Download this disk image, find the key and log into the remote machine.
Note: if you are using the webshell, download and extract the disk image into /tmp not your home directory.
Download disk image
Remote machine: ssh -i key_file -p [port #] ctf-player@saturn.picoctf.net
We are given a file disk.img.gz
The .gz file extension indicates that the file is a gzip compressed file → gunzip disk.img.gz decompresses the file
SleuthKit is a useful tool for disk forensics
mmls disk.img returns

DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   Linux (0x83)
003:  000:001   0000206848   0000471039   0000264192   Linux (0x83)

Checking the first partition with fls -o 2048 disk.img returns

d/d 11: lost+found
r/r 12: ldlinux.sys
r/r 13: ldlinux.c32
r/r 15: config-virt
r/r 16: vmlinuz-virt
r/r 17: initramfs-virt
l/l 18: boot
r/r 20: libutil.c32
r/r 19: extlinux.conf
r/r 21: libcom32.c32
r/r 22: mboot.c32
r/r 23: menu.c32
r/r 14: System.map-virt
r/r 24: vesamenu.c32
V/V 25585: $OrphanFiles

Checking the second partition with fls -o 206848 disk.img returns

d/d 458: home
d/d 11: lost+found
d/d 12: boot
d/d 13: etc
d/d 79: proc
d/d 80: dev
d/d 81: tmp
d/d 82: lib
d/d 85: var
d/d 94: usr
d/d 104: bin
d/d 118: sbin
d/d 464: media
d/d 468: mnt
d/d 469: opt
d/d 470: root
d/d 471: run
d/d 473: srv
d/d 474: sys
V/V 33049: $OrphanFiles

The second partition looks promising: it holds a full root filesystem.
Checking home with fls -o 206848 disk.img 458 returns nothing.
Checking root with fls -o 206848 disk.img 470 returns
r/r 2344: .ash_history
d/d 3916: .ssh

.ash_history is a file (identified by r/r) and .ssh is a directory (identified by d/d).
icat -o 206848 disk.img 2344 outputs the contents of .ash_history:

ssh-keygen -t ed25519
ls .ssh/
halt

So the .ssh directory was created by ssh-keygen generating an ed25519 key pair.
fls -o 206848 disk.img 3916 lists the files in .ssh:

r/r 2345: id_ed25519
r/r 2346: id_ed25519.pub

icat -o 206848 disk.img 2345 outputs the id_ed25519 file:

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZWQyNTUxOQAAACBgrXe4bKNhOzkCLWOmk4zDMimW9RVZngX51Y8h3BmKLAAAAJgxpYKDMaWCgwAAAAtzc2gtZWQyNTUxOQAAACBgrXe4bKNhOzkCLWOmk4zDMimW9RVZngX51Y8h3BmKLAAAAECItu0F8DIjWxTp+KeMDvX1lQwYtUvP2SfSVOfMOChxYGCtd7hso2E7OQItY6aTjMMyKZb1FVmeBfnVjyHcGYosAAAADnJvb3RAbG9jYWxob3N0AQIDBAUGBw==
-----END OPENSSH PRIVATE KEY-----

icat -o 206848 disk.img 2346 outputs the id_ed25519.pub file:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGCtd7hso2E7OQItY6aTjMMyKZb1FVmeBfnVjyHcGYos root@localhost
This appears to show the private key and public key, respectively.
icat -o 206848 disk.img 2345 > private_key saves the private key to a file on your local machine.
ssh -i private_key -p [port #] ctf-player@saturn.picoctf.net returns
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0664 for 'private_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "private_key": bad permissions

This is telling us that private_key's access permissions are too open: users other than the owner can read the file (and group members can also write it). We can confirm this with ls -ld private_key, which shows permissions of -rw-rw-r--. We want -rw------- instead, which chmod 600 private_key gives us. Running ls -ld private_key again confirms that the permissions of the file are now -rw-------.
ssh -i private_key -p [port #] ctf-player@saturn.picoctf.net now logs us into the remote machine.
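As an added illustration (not part of the original writeup), the Python below does by hand what mmls does: it parses a DOS partition table to recover the start sectors that fls and icat take as -o, using a constructed MBR with the two Linux partitions from the output above, and it saves a recovered key with the 0600 mode that ssh requires, checking it the way ssh does. The function names and the constructed MBR and key bytes are this example's own assumptions.

```python
import os
import stat
import struct
import tempfile

def parse_mbr(mbr: bytes):
    """Parse the four primary entries of a DOS partition table, i.e. the rows mmls
    prints. Returns start/end/length in 512-byte sectors; empty slots are skipped."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA signature: not a DOS partition table")
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        # status(1) chs_start(3) type(1) chs_end(3) lba_start(4) sectors(4)
        _status, ptype, lba_start, length = struct.unpack("<B3xB3xII", entry)
        if ptype == 0 or length == 0:
            continue
        parts.append({"slot": i, "type": ptype, "start": lba_start,  # start = fls/icat -o
                      "end": lba_start + length - 1, "length": length})
    return parts

def build_mbr(entries):
    """Constructed 512-byte MBR for testing; entries are (type, start, length)."""
    mbr = bytearray(512)
    for i, (ptype, start, length) in enumerate(entries):
        mbr[446 + 16 * i:446 + 16 * (i + 1)] = struct.pack(
            "<B3xB3xII", 0x00, ptype, start, length)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

def save_private_key(data: bytes, path: str):
    """Write a recovered key with mode 0600 so ssh does not reject it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(path, 0o600)  # the O_CREAT mode only applies to newly created files

def key_perms_ok(path: str) -> bool:
    """Mirror ssh's check: group and others must have no access bits at all."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077 == 0

def demo_permissions():
    """Constructed files: one saved correctly, one left at 0664 like the page's."""
    d = tempfile.mkdtemp()
    good, loose = os.path.join(d, "private_key"), os.path.join(d, "loose_key")
    save_private_key(b"constructed placeholder, not a real key\n", good)
    save_private_key(b"constructed placeholder, not a real key\n", loose)
    os.chmod(loose, 0o664)
    return key_perms_ok(good), key_perms_ok(loose)
```

With the page's layout, parse_mbr reports starts of 2048 and 206848, exactly the -o values used above, and the 0664 copy fails the same check that made ssh print the warning.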
ls
cat flag.txt
picoCTF{k3y_5l3u7h_339601ed}