Operation Orchid


Download this disk image and find the flag. Note: if you are using the webshell, download and extract the disk image into /tmp not your home directory.


  1. We can decompress the disk image with gunzip disk.flag.img.gz and then mount it with sudo kpartx -av disk.flag.img.

  2. In the mounted volume, there is a file /root/flag.txt.enc and .ash_history. Looking at .ash_history we see the following:

touch flag.txt
nano flag.txt 
apk get nano
apk --help
apk add nano
nano flag.txt 
openssl aes256 -salt -in flag.txt -out flag.txt.enc -k unbreakablepassword1234567
shred -u flag.txt
ls -al
  1. So, it looks like flag.txt.enc was encrypted and salted using aes256 with key unbreakablepassword1234567.

  2. We can decrypt the flag.txt.enc and print the flag with openssl aes256 -d -salt -in flag.txt.enc -out flag.txt -k unbreakablepassword1234567; cat flag.txt (notice the additional -d option).



Last updated