You have access to a file, find_me, that seems to hold a well-kept secret, one that may not even exist anymore. Recover its contents!

We have a file called find_me with a secret hidden in it, that might not even exist now.

Exploit

Let’s start by checking what kind of file we have:

magnussen@funcMyLife:~/findme$ file find_me
find_me: Linux rev 1.0 ext4 filesystem data, UUID=9c0d2dc5-184c-496a-ba8e-477309e521d9, volume name "find_me" (needs journal recovery) (extents) (64bit) (large files) (huge files)

So we have a filesystem, let’s use testdisk to check it out:

magnussen@funcMyLife:~/findme$ testdisk find_me
drwx------     0     0     12288  1-Apr-2020 21:54 lost+found
-rw-r--r--     0     0  26214400  1-Apr-2020 22:00 unlock_me
-rw-r--r--     0     0        32  1-Apr-2020 21:54 pass.b64
-r--------     0     0         2  1-Apr-2020 21:54 part00
-r--------     0     0         2  1-Apr-2020 21:54 part01
-r--------     0     0         2  1-Apr-2020 21:54 part02
-r--------     0     0         2  1-Apr-2020 21:54 part03
-r--------     0     0         2  1-Apr-2020 21:54 part04
-r--------     0     0         2  1-Apr-2020 21:54 part05
-r--------     0     0         2  1-Apr-2020 21:54 part06
-r--------     0     0         2  1-Apr-2020 21:54 part07
-r--------     0     0         2  1-Apr-2020 21:54 part08
-r--------     0     0         2  1-Apr-2020 21:54 part09
-r--------     0     0         2  1-Apr-2020 21:54 part0a
-r--------     0     0         2  1-Apr-2020 21:54 part0b
-r--------     0     0         2  1-Apr-2020 21:54 part0c
-r--------     0     0         2  1-Apr-2020 21:54 part0d
-r--------     0     0         2  1-Apr-2020 21:54 part0e
-r--------     0     0         2  1-Apr-2020 21:54 part0f
-r--------     0     0         2  1-Apr-2020 21:54 part10
-r--------     0     0         2  1-Apr-2020 21:54 part11
-r--------     0     0         2  1-Apr-2020 21:54 part12
-r--------     0     0         2  1-Apr-2020 21:54 part13
-r--------     0     0         1  1-Apr-2020 21:54 part14

We have 20 files (partXX), a file called pass.b64 and a file called unlock_me.

Let’s retrieve these files (in testdisk, a selects all files and c copies them) and check their content.

magnussen@funcMyLife:~/findme$ cat part00
TW
magnussen@funcMyLife:~/findme$ cat pass.b64
nothing here. password splited!
magnussen@funcMyLife:~/findme$ file unlock_me.img
unlock_me.img: LUKS encrypted file, ver 1 [aes, xts-plain64, sha256] UUID: 220745be-23df-4ef8-bff0-a36ab5cd1eff

Mmmh, pass.b64 says that the password is split, the partXX files each seem to contain a fragment of a base64 string, and unlock_me.img is a LUKS container.

I bet the key of this LUKS partition is the content of the partX files.

Let’s concatenate the content of these files:

magnussen@funcMyLife:~/findme$ for i in part* ; do cat $i >> final_part; done
magnussen@funcMyLife:~/findme$ cat final_part
TWYtOVkyb01OWm5IWEtzak04cThuUlRUOHgzVWRZ
magnussen@funcMyLife:~/findme$ cat final_part | base64 -d
Mf-9Y2oMNZnHXKsjM8q8nRTT8x3UdY
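The one-liner above works because shell glob expansion returns matches in sorted order and the zero-padded hex suffixes (part00 … part0f, part10 …) sort correctly as strings. The script below is an added example, not part of the writeup: it builds a set of constructed fragments with the same naming scheme (including a trailing one-byte fragment, like part14 in the image), then reassembles and base64-decodes them while stripping any stray whitespace. The sample passphrase and file names are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not the writeup's own commands): reassemble a passphrase that
# was split into 2-byte fragments named partXX (zero-padded hex suffix) and
# stored base64-encoded, then decode it. All sample data here is constructed.

# Write constructed sample fragments into directory $1.
# The base64 of a known string is cut into 2-character pieces named
# part00, part01, ..., part0f, part10, mirroring the challenge layout.
make_sample_parts() {
    dir="$1"
    mkdir -p "$dir"
    # constructed secret, used only to generate the sample fragments
    encoded=$(printf '%s' 'Sample-Pass-Phrase-0123' | base64 | tr -d '\n')
    i=0
    while [ -n "$encoded" ]; do
        piece=$(printf '%s' "$encoded" | cut -c1-2)
        encoded=$(printf '%s' "$encoded" | cut -c3-)
        printf '%s' "$piece" > "$dir/$(printf 'part%02x' "$i")"
        i=$((i + 1))
    done
    # the challenge's last fragment was a single byte; emulate a trailing newline
    printf '\n' > "$dir/$(printf 'part%02x' "$i")"
}

# Concatenate the fragments in name order and decode them.
# Pathname expansion is sorted, and zero-padded hex sorts lexically
# (part0f before part10), so no explicit numeric sort is needed.
# tr removes newlines or spaces that would otherwise corrupt the decode.
reassemble_parts() {
    dir="$1"
    cat "$dir"/part* | tr -d ' \t\r\n' | base64 -d
}

# Number of fragment files found, useful as a sanity check against the listing.
count_parts() {
    ls "$1"/part* | wc -l | tr -d ' '
}
```

Run `make_sample_parts /tmp/parts && reassemble_parts /tmp/parts` to see the constructed passphrase come back out; `count_parts` lets you confirm that the number of fragments matches what the filesystem listing showed before trusting the decoded result.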

Let’s mount the LUKS partition and try this password.

magnussen@funcMyLife:~/findme$ sudo cryptsetup luksOpen /dev/loop23 unlock_me.img
Enter passphrase for /dev/loop23:
magnussen@funcMyLife:~/findme$ mkdir /media/findme
magnussen@funcMyLife:~/findme$ mount /dev/mapper/unlock_me.img /media/findme/
mount: /media/findme: WARNING: device write-protected, mounted read-only.
magnussen@funcMyLife:~/findme$ ls -alh /media/findme/
total 4,0K
drwxr-xr-x 2 root root   92 avril  1 21:54 .
drwxr-xr-x 6 root root 4,0K mai    1 00:15 ..
-r-------- 1 root root   70 avril  1 21:54 .you_found_me
magnussen@funcMyLife:~/findme$ cat /media/findme/.you_found_me
FCSC{750322d61518672328c856ff72fac0a80220835b9864f60451c771ce6f9aeca1}

Nice challenge, easy forensics but still fun to do.

Thanks to the FCSC team, this was an awesome CTF, I’ve learned a lot and had a lot of fun. Congratulations on the organization, see you next year!