Crack IFS
Category: Fwn (Forensics/Web/Network)
100 points
The accounts in this QNX IFS have insecure passwords. Crack them to assemble the flag.
https://www.qnx.com/developers/docs/7.0.0/#com.qnx.doc.neutrino.building/topic/intro/intro_ifs.html
DawgCTF.ifs: https://drive.google.com/file/d/1imS0_LQTWg67bwZucoSSa9US28C1uAI2/view?usp=sharing
Author: Percival
Solution
IFS is filesystem type for Blackberry devices. I didn’t want to install QNX SDK. Fortunately I found “dirty hack”
alternative on github. With some corrections and tweaks in dumpIfs.sh
I’ve
managed to extract all the files.
find .
.
./etc
./etc/shadow
./etc/passwd
./proc
./proc/boot
./proc/boot/libcam.so.2
./proc/boot/fs-qnx6.so
./proc/boot/devu-ehci.so
./proc/boot/cam-cdrom.so
./proc/boot/fs-udf.so
./proc/boot/devu-ohci.so
./proc/boot/fs-cd.so
./proc/boot/io-hid
./proc/boot/devb-aha8
./proc/boot/procnto-instr
./proc/boot/fs-nt.so
./proc/boot/fs-dos.so
./proc/boot/fs-mac.so
./proc/boot/devb-adpu320
./proc/boot/umass-enum.cfg
./proc/boot/devb-ahci
./proc/boot/slogger
./proc/boot/libusbdi.so.2
./proc/boot/io-blk.so
./proc/boot/seedres
./proc/boot/cam-disk.so
./proc/boot/startup-script
./proc/boot/devc-con-hid
./proc/boot/devu-uhci.so
./proc/boot/pci-bios
./proc/boot/devh-usb.so
./proc/boot/fs-ext2.so
./proc/boot/fesh
./proc/boot/devh-ps2ser.so
./proc/boot/unlink_list
./proc/boot/diskboot
./proc/boot/libc.so.3
./proc/boot/devc-con
./proc/boot/devb-mvSata
./proc/boot/devb-eide
./proc/boot/io-usb
./proc/boot/libhiddi.so.1
./proc/boot/devb-umass
./proc/boot/fs-qnx4.so
./proc/boot/umass-enum
At this moment description challenge made sense to me.
cat etc/shadow
root:7BdwYWpqXnY4E:1620082957:0:0
user:J7KYxY.GQNu8Q:1620011262:0:0
guest:4J4ZDAgsm0m5M:1620011331:0:0
joe:HNPzLUBaDdJ1E:1620083038:0:0
bob:HL99o4s12Kyzo:1620083025:0:0
The goal was to break those hashes and combine the flag. To achieve it I’ve chosen John the Ripper
. After first
broken password I’ve stopped the execution and added password length limit of 4.
john --max-length=4 etc/shadow
After short while I’ve ended with all hashes cracked. Combined together gave the flag.
john etc/shadow --show
root:cram:1620082957:0:0
user:CTF{:1620011262:0:0
guest:ble}:1620011331:0:0
joe:un_s:1620083038:0:0
bob:Dawg:1620083025:0:0
5 password hashes cracked, 0 left
Flag
DawgCTF{un_scramble}