Description
People keep trying to trick my players with imitation flags. I want to make sure they get the real thing! I'm going to provide the SHA-256 hash and a decrypt script to help you know that my flags are legitimate.
Setup
Hash + decrypt
Download/ssh into the drop-in directory and note checksum.txt, decrypt.sh, and files/.
Have sha256sum and openssl available (both are standard on Linux).
wget https://artifacts.picoctf.net/c_rhea/12/challenge.zip && \
unzip challenge.zip && \
cd drop-in
Solution
- Step 1: Identify the correct file. Run sha256sum files/* | grep <hash> to find which file matches checksum.txt. In the provided dataset, files/00011a60 is the winner.
  sha256sum files/* | grep 03b52eabed517324828b9e09cbbf8a7b0911f348f76cf989ba6d51acede6d5d8
- Step 2: Decrypt. Use the supplied script (./decrypt.sh files/00011a60) or run openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 -salt -in files/00011a60 -k picoCTF manually.
  ./decrypt.sh files/00011a60
- Step 3: Alternate brute force. If you don't want to compute hashes, loop over every file and try to decrypt each until one yields plaintext, and redirect output to flag.txt to capture the flag.
  for f in files/*; do openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 -salt -in "$f" -k picoCTF; done > flag.txt
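A verify-then-decrypt version of steps 1 and 2, as an added example rather than the challenge's own decrypt.sh: it selects the one file whose SHA-256 matches checksum.txt, refuses to proceed when zero or several files match, and only then runs the challenge's openssl command. It assumes sha256sum and openssl on PATH and builds its own constructed sample files in a temporary directory.

```shell
#!/bin/sh
# Added example, not the challenge's own decrypt.sh: hash every candidate,
# accept only the single file whose SHA-256 equals checksum.txt, and decrypt
# that file alone, so no imitation ever reaches openssl. Assumes sha256sum and
# openssl on PATH; passphrase and openssl parameters are the challenge's own.

# Print the path of the single file under $1 whose SHA-256 equals the digest
# in $2 (first field, so both "<hex>" and "<hex>  name" layouts are accepted).
# Exit status: 0 exactly one match, 1 no match, 2 more than one match.
find_verified_file() {
    expected=$(awk 'NR == 1 { print tolower($1) }' "$2")
    match=''
    count=0
    for candidate in "$1"/*; do
        [ -f "$candidate" ] || continue
        actual=$(sha256sum "$candidate" | awk '{ print $1 }')
        if [ "$actual" = "$expected" ]; then
            match=$candidate
            count=$((count + 1))
        fi
    done
    [ "$count" -ne 0 ] || return 1
    [ "$count" -eq 1 ] || return 2
    printf '%s\n' "$match"
}

# Decrypt only the verified file; refuse when verification found none or several.
decrypt_verified() {
    verified=$(find_verified_file "$1" "$2") || return $?
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 -salt -in "$verified" -k "$3"
}

# Constructed sample data (not the challenge's files): two decoys plus one real
# file, encrypted exactly as the challenge does when openssl is available.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/files"
printf 'imitation flag 1\n' > "$demo_dir/files/00000001"
printf 'imitation flag 2\n' > "$demo_dir/files/00000002"
if command -v openssl >/dev/null 2>&1; then
    printf 'picoCTF{constructed_example_flag}\n' |
        openssl enc -aes-256-cbc -pbkdf2 -iter 100000 -salt -k picoCTF \
            -out "$demo_dir/files/00011a60"
else
    printf 'real file (left unencrypted: no openssl here)\n' > "$demo_dir/files/00011a60"
fi
sha256sum "$demo_dir/files/00011a60" | awk '{ print $1 }' > "$demo_dir/checksum.txt"
echo "verified: $(find_verified_file "$demo_dir/files" "$demo_dir/checksum.txt")"
if command -v openssl >/dev/null 2>&1; then
    decrypt_verified "$demo_dir/files" "$demo_dir/checksum.txt" picoCTF
fi
```

Against the real drop-in directory, call decrypt_verified files checksum.txt picoCTF; a non-zero exit means the checksum matched no file or more than one, which is exactly the case the imitation flags are meant to provoke.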
Flag
picoCTF{trust_but_verify_0...}
Only the file whose hash matches checksum.txt decrypts to the flag.