Tags: forensic 

Rating: 2.0

# NeverLAN CTF 2020 - Look into the past

In this challenge we are given `look_into_the_past.tar.gz`. Once uncompressed, it contains a snapshot of a computer's filesystem.

First, let’s take a look at the bash history.

```
$ cat home/User/.bash_history
cd Documents
openssl enc -aes-256-cbc -salt -in flag.txt -out flag.txt.enc -k $(cat $pass1)$pass2$pass3
steghide embed -cf doggo.jpeg -ef $pass1
mv doggo.jpeg ~/Pictures
useradd -p '$pass2' user
sqlite3 /opt/table.db "INSERT INTO passwords values ('1', $pass3)"
tar -zcf /opt/table.db.tar.gz /opt/table.db
rm $pass1
unset $pass2
unset $pass3
```

Someone encrypted `flag.txt` with the key `$(cat $pass1)$pass2$pass3`, then hid each of the three pieces of the key in a different place on the system.

Let's find `$pass1` first. It was embedded into `doggo.jpeg` with `steghide`, and no passphrase was given, so we extract it with an empty one.

```
$ steghide extract -sf home/User/Pictures/doggo.jpeg -p ""
wrote extracted data to "steganopayload213658.txt".
```

```
$ cat steganopayload213658.txt
```

`$(cat $pass1)` is `JXrTLzijLb`.

Now for `$pass2`: it was set as the password of the user named `user`. Password fields are stored in `etc/shadow`, and because `useradd -p` expects an already-hashed value, whatever string it is given is written into that field verbatim.

```
$ cat etc/shadow | tail -5
```

> Here I've used `tail -5` to truncate the output of `cat etc/shadow`; it prints only the last 5 lines of its `stdin`.

As shown in the last line, `$pass2` is `KI6VWx09JJ`.

Now let's look for `$pass3`. It was inserted into a SQLite table, and the database file was then packed into a `tar.gz` archive.

Let’s extract it first.

```
$ tar -xf opt/table.db.tar.gz
```

This unpacks the `.tar.gz` and gives us `table.db`. Now let's read the data back out of the database.

```
$ sqlite3 table.db "SELECT * FROM passwords"
```

> Here we select every row from the table `passwords`.

Since `$pass3` was inserted alongside the id `'1'`, the output is `1|nBNfDKbP5n`. We can ignore the `1`, so `$pass3` is `nBNfDKbP5n`.

Now that we have all three pieces, the encryption command can be read as:

```
openssl enc -aes-256-cbc -salt -in flag.txt -out flag.txt.enc -k JXrTLzijLbKI6VWx09JJnBNfDKbP5n
```

We can reverse the command by simply adding the `-d` flag. The `-out` flag is not needed, since without it the decrypted plaintext is written to stdout.

```
$ openssl enc -aes-256-cbc -d -in home/User/Documents/flag.txt.enc -salt -k JXrTLzijLbKI6VWx09JJnBNfDKbP5n
```

FLAG: `flag{h1st0ry_1n_th3_m4k1ng}`
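As an added example (not part of the original writeup), the script below rehearses the whole recovery offline on constructed artifacts: it pulls the three pieces out of a stand-in steghide payload file, a constructed `/etc/shadow` row and a constructed `sqlite3` output line, rebuilds the key exactly as the history shows, and decrypts with `-d`. It also pins `-md`, because `openssl enc -k` derived the key with MD5 before OpenSSL 1.1.0 and with SHA-256 from 1.1.0 on, and a mismatch between the encrypting and decrypting versions shows up as `bad decrypt`. The file names, the shadow and sqlite rows, and the flag text are all constructed; only `openssl` is assumed to be installed.

```shell
#!/bin/sh
# Added example: rebuild $(cat $pass1)$pass2$pass3 from constructed artifacts
# and decrypt a constructed flag.txt.enc the way the writeup does.
set -eu

WORK=$(mktemp -d)

# Constructed stand-ins for the three hiding places used in the challenge.
printf 'JXrTLzijLb' > "$WORK/pass1"                 # what steghide extract wrote
SHADOW_LINE='user:KI6VWx09JJ:18300:0:99999:7:::'    # constructed /etc/shadow row
SQLITE_ROW='1|nBNfDKbP5n'                           # constructed sqlite3 output

# $pass2: field 2 of the colon-separated shadow row for the given user.
pass_from_shadow() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u { print $2 }'
}

# $pass3: drop the leading id column of the sqlite3 "id|value" output line.
pass_from_sqlite_row() {
    printf '%s\n' "$1" | cut -d'|' -f2
}

# Key exactly as the history builds it: $(cat $pass1)$pass2$pass3
assemble_key() {
    printf '%s%s%s' "$(cat "$1")" "$2" "$3"
}

# Encrypt a constructed flag with the same options as the history used,
# pinning the digest so the decrypt side can be matched explicitly.
make_ciphertext() {
    printf 'flag{constructed_example}\n' > "$WORK/flag.txt"
    openssl enc -aes-256-cbc -salt -md "$2" \
        -in "$WORK/flag.txt" -out "$WORK/flag.txt.enc" -k "$1"
}

# Decrypt with -d and no -out: plaintext goes to stdout, as in the writeup.
# $2 is the KDF digest (sha256 for OpenSSL >= 1.1.0, md5 for older builds).
recover_flag() {
    openssl enc -aes-256-cbc -d -salt -md "$2" -in "$WORK/flag.txt.enc" -k "$1"
}

KEY=$(assemble_key "$WORK/pass1" \
        "$(pass_from_shadow "$SHADOW_LINE" user)" \
        "$(pass_from_sqlite_row "$SQLITE_ROW")")
make_ciphertext "$KEY" sha256
```

Running `recover_flag "$KEY" sha256` afterwards prints the constructed flag; passing `md5` instead reproduces the version-mismatch failure you would see if the snapshot had been encrypted by a different OpenSSL release.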