WPICTF - wannasigh

description: My computer was hacked after I opened a calc file! Please help me get my stuff back. I should have made a backup…

category: Linux - 200

wpi_wannasigh.png

The downloaded file is an .ova; we can import it into VirtualBox and access the VM.

In the VM, we see a yout-stuff.zip file containing the flag, but we do not have the password to unzip it. Let's investigate quickly:

wpi_wannasigh_thumbnails.png

The .thumbnails directory contains the file icons. We cannot see the flag there, though…

OK, let's keep going!

As you can see in the previous screenshot, GIMP is installed. Does it contain anything interesting, like temp files?

wpi_wannasigh_gimp.png

Nothing again…

Then I decided to open the browser (his computer was hacked by a calc file that he must have downloaded, right?).

wpi_wannasigh_firefox.png

There is some stuff here! There is the blank flag and other things.

Let’s try the history:

wpi_wannasigh_history.png

This GitLab repository seems fishy (the latest version contains an .odt saying that you've been hacked):

wpi_wannasigh_gitlab.png

Going through the commits, I found this:

wpi_wannasigh_commits.png

So all we have to do is get the zip creation date and apply the maths:
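The date used for the password derivation has to come from the archive itself, and a zip carries two different timestamps: the modification time of the file on disk (what `stat` or `ls -l` shows) and the DOS-format modification time stored in each member's central directory entry (local time, 2-second resolution). The following Python is an added example, not code from the writeup or the challenge: it builds a small constructed zip with a known member timestamp (the member name `flag.txt` and the date are assumptions, not the real archive), parses the central directory by hand to recover the DOS date/time fields, and cross-checks the result against the standard library. The formula applied to the date is only visible in the screenshot, so the example stops at extracting the date.

```python
import io
import struct
import zipfile
from typing import Dict, Tuple

# A (year, month, day, hour, minute, second) tuple, the same shape zipfile uses.
DateTuple = Tuple[int, int, int, int, int, int]

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDH_SIG = b"PK\x01\x02"    # central directory file header
EOCD_FMT = "<4s4H2LH"      # 22 bytes fixed part
CDH_FMT = "<4s6H3L5H2L"    # 46 bytes fixed part


def build_sample_zip(date_time: DateTuple = (2018, 4, 14, 12, 34, 56)) -> bytes:
    """Constructed sample archive standing in for the one found on the VM.

    Only the member timestamp matters here; the content is a placeholder.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("flag.txt", date_time=date_time)  # assumed name
        zf.writestr(info, b"placeholder, not the real flag")
    return buf.getvalue()


def dos_datetime(dos_date: int, dos_time: int) -> DateTuple:
    """Decode the packed MS-DOS date and time fields used by the zip format."""
    year = 1980 + (dos_date >> 9)
    month = (dos_date >> 5) & 0x0F
    day = dos_date & 0x1F
    hour = dos_time >> 11
    minute = (dos_time >> 5) & 0x3F
    second = (dos_time & 0x1F) * 2        # stored with 2-second resolution
    return (year, month, day, hour, minute, second)


def central_directory_timestamps(data: bytes) -> Dict[str, DateTuple]:
    """Walk the central directory and return each member's stored mtime."""
    pos = data.rfind(EOCD_SIG)
    if pos < 0:
        raise ValueError("no end-of-central-directory record found")
    _, _, _, _, total_entries, _cd_size, cd_offset, _ = struct.unpack_from(
        EOCD_FMT, data, pos
    )

    timestamps: Dict[str, DateTuple] = {}
    off = cd_offset
    for _ in range(total_entries):
        fields = struct.unpack_from(CDH_FMT, data, off)
        sig, _ver_made, _ver_need, _flags, _method, mtime, mdate = fields[:7]
        name_len, extra_len, comment_len = fields[10:13]
        if sig != CDH_SIG:
            raise ValueError(f"bad central directory signature at offset {off}")
        name = data[off + 46 : off + 46 + name_len].decode("utf-8", "replace")
        timestamps[name] = dos_datetime(mdate, mtime)
        off += 46 + name_len + extra_len + comment_len
    return timestamps


def matches_zipfile(data: bytes) -> bool:
    """Cross-check the hand parser against the standard library's reader."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        expected = {i.filename: i.date_time for i in zf.infolist()}
    return central_directory_timestamps(data) == expected


if __name__ == "__main__":
    sample = build_sample_zip()
    for member, ts in central_directory_timestamps(sample).items():
        print(f"{member}: {ts[0]:04d}-{ts[1]:02d}-{ts[2]:02d} "
              f"{ts[3]:02d}:{ts[4]:02d}:{ts[5]:02d}")
```

When doing this on the real archive, compare the member timestamps against the on-disk `stat` times of the zip; they are often different, and the formula from the commit may expect one or the other, so try both before concluding the password derivation is wrong.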

wpi_wannasigh_flag.png

YEAH! The flag is WPI{Macros can kill}, even though we never saw the macro itself ;)