TSG CTF 2019

This is the partial writeup for the challenges presented in this year’s TSG CTF.

Categories index
Forensics


Forensics

Obliterated File

Working on making a problem of TSG CTF, I noticed that I have staged and committed the flag file by mistake before I knew it. I googled and found the following commands, so I’m not sure but anyway typed them. It should be ok, right?

$ git filter-branch --index-filter "git rm -f --ignore-unmatch problem/flag" --prune-empty -- --all
$ git reflog expire --expire=now --all
$ git gc --aggressive --prune=now

Attachment: problem.zip

The archive contained a Git repo, for which the history was mangled but the commit objects might still have been there. A rather ugly one liner can help us sift through every commit regarding the “flag” file:

$ for commit in $(git rev-list --parents HEAD); do if git rev-list "$commit~1" &>/dev/null; then git --no-pager diff --name-status "$commit" "$commit~1"; fi; done | grep flag

Luckily enough that filename actually existed, so tracking its history and reverting to the moment it was added is trivial:

$ git log --full-history -- flag
$ git checkout 84128ed70713706bef35805b2a097c1e5b493277

Peeking at the code in the repo and running file on the retrieved data reveals that the flag is in fact a ZLib archive:

require "./src/*"
require "sqlite3"
require "zlib"

flag = File.open("./flag", "r") do |f|
    Zlib::Reader.open(f) do |inflate|
        inflate.gets_to_end
    end
end

`rm -rf data.db`
DB.open "sqlite3://./data.db" do |db|
    db.exec "CREATE TABLE accounts (id text primary key, pass text);"
    db.exec "INSERT INTO accounts VALUES ('admin', '#{flag}');"
end


Kemal::Session.config.secret = ENV["session_secret"]
Kemal.run
$ file ./flag
flag: zlib compressed data

Uncompressing it is just a matter of having the right utils at hand:

$ zlib-flate -uncompress < flag

🏁 TSGCTF{$_git_update-ref_-d_refs/original/refs/heads/master}

Note: this challenge was patched throughout the event, making this exact solution unfeasible but not invalidating the approach: given the low number of commits, they could all be analyzed one by one to extract the removed flag file.


*****
Written by born2scan Team on 10 May 2019