PicoCTF: Verify
- Cody
- Dec 5, 2024
Updated: Dec 6, 2024
Challenge Name: Verify
Category: Forensics
Difficulty: Easy
Description: Walkthrough and learning breakdown
The challenge: find the file whose SHA-256 hash matches the given SHA-256 hash:

SSH into the challenge machine via the supplied instructions:

I attempt to decrypt "files", but it is actually a directory. Let's see what files are in the directory "files" using the ls command (ls = list):

The hint says we can pipe output into the grep command to limit our results, so I'll keep that in mind. We could run the supplied script on each of the 301 possibilities individually, but that would take a long time. According to the instructions, we are supposed to verify the hash and then decrypt the file. I type the script invocation and hit Tab on the keyboard to see the possible completions:
./decrypt.sh files/

I'll work my way to the final result, beginning with the "find" command. Let's look at the manual for the specific options of the find command by entering man find

I scroll through to find the specific options I need to get the results I'm looking for. Here I specify the type with "-type", using the option "f" to indicate a regular file:

This is a good start. This pulls a full list of files. Now we must search through to find a file with a matching hash.

In this step, I'll pull that list of files together with their SHA-256 hashes by adding the find option -exec <command> {} + to run the sha256sum utility on them. I found this option by reading the find command's manual (man find).

It then becomes:
-exec sha256sum {} +
Here you can see that we now have the complete list of hashes, and this command is ready to be searched for the specific hash we are trying to match:

The hashed file we need must match the provided hash:
03b52eabed517324828b9e09cbbf8a7b0911f348f76cf989ba6d51acede6d5d8
Now we can add the grep command to search through this list for the matching file. You chain another command by using the pipe character "|".
We will add the following to the command we have been building:
| grep <hashwewanttomatch>

You can see that this command returned only one file, the one with the matching hash. Now we can follow the instructions and use the decrypt script to find the flag. First, let's go back up one directory with cd (change directory) to the parent directory (..), which becomes cd .. and is where the script is located. Then we can use the provided script command to run the decrypt.sh script on the verified file 00011a60.
- ./ runs the script
- decrypt.sh is the decrypting script, written in the Bash scripting language
- files/ specifies the directory of the specific file we are decrypting
- 00011a60 is the file to be decrypted
In the current directory, using the ls command, we have a file (checksum.txt), a script (decrypt.sh), and a directory (files). Now we are ready to run the script.


After running the script, we receive the flag which we can then submit to complete the challenge.
Flag = picoCTF{trust_but_verify_00011a60}
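The find / sha256sum / match steps above, wrapped into one reusable check. This is an added example, not part of the original walkthrough: the function name find_by_sha256 and the sample files are constructed for illustration, and it goes a little further than the grep pipeline by validating the expected hash and comparing only the digest column.

```shell
# find_by_sha256 <dir> <expected-hex-digest>  (hypothetical helper name)
# Prints matching paths. Returns 0 for exactly one match, 1 for none,
# 2 for bad input, 3 when several files share the digest.
find_by_sha256() {
    local dir=$1 want matches count
    # sha256sum prints lowercase hex, so normalise the expected value.
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # Reject anything that is not exactly 64 hex characters (e.g. a truncated paste).
    case $want in
        *[!0-9a-f]*|'') return 2 ;;
    esac
    [ "${#want}" -eq 64 ] || return 2
    [ -d "$dir" ] || return 2

    # Output lines are "<digest>  <path>". Compare the digest field exactly
    # rather than grepping the whole line, so a file *named* like the hash
    # cannot produce a false match. Appending "" forces a string comparison
    # in awk even when a digest happens to look like a number.
    matches=$(find "$dir" -type f -exec sha256sum {} + |
        awk -v want="$want" '($1 "") == (want "") { sub(/^[^ ]+  /, ""); print }')
    [ -n "$matches" ] || return 1
    printf '%s\n' "$matches"
    count=$(printf '%s\n' "$matches" | wc -l)
    [ "$count" -eq 1 ] || return 3
}

# Constructed sample data so the example runs offline.
demo() {
    local tmp expected
    tmp=$(mktemp -d)
    mkdir "$tmp/files"
    printf 'decoy one\n' > "$tmp/files/aaaa1111"
    printf 'decoy two\n' > "$tmp/files/bbbb2222"
    printf 'the real one\n' > "$tmp/files/cccc3333"
    expected=$(sha256sum "$tmp/files/cccc3333" | cut -d' ' -f1)
    find_by_sha256 "$tmp/files" "$expected"   # prints .../files/cccc3333
    rm -rf "$tmp"
}
demo
```

A non-zero return code tells you why the check failed, which matters when the result feeds a later step such as running a decrypt script on the file.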
Thanks for reading!