NeverLAN CTF - Look Into the Past
Look Into the Past was a fun challenge that gave players a zipped copy of a Linux machine's file system. The goal of this challenge was to find the flag placed in an encrypted file.
Accessing the Challenge
First, I downloaded the file from the CTF site and extracted it.
tar -zxvf look_into_the_past.tar.gz
Getting Started
My first thought after reading the challenge description was to find out which file had been encrypted. I assumed a user encrypted the file; therefore, the command would likely exist is the user's BASH history file. Which user though?
First, I changed into the home directory to see which users had home directories on the system.
Thankfully, there was just one user: User. I then looked to see if they had a BASH history file.
I looked into the .bash_history file and saw the following content.
cd Documents
openssl enc -aes-256-cbc -salt -in flag.txt -out flag.txt.enc -k $(cat $pass1)$pass2$pass3
steghide embed -cf doggo.jpeg -ef $pass1
mv doggo.jpeg ~/Pictures
useradd -p '$pass2' user
sqlite3 /opt/table.db "INSERT INTO passwords values ('1', $pass3)"
tar -zcf /opt/table.db.tar.gz /opt/table.db
rm $pass1
unset $pass2
unset $pass3
exit
Looking at this output, the user used openssl to encrypt the file using three variable: $pass1, $pass2, and $pass3.
Finding $pass1
Reading the BASH history, I could tell that $pass1 was a file given that the password used cat on the variable to read its content for the openssl password. Then, it was embedded in a file named doggo.jpeg, which was moved into the Pictures directory.
I tried various passphrases at first using steghide to extract the file from doggo.jpeg, all to no avail. Finally, I tried using steghide without a passphrase and it worked!
steghide extract -sf User/Pictures/doggo.jpeg
Enter passphrase:
wrote extracted data to "steganopayload213658.txt"
Reading the contents of the file gave me the value of $pass1: JXrTLzijLb
cat steganopayload213658.txt
JXrTLzijLb
Finding $pass2
Next, I proceeded to find $pass2. According to the BASH history, $pass2 was used as a password during the creation of a new user. If you read the help content for useradd, it'll say that the -p option is used to provide an encrypted password of a new account. This means that whatever value you give for the password is assumed to already be encrypted. The password is then stored in /etc/shadow for the user.
I read the contents of the shadow file; the password is stored after the username and delimited by colons.
cat ../etc/shadow
...
user:KI6VWx09JJ:18011:0:99999:7:::
The password for user - and the value of $pass2 - was KI6VWx09JJ.
Finding $pass3
Now onto the last variable. According to the BASH history, the value of this variable was inserted into table.db in the opt directory. The file was then compressed using tar.
First, I copied the tar file into the /tmp directory and extracted it.
cp ../opt/table.db.tar.gz /tmp
cd /tmp
tar -zxvf table.db.tar.gz
Now with the database file extracted in the /tmp directory, I used sqlite3 to query the database.
sqlite3 table.db
sqlite3> SELECT * FROM password;
1|nBNfDKbP5n
There we have it; $pass3 was nBNfDKbP5n. Now, I had all the pieces to decrypt the file and find the flag.
Decrypting the Flag File
I knew from the BASH history that the password was a concatenation of $pass1, $pass2, and $pass3, making the password JXrTLzijLbKI6VWx09JJnBNfDKbP5n.
I used openssl to decrypt the file and find the flag.
openssl enc -aes-256-cbc -d -in flag.txt.enc -out flag.txt
When prompted, I gave the password: JXrTLzijLbKI6VWx09JJnBNfDKbP5n. The decrypted file flag.txt appeared. Reading the contents of the file gave me the flag.
flag{h1st0ry_1n_th3_m4k1ng}
Conclusion
This challenge was a lot of fun. I'm not sure that I would ever expect to see anyone secure their files in this manner by splitting up the password; nonetheless, it was a lot of fun to tackle.