Tags: forensic 

Rating: 2.0

# NeverLAN CTF 2020 - Look into the past

In this challenge we are given `look_into_the_past.tar.gz`. And when uncompressed, we have a snapshot of a computer.

First, let’s take a look at the bash history.

```bash
$ cat home/User/.bash_history
_____________________________
cd Documents
openssl enc -aes-256-cbc -salt -in flag.txt -out flag.txt.enc -k $(cat $pass1)$pass2$pass3
steghide embed -cf doggo.jpeg -ef $pass1
mv doggo.jpeg ~/Pictures
useradd -p '$pass2' user
sqlite3 /opt/table.db "INSERT INTO passwords values ('1', $pass3)"
tar -zcf /opt/table.db.tar.gz /opt/table.db
rm $pass1
unset $pass2
unset $pass3
exit
```

Someone encrypted `flag.txt` with a key as `$(cat $pass1)$pass2$pass3`, and hid the key into a different places.

Lets find the `$pass1`. Seems like it’s embedded into `doggo.jpeg` using `steghide` without password.

```bash
$ steghide extract -sf home/User/Pictures/doggo.jpeg -p ""
______________________________
wrote extracted data to "steganopayload213658.txt".
```

```bash
$ cat steganopayload213658.txt
______________________________
JXrTLzijLb
```

`$(cat $pass1)` is `JXrTLzijLb`.

Now for the `$pass2`, it is added as a password to user named `user`. Passwords in are stored in `etc/shadow`.

```bash
$ cat etc/shadow | tail -5
_________________
sslh:!:18011:0:99999:7:::
pulse:*:18011:0:99999:7:::
colord:*:18011:0:99999:7:::
lightdm:*:18011:0:99999:7:::
user:KI6VWx09JJ:18011:0:99999:7:::
```

> Here I’ve used `tail -5` to truncate the output of `cat etc/shadow`, it shows last 5 line of the `stdin`.

As shown in the last line, `$pass2` is `KI6VWx09JJ`.

Now let’s look for the `$pass3`. It is inserted into a sqlite table and the table is compressed to `tar.gz`.

Let’s extract it first.

```bash
$ tar -xf opt/table.db.tar.gz
```

This uncompresses the `.tar.gz` and gives us a `table.db`. Now let’s extract the data from the database.

```bash
$ sqlite3 table.db "SELECT * FROM passwords"
________________________
1|nBNfDKbP5n
```

> Here we select all things from table `passwords`.

As the `$pass3` is inserted with `’1’`, output is `1|nBNfDKbP5n`. So we can ignore the `1`. `$pass3` is `nBNfDKbP5n`.

Now since we got all the pieces, we can interpret the encryption command as.

```bash
openssl enc -aes-256-cbc -salt -in flag.txt -out flag.txt.enc -k JXrTLzijLbKI6VWx09JJnBNfDKbP5n
```

We can reverse the command by simply adding `-d` flag. We don’t need the `-out` flag.

```bash
$ openssl enc -aes-256-cbc -d -in home/User/Documents/flag.txt.enc -salt -k JXrTLzijLbKI6VWx09JJnBNfDKbP5n
________________________________
flag{h1st0ry_1n_th3_m4k1ng}
```

`FLAG: flag{h1st0ry_1n_th3_m4k1ng} `