-rw-r--r-- docs/writeups/2023/lactf/misc/a-hackers-notes.txt 104
1 files changed, 104 insertions, 0 deletions
diff --git a/docs/writeups/2023/lactf/misc/a-hackers-notes.txt b/docs/writeups/2023/lactf/misc/a-hackers-notes.txt
new file mode 100644
index 0000000..37719da
--- /dev/null
+++ b/docs/writeups/2023/lactf/misc/a-hackers-notes.txt
@@ -0,0 +1,104 @@
+We managed to get ahold of a flash drive which we think contains the decryption
+keys for the ransomware that a hacker group tried to deploy on our computer
+network! However, it seems like the hacker encrypted the flash drive. We know
+that the organization uses passwords in the format hacker### (hacker + 3 digits)
+for their disks, but a much stronger encryption password once you login. Can
+you try to get access to their notes?
+
+
+
+
+LUKS decryption
+---------------
+We are given a zip file containing an image file of the flash drive. As stated
+in the problem description, it is a LUKS encrypted volume. Fortunately, the
+passphrase is of a known format and we only have a small search space to guess
+the three unknown digits at the end. We wrote a short shell script to
+brute force the password guessing.
+
+```
+#!/bin/bash
+
+for num in {0..1000}; do
+ echo "hacker${num}" | sudo cryptsetup open /dev/loop0 hackerdrive
+ if [ $? -eq 0 ]; then
+ echo "hacker${num}"
+ break
+ fi
+done
+```
+
+/dev/loop0 is a loop device backed by the unzipped image. When run, this script
+will eventually print the password 'hacker765' and a mapped device will be
+unlocked.
+
+
+
+
+Recon
+-----
+With the unlocked volume mounted, we performed a manual search for interesting
+files. Among these were:
+
+/note_to_self.txt
+```
+Note to self: delete notes and notes_normalized tables in
+.config/joplin/database.sqlite when not in use; allow encrypted sync to restore
+notes after
+```
+
+/.sqlite_history
+```
+[...]
+pragma secure_delete;
+select * from notes_normalized;
+delete from notes_normalized;
+select * from notes_normalized;
+vacuum;
+.exit
+```
+
+/.config/joplin/log.txt
+```
+[...]
+2023-01-16 01:06:52: "Initializing tables..."
+2023-01-16 01:06:52: "KeychainService: checking if keychain supported"
+2023-01-16 01:06:52: "KeychainService: could not set test password - keychain support will be disabled"
+2023-01-16 01:06:52: e2ee/utils: "Master password is not set - trying to get it from the active master key..."
+2023-01-16 01:06:52: handleSyncStartupOperation: "Processing operation:", "0"
+2023-01-16 01:06:52: App: "Client ID: 5250b22a001e444bbfc4b332e840dea3"
+2023-01-16 01:06:52: "First start: detected locale as en_GB"
+2023-01-16 01:06:52: models/Setting: "Skipping all default migrations..."
+2023-01-16 01:06:52: e2ee/utils: "Trying to load 0 master keys..."
+2023-01-16 01:06:52: e2ee/utils: "Loaded master keys: 0"
+[...]
+```
+
+/.config/joplin/settings.json
+```
+{
+ "$schema": "https://joplinapp.org/schema/settings.json",
+ "locale": "en_GB",
+ "api.token": "5c3c596604f44ea76007d85c35e97d3a3e7307079a3f9a68e91b62a4ab66b8a8ce0da3693d1e0226709e80887b9428f8a79d281fd468c81b0385000fc6f31052",
+ "markdown.plugin.softbreaks": false,
+ "markdown.plugin.typographer": false,
+ "editor": "emacs",
+ "sync.target": 2,
+ "sync.2.path": "/home/h4ck3r/encrypted-notes"
+}
+```
+
+
+
+
+Joplin
+------
+Joplin's website says: "Joplin is an open source note-taking app. Capture your
+thoughts and securely access them from any device." After a while of studying
+the files shown above, we conculded that the encrypted notes store was also
+included on the hacker's flash drive, at /encrypted-notes/. Futrhermore, that
+the Joplin app was configured to be capable of performing a sync automatically.
+
+We setup a Joplin instance and manually imported the hacker's config prompting
+the program to autonomously update with the content of the encrypted notes
+database tables. The flag was contained within them.
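Review bot: the brute-force loop in the "LUKS decryption" section does not match the hacker### format the challenge states: `for num in {0..1000}` produces unpadded values (hacker0, hacker1, ..., hacker1000), so candidates below 100 are tried without their leading zeros and the final value has four digits. Suggest `for num in {000..999}; do`, which makes bash zero-pad the range and covers exactly the 1000 three-digit passwords. Two smaller points in the same script: `$?` is checked after a pipeline into `sudo`, so the loop only works when sudo does not prompt for its own password (it would otherwise consume the candidate from the pipe), worth a sentence in the text; and a successful `cryptsetup open` leaves `hackerdrive` mapped, which is what the following paragraph relies on, so the `break` is correct but the writeup could say the mapping persists. In the "Joplin" section, fix the typos "conculded" and "Futrhermore", and "We setup a Joplin instance" should read "We set up a Joplin instance".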