DawgCTF 2021: Crack IFS

Crack IFS

Category: Fwn (Forensics/Web/Network)

chal

100 points

The accounts in this QNX IFS have insecure passwords. Crack them to assemble the flag.

https://www.qnx.com/developers/docs/7.0.0/#com.qnx.doc.neutrino.building/topic/intro/intro_ifs.html

DawgCTF.ifs: https://drive.google.com/file/d/1imS0_LQTWg67bwZucoSSa9US28C1uAI2/view?usp=sharing

Author: Percival

Solution

IFS is filesystem type for Blackberry devices. I didn’t want to install QNX SDK. Fortunately I found “dirty hack” alternative on github. With some corrections and tweaks in dumpIfs.sh I’ve managed to extract all the files.

find .
.
./etc
./etc/shadow
./etc/passwd
./proc
./proc/boot
./proc/boot/libcam.so.2
./proc/boot/fs-qnx6.so
./proc/boot/devu-ehci.so
./proc/boot/cam-cdrom.so
./proc/boot/fs-udf.so
./proc/boot/devu-ohci.so
./proc/boot/fs-cd.so
./proc/boot/io-hid
./proc/boot/devb-aha8
./proc/boot/procnto-instr
./proc/boot/fs-nt.so
./proc/boot/fs-dos.so
./proc/boot/fs-mac.so
./proc/boot/devb-adpu320
./proc/boot/umass-enum.cfg
./proc/boot/devb-ahci
./proc/boot/slogger
./proc/boot/libusbdi.so.2
./proc/boot/io-blk.so
./proc/boot/seedres
./proc/boot/cam-disk.so
./proc/boot/startup-script
./proc/boot/devc-con-hid
./proc/boot/devu-uhci.so
./proc/boot/pci-bios
./proc/boot/devh-usb.so
./proc/boot/fs-ext2.so
./proc/boot/fesh
./proc/boot/devh-ps2ser.so
./proc/boot/unlink_list
./proc/boot/diskboot
./proc/boot/libc.so.3
./proc/boot/devc-con
./proc/boot/devb-mvSata
./proc/boot/devb-eide
./proc/boot/io-usb
./proc/boot/libhiddi.so.1
./proc/boot/devb-umass
./proc/boot/fs-qnx4.so
./proc/boot/umass-enum

At this moment description challenge made sense to me.

cat etc/shadow
root:7BdwYWpqXnY4E:1620082957:0:0
user:J7KYxY.GQNu8Q:1620011262:0:0
guest:4J4ZDAgsm0m5M:1620011331:0:0
joe:HNPzLUBaDdJ1E:1620083038:0:0
bob:HL99o4s12Kyzo:1620083025:0:0

The goal was to break those hashes and combine the flag. To achieve it I’ve chosen John the Ripper. After first broken password I’ve stopped the execution and added password length limit of 4.

john --max-length=4 etc/shadow

After short while I’ve ended with all hashes cracked. Combined together gave the flag.

john etc/shadow --show
root:cram:1620082957:0:0
user:CTF{:1620011262:0:0
guest:ble}:1620011331:0:0
joe:un_s:1620083038:0:0
bob:Dawg:1620083025:0:0

5 password hashes cracked, 0 left

Flag

DawgCTF{un_scramble}

Privacy Policy
luc © 2021