We managed to get ahold of a flash drive which we think contains the decryption
keys for the ransomware that a hacker group tried to deploy on our computer
network! However, it seems like the hacker encrypted the flash drive. We know
that the organization uses passwords in the format hacker### (hacker + 3 digits)
for their disks, but a much stronger encryption password once you login. Can
you try to get access to their notes?
LUKS decryption
---------------
We are given a zip file containing an image of the flash drive. As stated in
the problem description, it is a LUKS-encrypted volume. Fortunately, the
passphrase has a known format, so the search space is limited to the three
unknown trailing digits. We wrote a short shell script to brute force them.
```
#!/bin/bash
# /dev/loop0 is the loop device backed by the unzipped image.
# {000..999} keeps leading zeros so every hacker### candidate is tried.
for num in {000..999}; do
    # cryptsetup reads the passphrase from stdin when stdin is not a terminal
    if echo "hacker${num}" | sudo cryptsetup open /dev/loop0 hackerdrive 2>/dev/null; then
        echo "hacker${num}"
        break
    fi
done
```
/dev/loop0 is a loop device backed by the unzipped image. When run, the script
eventually prints the password 'hacker765' and leaves the unlocked volume
mapped as /dev/mapper/hackerdrive.
Recon
-----
With the unlocked volume mounted, we performed a manual search for interesting
files. Among these were:
/note_to_self.txt
```
Note to self: delete notes and notes_normalized tables in
.config/joplin/database.sqlite when not in use; allow encrypted sync to restore
notes after
```
/.sqlite_history
```
[...]
pragma secure_delete;
select * from notes_normalized;
delete from notes_normalized;
select * from notes_normalized;
vacuum;
.exit
```
/.config/joplin/log.txt
```
[...]
2023-01-16 01:06:52: "Initializing tables..."
2023-01-16 01:06:52: "KeychainService: checking if keychain supported"
2023-01-16 01:06:52: "KeychainService: could not set test password - keychain support will be disabled"
2023-01-16 01:06:52: e2ee/utils: "Master password is not set - trying to get it from the active master key..."
2023-01-16 01:06:52: handleSyncStartupOperation: "Processing operation:", "0"
2023-01-16 01:06:52: App: "Client ID: 5250b22a001e444bbfc4b332e840dea3"
2023-01-16 01:06:52: "First start: detected locale as en_GB"
2023-01-16 01:06:52: models/Setting: "Skipping all default migrations..."
2023-01-16 01:06:52: e2ee/utils: "Trying to load 0 master keys..."
2023-01-16 01:06:52: e2ee/utils: "Loaded master keys: 0"
[...]
```
/.config/joplin/settings.json
```
{
"$schema": "https://joplinapp.org/schema/settings.json",
"locale": "en_GB",
"api.token": "5c3c596604f44ea76007d85c35e97d3a3e7307079a3f9a68e91b62a4ab66b8a8ce0da3693d1e0226709e80887b9428f8a79d281fd468c81b0385000fc6f31052",
"markdown.plugin.softbreaks": false,
"markdown.plugin.typographer": false,
"editor": "emacs",
"sync.target": 2,
"sync.2.path": "/home/h4ck3r/encrypted-notes"
}
```
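The .sqlite_history above explains why the deleted rows could not simply be carved out of database.sqlite: with secure_delete on, SQLite zeroes freed cells instead of leaving them in place. The following Python script is an added example for this writeup, not one of the challenge files; it builds a throwaway database with one constructed note, deletes it with secure_delete off and on, and scans the raw file for the note text, setting the pragma explicitly because `pragma secure_delete;` without a value (as in the history) only reports the current setting.

```python
import os
import sqlite3
import tempfile

# Constructed stand-in for note content; not the real flag from the challenge.
MARKER = b"FLAG{constructed-example-not-the-real-flag}"


def deleted_note_recoverable(secure_delete: bool, vacuum: bool = False) -> bool:
    """Build a throwaway Joplin-like database with one note, delete it the way
    the hacker's .sqlite_history shows, and report whether the note text can
    still be carved out of the raw file with a plain byte search."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "database.sqlite")
        conn = sqlite3.connect(path)
        # 'pragma secure_delete;' with no value only prints the setting, so set
        # it explicitly to make both outcomes reproducible.
        conn.execute(f"PRAGMA secure_delete = {'ON' if secure_delete else 'OFF'}")
        conn.execute(
            "CREATE TABLE notes (id INTEGER PRIMARY KEY, title TEXT, body TEXT)"
        )
        conn.execute(
            "INSERT INTO notes (title, body) VALUES (?, ?)", ("todo", MARKER.decode())
        )
        conn.commit()
        # Same shape as 'delete from notes_normalized;' in the history.
        conn.execute("DELETE FROM notes")
        conn.commit()
        if vacuum:
            conn.execute("VACUUM")  # rebuilds the file, as the history also did
        conn.close()
        with open(path, "rb") as fh:
            return MARKER in fh.read()


if __name__ == "__main__":
    for flag in (False, True):
        print(
            f"secure_delete={'ON' if flag else 'OFF'}: note text still in file ->",
            deleted_note_recoverable(flag),
        )
```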
Joplin
------
Joplin's website says: "Joplin is an open source note-taking app. Capture your
thoughts and securely access them from any device." After studying the files
shown above for a while, we concluded that the encrypted notes store was also
included on the hacker's flash drive, at /encrypted-notes/, and that the Joplin
app was configured to sync with it automatically (sync.target 2, with
sync.2.path pointing at that directory). We set up a Joplin instance and
manually imported the hacker's config, prompting the program to repopulate the
notes database tables from the encrypted notes store. The flag was contained
within them.