451
This returns nothing as there are no files or directories contained within the home folder.
If we pass the root inode number instead, fls -o 360448 disk.flag.img 1995 we find a file called “.ash_history” and a directory named “my_folder”.
If we explore “my_folder” using the command: fls -o 360448 disk.flag.img 3981, we find the flag text file.
We can now use the inode layer tool icat and run icat -o 360448 disk.flag.img 2371 by supplying the inode number of “flag.uni.txt”.
We don’t get a result for the other “flag.txt” file because it has been deleted and its inode reassigned to another file, which is why fls marks it “realloc” (reallocated).
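The sector offsets and lengths that mmls prints in the two walkthroughs above (the 20572-sector partition, the 360448-sector offset passed to fls -o) come straight from the 16-byte entries of the MBR partition table. As an added example that is not part of the original writeup or of The Sleuth Kit, the following Python builds a constructed 512-byte MBR with values modelled on those two challenges and parses it back into an mmls-style table:

```python
import struct

SECTOR = 512            # mmls reports offsets in 512-byte sectors
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, LBA length

# Constructed sample, not a real picoCTF image: two Linux (0x83) slots,
# the second starting at sector 360448 and spanning 20572 sectors.
SAMPLE_ENTRIES = [
    (True, 0x83, 2048, 358400),
    (False, 0x83, 360448, 20572),
]

def build_mbr(entries):
    """Pack up to four (bootable, type, start_lba, length) tuples into an MBR."""
    mbr = bytearray(SECTOR)
    for i, (boot, ptype, start, length) in enumerate(entries[:4]):
        # CHS fields are left zero; forensic tools rely on the LBA fields
        struct.pack_into(ENTRY_FMT, mbr, 446 + 16 * i,
                         0x80 if boot else 0x00, b"\0\0\0", ptype, b"\0\0\0",
                         start, length)
    mbr[510:512] = b"\x55\xaa"  # boot signature that marks a valid MBR
    return bytes(mbr)

def parse_mbr(mbr):
    """Return one dict per populated slot, like the rows mmls prints."""
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA MBR signature")
    rows = []
    for i in range(4):
        _boot, _, ptype, _, start, length = struct.unpack_from(ENTRY_FMT, mbr, 446 + 16 * i)
        if ptype == 0 or length == 0:      # empty slot
            continue
        rows.append({"slot": i, "type": ptype, "start": start,
                     "end": start + length - 1, "length": length})
    return rows

def linux_partitions(rows):
    """Filter to type 0x83 entries, the candidates for the main partition."""
    return [r for r in rows if r["type"] == 0x83]

def sample_table():
    return parse_mbr(build_mbr(SAMPLE_ENTRIES))

if __name__ == "__main__":
    print("Slot  Start      End        Length     Type")
    for r in sample_table():
        print(f"{r['slot']:<5} {r['start']:<10} {r['end']:<10} {r['length']:<10} 0x{r['type']:02x}")
    # the 'start' of the chosen row is the value to hand to fls -o / icat -o
```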
Disk, disk, sleuth! II
Again, download the disk image from the challenge and decompress it using gunzip as done above.
If we then run mmls dds2-alpine.flag.img to dump the partition table, we can see that there is one main Linux partition that starts at an offset of 2048 sectors.
Now we can run fls -o 2048 dds2-alpine.flag.img and see the folders that are expected in the main partition.
If we then run fls -o 2048 dds2-alpine.flag.img 18290 to view the root directory, we can find a file called “down-at-the-bottom.txt”.
After this, we can run icat -o 2048 dds2-alpine.flag.img 18291, where 18291 is the inode number of the file, to see its contents.
The contents of the file are the flag.
Operation Orchid
Repeating the same process, we download a gzip compressed disk image that we can decompress with gunzip.
We can dump the partition table and see that we have two Linux partitions.
Let’s view the first partition by running the command: fls -o 2048 disk.flag.img. This partition doesn’t contain the directories you would expect a user to work in, such as home or root.
Let’s now view the other partition using the command: fls -o 411648 disk.flag.img.
Now we can look into the home and root directories using the following commands respectively: fls -o 0000411648 disk.flag.img 460 and fls -o 0000411648 disk.flag.img 472.
The home directory seems to be empty, but the root directory contains a “flag.txt.enc” file, whose “.enc” extension suggests it is an encrypted version of the plaintext.
Let’s have a look at the shell history found in the file “.ash_history” using the command icat -o 411648 disk.flag.img 1875.
We can see that the user first creates the “flag.txt” file, then tries to edit it using nano but realises it is not installed. The user then attempts apk get nano to install the package, but this command is incorrect, so they look up the usage with apk --help.
Finally the user realises the correct command: apk add nano and they open the flag.txt file with the nano text editor.
The user then runs the command openssl aes256 -salt -in flag.txt -out flag.txt.enc -k unbreakablepassword1234567 to encrypt the flag file with the key “unbreakablepassword1234567” using OpenSSL with AES-256.
They then run the command shred -u flag.txt, which overwrites the file with random data multiple times and then deletes it from the filesystem. They then run ls -al to make sure the plaintext flag file is gone and shut the system down with halt.
This command history tells us enough, and now we have the key required to decrypt the encrypted flag.txt.enc file.
Let’s copy and decrypt this file. To copy the file simply run the command: icat -o 411648 disk.flag.img 1782 > encrypted.txt, which saves the output in “encrypted.txt”.
To decrypt this file we can run the command: openssl aes256 -d -in encrypted.txt -out flag.txt -k unbreakablepassword1234567.
We can then cat the flag file to get the flag.
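The recovery above works because the passphrase was typed on the openssl command line and survived in .ash_history even though the plaintext was shredded. As an added example that is not part of the original writeup, the following Python audits a shell history for exactly that pattern: openssl invocations that pass a key via -k or -pass pass:, plus shred -u calls that indicate an attempt to destroy the source file. The history text is a constructed sample mirroring the sequence described in the challenge.

```python
import shlex

# Constructed sample .ash_history, modelled on the session described above
SAMPLE_HISTORY = """touch flag.txt
nano flag.txt
apk get nano
apk --help
apk add nano
nano flag.txt
openssl aes256 -salt -in flag.txt -out flag.txt.enc -k unbreakablepassword1234567
shred -u flag.txt
ls -al
halt
"""

def audit_history(history):
    """Return inline openssl keys (line, key, in, out) and files removed with shred -u."""
    keys, shredded = [], []
    for lineno, line in enumerate(history.splitlines(), 1):
        try:
            argv = shlex.split(line)
        except ValueError:          # unbalanced quotes: skip the malformed line
            continue
        if not argv:
            continue
        if argv[0] == "openssl":
            secret = infile = outfile = None
            for i, tok in enumerate(argv[:-1]):
                nxt = argv[i + 1]
                if tok == "-k":                      # legacy key option, value is the passphrase
                    secret = nxt
                elif tok == "-pass" and nxt.startswith("pass:"):  # pass:<text> is inline too
                    secret = nxt[len("pass:"):]
                elif tok == "-in":
                    infile = nxt
                elif tok == "-out":
                    outfile = nxt
            if secret is not None:
                keys.append((lineno, secret, infile, outfile))
        elif argv[0] == "shred" and "-u" in argv[1:]:
            # -u unlinks after overwriting; record which files were targeted
            shredded.extend(a for a in argv[1:] if not a.startswith("-"))
    return {"inline_keys": keys, "shredded": shredded}

if __name__ == "__main__":
    report = audit_history(SAMPLE_HISTORY)
    for lineno, key, src, dst in report["inline_keys"]:
        print(f"line {lineno}: key {key!r} encrypts {src} -> {dst}")
    print("shredded:", report["shredded"])
```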