We managed to get ahold of a flash drive which we think contains the decryption keys for the ransomware that a hacker group tried to deploy on our computer network! However, it seems like the hacker encrypted the flash drive. We know that the organization uses passwords in the format hacker### (hacker + 3 digits) for their disks, but a much stronger encryption password once you login. Can you try to get access to their notes?

LUKS decryption
---------------

We are given a zip file containing an image file of the flash drive. As stated in the problem description, it is a LUKS encrypted volume. Fortunately, the passphrase is of a known format and we only have a small search space to guess the three unknown digits at the end. We wrote a short shell script to brute force the password guessing.

```
#!/bin/bash
# /dev/loop0 is a loop device backed by the unzipped image (created beforehand with losetup).
# The format is hacker### with exactly three digits, so iterate over zero-padded 000..999
# rather than 0..1000; otherwise candidates such as hacker007 would never be tried.
for num in {000..999}; do
    # cryptsetup reads the passphrase from stdin when stdin is not a terminal,
    # so a successful open (exit status 0) means this candidate was correct.
    if echo "hacker${num}" | sudo cryptsetup open /dev/loop0 hackerdrive; then
        echo "hacker${num}"
        break
    fi
done
```

/dev/loop0 is a loop device backed by the unzipped image. When run, this script will eventually print the password 'hacker765' and a mapped device will be unlocked.

Recon
-----

With the unlocked volume mounted, we performed a manual search for interesting files. Among these were:

/note_to_self.txt

```
Note to self: delete notes and notes_normalized tables in .config/joplin/database.sqlite when not in use; allow encrypted sync to restore notes after
```

/.sqlite_history

```
[...]
pragma secure_delete;
select * from notes_normalized;
delete from notes_normalized;
select * from notes_normalized;
vacuum;
.exit
```

/.config/joplin/log.txt

```
[...]
2023-01-16 01:06:52: "Initializing tables..."
2023-01-16 01:06:52: "KeychainService: checking if keychain supported"
2023-01-16 01:06:52: "KeychainService: could not set test password - keychain support will be disabled"
2023-01-16 01:06:52: e2ee/utils: "Master password is not set - trying to get it from the active master key..."
2023-01-16 01:06:52: handleSyncStartupOperation: "Processing operation:", "0"
2023-01-16 01:06:52: App: "Client ID: 5250b22a001e444bbfc4b332e840dea3"
2023-01-16 01:06:52: "First start: detected locale as en_GB"
2023-01-16 01:06:52: models/Setting: "Skipping all default migrations..."
2023-01-16 01:06:52: e2ee/utils: "Trying to load 0 master keys..."
2023-01-16 01:06:52: e2ee/utils: "Loaded master keys: 0"
[...]
```

/.config/joplin/settings.json

```
{
  "$schema": "https://joplinapp.org/schema/settings.json",
  "locale": "en_GB",
  "api.token": "5c3c596604f44ea76007d85c35e97d3a3e7307079a3f9a68e91b62a4ab66b8a8ce0da3693d1e0226709e80887b9428f8a79d281fd468c81b0385000fc6f31052",
  "markdown.plugin.softbreaks": false,
  "markdown.plugin.typographer": false,
  "editor": "emacs",
  "sync.target": 2,
  "sync.2.path": "/home/h4ck3r/encrypted-notes"
}
```

Joplin
------

Joplin's website says: "Joplin is an open source note-taking app. Capture your thoughts and securely access them from any device."

After a while of studying the files shown above, we concluded that the encrypted notes store was also included on the hacker's flash drive, at /encrypted-notes/. Furthermore, the Joplin app was configured to perform a sync automatically (sync.target 2 is a file system target, pointing at the encrypted-notes directory). We set up a Joplin instance and manually imported the hacker's config, which prompted the program to autonomously update its database with the content of the encrypted notes store, restoring the deleted notes tables. The flag was contained within them.
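The .sqlite_history above is worth a closer look, because it explains why the route to the notes went through the encrypted sync store rather than through database.sqlite itself. A plain DELETE in SQLite only marks the row's page space as free, so the note text normally stays carvable from the raw file; the hacker's sequence of `pragma secure_delete`, `delete`, and `vacuum` is what actually removes it. The following added example (not part of the original writeup, and not Joplin's code) builds a throwaway database with a constructed sample note body in a `notes_normalized` table, replays those steps, and reports whether the body is still recoverable by a byte scan of the file. The table name comes from the history; the note body and function names are assumptions for the demonstration.

```python
import os
import sqlite3
import tempfile

# Constructed sample note body; a stand-in for the hacker's note text, not
# anything taken from the challenge image.
NOTE_BODY = "constructed-sample-note-body-0123456789"


def deleted_note_bytes(secure_delete: bool, do_vacuum: bool) -> bytes:
    """Build a throwaway SQLite file with a notes_normalized table, insert
    NOTE_BODY, delete every row the way the .sqlite_history shows, optionally
    VACUUM, and return the raw on-disk bytes of the database file."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    try:
        con = sqlite3.connect(path)
        # secure_delete is a per-connection setting and must already be ON
        # when the DELETE runs, which is exactly the order in the history.
        con.execute("PRAGMA secure_delete = %s" % ("ON" if secure_delete else "OFF"))
        con.execute("CREATE TABLE notes_normalized (id INTEGER PRIMARY KEY, body TEXT)")
        con.execute("INSERT INTO notes_normalized (body) VALUES (?)", (NOTE_BODY,))
        con.commit()
        con.execute("DELETE FROM notes_normalized")
        con.commit()
        if do_vacuum:
            # VACUUM rebuilds the file from live rows only; it cannot run
            # inside an open transaction, hence the commit above.
            con.execute("VACUUM")
        con.close()
        with open(path, "rb") as fh:
            return fh.read()
    finally:
        os.remove(path)


def note_is_carvable(secure_delete: bool, do_vacuum: bool) -> bool:
    """True if NOTE_BODY can still be found by a plain byte scan of the file."""
    return NOTE_BODY.encode() in deleted_note_bytes(secure_delete, do_vacuum)


def survival_matrix() -> dict:
    """Carvability for every combination of the two anti-forensic steps."""
    return {
        (sd, vac): note_is_carvable(sd, vac)
        for sd in (False, True)
        for vac in (False, True)
    }


if __name__ == "__main__":
    for (sd, vac), survives in survival_matrix().items():
        print(f"secure_delete={sd!s:5} vacuum={vac!s:5} -> body carvable: {survives}")
```

Running the script shows that only the bare DELETE leaves the body carvable; either `secure_delete` or `VACUUM` on its own is enough to remove it, and the hacker used both. That is the practical reason the deleted tables had to be repopulated from the encrypted sync target instead of being carved from the flash drive's database file, and it is also why, on the defensive side, artefacts such as .sqlite_history and sync directories matter as much as the database itself.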