Verify

this challenge asks us to analyze a directory. in the challenge description, we are given a SHA-256 hash value and a decrypt script to help us find the flags.

there is a zipped folder and we will not use an instance to resolve it, but use the given zipped folder

description of Verify challange

I used the wget command to download the zip folder

$ wget https://artifacts.picoctf.net/c_rhea/11/challenge.zip

so you can see that the challange.zip has been downloaded. I will unzip the folder using the unzip command

$ unzip challenge.zip

after unzipping, I went directly to the home directory to see the contents of the folder. immediately, I used the cd command to enter the directory

$ cd home/ctf-player/drop-in

after arriving at the drop-in directory, there are 2 files and 1 folder with the names checksum.txt, decrypt.sh, and files

drop-in directory view

in the checksum.txt file, there is a SHA-256 hash value that will be used to find the file containing the hash value

$ cat checksum.txt
5848768e56185707f76c1d74f34f4e03fb0573ecc1ca7b11238007226654bcda

then, there is a decrypt.sh file, which is a shell script to get the flags. this skip will be called to run certain files that have hash values in them. you can using vim to open this file

$ vim decrypt.sh

 #!/bin/bash

        # Check if the user provided a file name as an argument
        if [ $# -eq 0 ]; then
            echo "Expected usage: decrypt.sh <filename>"
            exit 1
        fi

        # Store the provided filename in a variable
        file_name="$1"

        # Check if the provided argument is a file and not a folder
        if [ ! -f "/home/ctf-player/drop-in/$file_name" ]; then
            echo "Error: '$file_name' is not a valid file. Look inside the 'files' folder with 'ls -R'!"
            exit 1
        fi

        # If there's an error reading the file, print an error message
        if ! openssl enc -d -aes-256-cbc -pbkdf2 -iter 100000 -salt -in "/home/ctf-player/drop-in/$file_name" -k picoCTF; then
            echo "Error: Failed to decrypt '$file_name'. This flag is fake! Keep looking!"
        fi

note! if you want to execute the shell inside the drop-in directory, just remove the /home/ctf-player/drop-in/ parameter and leave only $file_name.

next, i'm going to check the contents of the files folder and there are a lot of files that we can't possibly check one by one. so, we need the grep command to find files that match the SHA-256 hash value.

contents of the files folder

after looking through the contents of the challange.zip folder and reading the description and read the hints given of the challenge, it was time for me to look for the flag!

first, based on the hint given, we will use the sha256sum command to decrypt the matching file. since there are many files in the files folder, I will use the grep command to find which file contains the hash value of SHA-256

$ sha256sum files/* | grep 5848768e56185707f76c1d74f34f4e03fb0573ecc1ca7b11238007226654bcda
5848768e56185707f76c1d74f34f4e03fb0573ecc1ca7b11238007226654bcda  files/8eee7195

obtained that the file that uses the hash of the checksum.txt file is files/8eee7195. after that, i will run the decrypt.sh script to get the desired flags.

$ ./decrypt.sh files/8eee7195                                                              
picoCTF{trust_but_verify_8eee7195}

and Voilla!! the flag was successfully obtained. don't forget to send the flag to the picoCTF platform. happy and enjoy!