forensics / free / hard

Lost and Found

umasscybersec

Task: analyze a VM disk image where a home directory and Git repository were recursively obfuscated with an XOR utility. Solution: recover the repeating key from known plaintext in Git hook templates, decrypt the tree, and inspect the stash ref directly to extract the flag.

Techniques: xor known plaintext, filesystem recovery, shell history analysis, repeating key recovery, git object inspection

Lost and Found — UMass Cybersecurity CTF

Description

Original task text was not preserved in the local solve artifacts.

English summary: the challenge provides a VM image with an Alpine-like filesystem. The goal is to recover what was hidden inside an XOR-obfuscated /home tree and extract the flag.

Analysis

After extracting the OVA, converting the VMDK to raw, and inspecting the ext4 filesystem, the first useful artifact was /root/.ash_history. It showed cargo install xor, git init ., later Git activity, and manual editing of .ash_history, which strongly suggested intentional filesystem tampering.

Reading the installed crate source at /root/.cargo/registry/.../xor-1.4.5 explained the layout under /home: in recursive mode, the tool XORs file contents and renames files and directories by XORing the original names and hex-encoding the result. That immediately explained the hex-looking names such as 5457501C.

Using the repeated encrypted filename for red-herring as known plaintext recovered part of the key and showed that 5457501C decrypted to .git. The full repeating 512-byte key was then recovered by XORing encrypted .git/hooks/* files against the default hook templates in /usr/share/git-core/templates/hooks/.

Solution

  1. Extract the VM archive, convert the disk to raw, and inspect the ext4 filesystem.
  2. Recover /root/.ash_history and identify xor plus Git usage.
  3. Read the local xor crate source to confirm recursive XOR of both file contents and names.
  4. Use known plaintext from the repeated red-herring filename to identify part of the key and confirm 5457501C -> .git.
  5. Recover the full repeating key by matching encrypted .git/hooks/* files to the stock Git hook templates.
  6. Decrypt the entire /home tree and restore the Git repository.
  7. Ignore misleading extra refs and inspect .git/refs/stash directly.
  8. Read the referenced stash object/log message and extract the flag.
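The following is an added example that is not the writeup's solve script and not the xor crate's code. It reproduces the obfuscation model the analysis describes (file contents XORed with a repeating key, every entry renamed to the hex of its XORed name) on a small constructed tree, then recovers the key exactly as steps 4 and 5 do: a filename that recurs in the tree is treated as known plaintext to get the first key bytes, those bytes are enough to locate .git/hooks, and a hook file XORed against a known template fills in the rest. The 16-byte DEMO_KEY, the HOOK_TEMPLATE stand-in, the red-herring plaintext guess and the assumption that the key restarts at offset 0 for every file and every name are all constructed for the demo, not taken from the crate.

```python
#!/usr/bin/env python3
"""Added example: repeating-key XOR tree obfuscation and known-plaintext key recovery.
Assumption (not verified against the xor crate): the key restarts at offset 0 for
every file's contents and for every file or directory name."""
import tempfile
from collections import Counter
from pathlib import Path
from typing import Callable, Dict, Optional

# Constructed 16-byte demo key; the challenge key was 512 bytes, which only changes KEY_LEN.
DEMO_KEY = bytes.fromhex("a31f77c0059e12bb4de8306cf107592a")
KEY_LEN = len(DEMO_KEY)
# Constructed stand-in for a stock Git hook template; any known file longer than the key works.
HOOK_TEMPLATE = b"#!/bin/sh\n# Sample pre-commit hook: constructed stand-in for the stock template\nexit 0\n"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR with a key that repeats from offset 0; XOR is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def obfuscate_name(name: str, key: bytes) -> str:
    """Name -> XOR -> upper-case hex, giving entries like 5457501C."""
    return xor_bytes(name.encode(), key).hex().upper()


def transform_tree(root: Path, key: bytes, rename: Callable[[str, bytes], str]) -> None:
    """XOR every file's contents and rename every entry, deepest paths first so children
    are processed before their parent directory is renamed away."""
    for path in sorted(root.rglob("*"), key=lambda p: len(p.parts), reverse=True):
        if path.is_file():
            path.write_bytes(xor_bytes(path.read_bytes(), key))
        path.rename(path.with_name(rename(path.name, key)))


def obfuscate_tree(root: Path, key: bytes) -> None:
    transform_tree(root, key, obfuscate_name)


def restore_tree(root: Path, key: bytes) -> None:
    transform_tree(root, key, lambda h, k: xor_bytes(bytes.fromhex(h), k).decode())


def key_fragment(ciphertext: bytes, plaintext: bytes, key_len: int) -> Dict[int, int]:
    """Each (cipher, plain) pair fixes key[i % key_len]; a contradiction means the
    plaintext guess or the key length is wrong, so it is reported rather than ignored."""
    frag: Dict[int, int] = {}
    for i, (c, p) in enumerate(zip(ciphertext, plaintext)):
        if frag.setdefault(i % key_len, c ^ p) != c ^ p:
            raise ValueError(f"key byte {i % key_len} is inconsistent")
    return frag


def merge_fragments(a: Dict[int, int], b: Dict[int, int]) -> Dict[int, int]:
    out = dict(a)
    for pos, k in b.items():
        if out.setdefault(pos, k) != k:
            raise ValueError(f"key byte {pos} disagrees between sources")
    return out


def decode_name_partial(hexname: str, frag: Dict[int, int]) -> Optional[str]:
    """Decode a hex name using only the key bytes recovered so far; None if one is missing."""
    raw = bytes.fromhex(hexname)
    if any(i % KEY_LEN not in frag for i in range(len(raw))):
        return None
    return bytes(c ^ frag[i % KEY_LEN] for i, c in enumerate(raw)).decode(errors="replace")


def recover_key(obf_home: Path, key_len: int) -> bytes:
    """Step 4: a name that recurs in the tree encrypts identically under a per-name restart,
    and its guessed plaintext yields the first key bytes. Step 5: those bytes decode the short
    names .git and hooks, and a hook file against the template completes the key."""
    counts = Counter(p.name for p in obf_home.rglob("*"))
    repeated = next((n for n, c in counts.items() if c > 1), None)
    if repeated is None:
        raise ValueError("no repeated encrypted filename to use as known plaintext")
    frag = key_fragment(bytes.fromhex(repeated), b"red-herring", key_len)  # constructed guess
    for d in (p for p in obf_home.rglob("*") if p.is_dir()):
        if decode_name_partial(d.name, frag) != "hooks" or decode_name_partial(d.parent.name, frag) != ".git":
            continue
        for hook in d.iterdir():
            try:
                full = merge_fragments(frag, key_fragment(hook.read_bytes(), HOOK_TEMPLATE, key_len))
            except ValueError:
                continue  # not a file that matches the template
            if len(full) == key_len:
                return bytes(full[i] for i in range(key_len))
    raise ValueError("could not recover the full key")


def run_demo() -> dict:
    """Build a constructed /home-like tree, obfuscate it, recover the key and restore it."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "home"
        hooks = home / "user" / ".git" / "hooks"
        hooks.mkdir(parents=True)
        (hooks / "pre-commit.sample").write_bytes(HOOK_TEMPLATE)
        (home / "user" / "red-herring").write_bytes(b"decoy\n")
        (home / "user" / ".git" / "red-herring").write_bytes(b"another decoy\n")
        (home / "user" / "notes.txt").write_bytes(b"flag{constructed_demo_flag}\n")
        obfuscate_tree(home, DEMO_KEY)
        hex_only = all(set(p.name) <= set("0123456789ABCDEF") for p in home.rglob("*"))
        recovered = recover_key(home, KEY_LEN)
        restore_tree(home, recovered)
        return {"hex_only": hex_only, "key_recovered": recovered == DEMO_KEY,
                "notes": (home / "user" / "notes.txt").read_bytes()}


if __name__ == "__main__":
    print(run_demo())
```

Two things carry over to the real image: a contradiction in key_fragment is the signal that the key length or the plaintext guess is wrong, so it is worth surfacing rather than masking, and the depth-first rename order in transform_tree is what keeps a recursive rename from orphaning children, in either direction.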