Our EXPLOIT THIS CTF is tailored to those hackers and enthusiasts alike, that share a passion for all things embedded, IoT or hardware related.
Squashed is an 100 point CTF challenge brought to you by Exploit Security. This and other CTF challenges can be found https://exploitthis.ctfd.io.
In our last blog we stepped through "Demystifying Debunked" challenge, now we will take a look at a two step challenge using a similar approach in this CTF Writeup. It is our belief that using a systematic methodology, this helps to build better technical capability when applying such knowledge to real-world technical challenges.
Task: This challenge calls for the participant to Examine the given file ... extract ... then find the flag !
As always let's start by first examining the binary using the *nix FILE utility. As shown in our previous blog post the FILE utility can be used to ascertain the file type. As seen below we are dealing with a Squashfs filesystem archive.
What is Squashfs
Squashfs is a read-only file system designed for compressing entire file systems or specific directories. It maximizes storage efficiency in tiny-sized and embedded Linux systems, making it ideal for IoT devices and minimalist computing environments. With its modular and compact design, Squashfs offers unparalleled performance and flexibility for archiving massive amounts of data. Whether you're crafting a lean embedded system or building a media archive, Squashfs is the go-to solution for unlocking new levels of storage efficiency.
Enter unsquashfs. Unsquashfs is a *nix utility that is used to umcompress squashfs filesystems. Its usage can be seen below:
unsquashfs [OPTIONS] FILESYSTEM [directories or files to extract]Let's use the unsquashfs utility to uncompress our challenge file.
We now have at our disposal, what looks to be a squashfs root filesystem.
Let's have an explore of our newly founded root filesystem using the ls *nix utility.
Nothing out of the ordinary, within the root directory, however if we simply just include the -a switch to our previous command we see a different picture.
We notice a .hidden_key directory. Within *nix dotfiles are normally used for configuration files that are typically used by other programs and are normally hidden by default. This is why the first ls -l (long listing) command did not list the full contents of the directory and why ls -al (long listing, all files) proved to be successful in uncovering our hidden directory.
Moving into the .hidden_key directory and running another long listing with all files uncovers two more hidden files.
Let's examine both files in an attempt to work out what we are dealing with here. We will call upon the *nix FILE utility for this task.
We notice that the first file .pass.txt is of ascii text format so a simple cat .pass.txt should suffice. When doing so we now have access to some secret stash.
The second file .private.pem seems to indicate that the file might be a private key (also indicative of this format type is the .pem extension, which refers to a Privacy Enhanced Mail file type). These types of file types i.e. Public Key Infrastructure filetypes are normally used for encrypting files using a asynchronous key encryption. This type of encryption uses a private and public key pair, used for encrypting and decrypting data.
Let's take a closer look at the .pem file.
Upon inspection, using a simple cat command, we notice the following format. The format used here is well known PKCS 8, originally developed by RSA Laboratory (co-founders Ron Rivest, Adi Shamir and Leonard Adleman) and is typically used alongside a passphrase, which we may seem to have in the form of the .pass.txt file found earlier.
Great, so what do we know ? We can infer from these two files, that something within this file system uses a PKCS 8 formatted private key alongside a secret key to encrypt something within our squashfs filesystem. Let's go on the hunt for that target !!
Not looking very far, we find our potential target file.
Let's examine the file using the usual set of *nix utilities FILE and CAT
Examining the output we notice its file type as 'data'. If we set our minds back to our previous blog post we remember that a file type of data denotes any files that are either binary or non-printable. Encrypted files also fit into the non-printable category. One step closer to our goal ! Only question left now is how we use our harvested private key and passphrase in an attempt to decrypt our flag ?
One such utility, that can be used to decrypt such files i.e. RSA key encrypted files is the *nix OPENSSL utility.
rsautl: The rsautl command can be used to sign, verify, encrypt and decrypt data using the RSA algorithm
-decrypt: This option is used to specify decryption or the input data using an RSA private key
-inkey: Specifies the input private key
-in: Specifies the file to be decrypted
-out: Specifies the file to output the decrypted contents
We are then prompted to enter the pass phrase, this is found in the .pass.txt file discovered earlier.
Flag revealed !
The Security Team at Exploit Security hope that this simple walk-through has illuminated some concepts that will be useful for you !