AnhTvBlog
← Blog
#CTF #BYUCTF

BYUCTF 2023 Write-up

Writeup các challenges từ BYUCTF 2023.

· 1 min read

BYUCTF 2023 Write-up

MI6configuration

Description

We recently acquired a computer at MI6 and it seems like they might have made some mistakes. Can you hack it using their misconfigurations and get all their important data? (Download the VM file and power it on. Find the IP address and start hacking!)


*Note - there are 3 flags, flag2 does not exist*


https://byu.app.box.com/s/kqlgq3h7t43jqm7k0q124a1eivkonqln

Solution

After downloading this VM, I converted to Hyper V machine (personal purpose 🙄). Upon running it, the operating system requested the sda5_crypt password to decrypt the volume.

I attempted various approaches, but none of them seemed to make sense, I tried an alternative method: decrypting the disk and mounting it directly.

As the disk was encrypted with LUKS, I did the following commands

Terminal window
sudo modprobe nbd
sudo qemu-nbd -r -c /dev/nbd1 ./MI6-disk001.vmdk
ls -al /dev/nbd1p*


brw-rw---- 1 root disk 43, 33 May 23 15:57 /dev/nbd1p1
brw-rw---- 1 root disk 43, 34 May 23 15:57 /dev/nbd1p2
brw-rw---- 1 root disk 43, 37 May 23 15:57 /dev/nbd1p5

Checking the nbd device:

Terminal window
sudo lsblk -f
...
nbd1
├─nbd1p1
    ext4   1.0                0072b51f-0b99-4ea8-b302-0953b3da6902
├─nbd1p2
└─nbd1p5
     crypto 1                  5d8f8ed9-1a74-42fe-b13b-0f5a35565115
...

The nbd1p5 partition had the label crypto, which might be the disk we wanted to decrypt.

Using cryptsetup, we got

Terminal window
sudo cryptsetup luksOpen /dev/nbd1p5 luks_device
sudo vgchange -ay
sudo lvdisplay


--- Logical volume ---
  LV Path                /dev/MI6-vg/root
  LV Name                root

The Logical Volume path was /dev/MI6-vg/root, so I mounted it

sudo mount -o ro,noload /dev/MI6-vg/root /mnt
ls /mnt


bin   dev  ftp   initrd.img      lib    lost+found  mnt  proc  run   srv  tmp  var      vmlinuz.old
boot  etc  home  initrd.img.old  lib64  media       opt  root  sbin  sys  usr  vmlinuz

Found flag using grep

Terminal window
grep -r "byuctf" .
./root/flag4.txt:byuctf{sudo_mi6configured}
./home/q/flag3.txt:byuctf{cronjobzz}
./ftp/flag1.txt:byuctf{anonymous_ftp}

Comments

💬 Giscus is not configured — fill in repo / repoId / categoryId in src/components/GiscusComments.astro (get them from giscus.app ).