Description
Flag.txt was encrypted into flag.txt.enc using OpenSSL AES256. Recover the password from bash history, export the encrypted file, and decrypt it locally.
Load the image into Autopsy and examine `/root/.bash_history` to learn the openssl command used for encryption (password `unbreakablepassword1234567`).
Export flag.txt.enc from the filesystem and copy it to your working directory.
Run `openssl aes256 -d` with the recovered password to obtain flag.txt.
openssl aes256 -salt -in flag.txt.enc -out flag.txt -k unbreakablepassword1234567 -d
cat flag.txt
Solution
- Step 1Inspect bash historyThe commands show exactly how the file was encrypted, including the password. That’s all you need to undo the process.
- Step 2Decrypt the fileRun the inverse openssl command (`-d`) on flag.txt.enc to produce flag.txt and read the picoCTF flag.
Flag
picoCTF{h4un71ng_p457_1d02...}
This teaches you to look for operational artifacts (bash history) when analyzing disk images.