Operation Oni

Published: July 20, 2023

Description

A disk image hides an SSH key in /root/.ssh/id_ed25519. Export the key, fix its permissions, and use it to log into the remote box and read flag.txt.

Mount or load the disk in Autopsy and navigate to /root/.ssh/id_ed25519.

Export the private key, rename it (e.g., key_file), and run `chmod 600 key_file`.

Run `ssh -i key_file -p 53918 ctf-player@saturn.picoctf.net`, then read flag.txt.

chmod 600 key_file
ssh -i key_file -p 53918 ctf-player@saturn.picoctf.net
cat flag.txt

Solution

  1. Step 1: Recover the key
    Inside /root/.ssh is id_ed25519. Export it, and rename to match the sample command from the prompt (key_file).

    Autopsy is an open-source digital forensics platform built on top of The Sleuth Kit. It can mount disk images (raw, E01, VMDK, etc.) and browse their filesystem contents without booting the image, which is useful for examining files from a potentially compromised system without running its code. Alternatives include `mount -o loop disk.img /mnt/point` on Linux or tools like FTK Imager for Windows.

    Ed25519 is an elliptic-curve digital signature algorithm that generates very short (256-bit) keys with strong security properties. SSH key files in /root/.ssh/ are some of the most sensitive files on a Linux system: the private key (id_ed25519) allows authentication, here as root, to any server that lists the corresponding public key (id_ed25519.pub) in an authorized_keys file.

    In real forensics investigations, recovering SSH private keys from a disk image is a significant finding - it means the attacker may have had (or still have) access to other systems. The investigation would expand to identify which servers have the corresponding public key in their authorized_keys files.

  2. Step 2: SSH into the box
    Fix permissions (`chmod 600 key_file`) and connect with the provided port. Once logged in, `ls` reveals flag.txt.

    SSH enforces strict permissions on private key files: if the key file is readable by anyone other than the owner, SSH refuses to use it and displays a "Permissions too open" error. chmod 600 sets read/write for owner only (rw-------), satisfying this requirement. This is a security measure - it prevents other local users from reading your private key.

    The -i key_file flag tells SSH to use a specific identity file instead of searching the default locations (~/.ssh/id_rsa, ~/.ssh/id_ed25519, etc.). The -p 53918 flag specifies a non-standard port - running SSH on a non-default port is a common practice to reduce automated scanning noise, though it provides minimal actual security since port scanners like nmap find it easily.

    This challenge combines two skills: disk forensics (extracting artifacts from an image) and SSH authentication (using a key to log in). Both appear together in real incident response scenarios where an attacker left behind persistence mechanisms like authorized SSH keys, and the investigator needs to understand what access was established.
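    The investigation step described under both Learn more sections above, as an added example that is not part of the original writeup: it parses the exported openssh-key-v1 file with the standard library only, derives the authorized_keys line and SHA256 fingerprint that identify the key on other hosts, matches it against a constructed authorized_keys file, and applies the same owner-only permission check ssh does. The sample key is constructed in-block (its public value is a hash stand-in, not a real Ed25519 point), and all function names are my own.

```python
import base64, hashlib, os, stat, struct
MAGIC = b"openssh-key-v1\0"

def _s(b):                 # SSH wire "string": uint32 big-endian length + bytes
    return struct.pack(">I", len(b)) + b

def _read_s(buf, off):     # inverse of _s; returns (bytes, next_offset)
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_openssh_private_key(text):
    """Return the public-key blob from an OpenSSH private key file; the blob is
    stored in the clear even when the private half is passphrase-protected."""
    lines = text.strip().splitlines()
    assert lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----", "not an OpenSSH key file"
    raw = base64.b64decode("".join(lines[1:-1]))
    assert raw.startswith(MAGIC), "bad magic"
    off = len(MAGIC)
    for _ in range(3):                     # ciphername, kdfname, kdfoptions (skipped)
        _, off = _read_s(raw, off)
    off += 4                               # uint32 number of keys (always 1)
    blob, _ = _read_s(raw, off)            # exactly the bytes authorized_keys stores
    return blob

def authorized_keys_line(blob):            # what `ssh-keygen -y` prints for the key
    key_type, _ = _read_s(blob, 0)
    return key_type.decode() + " " + base64.b64encode(blob).decode()

def fingerprint(blob):                     # what `ssh-keygen -lf` prints for the key
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def matching_entries(blob, authorized_keys_text):
    """authorized_keys lines (with or without leading options) that accept this key."""
    want = base64.b64encode(blob).decode()
    return [l for l in authorized_keys_text.splitlines() if want in l.split()]

def key_mode_ok(path):                     # ssh's "too open" check: no group/other bits
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0

def build_sample_key(seed, comment=b"constructed"):
    """Constructed openssh-key-v1 file for the demo (public value is a hash stand-in)."""
    pub = hashlib.sha256(seed).digest()
    blob = _s(b"ssh-ed25519") + _s(pub)
    priv = b"\x01\x02\x03\x04" * 2 + _s(b"ssh-ed25519") + _s(pub) + _s(seed + pub) + _s(comment)
    priv += bytes(range(1, 9 - len(priv) % 8)) if len(priv) % 8 else b""   # 1,2,3.. pad to 8
    raw = MAGIC + _s(b"none") * 2 + _s(b"") + struct.pack(">I", 1) + _s(blob) + _s(priv)
    b64 = base64.b64encode(raw).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"
```

Point `parse_openssh_private_key` at the exported id_ed25519 and `matching_entries` at each candidate host's authorized_keys to list where the recovered key grants access; `key_mode_ok("key_file")` is the check that `chmod 600` is meant to satisfy.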

Flag

picoCTF{k3y_5l3u7h_3396...}

This exercise reinforces basic SSH hygiene and disk forensics simultaneously.
