BYUCTF 2023 Write-up

Posted by anhtv on May 24, 2023

MI6configuration

Description

We recently acquired a computer at MI6 and it seems like they might have made some mistakes. Can you hack it using their misconfigurations and get all their important data? (Download the VM file and power it on. Find the IP address and start hacking!)

*Note - there are 3 flags, flag2 does not exist*

https://byu.app.box.com/s/kqlgq3h7t43jqm7k0q124a1eivkonqln

Solution

After downloading the VM, I converted it to a Hyper-V machine (for personal reasons 🙄). On boot, the operating system asked for the sda5_crypt passphrase to decrypt the volume.

I attempted various approaches, but none of them seemed to lead anywhere, so I tried an alternative method: decrypting the disk offline and mounting it directly.

As the disk was encrypted with LUKS, I ran the following commands:

sudo modprobe nbd
sudo qemu-nbd -r -c /dev/nbd1 ./MI6-disk001.vmdk
ls -al /dev/nbd1p*

brw-rw---- 1 root disk 43, 33 May 23 15:57 /dev/nbd1p1
brw-rw---- 1 root disk 43, 34 May 23 15:57 /dev/nbd1p2
brw-rw---- 1 root disk 43, 37 May 23 15:57 /dev/nbd1p5

Checking the nbd device:

sudo lsblk -f
...
nbd1
├─nbd1p1 ext4   1.0         0072b51f-0b99-4ea8-b302-0953b3da6902
├─nbd1p2
└─nbd1p5 crypto 1           5d8f8ed9-1a74-42fe-b13b-0f5a35565115
...

The nbd1p5 partition had FSTYPE crypto (LUKS), so it was most likely the volume we wanted to decrypt.

Opening it with cryptsetup and activating the LVM volume group gave:

sudo cryptsetup luksOpen /dev/nbd1p5 luks_device
sudo vgchange -ay
sudo lvdisplay

--- Logical volume ---
  LV Path                /dev/MI6-vg/root
  LV Name                root

The logical volume path was /dev/MI6-vg/root, so I mounted it read-only:

sudo mount -o ro,noload /dev/MI6-vg/root /mnt
ls /mnt

bin   dev  ftp   initrd.img      lib    lost+found  mnt  proc  run   srv  tmp  var      vmlinuz.old
boot  etc  home  initrd.img.old  lib64  media       opt  root  sbin  sys  usr  vmlinuz

I found the flags with grep:

grep -r "byuctf" .
./root/flag4.txt:byuctf{sudo_mi6configured}
./home/q/flag3.txt:byuctf{cronjobzz}
./ftp/flag1.txt:byuctf{anonymous_ftp}
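The steps above (attach the image, find the LUKS partition, unlock it, activate LVM, mount, grep) chained into one script, as an added example that is not part of the write-up. It keeps every layer read-only (qemu-nbd -r, cryptsetup --readonly, mount -o ro,noload) so the disk image is never modified, activates only the volume group found inside the container rather than every VG on the host, and tears everything down in reverse order on exit, even after a failure halfway through. It assumes qemu-utils, cryptsetup, lvm2 and util-linux are installed, that /dev/nbd1 is free (override with NBD_DEV), and that the mapper name luks_device and mount point /mnt from the write-up are acceptable; the marker string byuctf is the one grepped for above.

```shell
#!/bin/sh
# Added example, not from the write-up: the offline LUKS/LVM mount procedure as
# one script. Assumptions: qemu-nbd, cryptsetup, lvm2 and util-linux present;
# NBD_DEV is an unused nbd device; the script runs as root.
set -eu

NBD_DEV="${NBD_DEV:-/dev/nbd1}"            # assumed free nbd device
MAPPER_NAME="${MAPPER_NAME:-luks_device}"  # dm name, same as the write-up
MOUNT_POINT="${MOUNT_POINT:-/mnt}"
FLAG_MARKER="${FLAG_MARKER:-byuctf}"       # string searched for once mounted

# Read `lsblk -rnpo NAME,FSTYPE` output (raw, no header, full device paths)
# on stdin and print every device whose filesystem type is crypto_LUKS; this
# is the "crypto" column value the write-up spotted, untruncated.
find_luks_partitions() {
    awk '$2 == "crypto_LUKS" { print $1 }'
}

# Read `lvs --noheadings -o lv_path` output on stdin and print the LV that
# should hold the root filesystem: the one named root if present, else the
# first one listed.
pick_root_lv() {
    awk '{ paths[NR] = $1; if ($1 ~ "/root$") { print $1; found = 1; exit } }
         END { if (!found && NR > 0) print paths[1] }'
}

# Undo the setup in reverse order. Every step tolerates not having happened,
# so a failure in the middle of main still leaves the analysis host clean.
cleanup() {
    mountpoint -q "$MOUNT_POINT" && umount "$MOUNT_POINT" || true
    [ -n "${VG_NAME:-}" ] && vgchange -an "$VG_NAME" >/dev/null 2>&1 || true
    [ -e "/dev/mapper/$MAPPER_NAME" ] && cryptsetup luksClose "$MAPPER_NAME" || true
    qemu-nbd -d "$NBD_DEV" >/dev/null 2>&1 || true
}

main() {
    image="${1:?usage: $0 disk.vmdk}"
    trap cleanup EXIT
    modprobe nbd
    qemu-nbd -r -c "$NBD_DEV" "$image"        # -r: the image is never written
    partprobe "$NBD_DEV" 2>/dev/null || true  # only if parted is installed

    luks_part=$(lsblk -rnpo NAME,FSTYPE "$NBD_DEV" | find_luks_partitions | awk 'NR == 1')
    [ -n "$luks_part" ] || { echo "no LUKS partition found on $NBD_DEV" >&2; exit 1; }
    echo "LUKS container: $luks_part"

    # Prompts for the passphrase; --readonly keeps the dm mapping read-only too.
    cryptsetup luksOpen --readonly "$luks_part" "$MAPPER_NAME"

    # Activate only the volume group that lives inside this container.
    VG_NAME=$(pvs --noheadings -o vg_name "/dev/mapper/$MAPPER_NAME" | tr -d ' ')
    vgchange -ay "$VG_NAME"
    root_lv=$(lvs --noheadings -o lv_path "$VG_NAME" | pick_root_lv)

    # ro,noload: no journal replay, so the filesystem is read exactly as found.
    mount -o ro,noload "$root_lv" "$MOUNT_POINT"
    grep -rIF "$FLAG_MARKER" "$MOUNT_POINT" 2>/dev/null || echo "no match for $FLAG_MARKER"
}

# Only run the procedure when an image path is given, so the helper functions
# above can be sourced or tested without touching any device.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run it as root with the image path as the only argument, e.g. `sudo sh mount_luks_image.sh ./MI6-disk001.vmdk` (a constructed file name for the script). The two awk helpers are kept as separate functions on purpose: they are the only parts that make a decision, so they can be exercised against captured lsblk and lvs output without root or a real image.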