Home HackyEaster 2022 Ghost in a Shell 3
Writeup
Cancel

Ghost in a Shell 3

Challenge

1
2
3
4
5
6
7
8
9
10
  _, _,_  _,  _, ___   _ _, _    _,    _, _,_ __, _,  _,    ,  ,  ,
 / _ |_| / \ (_   |    | |\ |   /_\   (_  |_| |_  |   |     |  |  |
 \ / | | \ / , )  |    | | \|   | |   , ) | | |   | , | ,   |  |  |
  ~  ~ ~  ~   ~   ~    ~ ~  ~   ~ ~    ~  ~ ~ ~~~ ~~~ ~~~   ~  ~  ~
______________________________________________________________________
 ,--.     ,--.     ,--.
| oo |   | oo |   | oo |
| ~~ |   | ~~ |   | ~~ |   o  o  o  o  o  o  o  o  o  o  o  o  o  o  o
|/\/\|   |/\/\|   |/\/\|
______________________________________________________________________

Connect to the server, snoop around, and find the flag!

  • ssh DOCKER_HOST -p 2203 -l pinky
  • password is: !speedy!

Solution

1
2
276c642cc2e4:/opt/bannerkoder$ cat /var/spool/cron/crontabs/root
* * * * * /opt/bannerkoder/cipher.sh > /dev/null 2>&1

Found this (via the crontab, weirdly)

1
2
3
4
276c642cc2e4:/opt/bannerkoder$ cat cipher.sh
#!/bin/bash
date +%s | md5sum | base64 | head -c 32 > /tmp/7367111C2875730D00686C13B98E7F36
openssl enc -aes-256-cbc -e -in /home/pinky/flag.txt -out /home/pinky/flag.enc -kfile /tmp/7367111C2875730D00686C13B98E7F36276c642cc2e4:/opt/bannerkoder$

Ok, so we just need to loop over the +%s for that minute to decrypt

1
while true; do openssl enc -aes-256-cbc -d -in flag.enc -k "$(date +%s | md5sum | base64 | head -c 32)"; sleep 0.5; done;

and bingo!

Flag

he2022{0p3n-35-35-37-f0r-pr0fit}