Download this disk image and find the flag.
Note: if you are using the webshell, download and extract the disk image into /tmp not your home directory.
- Download compressed disk image
wget https://artifacts.picoctf.net/c/214/disk.flag.img.gz
After loading the disk image in Autopsy and going through some of the directories, I decided to do a keyword search for "flag.txt".
This showed me the bash history and that both a flag.txt.enc and a flag.txt file exist.
In the bash history you can see how they encoded flag.txt to flag.txt.enc.
Now, going to file search for "flag.txt", you can see that flag.txt was deleted but "flag.txt.enc" is still there.
From this point I used export in Autopsy to get the file on my system. I then moved it from downloads to my working directory with "mv" and renamed it to "flag.txt.enc".
mv vol4-3.root.flag.txt.enc flag.txt.enc
Looking at their command, only some slight changes need to be made to decrypt the file:
Original (to encode): openssl aes256 -salt -in flag.txt -out flag.txt.enc -k unbreakablepassword1234567
Modified (to decode): openssl aes256 -salt -in flag.txt.enc -out flag.txt -k unbreakablepassword1234567 -d
After running the decoding openssl command a flag.txt file is created. All that is needed now is to do cat flag.txt and you get the flag.
Flag: picoCTF{h4un71ng_p457_1d02...}