picoCTF 'Verify' Write Up
Enumeration
Once you unzip the given folder, you'll find a checksum.txt file, a decrypt.sh file, and a files directory. There are about 300 files in the files directory. Let's take a look at what we have!
decrypt.sh
The main line that forms the decryption logic is the following:
openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 -salt -in "/home/ctf-player/drop-in/$file_name" -k picoCTF
For good measure, let's remove the absolute file paths on lines 14 and 20, so the script works from wherever we unzipped the folder, to get `openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 -salt -in "$file_name" -k picoCTF`.
checksum.txt
We have a checksum in plaintext, but what algorithm was used to make it? The checksum is 64 hex characters long, i.e. 256 bits. A quick Google search confirms that a digest of that length was most likely generated with the SHA-256 algorithm.
files directory
The files directory is a collection of random plaintext files. We most likely need to figure out which of these files produces the checksum in checksum.txt, and then we can use the decrypt.sh script on that file to get our flag.
Finding the File
We can use the find command along with the -exec flag to execute a command on every file.
find files -exec sha256sum {} \;
Let’s modify the command to only find files.
find files -type f -exec sha256sum {} \;
Lastly, let’s grep the output to search for the first 5 characters of our expected checksum.
find files -type f -exec sha256sum {} \; | grep fba9f
Let’s run it, and we find the file we’re looking for!
┌─[parrot@parrot]─[~/Downloads/home/ctf-player/drop-in]
└──╼ $find files -type f -exec sha256sum {} \; | grep fba9f
fba9f49bf22aa7188a155768ab0dfdc1f9b86c47976cd0f7c9003af2e20598f7 files/87590c24
Decrypting the File
We now know the file we need is files/87590c24. Let's run the decrypt.sh script on it.
┌─[parrot@parrot]─[~/Downloads/home/ctf-player/drop-in]
└──╼ $./decrypt.sh files/87590c24
picoCTF{trust_but_verify_87590c24}
We found our flag! picoCTF{trust_but_verify_87590c24}
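The two steps above (match the checksum, then decrypt) combined into one script, as an added example that is not part of the original write-up or the challenge's decrypt.sh. It compares the full 64-hex digest instead of a 5-character grep prefix, so a decoy file that happens to share the prefix cannot be picked by mistake; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the write-up: locate the file whose SHA-256
# matches checksum.txt by comparing the FULL 64-hex digest (a 5-character
# grep can match more than one file), then decrypt it with the same openssl
# parameters decrypt.sh uses. Function names are my own.

# Print the path of the file under "$2" whose SHA-256 equals the digest in
# "$1". Returns 1 if nothing matches and 2 if more than one file does.
find_by_sha256() {
    checksum_file=$1
    dir=$2
    # Keep only the first 64 hex chars, lower-cased, in case checksum.txt
    # carries a trailing filename or a CR/LF.
    expected=$(tr -d '\r\n' < "$checksum_file" | cut -c1-64 | tr 'A-F' 'a-f')
    # sha256sum prints "<64 hex>  <path>", so the path starts at column 67.
    matches=$(find "$dir" -type f -exec sha256sum {} \; \
              | awk -v h="$expected" '$1 == h { print substr($0, 67) }')
    count=$(printf '%s\n' "$matches" | awk 'NF { n++ } END { print n + 0 }')
    if [ "$count" -eq 0 ]; then
        echo "no file matches $expected" >&2
        return 1
    elif [ "$count" -gt 1 ]; then
        echo "ambiguous: $count files match $expected" >&2
        return 2
    fi
    printf '%s\n' "$matches"
}

# Decrypt the verified file with decrypt.sh's parameters and print the
# plaintext (the flag). Nothing is decrypted if verification fails.
decrypt_verified() {
    file=$(find_by_sha256 "$1" "$2") || return $?
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 -salt \
        -in "$file" -k picoCTF
}

# Usage from the unzipped challenge directory:
# decrypt_verified checksum.txt files
```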