Writeup RC3 CTF Forensics 400
CTF : RC3 CTF (https://ctf.rc3.club)
Score : 400
Actually, I’m not familiar with forensics challenges, but I couldn’t solve the other challenges and many players had solved this one, which made me want to try.
After downloading the image, I mounted it first and looked around.
wasin:dtrump$ mount dtrump.img /mnt/dtrump
wasin:dtrump$ ls -a
.                 Desktop           .gitconfig        Music             Templates
..                .dmrc             .gnupg            Pictures          Videos
.bash_logout      Documents         .history          .profile          .viminfo
.bashrc           Downloads         .ICEauthority     Public            .Xauthority
.cache            examples.desktop  .local            rr_moved          .xsession-errors
.config           .gconf            .mozilla          secretfiles
The “secretfiles” folder is interesting: it contains a GPG-encrypted file.
wasin:secretfiles$ ls -a
.  ..  document.txt  .git  README.md  Workbook1.xlsx.gpg
I assumed the flag was somewhere in ‘Workbook1.xlsx.gpg’, so the next target was the ‘key’ to decrypt it. I looked more closely at the other files, ‘document.txt’, ‘README.md’ and ‘.git’, and found a clue in the ‘.git’ folder.
wasin:secretfiles$ cd .git/
wasin:.git$ ls -a
.   branches        config       HEAD   index  logs  refs
..  COMMIT_EDITMSG  description  hooks  info   objects
wasin:.git$ cat config
[core]
	repositoryformatversion = 0
	filemode = true
	bare = false
	logallrefupdates = true
[remote "origin"]
	url = https://github.com/rc3club/supersecret.git
	fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
	remote = origin
	merge = refs/heads/master
Following the remote URL ‘https://github.com/rc3club/supersecret.git’, we finally found his private key in his repository (https://raw.githubusercontent.com/rc3club/supersecret/master/private.key). (In reality, keeping a private key in a public repository is a bad idea.)
The last time I worked with GPG encryption/decryption was in a computer security class, and I missed it. A problem with a read-only file on Ubuntu meant I couldn’t download the private key there, so I switched to Windows and decrypted the file.
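As an added example (my own code, not part of this writeup or the challenge), here is a small triage script that does programmatically what the writeup did by hand: walk a mounted image, pull the remote URLs out of every .git/config it finds, list OpenPGP-encrypted files, and flag any file that carries an ASCII-armoured private key block. The directory it scans is a constructed stand-in for the mounted image (the layout mirrors the listing above); the private.key it plants is a placeholder, not real key material, and is there only so the detector has something to find.

```python
"""Triage helper for a mounted disk image (added example, not a tool from the
challenge): reports git remotes, OpenPGP-encrypted files and armoured private keys."""
import os
import re
import tempfile

# Git config format: "[section]" or '[section "subsection"]' headers, then key = value lines.
SECTION_RE = re.compile(r'^\s*\[(\w+)(?:\s+"([^"]*)")?\]\s*$')
KEY_RE = re.compile(r'^\s*([\w-]+)\s*=\s*(.*?)\s*$')
PGP_PRIVATE_MARKER = b"-----BEGIN PGP PRIVATE KEY BLOCK-----"
ENCRYPTED_SUFFIXES = (".gpg", ".pgp", ".asc")


def parse_git_remotes(config_text):
    """Return {remote_name: url} from the text of a .git/config file."""
    remotes, section = {}, None
    for line in config_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = (m.group(1), m.group(2))
            continue
        m = KEY_RE.match(line)
        if m and section and section[0] == "remote" and m.group(1) == "url":
            remotes[section[1]] = m.group(2)
    return remotes


def triage(root):
    """Walk `root` (e.g. the mount point of an image) and collect findings.
    Paths in the result are relative to `root`, with "/" separators."""
    remotes, encrypted, private_keys = [], [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            try:
                with open(path, "rb") as f:
                    head = f.read(4096)  # the armour header sits at the top of the file
            except OSError:
                continue  # broken symlinks and unreadable files are common on forensic mounts
            if name == "config" and os.path.basename(dirpath) == ".git":
                repo = os.path.relpath(os.path.dirname(dirpath), root).replace(os.sep, "/")
                with open(path, encoding="utf-8", errors="replace") as f:
                    for remote, url in parse_git_remotes(f.read()).items():
                        remotes.append((repo, remote, url))
            if name.lower().endswith(ENCRYPTED_SUFFIXES):
                encrypted.append(rel)
            if PGP_PRIVATE_MARKER in head:
                private_keys.append(rel)
    return {"remotes": sorted(remotes), "encrypted": sorted(encrypted),
            "private_keys": sorted(private_keys)}


def build_sample_tree():
    """Constructed directory mirroring the writeup's layout; all contents are placeholders."""
    root = tempfile.mkdtemp(prefix="dtrump_")
    git_dir = os.path.join(root, "secretfiles", ".git")
    os.makedirs(git_dir)
    with open(os.path.join(git_dir, "config"), "w") as f:
        f.write('[core]\n\trepositoryformatversion = 0\n\tbare = false\n'
                '[remote "origin"]\n\turl = https://github.com/rc3club/supersecret.git\n'
                '\tfetch = +refs/heads/*:refs/remotes/origin/*\n'
                '[branch "master"]\n\tremote = origin\n\tmerge = refs/heads/master\n')
    with open(os.path.join(root, "secretfiles", "document.txt"), "w") as f:
        f.write("passowrd123\n")
    with open(os.path.join(root, "secretfiles", "Workbook1.xlsx.gpg"), "wb") as f:
        f.write(b"placeholder ciphertext")  # constructed; detection here is by suffix only
    os.makedirs(os.path.join(root, "Downloads"))
    with open(os.path.join(root, "Downloads", "private.key"), "wb") as f:
        f.write(PGP_PRIVATE_MARKER + b"\n(constructed placeholder, not real key material)\n"
                b"-----END PGP PRIVATE KEY BLOCK-----\n")
    return root


if __name__ == "__main__":
    report = triage(build_sample_tree())
    for kind, items in report.items():
        print(kind)
        for item in items:
            print("   ", item)
```

Run against a real mount point, the `remotes` list is the thing to look at first: a remote pointing at a public hosting service is a pivot worth following, and, from the other side, a reason to make sure nothing like private.key was ever pushed there.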
bash-3.1$ gpg --allow-secret-key-import --import private.key
gpg: key 8FFDF6D6: secret key imported
gpg: key 8FFDF6D6: public key "ThugG (lolz) <email@example.com>" imported
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
bash-3.1$ gpg -d Workbook1.xlsx.gpg > Workbook1.xlsx
gpg: encrypted with 1024-bit RSA key, ID E22CB12D, created 2016-11-18
      "ThugG (lolz) <firstname.lastname@example.org>"
After opening the file, it prompted for a password. What is the password? I looked in the ‘secretfiles’ folder and suspected it must be in ‘document.txt’ (passowrd123) or ‘README.md’ (# supersecret). Both were wrong, so I guessed that ‘passowrd123’ was a misspelling of ‘password123’, and that was the right guess.
I couldn’t find the flag, so I decided to look at the other files and directories, and found nothing. The next day I came back to check this file again, and it turned out to be less complicated than I thought. The flag is on the second sheet, which I had already searched: the text is white, so it is invisible in the cell, but you can see it in the formula bar above the sheet when the cell is selected.
Flag : RC3-2016-SNEAKY21
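The white-on-white trick above is easy to miss by eye but easy to find programmatically. As an added example (my own code, not from the writeup), the script below opens an .xlsx as the zip of XML parts it really is, resolves each cell’s style index through cellXfs to its font, and reports every non-empty cell whose font colour is white. It uses only the standard library, so it needs neither Excel nor a third-party module. Two assumptions: the workbook must already be decrypted and unprotected (the challenge file had to be opened with ‘password123’ first), and only explicit ARGB font colours are recognised; a theme-indexed colour such as the default “Background 1” is not resolved here and would be missed. The workbook it scans is constructed in memory with just enough parts for the parser; it is not the challenge file.

```python
"""Find cells hidden by a white font in an .xlsx (added example, standard library only)."""
import io
import zipfile
import xml.etree.ElementTree as ET

M = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS = {"m": M}
WHITE_ARGB = "FFFFFFFF"


def white_font_styles(styles_xml):
    """Return the cellXfs indices (a cell's `s` attribute) whose font colour is white."""
    root = ET.fromstring(styles_xml)
    white_fonts = set()
    for i, font in enumerate(root.findall("m:fonts/m:font", NS)):
        color = font.find("m:color", NS)
        if color is not None and color.get("rgb", "").upper() == WHITE_ARGB:
            white_fonts.add(i)
    # Each <xf> in cellXfs points at a font by fontId; cells point at an <xf> by index.
    return {i for i, xf in enumerate(root.findall("m:cellXfs/m:xf", NS))
            if int(xf.get("fontId", "0")) in white_fonts}


def shared_strings(sst_xml):
    """Shared-string table: cells with t="s" store an index into this list."""
    root = ET.fromstring(sst_xml)
    return ["".join(t.text or "" for t in si.iter(f"{{{M}}}t"))
            for si in root.findall("m:si", NS)]


def cell_text(cell, sst):
    v = cell.find("m:v", NS)
    if v is None or v.text is None:
        return ""
    return sst[int(v.text)] if cell.get("t") == "s" else v.text


def find_hidden_cells(xlsx_bytes):
    """Return [(sheet part, cell reference, text)] for non-empty white-font cells."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        names = set(z.namelist())
        styles = white_font_styles(z.read("xl/styles.xml"))
        sst = shared_strings(z.read("xl/sharedStrings.xml")) if "xl/sharedStrings.xml" in names else []
        for part in sorted(n for n in names if n.startswith("xl/worksheets/sheet") and n.endswith(".xml")):
            for cell in ET.fromstring(z.read(part)).iter(f"{{{M}}}c"):
                if int(cell.get("s", "0")) in styles:
                    text = cell_text(cell, sst)
                    if text:
                        hits.append((part, cell.get("r"), text))
    return hits


def build_sample_workbook():
    """Constructed two-sheet workbook (minimal parts, enough for the parser above):
    sheet1 holds visible text, sheet2 hides a string in white in cell C7."""
    styles = (f'<styleSheet xmlns="{M}"><fonts count="2">'
              '<font><color rgb="FF000000"/></font><font><color rgb="FFFFFFFF"/></font></fonts>'
              '<cellXfs count="2"><xf fontId="0"/><xf fontId="1"/></cellXfs></styleSheet>')
    sst = (f'<sst xmlns="{M}"><si><t>Quarterly totals</t></si>'
           '<si><t>RC3-2016-SNEAKY21</t></si></sst>')
    sheet1 = (f'<worksheet xmlns="{M}"><sheetData><row r="1">'
              '<c r="A1" t="s" s="0"><v>0</v></c><c r="B1" s="0"><v>42</v></c>'
              '</row></sheetData></worksheet>')
    sheet2 = (f'<worksheet xmlns="{M}"><sheetData><row r="7">'
              '<c r="C7" t="s" s="1"><v>1</v></c></row></sheetData></worksheet>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/styles.xml", styles)
        z.writestr("xl/sharedStrings.xml", sst)
        z.writestr("xl/worksheets/sheet1.xml", sheet1)
        z.writestr("xl/worksheets/sheet2.xml", sheet2)
    return buf.getvalue()


if __name__ == "__main__":
    for part, ref, text in find_hidden_cells(build_sample_workbook()):
        print(f"{part} {ref}: {text!r} (white font)")
```

To use it on a real file, pass the bytes of the decrypted workbook to find_hidden_cells; the same style lookup can be extended to catch the other usual hiding spots, such as a font colour that merely matches the cell fill, or cells in hidden rows, columns and sheets.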