You have access to a file find_me that seems to contain a well-guarded secret, which may not even exist anymore. Recover its contents!
We have a file called find_me with a secret hidden in it, that might not even exist now.
Exploit
Let’s start by checking what kind of file we have:
magnussen@funcMyLife:~/findme$ file find_me
find_me: Linux rev 1.0 ext4 filesystem data, UUID=9c0d2dc5-184c-496a-ba8e-477309e521d9, volume name "find_me" (needs journal recovery) (extents) (64bit) (large files) (huge files)
So we have a filesystem, let's use testdisk to check it out:
magnussen@funcMyLife:~/findme$ testdisk find_me
drwx------ 0 0 12288 1-Apr-2020 21:54 lost+found
-rw-r--r-- 0 0 26214400 1-Apr-2020 22:00 unlock_me
-rw-r--r-- 0 0 32 1-Apr-2020 21:54 pass.b64
-r-------- 0 0 2 1-Apr-2020 21:54 part00
-r-------- 0 0 2 1-Apr-2020 21:54 part01
-r-------- 0 0 2 1-Apr-2020 21:54 part02
-r-------- 0 0 2 1-Apr-2020 21:54 part03
-r-------- 0 0 2 1-Apr-2020 21:54 part04
-r-------- 0 0 2 1-Apr-2020 21:54 part05
-r-------- 0 0 2 1-Apr-2020 21:54 part06
-r-------- 0 0 2 1-Apr-2020 21:54 part07
-r-------- 0 0 2 1-Apr-2020 21:54 part08
-r-------- 0 0 2 1-Apr-2020 21:54 part09
-r-------- 0 0 2 1-Apr-2020 21:54 part0a
-r-------- 0 0 2 1-Apr-2020 21:54 part0b
-r-------- 0 0 2 1-Apr-2020 21:54 part0c
-r-------- 0 0 2 1-Apr-2020 21:54 part0d
-r-------- 0 0 2 1-Apr-2020 21:54 part0e
-r-------- 0 0 2 1-Apr-2020 21:54 part0f
-r-------- 0 0 2 1-Apr-2020 21:54 part10
-r-------- 0 0 2 1-Apr-2020 21:54 part11
-r-------- 0 0 2 1-Apr-2020 21:54 part12
-r-------- 0 0 2 1-Apr-2020 21:54 part13
-r-------- 0 0 1 1-Apr-2020 21:54 part14
We have 20 files (partX), a file called pass.b64 and a file called unlock_me.
Let’s retrieve these files (a + c in testdisk) and check their content.
magnussen@funcMyLife:~/findme$ cat part00
TW
magnussen@funcMyLife:~/findme$ cat pass.b64
nothing here. password splited!
magnussen@funcMyLife:~/findme$ file unlock_me.img
unlock_me.img: LUKS encrypted file, ver 1 [aes, xts-plain64, sha256] UUID: 220745be-23df-4ef8-bff0-a36ab5cd1eff
Mmmh, the pass.b64 says that the password is split, the partX files seem to each contain a piece of a base64 string, and unlock_me.img is a LUKS partition.
I bet the key of this LUKS partition is the content of the partX files.
Let’s concatenate the content of these files:
magnussen@funcMyLife:~/findme$ for i in part* ; do cat $i >> final_part; done
magnussen@funcMyLife:~/findme$ cat final_part
TWYtOVkyb01OWm5IWEtzak04cThuUlRUOHgzVWRZ
magnussen@funcMyLife:~/findme$ cat final_part | base64 -d
Mf-9Y2oMNZnHXKsjM8q8nRTT8x3UdY
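The shell loop above relies on `part*` expanding in the right order, and it only works because the suffixes are zero-padded hex. As an added example (not part of the original writeup), here is the same reassembly in Python with the two checks a forensic analyst would want: the fragments are ordered by their numeric suffix rather than by string comparison, and the result is decoded as strict base64 so that a missing or misordered fragment fails loudly instead of yielding a plausible-looking wrong passphrase. The part files are reconstructed inline from the concatenated string shown on the page; the function and variable names are my own.

```python
import base64
import binascii
import re

# Constructed sample: the part files from the testdisk listing, rebuilt here
# from the concatenated string shown in the writeup. part00..part13 hold two
# base64 characters each; the 1-byte part14 is assumed to be a trailing newline.
FULL_B64 = "TWYtOVkyb01OWm5IWEtzak04cThuUlRUOHgzVWRZ"
SAMPLE_PARTS = {f"part{i:02x}": FULL_B64[2 * i:2 * i + 2].encode() for i in range(20)}
SAMPLE_PARTS["part14"] = b"\n"

_SUFFIX = re.compile(r"^part([0-9a-fA-F]+)$")


def part_order(name):
    """Sort key: parse the suffix as a hex number so part09 < part0a < part10.
    A plain string sort would also misorder unpadded names (part2 > part10)."""
    m = _SUFFIX.match(name)
    if m is None:
        raise ValueError(f"not a part file: {name}")
    return int(m.group(1), 16)


def reassemble(parts):
    """Concatenate the fragments in numeric order and drop any whitespace,
    such as the newline carried by the last 1-byte fragment."""
    ordered = sorted(parts, key=part_order)
    joined = b"".join(parts[name] for name in ordered)
    return b"".join(joined.split())


def recover_password(parts):
    """Strictly decode the reassembled base64. A missing fragment shows up as
    a bad length; a corrupted one as an alphabet error from the decoder."""
    b64 = reassemble(parts)
    if len(b64) % 4:
        raise ValueError(f"base64 length {len(b64)} is not a multiple of 4; a fragment is missing")
    try:
        raw = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"fragments do not form valid base64: {exc}") from exc
    return raw.decode("ascii")


if __name__ == "__main__":
    print(reassemble(SAMPLE_PARTS).decode())
    print(recover_password(SAMPLE_PARTS))
```

Running it prints the 40-character base64 string followed by the 30-character passphrase shown above. Dropping any one fragment from `SAMPLE_PARTS` makes `recover_password` raise instead of returning a truncated passphrase, which is the behaviour you want before feeding the value to cryptsetup.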
Let’s mount the LUKS partition and try this password.
magnussen@funcMyLife:~/findme$ sudo cryptsetup luksOpen /dev/loop23 unlock_me.img
Enter passphrase for /dev/loop23:
magnussen@funcMyLife:~/findme$ mkdir /media/findme
magnussen@funcMyLife:~/findme$ mount /dev/mapper/unlock_me.img /media/findme/
mount: /media/findme: WARNING: device write-protected, mounted read-only.
magnussen@funcMyLife:~/findme$ ls -alh /media/findme/
total 4,0K
drwxr-xr-x 2 root root 92 avril 1 21:54 .
drwxr-xr-x 6 root root 4,0K mai 1 00:15 ..
-r-------- 1 root root 70 avril 1 21:54 .you_found_me
magnussen@funcMyLife:~/findme$ cat /media/findme/.you_found_me
FCSC{750322d61518672328c856ff72fac0a80220835b9864f60451c771ce6f9aeca1}
Nice challenge, easy forensics but still fun to do.
Thanks to the FCSC team, this was an awesome CTF, I've learned a lot and had a lot of fun. Congratulations on the organization, see you next year!