Operation Orchid

Challenge

Download this disk image and find the flag. Note: if you are using the webshell, download and extract the disk image into /tmp not your home directory.

Solution

  1. 1.
    We can decompress the disk image with gunzip disk.flag.img.gz and then mount it with sudo kpartx -av disk.flag.img.
  2. 2.
    In the mounted volume, there is a file /root/flag.txt.enc and .ash_history. Looking at .ash_history we see the following:
touch flag.txt
nano flag.txt
apk get nano
apk --help
apk add nano
nano flag.txt
openssl
openssl aes256 -salt -in flag.txt -out flag.txt.enc -k unbreakablepassword1234567
shred -u flag.txt
ls -al
halt
  1. 1.
    So, it looks like flag.txt.enc was encrypted and salted using aes256 with key unbreakablepassword1234567.
  2. 2.
    We can decrypt the flag.txt.enc and print the flag with openssl aes256 -d -salt -in flag.txt.enc -out flag.txt -k unbreakablepassword1234567; cat flag.txt (notice the additional -d option).

Flag

picoCTF{h4un71ng_p457_0a710765}