5.9 KiB
I mounted the filesytem via:
sudo qemu-nbd --connect=/dev/nbd1 img.qcow
sudo mount /dev/nbd1 /mnt/chall1
Then I tried to look for interesting stuff.
total 140K
drwxr-xr-x 20 root root 4,0K 27. Feb 04:11 .
drwxr-xr-x 6 root root 4,0K 28. Feb 19:34 ..
drwxr-xr-x 3 root root 4,0K 27. Feb 04:11 bin
drwxr-xr-x 2 root root 4,0K 27. Feb 04:10 boot
drwxr-xr-x 4 root root 4,0K 26. Feb 20:07 .cdl_amnt
drwxr-xr-x 5 root root 20K 27. Feb 05:20 dev
drwxr-xr-x 2 root root 4,0K 26. Feb 20:06 disks
drwxr-xr-x 56 root root 4,0K 27. Feb 05:20 etc
drwxr-sr-x 3 root games 4,0K 26. Feb 20:07 home
drwxr-xr-x 2 root root 4,0K 26. Feb 20:06 initrd
drwxr-xr-x 5 root root 4,0K 27. Feb 04:11 lib
drwxr-xr-x 2 root root 48K 26. Feb 20:05 lost+found
drwxr-xr-x 6 root root 4,0K 27. Feb 05:19 mnt
drwxr-xr-x 3 500 500 4,0K 27. Feb 04:11 opt
drwxr-xr-x 2 root root 4,0K 26. Feb 20:06 proc
drwx---r-x 4 root root 4,0K 27. Feb 05:19 root
drwxr-xr-x 3 root root 4,0K 27. Feb 04:11 sbin
drwxrwxrwt 5 root root 4,0K 27. Feb 05:20 tmp
drwxr-xr-x 16 root root 4,0K 26. Feb 20:06 usr
drwxr-xr-x 15 root root 4,0K 27. Feb 04:10 var
lrwxrwxrwx 1 root root 20 26. Feb 20:06 vmlinuz -> /boot/vmlinuz-2.2.16
lrwxrwxrwx 1 root root 19 26. Feb 20:06 vmlinuz-debug -> boot/vmlinuz-2.2.16
In the initial phase I tried the easy stuff
- checking etc/passwd, etc/issue, the home directory of user davezero
- running
fd flaghoping for an easy win - tried strings img.qcow | rg srdnl
- reading bash_history of
rootanddavezerowith no special findings
Then I turned to log analysis
- syslog files
- auth files
- apache logs I found out that only root ever logged in. This explains the empty bash_history of davezero
I found nothing interesting in the log files so I snooped around the file system. The challenge stated that the hacker hid their secrets in old systems. I looked for anything that I did not recognize in modern Linux.
.cdl_amnt/is a directory special to corel but had nothing interesting in it/opt/smartmoveis a program special to corel to migrate settings from windows but seemed untouched- I found
/var/lib/dwww/quickfind.datwhich seemed interesting but i then found out that this is standard debian stuff for manuals - The
var/wwwdirectory also did not have anything special The rest of the filesystem looked pretty normal to me.
At this point I was a bit confused what to do. I returned to the log files to see if I missed anything.
Here I discovered the key to the challenge. I found the file /var/log/fc.wcm.
I thought of this as strange since .wcm is not a file ending i recognize.
Opening the file revealed this:
❯ cat fc.wcm
Application (WP; "WordPerfect"; Default; "EN")
v0 := 0
v1 := 1
v3 := 128
v4 := 7
v5 := 13
k1 := v3 - v4 - 51
k2 := k1 - v5 + v4 + v1
k3 := k1 + v4 - 2
k4 := k2 + v4 - 3
doclen := 38
docbodyLen := 38
Declare docbody[38]
docbody[1] := 206
docbody[2] := 56
docbody[3] := 8
docbody[4] := 128
docbody[5] := 209
docbody[6] := 47
docbody[7] := 2
docbody[8] := 149
docbody[9] := 202
docbody[10] := 34
docbody[11] := 95
docbody[12] := 128
docbody[13] := 226
docbody[14] := 41
docbody[15] := 92
docbody[16] := 156
docbody[17] := 142
docbody[18] := 38
docbody[19] := 51
docbody[20] := 153
docbody[21] := 137
docbody[22] := 57
docbody[23] := 51
docbody[24] := 218
docbody[25] := 211
docbody[26] := 21
docbody[27] := 88
docbody[28] := 130
docbody[29] := 201
docbody[30] := 121
docbody[31] := 30
docbody[32] := 128
docbody[33] := 137
docbody[34] := 62
docbody[35] := 93
docbody[36] := 152
docbody[37] := 142
docbody[38] := 55
rhLen := 24
Declare rh[24]
rh[1] := 80
rh[2] := 113
rh[3] := 171
rh[4] := 195
rh[5] := 17
rh[6] := 89
rh[7] := 222
rh[8] := 175
rh[9] := 32
rh[10] := 97
rh[11] := 153
rh[12] := 187
rh[13] := 68
rh[14] := 2
rh[15] := 204
rh[16] := 127
rh[17] := 136
rh[18] := 19
rh[19] := 85
rh[20] := 224
rh[21] := 250
rh[22] := 60
rh[23] := 109
rh[24] := 144
doB64 := v0
If (doB64 = v1)
Type (NToC(k3 + v5 + v4 + v1 + v1))
Type (NToC(v3 - v4))
Type (NToC(v3 - v5 - v4))
Type (NToC(v3 - v5 - v4 - v1))
Type (NToC(v3 - v5 - v4))
Type (NToC(v3 - v5 - v5 + v1 + v1))
Type (NToC(v3 - v5 - v5 + v1 + v1))
Type (NToC(v5 + v5 + v4 - v1))
EndIf
Declare kArr[4]
kArr[1] := k1
kArr[2] := k2
kArr[3] := k3
kArr[4] := k4
Type (NToC(k1 + v5 + v1))
Type (NToC(v3 - v5 - v5 + v1 + v1))
Type (NToC(v3 - v5 - v4 - v4))
Type (NToC(v5 + v5 + v4 - v1))
Type (NToC(v3 - v5 - v4 - v1))
Type (NToC(v3 - v5 - v4 - v4))
Type (NToC(v3 - v4))
Type (NToC(v5 + v5 + v4 - v1))
Type (NToC(k2 + k2 - v5 - v5 + v1))
Type (NToC(v3 - v5))
Type (NToC(v5 + v5 + v4 - v1))
Type (NToC(k2 + k2 - v5 - v5 + v1))
Type (NToC(v3 - v5 - v4 + v1 + v1))
Type (NToC(v5 + v5 + v4 - v1))
Type (NToC(v3 - v4 - v1 - v1))
Type (NToC(v3 - v5 - v5 + v1 + v1))
Type (NToC(k3 + v5 + v4 + v1 + v1))
Type (NToC(v3 - v5 + v1))
Type (NToC(v5 + v5 + v4 - v1))
Type (NToC(k2 + k2 - v5 - v5 + v1))
Type (NToC(v3 - v5))
Type (NToC(v5 + v5 + v4 - v1))
Type (NToC(v3 - v5 - v4))
Type (NToC(v3 - v5 - v4 - v4))
Type (NToC(k1 + v5 + v5 + v4 - v1))
Type (NToC(v3 - v5 + v1))
Type (NToC(13))
ForNext (ii; v1; doclen; v1)
bb := docbody[ii]
kb := kArr[(ii - v1) % 4 + v1]
Type (NToC((bb + kb) - 2 * (bb & kb)))
EndFor
buf := ""
ForNext (jj; v1; rhLen; v1)
kb := kArr[(jj - v1) % 4 + v1]
rb := rh[jj]
buf := buf + NToC((rb + kb) - 2 * (rb & kb))
EndFor
This looks incredibly suspicious. To get started with things I chucked the file into Claude and asked it if it can decode it.
Prompt: I found this strange looking file in a forensics CTF. Can you decode its contents? The flag format is srdnlen{*}
Sadly Claude solved it in one go generating a simple script that bruteforces the key from the known srdnlen{ flag prefix.
Flag: srdnlen{wh3n_c0r3l_w4s_4n_4lt3rn4t1v3}
Using AI in CTFs is a double edged sword because it can save you a lot of time but can take out the fun out of solving puzzles and hinders learning.