Description
Flag.txt was encrypted into flag.txt.enc using OpenSSL AES256. Use Sleuth Kit to browse the disk image, find the encrypted file and bash history, then decrypt the file using the password from bash history.
Decompress the disk image: gunzip disk.flag.img.gz.
Use mmls disk.flag.img to find the main partition offset, then fls -r -o <offset> to list files.
Find flag.txt.enc and the bash history file using fls, extract both with icat.
Read bash history to recover the AES decrypt command, then run it.
gunzip disk.flag.img.gzmmls disk.flag.imgfls -r -o <OFFSET> disk.flag.img | grep -E 'flag|bash_history'icat -o <OFFSET> disk.flag.img <BASH_HISTORY_INODE>icat -o <OFFSET> disk.flag.img <FLAG_ENC_INODE> > flag.txt.encopenssl aes256 -d -in flag.txt.enc -out flag.txtcat flag.txtSolution
Walk me through it- Step 1Find files and inspect bash historyUse
fls -rto find the bash history inode, thenicatto extract it. The history shows exactly how flag.txt was encrypted, including the password. That is all you need to undo the process.Learn more
Bash history (
~/.bash_history) records every command typed in a terminal session and persists across reboots. It is one of the first places a forensic investigator examines when analyzing a disk image, because it shows exactly what commands a user ran - including commands with sensitive arguments like passwords, API keys, and file paths.The critical mistake here is passing the password directly on the command line with
-k password. This exposes the password in at least three places: the shell history file, the process list (readable by other users while the command is running viaps aux), and potentially shell log files. The safer approach is to use-pass file:keyfileor let OpenSSL prompt interactively, which keeps the password out of both history and process listings.In real forensics, bash history often reveals attacker tooling, downloaded scripts, data exfiltration commands, and privilege escalation attempts. Attackers sometimes try to clear history with
history -cor by settingHISTSIZE=0, but the on-disk.bash_historyfile may still contain entries if the session wasn't terminated cleanly. - Step 2Decrypt the fileRun the inverse openssl command (
-d) on flag.txt.enc to produce flag.txt and read the picoCTF flag.Learn more
AES-256 (Advanced Encryption Standard with a 256-bit key) is the current gold standard for symmetric encryption. It is used by governments, militaries, and commercial software worldwide. Unlike DES or 3DES, AES has no practical known attacks against the algorithm itself when used correctly - the weakness demonstrated here is entirely in key management, not the cipher.
OpenSSL's
aes256subcommand uses AES in CBC mode by default with a password-based key derivation function (EVP_BytesToKey) and a random salt (when-saltis specified). The salt is prepended to the ciphertext so that decryption can derive the same key. The-dflag switches from encryption to decryption mode.The irony of naming a password
unbreakablepassword1234567while storing it in bash history illustrates the real-world principle that the strength of encryption is only as good as the security of the key. AES-256 is mathematically unbreakable with a good key, but a key stored in plaintext in a recoverable file provides no protection at all.
Flag
picoCTF{h4un71ng_p457_1d02...}
Sister challenge to Operation Oni - same disk-image methodology, different artifact. Oni rewards you with an SSH key; here the bash history hands you the password to a locally encrypted file. Verify the encrypted blob actually decrypts (the openssl `-d` exit code is 0) before assuming you've grabbed the right file from the image.