
## Forensics/skat's SD card (86 solves)
Created by: `skat`

> "Do I love being manager? I love my kids. I love real estate. I love ceramics. I love chocolate. I love computers. I love trains."

Looking through the file we are given, it's an image of a Linux file system.

Once mounted with fuse (mac moment) we see `/home/skat` as a directory.

Looking around a few things catch my eye:

```
.bash_history
.mozilla/
.ssh/
```

Reading `.bash_history`, we see a git repo being cloned: `[email protected]:IrisSec/skats-interesting-things.git`.

Looking online, it seems we lack authorisation to clone/view it.

Looking in `.ssh/` we can see `id_rsa`. Given the git clone command from `.bash_history`, it's likely that these SSH creds authorise us to clone that repo.

The SSH key is password-protected, so we can crack the password with `john` and `ssh2john`.

```
$ ssh2john id_rsa > id_rsa.hash
$ john --wordlist=rockyou.txt id_rsa.hash
password
```

Well, that's a secure password lmao.

Once we use the password with the SSH cred we can clone the repo locally.

Looking at the contents none of the files jump out at me, mostly just txt files of documentation and a very useless README. But, inside the `.git` folder are some pack files. Using `packfile_reader` we can extract the data to some text files.

`packfile_reader -e -o . pack-7359dfb3974f6464a5b192bba2d05f89f0b3aa4a.pack`

Then using `grep -r '{' .` I searched for the flag.

Found it! `irisctf{0h_cr4p_ive_left_my_k3ys_out_4nd_ab0ut}`
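
What the pack extraction and `grep` steps above do under the hood, as an added example that is not part of the original writeup and is not `packfile_reader`'s code: a minimal parser that inflates every entry of a packfile and searches it with a regex. It assumes a SHA-1 repository (20-byte trailer and base ids); the sample pack and its `examplectf{...}` string are constructed, and delta entries are searched as raw delta data without being resolved against their base.

```python
import hashlib, re, struct, zlib

TYPES = {1: "commit", 2: "tree", 3: "blob", 4: "tag", 6: "ofs_delta", 7: "ref_delta"}

def iter_pack_objects(pack: bytes):
    """Yield (type_name, inflated_bytes) for every entry in a v2/v3 packfile."""
    magic, version, count = struct.unpack(">4sII", pack[:12])
    if magic != b"PACK" or version not in (2, 3):
        raise ValueError("not a git packfile")
    end = len(pack) - 20                       # trailer: SHA-1 of all preceding bytes
    if hashlib.sha1(pack[:end]).digest() != pack[end:]:
        raise ValueError("pack checksum mismatch (truncated or modified)")
    pos = 12
    for _ in range(count):
        byte, pos = pack[pos], pos + 1
        obj_type = (byte >> 4) & 7             # bits 6-4 of the first header byte
        while byte & 0x80:                     # skip the rest of the size varint
            byte, pos = pack[pos], pos + 1
        if obj_type == 6:                      # OFS_DELTA: varint offset to the base
            while pack[pos] & 0x80:
                pos += 1
            pos += 1
        elif obj_type == 7:                    # REF_DELTA: 20-byte base object id
            pos += 20
        inflater = zlib.decompressobj()
        data = inflater.decompress(pack[pos:end])
        pos = end - len(inflater.unused_data)  # zlib reports where the entry ended
        yield TYPES.get(obj_type, "unknown"), data

def find_strings(pack: bytes, pattern: bytes):
    """Return (object_type, match) for every regex hit in any inflated entry."""
    return [(kind, m.group().decode(errors="replace"))
            for kind, data in iter_pack_objects(pack)
            for m in re.finditer(pattern, data)]

def build_sample_pack(objects) -> bytes:
    """Constructed input: a tiny pack holding the given (type, data) objects."""
    body = struct.pack(">4sII", b"PACK", 2, len(objects))
    for obj_type, data in objects:
        byte, size = (obj_type << 4) | (len(data) & 0x0F), len(data) >> 4
        while size:                            # emit the size varint, low bits first
            body += bytes([byte | 0x80])
            byte, size = size & 0x7F, size >> 7
        body += bytes([byte]) + zlib.compress(data)
    return body + hashlib.sha1(body).digest()

SAMPLE = build_sample_pack([
    (3, b"# docs\nnothing to see here\n" * 4),
    (3, b"note to self: examplectf{constructed_placeholder}\n"),
    (1, b"tree 0000\nauthor nobody\n\nremove notes\n")])
```

Calling `find_strings(SAMPLE, rb"\w+\{[^}]+\}")` returns the one blob that carries the placeholder string, even though no file in a working tree would need to contain it.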

**Files:** [skats-sd-card.tar.gz](https://web.archive.org/web/20240107230452/https://cdn.2024.irisc.tf/skats-sd-card.tar.gz)

Original writeup (https://seall.dev/posts/irisctf2024/#forensicsskats-sd-card-86-solves).