PicoCTF-2022 Writeup

Operation Orchid


Last updated 3 years ago


Challenge

Download this disk image and find the flag. Note: if you are using the webshell, download and extract the disk image into /tmp not your home directory.


Solution

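  1. We can decompress the disk image with gunzip disk.flag.img.gz and then map its partitions with sudo kpartx -av disk.flag.img. The partitions appear as loop devices under /dev/mapper and can be mounted from there.

  2. In the mounted volume, there is an encrypted file /root/flag.txt.enc and a shell history file .ash_history. Looking at .ash_history we see the following: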

touch flag.txt
nano flag.txt 
apk get nano
apk --help
apk add nano
nano flag.txt 
openssl
openssl aes256 -salt -in flag.txt -out flag.txt.enc -k unbreakablepassword1234567
shred -u flag.txt
ls -al
halt
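  3. So, it looks like flag.txt.enc was encrypted with openssl aes256 using a salt and the passphrase unbreakablepassword1234567 (the -k option), after which the plaintext flag.txt was removed with shred -u. Because the passphrase was typed on the command line, it was saved in the shell history.

  4. We can decrypt flag.txt.enc and print the flag with openssl aes256 -d -salt -in flag.txt.enc -out flag.txt -k unbreakablepassword1234567; cat flag.txt (notice the additional -d option, which selects decryption).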
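The finding in step 2 generalises to any recovered shell history. As an added example (not part of the original writeup), this Python triage script flags openssl invocations that carry a passphrase inline via -k or -pass pass:. The function name and result fields are hypothetical; the sample input is the history shown above.

```python
import shlex

# Shell history as shown in the writeup (.ash_history from the disk image).
SAMPLE_HISTORY = """\
touch flag.txt
nano flag.txt
apk get nano
apk --help
apk add nano
nano flag.txt
openssl
openssl aes256 -salt -in flag.txt -out flag.txt.enc -k unbreakablepassword1234567
shred -u flag.txt
ls -al
halt
"""

def find_openssl_secrets(history_text):
    """Return one dict per openssl command that carries a passphrase inline."""
    findings = []
    for lineno, line in enumerate(history_text.splitlines(), start=1):
        try:
            argv = shlex.split(line)
        except ValueError:          # unbalanced quotes in a history line
            argv = line.split()
        if len(argv) < 2 or argv[0] != "openssl":
            continue                # not openssl, or openssl with no arguments
        opts, secret = {}, None
        # Walk (option, following token) pairs after the program name.
        for flag, value in zip(argv[1:], argv[2:]):
            if flag == "-k":
                secret = value
            elif flag in ("-pass", "-passin", "-passout") and value.startswith("pass:"):
                secret = value[len("pass:"):]
            elif flag in ("-in", "-out"):
                opts[flag] = value
        if secret is not None:
            findings.append({"line": lineno, "subcommand": argv[1],
                             "decrypt": "-d" in argv, "secret": secret,
                             "input": opts.get("-in"), "output": opts.get("-out")})
    return findings

if __name__ == "__main__":
    for finding in find_openssl_secrets(SAMPLE_HISTORY):
        print(finding)
```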

Flag

picoCTF{h4un71ng_p457_0a710765}
