picoCTF 2022 | Operation Orchid Write-up

Challenge description

Download this disk image and find the flag. Note: if you are using the webshell, download and extract the disk image into /tmp not your home directory.

Category: Forensics

Solution

Following the same steps as from the previous challenge of this type, Operation Oni, I extracted the disk image. First, I tried to find a flag-related file with find | grep flag.

And to my surprise, there was

Navigating to the folder above, flag.txt.enc seemed to be the only thing there. But I felt that there was more to be seen.

Let’s try ls -la to list out even hidden files and directories.

.ash_history contains the history of shell commands run at this location (the image uses the ash shell, so the history file is .ash_history rather than .bash_history).

This could be an important clue; let’s see.

This gave us all we needed. The original flag was encrypted with openssl aes256, and the history also records the password: unbreakablepassword1234567. After encrypting, the original flag was disposed of with shred to ensure we cannot recover it easily, if at all. But that doesn’t matter, as we can simply decrypt the file we do have:

Just remember to reverse the original command’s input and output files.
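The whole recovery, rebuilt as a runnable shell script. This is an added example, not the write-up's own commands or screenshots: it constructs a scratch directory with a sample flag (the flag text is made up), encrypts it the way the history describes, shreds the plaintext, and then walks the same four steps (find, ls -la, read .ash_history, decrypt). The exact form of the encrypting command is assumed to be openssl aes256 -pass pass:<password> -e -in flag.txt -out flag.txt.enc, since the screenshot of the history is not reproduced above; the password is the one quoted in the write-up. Decryption swaps -e for -d as well as reversing -in and -out.

```shell
#!/bin/sh
# Added example, not code from the write-up: rebuilds the Operation Orchid
# situation in a scratch directory and walks the same recovery steps.
# Assumption: the .ash_history line was of the form
#   openssl aes256 -pass pass:<password> -e -in flag.txt -out flag.txt.enc
# The flag text below is constructed for the demo.
set -eu

PASSWORD='unbreakablepassword1234567'

# Constructed scenario: a flag encrypted as the history describes, then
# shredded, leaving flag.txt.enc and .ash_history behind. Prints the directory.
setup_scenario() {
    dir="$(mktemp -d)"
    printf 'picoCTF{constructed_sample_flag}\n' > "$dir/flag.txt"
    (
        cd "$dir"
        openssl aes256 -pass "pass:$PASSWORD" -e -in flag.txt -out flag.txt.enc
        shred -u flag.txt 2>/dev/null || rm -f flag.txt
    )
    cat > "$dir/.ash_history" <<EOF
openssl aes256 -pass pass:$PASSWORD -e -in flag.txt -out flag.txt.enc
shred -u flag.txt
EOF
    echo "$dir"
}

# Step 1: locate flag-related files anywhere under the extracted image.
find_flag_files() {
    find "$1" -iname '*flag*' 2>/dev/null
}

# Step 2: list hidden files too; the -a is what exposes .ash_history.
list_hidden() {
    ls -la "$1"
}

# Step 3: pull the encryption command (and with it the password) out of the history.
encryption_command() {
    grep '^openssl' "$1/.ash_history"
}

# Step 4: decrypt by swapping -e for -d and reversing -in/-out (no -out means
# the plaintext goes to stdout). Newer OpenSSL derives the key with SHA-256 by
# default while older releases used MD5, so on "bad decrypt" retry with -md md5.
decrypt_flag() {
    dir="$1"
    openssl aes256 -d -pass "pass:$PASSWORD" -in "$dir/flag.txt.enc" 2>/dev/null \
      || openssl aes256 -d -md md5 -pass "pass:$PASSWORD" -in "$dir/flag.txt.enc"
}

# Demo run, mirroring the order of the write-up.
if command -v openssl >/dev/null 2>&1; then
    image="$(setup_scenario)"
    echo "--- find | grep flag"; find_flag_files "$image" | grep flag
    echo "--- ls -la";           list_hidden "$image"
    echo "--- history";          encryption_command "$image"
    echo "--- decrypted";        decrypt_flag "$image"
    rm -rf "$image"
fi
```

Running it prints the found flag.txt.enc, the directory listing with .ash_history, the recovered openssl line, and finally the decrypted sample flag. The -md md5 fallback matters when the image was produced with an OpenSSL older than 1.1.0 and you decrypt with a newer one; with the same binary on both sides, as here, the first attempt succeeds.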
