picoCTF 'Verify' Write Up

Enumeration

Once you unzip the given archive, you'll find a checksum.txt file, a decrypt.sh script, and a files directory holding about 300 files. Let's take a look at what we have!

decrypt.sh

The main line that forms the decryption logic is the following:

openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 -salt -in "/home/ctf-player/drop-in/$file_name" -k picoCTF

That absolute path (/home/ctf-player/drop-in/) only exists on the challenge's own machine; locally we are working out of the unzipped copy, so let's remove the absolute file paths on lines 14 and 20 so the command becomes `openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 -salt -in "$file_name" -k picoCTF`. Note that the password (picoCTF) is hard-coded and PBKDF2 with 100000 iterations is only there to slow down guessing, so the real puzzle is not the key but picking the right input file.

checksum.txt

We have a checksum in plaintext, but which algorithm produced it? The checksum is 64 hex characters long, which is 32 bytes, or a 256-bit digest. A simple Google search for that length turns up the following:

[Image: Checksum Google search]

It was most likely generated with SHA-256. A few other hashes (SHA3-256, BLAKE2s) also produce 256 bits, but SHA-256 is by far the most common choice for a file checksum, and running sha256sum over the candidates will confirm the guess as soon as one file matches.

files directory

The files directory is a collection of files with random-looking names and contents. Most likely exactly one of them hashes to the value in checksum.txt; that is the file we need to feed to decrypt.sh to get our flag.

Finding the File

We can use the find command along with the -exec flag to run sha256sum on everything under files.

find files -exec sha256sum {} \;

As written, find also hands the files directory itself to sha256sum, which only produces an "Is a directory" error line. Let's restrict the search to regular files with -type f.

find files -type f -exec sha256sum {} \;

Lastly, let's grep the output for the first 5 characters of our expected checksum, fba9f. With only ~300 files a 5-character prefix (20 bits) is plenty to single out one file, but when in doubt grep for the full 64-character digest so a partial match can't point you at the wrong file.

find files -type f -exec sha256sum {} \; | grep fba9f

Let’s run it, and we find the file we’re looking for!

┌─[parrot@parrot]─[~/Downloads/home/ctf-player/drop-in]
└──╼ $find files -type f -exec sha256sum {} \; | grep fba9f
fba9f49bf22aa7188a155768ab0dfdc1f9b86c47976cd0f7c9003af2e20598f7  files/87590c24

Decrypting the File

We now know the file we need is files/87590c24. Let’s run the decrypt.sh script on it.

┌─[parrot@parrot]─[~/Downloads/home/ctf-player/drop-in]
└──╼ $./decrypt.sh files/87590c24
picoCTF{trust_but_verify_87590c24}

We found our flag! picoCTF{trust_but_verify_87590c24}
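Putting the two steps together, here is an added example script (not part of the original write-up or of the challenge files) that locates the target by comparing the full SHA-256 digest from checksum.txt rather than a prefix, then decrypts it with the same openssl parameters decrypt.sh uses. The temporary directory layout, the decoy files, the flag text and the function names find_by_sha256 and decrypt_drop are constructed for the demo; the only thing taken from the challenge is the openssl command line.

```shell
#!/usr/bin/env bash
# Added example, not the challenge's decrypt.sh: find the one file whose
# SHA-256 equals the digest in checksum.txt (full match, not a prefix), then
# decrypt it with the same openssl options decrypt.sh uses. The directory,
# decoy files and flag text below are constructed for the demo.
set -eu

# Print the path(s) under $1 whose SHA-256 equals the 64-hex-char digest $2.
# awk compares the whole digest, so a partial match can never be returned.
# "-exec ... +" batches paths into one sha256sum call instead of one per file.
find_by_sha256() {
    local dir="$1" want="$2"
    find "$dir" -type f -exec sha256sum {} + \
        | awk -v want="$want" '$1 == want { print $2 }'
}

# Decrypt one file exactly as decrypt.sh does (AES-256-CBC, PBKDF2 with
# 100000 iterations, password "picoCTF"); plaintext goes to stdout.
decrypt_drop() {
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 -salt -in "$1" -k picoCTF
}

# Constructed drop-in directory: three random decoys and one encrypted flag.
workdir="$(mktemp -d)"
trap 'rm -rf "$workdir"' EXIT
mkdir -p "$workdir/files"
for i in 1 2 3; do
    head -c 64 /dev/urandom > "$workdir/files/decoy$i"
done
printf 'picoCTF{example_flag}\n' \
    | openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -salt -k picoCTF \
        -out "$workdir/files/target"
# checksum.txt holds the digest of the target, as in the challenge.
sha256sum "$workdir/files/target" | awk '{ print $1 }' > "$workdir/checksum.txt"

# Locate the file by full digest, then decrypt it.
hit="$(find_by_sha256 "$workdir/files" "$(cat "$workdir/checksum.txt")")"
echo "matched: $hit"
decrypt_drop "$hit"
```

Run it with bash; it needs sha256sum (coreutils) and openssl on PATH, and on macOS you would substitute `shasum -a 256` for sha256sum. Because the match is `$1 == want` on the entire digest, the script prints nothing at all when no file matches, which is the behaviour you want from a verification step: a silent miss is far easier to notice than a wrong file decrypting to garbage.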