Writeup LACTF 2023 / A hacker's notes

Signed-off-by: Malfurious <m@lfurio.us>

1 files changed, 104 insertions, 0 deletions

diff --git a/docs/writeups/2023/lactf/misc/a-hackers-notes.txt b/docs/writeups/2023/lactf/misc/a-hackers-notes.txt
new file mode 100644
index 0000000..37719da
--- /dev/null
+++ b/docs/writeups/2023/lactf/misc/a-hackers-notes.txt
@@ -0,0 +1,104 @@
+We managed to get ahold of a flash drive which we think contains the decryption
+keys for the ransomware that a hacker group tried to deploy on our computer
+network!  However, it seems like the hacker encrypted the flash drive.  We know
+that the organization uses passwords in the format hacker### (hacker + 3 digits)
+for their disks, but a much stronger encryption password once you login.  Can
+you try to get access to their notes?
+
+
+
+
+LUKS decryption
+---------------
+We are given a zip file containing an image file of the flash drive.  As stated
+in the problem description, it is a LUKS encrypted volume.  Fortunately, the
+passphrase is of a known format and we only have a small search space to guess
+the three unknown digits at the end.  We wrote a short shell script to
+brute force the password guessing.
+
+```
+#!/bin/bash
+
+for num in {0..1000}; do
+    echo "hacker${num}" | sudo cryptsetup open /dev/loop0 hackerdrive
+    if [ $? -eq 0 ]; then
+        echo "hacker${num}"
+        break
+    fi
+done
+```
+
+/dev/loop0 is a loop device backed by the unzipped image.  When run, this script
+will eventually print the password 'hacker765' and a mapped device will be
+unlocked.
+
+
+
+
+Recon
+-----
+With the unlocked volume mounted, we performed a manual search for interesting
+files.  Among these were:
+
+/note_to_self.txt
+```
+Note to self: delete notes and notes_normalized tables in
+.config/joplin/database.sqlite when not in use; allow encrypted sync to restore
+notes after
+```
+
+/.sqlite_history
+```
+[...]
+pragma secure_delete;
+select * from notes_normalized;
+delete from notes_normalized;
+select * from notes_normalized;
+vacuum;
+.exit
+```
+
+/.config/joplin/log.txt
+```
+[...]
+2023-01-16 01:06:52: "Initializing tables..."
+2023-01-16 01:06:52: "KeychainService: checking if keychain supported"
+2023-01-16 01:06:52: "KeychainService: could not set test password - keychain support will be disabled"
+2023-01-16 01:06:52: e2ee/utils: "Master password is not set - trying to get it from the active master key..."
+2023-01-16 01:06:52: handleSyncStartupOperation: "Processing operation:", "0"
+2023-01-16 01:06:52: App: "Client ID: 5250b22a001e444bbfc4b332e840dea3"
+2023-01-16 01:06:52: "First start: detected locale as en_GB"
+2023-01-16 01:06:52: models/Setting: "Skipping all default migrations..."
+2023-01-16 01:06:52: e2ee/utils: "Trying to load 0 master keys..."
+2023-01-16 01:06:52: e2ee/utils: "Loaded master keys: 0"
+[...]
+```
+
+/.config/joplin/settings.json
+```
+{
+    "$schema": "https://joplinapp.org/schema/settings.json",
+    "locale": "en_GB",
+    "api.token": "5c3c596604f44ea76007d85c35e97d3a3e7307079a3f9a68e91b62a4ab66b8a8ce0da3693d1e0226709e80887b9428f8a79d281fd468c81b0385000fc6f31052",
+    "markdown.plugin.softbreaks": false,
+    "markdown.plugin.typographer": false,
+    "editor": "emacs",
+    "sync.target": 2,
+    "sync.2.path": "/home/h4ck3r/encrypted-notes"
+}
+```
+
+
+
+
+Joplin
+------
+Joplin's website says: "Joplin is an open source note-taking app. Capture your
+thoughts and securely access them from any device."  After a while of studying
+the files shown above, we conculded that the encrypted notes store was also
+included on the hacker's flash drive, at /encrypted-notes/.  Futrhermore, that
+the Joplin app was configured to be capable of performing a sync automatically.
+
+We setup a Joplin instance and manually imported the hacker's config prompting
+the program to autonomously update with the content of the encrypted notes
+database tables.  The flag was contained within them.