Verify

Challenge Description

People keep trying to trick my players with imitation flags. I want to make sure they get the real thing! I'm going to provide the SHA-256 hash and a decrypt script to help you know that my flags are legitimate.

You can download the challenge files here:

challenge.zip

Additional details will be available after launching your challenge instance.

Solution

First start the instance and login via ssh to the given instance. We are given with two files and a folder.

The checksum.txt file contains the hash sum of some file.

The decrypt.sh file is a bash script, which tries to decrypt a file.

Next I checked the files directory. It has a lot of files. One of these files has the flag in encrypted form. We have to decrypt that file using the decrypt.sh file. We have to decrypt each file in this directory to find the flag.

I used a bash while loop to get the job done. Use the following command to get the flag.

ls -R | while read filename; do ./decrypt.sh ./files/$filename 2>/dev/null; done | grep picoCTF

Flag: picoCTF{trust_but_verify_e018b574}

PreviousScan Surprise NextCanYouSee

Last updated 7 months ago