UnforgottenBits

Published: April 26, 2023

Description

A forensic disk image contains IRC logs, gallery BMPs, notes, and deleted emails. Follow the breadcrumbs through steghide, a cracked password derived from League of Legends champions, slack-space analysis, and two rounds of AES decryption to reach the flag.

Download and gunzip the disk image, then open it in Autopsy (sudo autopsy → http://localhost:9999/autopsy). Select image 3 (the largest partition) and click Analyze → File Analysis.

Expand directories and browse to /3/home/yone/ to review IRC logs and gallery files.

wget https://artifacts.picoctf.net/c/485/disk.flag.img.gz
gunzip disk.flag.img.gz
sudo autopsy

Solution

  1. Step 1: Read the IRC logs
    Open /3/home/yone/irclogs/01/04/#avidreader13.log in Autopsy. It reveals the steghide password `akalibardzyratrundle` and the AES-256-CBC parameters: salt=0f3fa17eeacd53a9, key=58593a...d508, iv=7a12fd...91.
    Learn more

    Autopsy is an open-source digital forensics platform built on top of The Sleuth Kit (TSK). It provides a graphical interface for analyzing disk images - browsing the file system, recovering deleted files, viewing file metadata, searching for keywords, and examining timeline data. It's widely used by law enforcement and security researchers for forensic investigations.

    IRC (Internet Relay Chat) logs are plain-text records of chat conversations stored on the user's machine. IRC was the dominant real-time text communication protocol before Slack, Discord, and similar platforms. IRC clients like WeeChat and irssi store logs in structured directory trees organized by server, channel, and date - exactly the path structure seen here (irclogs/01/04/).

    Finding credentials in communication logs is a classic forensic technique. People often share passwords, keys, or other sensitive data in private chats, assuming the conversation is ephemeral. In reality, IRC clients log everything by default, and those logs persist on disk - even after the user thinks they've "deleted" the conversation.

  2. Step 2: Extract from 1.bmp, 2.bmp, 3.bmp (steghide)
    Export the four BMPs from /3/home/yone/gallery/ and run steghide on each. 1.bmp, 2.bmp, and 3.bmp yield frankenstein.txt.enc, dracula.txt.enc, and les-mis.txt.enc. Decrypt each with the IRC-provided AES params - these are red herrings; they contain classic literature, not the flag.
    steghide extract -sf 1.bmp -p akalibardzyratrundle
    steghide extract -sf 2.bmp -p akalibardzyratrundle
    steghide extract -sf 3.bmp -p akalibardzyratrundle
    openssl enc -aes-256-cbc -d -S 0f3fa17eeacd53a9 -K 58593a7522257f2a95cce9a68886ff78546784ad7db4473dbd91aecd9eefd508 -iv 7a12fd4dc1898efcd997a1b9496e7591 -in frankenstein.txt.enc -out frankenstein.txt
    Learn more

    steghide is a steganography tool that hides data inside image and audio files. It embeds secret data in the least significant bits of pixel values (for BMP/JPEG) or audio samples (for WAV/AU), optionally encrypting the hidden data with a passphrase. The host image's visual appearance is imperceptibly altered. steghide uses AES-128 encryption internally to protect the embedded data, in addition to the image-level hiding.

    Red herrings are deliberate distractions in CTF challenges - they look like progress but don't lead to the flag. The encrypted classic literature files here are designed to consume time and make you question whether you have the right password or decryption parameters. Recognizing red herrings requires methodically tracking what you've tried and what the challenge description actually says to find.

    AES-256-CBC (Advanced Encryption Standard, 256-bit key, Cipher Block Chaining mode) is one of the most common symmetric encryption configurations. The openssl enc command performs both encryption and decryption using standard algorithms. The parameters here - salt, key, and IV - fully specify the decryption; all three must be correct for decryption to succeed.

  3. Step 3: Find the partial password in notes
    Browse /3/home/yone/notes/. 3.txt reads: "I keep forgetting this, but it starts like: yasuoaatrox...". This is the beginning of the steghide password for 7.bmp - `yasuo` and `aatrox` are two League of Legends champions.
    Learn more

    Notes files on a user's machine are goldmines for forensic investigators. People frequently write down passwords, reminder hints, or partial credentials in plain-text notes, to-do files, or sticky note applications. Even a partial password like "it starts like: yasuoaatrox..." dramatically reduces the search space for a brute-force attack.

    This clue reveals that the password follows the XKCD #936 "correct horse battery staple" philosophy - using multiple common words concatenated together. The words are League of Legends champion names, which the user apparently knows by heart and uses as a memorable but complex password. The challenge design cleverly ties the user's hobby (gaming) to their password strategy, which is realistic forensic behavior.

  4. Step 4: Email forensics - recover the password strategy
    Use Autopsy's Keyword Search for `yone786@` to surface deleted emails. An email chain between yone786@gmail.com and azerite17@gmail.com references the XKCD #936 password philosophy (four strong words from a favorite game). Since the IRC logs show Yone loves League of Legends, the full password is `yasuoaatrox` + two more LoL champion names.
    Learn more

    Deleted file recovery is a cornerstone of digital forensics. When a file is "deleted," the operating system typically just marks the space as available - the actual data remains on disk until overwritten. Forensic tools like Autopsy, FTK, and Recuva can recover these "deleted" files by scanning for intact file system metadata or known file headers.

    Email forensics on a disk image involves searching for email client database files (Thunderbird's .mbox and .sqlite files, Outlook's .pst/.ost, Evolution's local mail store). Email metadata - sender, recipient, timestamp, subject - often survives even when the body is partially overwritten. Keyword searching for email addresses like yone786@ can surface relevant messages quickly.

    XKCD #936 ("Password Strength") is the famous comic arguing that four random common words concatenated (like "correct horse battery staple") provide more entropy and memorability than complex passwords with symbols substituting letters. The math checks out - but as this challenge shows, the strategy fails if the word universe is small (only ~160 LoL champions) and the attacker knows your interests.

  5. Step 5: Generate a wordlist and stegcrack 7.bmp
    Build a Python script that prepends `yasuoaatrox` to every pair of lowercase champion names and writes the combos to output.txt. Feed that list into stegcracker. After ~1259 attempts it finds the password `yasuoaatroxashecassiopeia` and extracts 7.bmp.out.
    python3 - <<'PY'
    # Known prefix from notes/3.txt; the remaining two words are champion names.
    prefix = 'yasuoaatrox'
    # One champion name per line; lowercase and strip so the output matches
    # the bare-name concatenation style of the known prefix.
    arr = [line.strip().lower() for line in open('leagueOfLegendsChampions.txt') if line.strip()]
    with open('output.txt', 'w') as f:
        for i in arr:
            for j in arr:
                f.write(prefix + i + j + '\n')
    PY
    stegcracker 7.bmp output.txt
    Learn more

    stegcracker is a brute-force tool for steghide that tries passwords from a wordlist. It automates what would otherwise be a tedious manual process of running steghide extract repeatedly. The key insight here is that the password space - while large in theory - is severely constrained by the known prefix (yasuoaatrox) and the known word universe (LoL champion names), reducing it to approximately 160 × 160 = 25,600 combinations.

    Custom wordlist generation is often more effective than generic wordlists like rockyou.txt when the attacker has information about the target's interests or habits. The nested loop approach here generates all pairwise combinations of champion names - a form of combinatorial generation. Real-world tools like CeWL (Custom Word List generator) scrape websites related to a target to build tailored wordlists for password attacks.

    The fact that only ~1259 attempts are needed (out of 25,600) suggests the password was found early alphabetically - ashe and cassiopeia are both early in the champion list. This illustrates why password cracking with a targeted wordlist is far more efficient than brute-force: domain knowledge dramatically reduces the search space.
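The wordlist construction above, written as a reusable generator. This is an added example, not the write-up's own script: it normalizes scraped champion names the way a real list needs (capitals, apostrophes and spaces as in "Kai'Sa" or "Aurelion Sol" would otherwise never match a bare lowercase passphrase), de-duplicates them, and reports the 1-based position of a target in the list, which is the number of attempts a sequential cracker like stegcracker makes before hitting it. The champion names below are a small constructed sample, not the full list, so the counts differ from the 25,600 candidates and ~1259 attempts quoted on the page.

```python
import itertools
import re
from typing import Iterable, List, Optional

# Constructed sample of names in the messy form a scraped list contains.
# Deliberately includes a duplicate ("ashe") and non-letter characters.
SAMPLE_CHAMPIONS = ["Aatrox", "Ahri", "Akali", "Ashe", "Cassiopeia",
                    "Kai'Sa", "Aurelion Sol", "ashe"]

def normalize(name: str) -> str:
    """Lowercase and drop anything outside a-z, matching how the known
    prefix 'yasuoaatrox' concatenates bare names."""
    return re.sub(r"[^a-z]", "", name.lower())

def candidate_words(names: Iterable[str]) -> List[str]:
    """Normalized, de-duplicated, alphabetically sorted word universe."""
    return sorted({normalize(n) for n in names if normalize(n)})

def build_wordlist(prefix: str, names: Iterable[str], remaining: int = 2) -> List[str]:
    """Known prefix followed by every ordered choice of `remaining` names.
    Size is len(words) ** remaining, e.g. 160 * 160 for two unknown words."""
    words = candidate_words(names)
    return [prefix + "".join(combo) for combo in itertools.product(words, repeat=remaining)]

def write_wordlist(path: str, wordlist: Iterable[str]) -> None:
    """Write one candidate per line, the format stegcracker expects."""
    with open(path, "w") as f:
        f.write("\n".join(wordlist) + "\n")

def attempts_needed(wordlist: List[str], target: str) -> Optional[int]:
    """1-based position of target: attempts a sequential cracker spends
    before success, or None if the target is not covered by the list."""
    try:
        return wordlist.index(target) + 1
    except ValueError:
        return None

if __name__ == "__main__":
    wl = build_wordlist("yasuoaatrox", SAMPLE_CHAMPIONS)
    print(len(wl), "candidates")
    print("attempts to reach the real password:",
          attempts_needed(wl, "yasuoaatroxashecassiopeia"))
    write_wordlist("output.txt", wl)
```

Because the list is sorted, a target whose words sit early in the alphabet is reached after roughly (index of first word) × (number of words) + (index of second word) attempts, which is why the page's cracker finished well before exhausting all combinations.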

  6. Step 6: Locate the second key in slack space
    Open the disk in the Windows version of Autopsy (or any tool that exposes slack space). Under Settings → Hide slack files, uncheck both boxes. Inspect 1.txt-slack - it contains encoded data. The browser history in the disk shows research into Golden Ratio Base (φ-base) encoding. Decode the slack data using a golden-ratio-base decoder to obtain a new salt, key, and iv.
    Learn more

    Slack space (also called file slack) is unused space within the last cluster allocated to a file. File systems allocate disk space in fixed-size clusters (e.g., 4096 bytes). If a file is 100 bytes, the entire 4096-byte cluster is still allocated, but 3996 bytes go unused - this gap is the slack space. Data previously written to those sectors may remain there even after the file is overwritten, making slack space a rich source of forensic evidence.

    Golden Ratio Base (Phinary / φ-base) is a non-integer positional numeral system using the golden ratio φ ≈ 1.618 as its base. Every positive integer has a finite representation using only the digits 0 and 1 (in standard form no two 1s are adjacent, closely related to the Zeckendorf representation of integers as sums of non-consecutive Fibonacci numbers). It's a highly unusual encoding with no practical cryptographic purpose, but its obscurity makes it a clever CTF clue - the browser history pointing to research on "golden ratio base" is the key hint that tells you which decoder to use.

    The challenge design here exemplifies multi-layer forensic investigation: you must find data hidden in slack space, recognize an unusual encoding from a contextual clue (browser history), decode it to recover crypto parameters, and then use those parameters in another decryption step. Each layer builds on the previous one, requiring both technical skills and careful attention to the narrative clues embedded throughout the disk.
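The two pieces of this step, carving the bytes past a file's logical end of file and decoding φ-base digits, as an added example that is not code from the write-up. The slack carving takes a file's allocated cluster bytes and its logical size; the φ-base codec does exact arithmetic in numbers of the form a + bφ (using φ² = φ + 1) so the decoder can tell a true integer from a rounding accident. The 4096-byte cluster, the 100-byte "1.txt" content, and the on-slack layout (one φ-base token per byte, space separated) are all assumptions constructed for the demo; the page does not show the raw slack bytes or their exact layout.

```python
from typing import List, Tuple

PHI = (1 + 5 ** 0.5) / 2
CLUSTER = 4096                      # assumed cluster size for the demo
Zphi = Tuple[int, int]              # (a, b) stands for a + b*phi, exactly

# --- slack space -----------------------------------------------------------
def slack_size(file_size: int, cluster: int = CLUSTER) -> int:
    """Unused bytes in the file's last cluster (3996 for a 100-byte file)."""
    return (-file_size) % cluster

def carve_slack(allocated: bytes, file_size: int) -> bytes:
    """Bytes between the logical end of file and the end of its clusters."""
    return allocated[file_size:]

# --- phi-base (phinary) codec ---------------------------------------------
def _val(x: Zphi) -> float:
    return x[0] + x[1] * PHI

def _mul_phi(x: Zphi) -> Zphi:      # (a + b phi) * phi = b + (a + b) phi
    a, b = x
    return (b, a + b)

def _div_phi(x: Zphi) -> Zphi:      # (a + b phi) / phi = (b - a) + a phi
    a, b = x
    return (b - a, a)

def phinary_encode(n: int) -> str:
    """Greedy expansion: take the largest power of phi that still fits."""
    if n < 0:
        raise ValueError("only non-negative integers")
    if n == 0:
        return "0"
    p, k = (1, 0), 0                # p holds phi**k exactly
    while _val(_mul_phi(p)) <= n:
        p, k = _mul_phi(p), k + 1
    r: Zphi = (n, 0)
    int_digits: List[str] = []
    frac_digits: List[str] = []
    while k >= 0 or r != (0, 0):
        if k < -100:
            raise RuntimeError("expansion did not terminate")
        d = (r[0] - p[0], r[1] - p[1])
        if d == (0, 0) or _val(d) > 0:   # phi**k fits into the remainder
            r, digit = d, "1"
        else:
            digit = "0"
        (int_digits if k >= 0 else frac_digits).append(digit)
        p, k = _div_phi(p), k - 1
    return "".join(int_digits) + ("." + "".join(frac_digits) if frac_digits else "")

def phinary_decode(s: str) -> int:
    """Sum the powers of phi marked by 1 digits; reject non-integer results."""
    if not s or s.count(".") > 1 or set(s) - set("01."):
        raise ValueError("not a phinary string: %r" % s)
    int_part, _, frac_part = s.partition(".")
    total: Zphi = (0, 0)
    p: Zphi = (1, 0)                # phi**0, climbing leftwards
    for d in reversed(int_part):
        if d == "1":
            total = (total[0] + p[0], total[1] + p[1])
        p = _mul_phi(p)
    p = (-1, 1)                     # phi**-1 = phi - 1, descending rightwards
    for d in frac_part:
        if d == "1":
            total = (total[0] + p[0], total[1] + p[1])
        p = _div_phi(p)
    a, b = total
    if b != 0:
        raise ValueError("%r is not an integer in phi-base" % s)
    return a

def encode_bytes(data: bytes) -> str:
    return " ".join(phinary_encode(b) for b in data)

def decode_bytes(text: str) -> bytes:
    return bytes(phinary_decode(tok) for tok in text.split())

# --- constructed demo disk data ------------------------------------------
FILE_CONTENT = b"A" * 100                   # what 1.txt logically holds (constructed)
HIDDEN = b"salt=2350e88cbeaf16c9"           # constructed payload left in slack

def build_demo_cluster() -> bytes:
    cluster = FILE_CONTENT + encode_bytes(HIDDEN).encode("ascii")
    return cluster + b"\x00" * (CLUSTER - len(cluster))

def recover_from_slack(allocated: bytes, file_size: int) -> bytes:
    """Carve the slack, drop zero fill, decode the phi-base tokens."""
    return decode_bytes(carve_slack(allocated, file_size).rstrip(b"\x00").decode("ascii"))

if __name__ == "__main__":
    print(phinary_encode(5), phinary_decode("100.01"))
    print(recover_from_slack(build_demo_cluster(), len(FILE_CONTENT)))
```

The exact (a, b) representation is what lets `phinary_decode` refuse a token whose digits do not sum to an integer, a useful sanity check when you are not yet sure the slack data really is φ-base rather than some other 0/1 encoding.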

  7. Step 7: Final AES decryption
    Decrypt 7.bmp.out with the second set of AES parameters recovered from the slack space. Run `cat finallyReleased.txt` to read the flag.
    openssl enc -aes-256-cbc -d -S 2350e88cbeaf16c9 -K a9f86b874bd927057a05408d274ee3a88a83ad972217b81fdc2bb8e8ca8736da -iv 908458e48fc8db1c5a46f18f0feb119f -in 7.bmp.out -out finallyReleased.txt
    cat finallyReleased.txt | grep picoCTF
    Learn more

    AES-256-CBC with an explicit key and IV (as used here with -K and -iv) bypasses the password-based key derivation step that -pass would use. This means the key material must match exactly - not just the password, but the raw hex key bytes. The -S flag specifies the salt used during key derivation, but when -K and -iv are supplied directly, the salt is ignored in some OpenSSL versions. Supplying all three gives you full control over the cipher state.

    CBC (Cipher Block Chaining) mode processes data in fixed-size blocks (16 bytes for AES). Each plaintext block is XORed with the previous ciphertext block before encryption, chaining them together. The IV (Initialization Vector) is used as the "previous block" for the first block, ensuring that identical plaintexts with the same key but different IVs produce different ciphertexts. Without a random IV, AES-CBC leaks information about repeated message prefixes.

    The grep picoCTF at the end accounts for the possibility that finallyReleased.txt contains a lot of text (the decrypted content might be a long document). Piping to grep quickly isolates the flag line. This "needle in a haystack" pattern - decrypting a large file and then searching it - is a common forensics pattern when the flag is embedded in a larger document.

Flag

picoCTF{f473_53413d_de...}

Every clue lives on the disk: IRC logs expose the first AES key, deleted emails reveal the LoL-champion password strategy, and slack space hides the second AES key in golden-ratio-base encoding.
