Files
ctf/2026/srdnlen_quals/forensic/chapter1/writeup.md
2026-02-28 21:36:17 +01:00

5.9 KiB
Raw Blame History

I mounted the filesytem via:

sudo qemu-nbd --connect=/dev/nbd1 img.qcow
sudo mount /dev/nbd1 /mnt/chall1

Then I tried to look for interesting stuff.

total 140K
drwxr-xr-x 20 root root  4,0K 27. Feb 04:11 .
drwxr-xr-x  6 root root  4,0K 28. Feb 19:34 ..
drwxr-xr-x  3 root root  4,0K 27. Feb 04:11 bin
drwxr-xr-x  2 root root  4,0K 27. Feb 04:10 boot
drwxr-xr-x  4 root root  4,0K 26. Feb 20:07 .cdl_amnt
drwxr-xr-x  5 root root   20K 27. Feb 05:20 dev
drwxr-xr-x  2 root root  4,0K 26. Feb 20:06 disks
drwxr-xr-x 56 root root  4,0K 27. Feb 05:20 etc
drwxr-sr-x  3 root games 4,0K 26. Feb 20:07 home
drwxr-xr-x  2 root root  4,0K 26. Feb 20:06 initrd
drwxr-xr-x  5 root root  4,0K 27. Feb 04:11 lib
drwxr-xr-x  2 root root   48K 26. Feb 20:05 lost+found
drwxr-xr-x  6 root root  4,0K 27. Feb 05:19 mnt
drwxr-xr-x  3  500   500 4,0K 27. Feb 04:11 opt
drwxr-xr-x  2 root root  4,0K 26. Feb 20:06 proc
drwx---r-x  4 root root  4,0K 27. Feb 05:19 root
drwxr-xr-x  3 root root  4,0K 27. Feb 04:11 sbin
drwxrwxrwt  5 root root  4,0K 27. Feb 05:20 tmp
drwxr-xr-x 16 root root  4,0K 26. Feb 20:06 usr
drwxr-xr-x 15 root root  4,0K 27. Feb 04:10 var
lrwxrwxrwx  1 root root    20 26. Feb 20:06 vmlinuz -> /boot/vmlinuz-2.2.16
lrwxrwxrwx  1 root root    19 26. Feb 20:06 vmlinuz-debug -> boot/vmlinuz-2.2.16

In the initial phase I tried the easy stuff

  • checking etc/passwd, etc/issue, the home directory of user davezero
  • running fd flag hoping for an easy win
  • tried strings img.qcow | rg srdnl
  • reading bash_history of root and davezero with no special findings

Then I turned to log analysis

  • syslog files
  • auth files
  • apache logs I found out that only root ever logged in. This explains the empty bash_history of davezero

I found nothing interesting in the log files so I snooped around the file system. The challenge stated that the hacker hid their secrets in old systems. I looked for anything that I did not recognize in modern Linux.

  • .cdl_amnt/ is a directory special to corel but had nothing interesting in it
  • /opt/smartmove is a program special to corel to migrate settings from windows but seemed untouched
  • I found /var/lib/dwww/quickfind.dat which seemed interesting but i then found out that this is standard debian stuff for manuals
  • The var/www directory also did not have anything special The rest of the filesystem looked pretty normal to me.

At this point I was a bit confused what to do. I returned to the log files to see if I missed anything.

Here I discovered the key to the challenge. I found the file /var/log/fc.wcm. I thought of this as strange since .wcm is not a file ending i recognize.

Opening the file revealed this:

 cat fc.wcm
Application (WP; "WordPerfect"; Default; "EN")

v0 := 0
v1 := 1
v3 := 128
v4 := 7
v5 := 13

k1 := v3 - v4 - 51
k2 := k1 - v5 + v4 + v1
k3 := k1 + v4 - 2
k4 := k2 + v4 - 3

doclen := 38
docbodyLen := 38
Declare docbody[38]
docbody[1] := 206
docbody[2] := 56
docbody[3] := 8
docbody[4] := 128
docbody[5] := 209
docbody[6] := 47
docbody[7] := 2
docbody[8] := 149
docbody[9] := 202
docbody[10] := 34
docbody[11] := 95
docbody[12] := 128
docbody[13] := 226
docbody[14] := 41
docbody[15] := 92
docbody[16] := 156
docbody[17] := 142
docbody[18] := 38
docbody[19] := 51
docbody[20] := 153
docbody[21] := 137
docbody[22] := 57
docbody[23] := 51
docbody[24] := 218
docbody[25] := 211
docbody[26] := 21
docbody[27] := 88
docbody[28] := 130
docbody[29] := 201
docbody[30] := 121
docbody[31] := 30
docbody[32] := 128
docbody[33] := 137
docbody[34] := 62
docbody[35] := 93
docbody[36] := 152
docbody[37] := 142
docbody[38] := 55

rhLen := 24
Declare rh[24]
rh[1] := 80
rh[2] := 113
rh[3] := 171
rh[4] := 195
rh[5] := 17
rh[6] := 89
rh[7] := 222
rh[8] := 175
rh[9] := 32
rh[10] := 97
rh[11] := 153
rh[12] := 187
rh[13] := 68
rh[14] := 2
rh[15] := 204
rh[16] := 127
rh[17] := 136
rh[18] := 19
rh[19] := 85
rh[20] := 224
rh[21] := 250
rh[22] := 60
rh[23] := 109
rh[24] := 144

doB64 := v0
If (doB64 = v1)
    Type (NToC(k3 + v5 + v4 + v1 + v1))
    Type (NToC(v3 - v4))
    Type (NToC(v3 - v5 - v4))
    Type (NToC(v3 - v5 - v4 - v1))
    Type (NToC(v3 - v5 - v4))
    Type (NToC(v3 - v5 - v5 + v1 + v1))
    Type (NToC(v3 - v5 - v5 + v1 + v1))
    Type (NToC(v5 + v5 + v4 - v1))
EndIf

Declare kArr[4]
kArr[1] := k1
kArr[2] := k2
kArr[3] := k3
kArr[4] := k4

Type (NToC(k1 + v5 + v1))
Type (NToC(v3 - v5 - v5 + v1 + v1))
Type (NToC(v3 - v5 - v4 - v4))
Type (NToC(v5 + v5 + v4 - v1))
Type (NToC(v3 - v5 - v4 - v1))
Type (NToC(v3 - v5 - v4 - v4))
Type (NToC(v3 - v4))
Type (NToC(v5 + v5 + v4 - v1))
Type (NToC(k2 + k2 - v5 - v5 + v1))
Type (NToC(v3 - v5))
Type (NToC(v5 + v5 + v4 - v1))
Type (NToC(k2 + k2 - v5 - v5 + v1))
Type (NToC(v3 - v5 - v4 + v1 + v1))
Type (NToC(v5 + v5 + v4 - v1))
Type (NToC(v3 - v4 - v1 - v1))
Type (NToC(v3 - v5 - v5 + v1 + v1))
Type (NToC(k3 + v5 + v4 + v1 + v1))
Type (NToC(v3 - v5 + v1))
Type (NToC(v5 + v5 + v4 - v1))
Type (NToC(k2 + k2 - v5 - v5 + v1))
Type (NToC(v3 - v5))
Type (NToC(v5 + v5 + v4 - v1))
Type (NToC(v3 - v5 - v4))
Type (NToC(v3 - v5 - v4 - v4))
Type (NToC(k1 + v5 + v5 + v4 - v1))
Type (NToC(v3 - v5 + v1))
Type (NToC(13))

ForNext (ii; v1; doclen; v1)
    bb   := docbody[ii]
    kb   := kArr[(ii - v1) % 4 + v1]
    Type (NToC((bb + kb) - 2 * (bb & kb)))
EndFor

buf := ""
ForNext (jj; v1; rhLen; v1)
    kb    := kArr[(jj - v1) % 4 + v1]
    rb    := rh[jj]
    buf := buf + NToC((rb + kb) - 2 * (rb & kb))
EndFor

This looks incredibly suspicious. To get started with things I chucked the file into Claude and asked it if it can decode it. Prompt: I found this strange looking file in a forensics CTF. Can you decode its contents? The flag format is srdnlen{*} Sadly Claude solved it in one go generating a simple script that bruteforces the key from the known srdnlen{ flag prefix.

Flag: srdnlen{wh3n_c0r3l_w4s_4n_4lt3rn4t1v3}

Using AI in CTFs is a double edged sword because it can save you a lot of time but can take out the fun out of solving puzzles and hinders learning.