Blind Infection 1

blind-infection-1

Blind Infection 1

Author: Battlemonger
Category: Forensics
Points: 470
Solves: 23
Files: chall.zip
Flag: SEKAI{R3m3b3r_k1Dz_@lway5_84cKUp}

Investigator: It looks like your files were encrypted — do you have a backup?
Me: Online, yes, but even the backup links got encrypted. Can you help me find anything?

Warning

Warning: This payload contains ransomware. Consider using a fresh virtual machine, as you may risk losing your data. Although surface analysis is safe (and the ransomware is user-triggered), proceed with caution.

Reconnaissance

$ tree
.
├── etc
├── home
├── root
└── snap

Unzipping the provided .zip provides us with four Linux directories: etc/, home/, root/, and snap/. Let’s start off with a little bit of reconnaissance.

A good habit with these types of challenges is to check etc/passwd, a list of system accounts. If we grep for those with root permission, we find that the user sekaictf was a superuser:

$ cat etc/passwd | grep 'bash'
root:x:0:0:root:/root:/bin/bash
sekaictf:x:1000:1000:sekaictf,,,:/home/sekaictf:/bin/bash

Although it isn’t necessarily pertinent to the challenge, make sure you check home/sekaictf/.bash_history alongside grep -r "SEKAI{ - they can be pretty handy sometimes!

Document Recovery

Next, we’ll look for user files. The Documents/ and Pictures/ folder of the sekaictf user has them, but everything seems to be encrypted with no indication of the encryption method used.

The description talks about having a backup for the encrypted files in the form of links, meaning we should be looking for browser-related content (i.e. search history). Ubuntu 22 stores Firefox as a SnapCraft app in snap/ by default — we can also grep for the term 'firefox' for its location:

home/sekaictf$ tree | grep -C 5 firefox
│   ├── german.png
│   ├── ginger.png
│   └── meme.png
├── Public
├── snap
│   ├── firefox
│   │   ├── 1551
│   │   ├── 1589
│   │   ├── common
│   │   └── current
│   └── snapd-desktop-integration

Firefox is located in home/sekaictf/snap/firefox/, while the profile information of the user is located at firefox/common/.mozilla/firefox/p3zapakd.default/. p3zapakd is the name of the user.

Firefox stores your visit history in the places.sqlite SQLite database (read more about how Firefox stores your information here). You can use an online tool or sqlite3 to view it! The table we need is moz_places, which is a hefty piece of work with more than 750+ URLs:

Screenshot of the moz_places table in places.sqlite

Yes, it’s super meticulous, but a true forensics investigator would champ it through! Scrolling through the table, we notice that the user follows a certain trend, as following:

The user searches about a topic on Google
The user visits that appear in the search results
The user visits the URL https://paste.c-net.org with a subdirectory consisting of two random words (possibly to bookmark them for later)

Visiting any of these pastes and recognizing that the content should be the same as encrypted files in the Documents/ folder is key to Part 1. This is further facilitated by the fact that names of the encrypted files in Documents/ are very descriptive:

home/sekaictf/Documents$ ls
aes.txt           ippsec.txt       python.txt         warandpeace12.txt
assignment.txt    jokes.txt        roblox.txt         warandpeace13.txt
billionaires.txt  joke.txt         robomagellan.txt   warandpeace14.txt
brainteasers.txt  jsinterview.txt  rsa.txt            warandpeace15.txt
countries.txt     juggle.txt       science.txt        warandpeace1.txt
ctfwins.txt       katana.txt       sekai.txt          warandpeace2.txt
elements.txt      leetcode.txt     shakespeare.txt    warandpeace3.txt
excuses.txt       loi.txt          song.txt           warandpeace4.txt
flag.txt          maths.txt        sql.txt            warandpeace5.txt
fortnite.txt      oscp.txt         tools.txt          warandpeace6.txt
ginger.txt        overflow.txt     volatility.txt     warandpeace7.txt
girlfriend.txt    privesc.txt      warandpeace10.txt  warandpeace8.txt
graphql.txt       program.txt      warandpeace11.txt  warandpeace9.txt

Instinctively, we would want to visit all these pastes.

There are 50 instances of the URL https://paste.c-net.org in the table and visiting them one-by-one isn’t very 1337 h4xx0r. We can execute some simple SQL on the table to extract all instances:

1
SELECT url FROM 'moz_places' WHERE URL like '%paste%'

Screenshot of the SQL query

Let’s write a simple curl script with Python:

1
import requests
2

3
urls = [
4
    "https://paste.c-net.org/HitchedGlaser",
5
    "https://paste.c-net.org/HavingGaining",
6
    "https://paste.c-net.org/ElevenRejected",
7
    "https://paste.c-net.org/LovedCyborg",
8
    "https://paste.c-net.org/DictateSplinter",
9
    "https://paste.c-net.org/WagonsClips",
10
    "https://paste.c-net.org/BegunCarols",
11
    "https://paste.c-net.org/SweptReport",
12
    "https://paste.c-net.org/DetectedParanoid",
13
    "https://paste.c-net.org/RomanovBaptiste",
14
    "https://paste.c-net.org/GluttonyBamboo",
15
    "https://paste.c-net.org/WoodsCochran",
16
    "https://paste.c-net.org/YellingShelf",
17
    "https://paste.c-net.org/ServesTerrence",
18
    "https://paste.c-net.org/ChaperonDouche",
19
    "https://paste.c-net.org/WestleyCompany",
20
    "https://paste.c-net.org/DiagnoseEgypt",
21
    "https://paste.c-net.org/InquireExplicit",
22
    "https://paste.c-net.org/RubbleAcute",
23
    "https://paste.c-net.org/MilnerFantasy",
24
    "https://paste.c-net.org/ArticleOutdoors",
25
    "https://paste.c-net.org/DigitAccosted",
26
    "https://paste.c-net.org/DaylightMaguire",
27
    "https://paste.c-net.org/GaugeComposed",
28
    "https://paste.c-net.org/OlympusSeminar",
29
    "https://paste.c-net.org/LackeysEternity",
30
    "https://paste.c-net.org/CoachedBarks",
31
    "https://paste.c-net.org/StungFarted",
32
    "https://paste.c-net.org/BlisterQuebec",
33
    "https://paste.c-net.org/BiancaShanghai",
34
    "https://paste.c-net.org/ReboundStopping",
35
    "https://paste.c-net.org/EmptyPaste",
36
    "https://paste.c-net.org/ToursForks",
37
    "https://paste.c-net.org/GuineaShovel",
38
    "https://paste.c-net.org/LettinAverage",
39
    "https://paste.c-net.org/CuveeBouncer",
40
    "https://paste.c-net.org/CraziesCritique",
41
    "https://paste.c-net.org/QuitterTasks",
42
    "https://paste.c-net.org/MashburnEdmund",
43
    "https://paste.c-net.org/PollsFenwick",
44
    "https://paste.c-net.org/FillsTaunt",
45
    "https://paste.c-net.org/RussiansEstimate",
46
    "https://paste.c-net.org/HughesRecant",
47
    "https://paste.c-net.org/CelloFilmed",
48
    "https://paste.c-net.org/CrushMalcolm",
49
    "https://paste.c-net.org/ProphecyWestside",
50
    "https://paste.c-net.org/GardenOccur",
51
    "https://paste.c-net.org/QuittingPeterson",
52
    "https://paste.c-net.org/BainesPouty",
53
]
54

55
for url in urls:
56
    r = requests.get(url)
57
    if "SEKAI{" in r.text:
58
        print(r.text)

Running the script:

$ python3 solve.py
SEKAI{R3m3b3r_k1Dz_@lway5_84cKUp}