Having done all the usual and relevant checks of the web server and come up with nothing of interest, I turned my attention to the iSCSI port. This was interesting because I knew nothing about what to do with it prior to starting.

Using the following links, I managed to get an idea of what should be going on:

Armed with knowledge (and after installing the relevant tool), I ran discovery against the port, which resulted in discovery! I claim thee in the name of things and stuff, and subsequently logged into the iSCSI target.

Once I had done that, and marvelled at my own expertise, I mounted it in the file system so I could browse the contents. It contained one flag (yay), an empty directory and one .dsk file.

cat the flag for the flag!

I then did a straight ‘cat’ against the .dsk file. That’s right, ‘cat’ as in concatenate, as in to join things together, but without actually joining it to anything. I know, off-the-rails lunacy; the file was so shocked by this turn of events that it dumped loads of rubbish, but also some human-readable goodness and flag2 to boot.

root@kali:/tmp/media# cat bobsdisk.dsk

Xd�<}Kd ����XF��X��S�S;�X

�8�� �� ^��SE�/media/bobsdisk�]��NBI��4Y�Q�6(

f� S;�X���!!!�@@@�aaa������������������!!!�@@@�```����� `�� `�� `�� `�� `��

— - SNIP — -

G’day Alice,

You know what really annoys me? How you and I ended up being used, like some kind of guinea pigs, by the RSA crypto wonks as actors in their designs for public key crypto… I don’t recall ever being asked if that was ok? I never got even one cent of royalties from them!? RSA have made Millions on our backs, and it’s time we took a stand!

Starting now, today, immediately, I’m never using asymmetric key encryption again, and it’s all symmetric keys from here on out. All my files and documents will be encrypted with that popular symmetric crypto algorithm. Uh. Yeah, I can’t pronounce its original name. I don’t even know what the letters in its other name stand for — but really — that’s not important. A bloke at my local hackerspace says its the beez kneez, ridgy-didge, real-deal, the best there is when it comes to symmetric key crypto, he has heaps of stickers on his laptop so I guess it means he knows, right? Anyway, he said it won some big important competition among crypto geeks in October 2000? Lucky Y2K didn’t happen then, I suppose or that would have been one boring party! Anyway this algorithm sounded good to me. I used the updated version that won the competition.

You know what happened to me this morning? My kids, the little darlings, had spilled their fancy 256 bit Lego kit all over the damn floor. Sigh. Of course I trod on it making my coffee, the level of pain really does ROCKYOU to the core when it happens! It’s hard to stay mad though, I really love Lego, the way those blocks chain togeather really does make them work brilliantly.

Anyway, given I’m not not using asymmetric crypto any longer, I destroyed my private key, so the public key you have for me may as well be deleted. I’ve got some notes for you which might help in your current case, I’ve encrypted it using my new favourite symmetric key crypto algorithm, it should be on the disk with this note.

Give me a shout when you’re down this way again, we’ll catch up for coffee (once the Lego is removed from my foot) :)

Cheers, Bob.

PS: Oh, before I forget, the hacker-kid who told me how to use this new algorithm, said it was very important I used the command option -md sha256 when decrypting. Why? Who knows? He said something about living on the bleeding-edge…

PPS: flag2{054738a5066ff56e0a4fc9eda6418478d23d3a7f}

— - SNIP — -

I’ve put the things in bold that I felt were important from the body of the text, because I have the option of making things bold if I want. I nearly went and italicised it too, but I was worried some older readers may have ‘complications’ with such a flagrant disregard for style and etiquette. For the lazy out there who don’t want to scroll up, here’s what I found in list format.

ROCKYOU: I am guessing this is a reference to /usr/share/wordlists/rockyou.txt on a standard Kali build.

-md sha256: the openssl option used when the file was encrypted, which the note says must be passed again when decrypting.

flag2: it’s already been indicated that some of the flags mean something somewhere!

Passing bobsdisk.dsk through binwalk to extract its contents generated some further content to investigate,

and sifting through that we find ToAlice.eml, which is just the human-readable content we have already seen above, and also an OpenSSL-encrypted file with a salted password! That also makes the -md sha256 switch make more sense.

I tried quite a few things for quite a while at this point. I started by using a standard bash for loop to pass the values of rockyou as the password for the encrypted file. It was slow, and noisy because the fans really kicked in on my laptop, and after about 30 minutes of whirring away I decided it must be the wrong approach, plus my crotch was getting unreasonably warm.
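As an added example (not from the original writeup), here is a small POSIX shell script, assuming the openssl CLI is on the path, that encrypts a constructed sample file the way Bob’s note implies (AES-256-CBC, salted password, SHA-256 key derivation) and then checks candidate passwords from a constructed five-word wordlist the way the bash loop above did; the password “correct-horse” and the words are placeholders. It also shows why the -md switch matters: the same password with -md md5 derives a different key and the decrypt fails.

```shell
#!/bin/sh
# Added demo (not from the writeup). Assumes the openssl CLI is installed.
# Builds a constructed sample encrypted the way Bob's note implies
# (AES-256-CBC, salted password, SHA-256 key derivation) and checks
# candidate passwords against it.
set -eu

WORK=$(mktemp -d)
PLAIN="$WORK/notes.txt"
ENC="$WORK/notes.enc"
WORDLIST="$WORK/words.txt"          # constructed stand-in for rockyou.txt

printf 'constructed sample plaintext\n' > "$PLAIN"
printf '%s\n' password 123456 letmein correct-horse qwerty > "$WORDLIST"

# -S fixes the 8-byte salt so the demo is repeatable; a real file written
# with -salt (the default) carries a random salt after the "Salted__" header.
openssl enc -aes-256-cbc -md sha256 -S 0123456789abcdef \
    -pass pass:correct-horse -in "$PLAIN" -out "$ENC" 2>/dev/null

# try_decrypt <file> <password> <digest>
# Prints the plaintext and returns 0 only when the password AND the digest
# used for key derivation match; otherwise the padding check fails and
# openssl reports "bad decrypt" with a non-zero status.
try_decrypt() {
    openssl enc -d -aes-256-cbc -md "$3" -pass "pass:$2" -in "$1" 2>/dev/null
}

# find_password <file> <wordlist> <digest>
# Walks the wordlist and prints the first candidate that decrypts cleanly.
# Same idea as the for loop in the writeup; spawning one openssl process
# per word is why that loop was so slow.
find_password() {
    while IFS= read -r candidate; do
        if try_decrypt "$1" "$candidate" "$3" >/dev/null; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done < "$2"
    return 1
}

# Same password, wrong digest: a different key is derived and the decrypt
# fails, which is exactly why Bob's note insists on -md sha256.
try_decrypt "$ENC" correct-horse md5 >/dev/null || echo "md5 derivation: bad decrypt"
find_password "$ENC" "$WORDLIST" sha256      # prints correct-horse
```

Pass the real wordlist path and the extracted file in place of the constructed ones; the -md value must match whatever version of openssl produced the file (older releases defaulted to md5, which is the “bleeding-edge” remark in the note).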