$ cat writeup.md…

forensicsfreemedium

Lavender

alfactf

Task: recover an encrypted flag from a split EnCase disk image containing ransomware artifacts and an AdaptixC2 agent. Solution: extract the evidence with Sleuth Kit, identify the HFL1 hybrid format and the AdaptixC2 endpoint, exploit svcname injection to steal the correct private key, then decrypt flag.txt.GSenc.

command_injection ext4 disk_forensics sleuth_kit ransomware hybrid_encryption aes_gcm encase rsa_oaep adaptixc2

sleuthkit_artifact_extractionhfl1_format_reversingadaptixc2_infrastructure_identificationsvcname_command_injectionprivate_key_exfiltrationrsa_oaep_aes_gcm_decryption

$ ls tags/ techniques/

command_injection ext4 disk_forensics sleuth_kit ransomware hybrid_encryption aes_gcm encase rsa_oaep adaptixc2

sleuthkit_artifact_extractionhfl1_format_reversingadaptixc2_infrastructure_identificationsvcname_command_injectionprivate_key_exfiltrationrsa_oaep_aes_gcm_decryption

Lavender — alfactf

Original task name: Хак на лавандовом
Category: forensics
Status: solved
Flag: alfa{YoU_jusT_SAved_A_c0fFeE_sHOp}

Summary

The challenge starts with a split EnCase disk image and ends with decrypting a ransomware-encrypted flag. The successful path is: extract the interesting files from CAFE.E01 / CAFE.E02 with Sleuth Kit, recognize the HFL1 / GS-encrypt hybrid format, identify the attacker infrastructure as AdaptixC2 at lab.gigashad.xyz:4321, exploit the svcname injection in AdaptixC2 v0.1, recover /DECRYPTION_KEYS/Northwind_Coffee_Roasters/private.pem, and decrypt flag.txt.GSenc with decrypt.py.

Stage 1: Extract artifacts from `CAFE.E01` / `CAFE.E02`

After unpacking the archive, the main evidence is a split EnCase image:

CAFE.E01
CAFE.E02

The useful filesystem is accessible with Sleuth Kit at offset 2048. A quick recursive listing is enough to identify the important files:

fls -o 2048 -r "CAFE.E01" | rg "flag\.txt\.GSenc|GS-encrypt|agent\.bin|journal"

The relevant artifacts are:

flag.txt.GSenc
GS-encrypt
agent.bin
journal files with execution traces

The encrypted flag can then be extracted directly by inode:

icat -o 2048 "CAFE.E01" 913947 > "flag.txt.GSenc"

This establishes that the target is not plain text inside the image: the real task is to recover the decryption key.

Stage 2: Understand the `HFL1` / `GS-encrypt` format

Reversing GS-encrypt shows that the encrypted file uses a hybrid scheme. The flag.txt.GSenc header starts with HFL1, and the format stores a wrapped symmetric key plus the data needed for AES-GCM decryption.

The structure is:

magic[4]      = "HFL1"
version       u8
keyAlgo       u8
dataAlgo      u8
wrappedKeyLen u16 BE
nonceLen      u16 BE
ciphertextLen u32 BE
wrappedKey[wrappedKeyLen]
nonce[nonceLen]
ciphertext[ciphertextLen]

The values observed during decryption are:

version=1 keyAlgo=1 dataAlgo=1 wrapped=256 nonce=12 ct=51

This corresponds to:

RSA-OAEP-SHA256 for key wrapping
AES-256-GCM for file encryption

So the remaining requirement is the correct RSA private key for the victim.

Stage 3: Identify AdaptixC2 and the endpoint

The extracted agent.bin links the incident to AdaptixC2. The reproduced analysis identifies the relevant teamserver as:

lab.gigashad.xyz:4321

The version matters: this is AdaptixC2 v0.1, which is vulnerable in the agent generation flow. That turns the investigation from passive forensics into active key recovery.

Stage 4: Exploit `svcname` injection in AdaptixC2 v0.1

The vulnerable behavior is in the agent generation endpoint, where svcname is passed into a shell command. Because the value is not safely handled, it is possible to break out of the intended context and execute arbitrary commands.

The payload concept is:

'; (CMD) 1>&2; false; #

This works because it:

breaks the quoted svcname value,
runs attacker-controlled shell code,
redirects output into the error path so it can be read back.

The first useful probe is to verify command execution and inspect the directory that stores decryption keys:

python3 "alfactf2026-writeups/lavender/artifacts/exploit.py" "id; uname -a; pwd; ls -la /DECRYPTION_KEYS"

That confirms both RCE and the presence of the key store.

Stage 5: Extract the correct private key

The needed key is the one for Northwind Coffee Roasters. It can be exfiltrated directly from the server with:

python3 "alfactf2026-writeups/lavender/artifacts/exploit.py" "cat /DECRYPTION_KEYS/Northwind_Coffee_Roasters/private.pem; echo __END__"

The recovered key is saved locally as private.pem. This is the critical bridge between the disk image and the attacker infrastructure: the encrypted file from the image can now be decrypted with the private key stolen from the C2 environment.

Stage 6: Decrypt `flag.txt.GSenc`

With both files available locally:

flag.txt.GSenc
private.pem

the final step is:

python3 "alfactf2026-writeups/lavender/artifacts/decrypt.py" "flag.txt.GSenc" "private.pem"

The script parses the HFL1 envelope, unwraps the symmetric key with RSA-OAEP, and decrypts the ciphertext with AES-GCM.

The plaintext is:

alfa{YoU_jusT_SAved_A_c0fFeE_sHOp}

Final Flag

alfa{YoU_jusT_SAved_A_c0fFeE_sHOp}

Notes

The writeup was normalized to the local house format used in this repository.
The solution flow is fully consistent with the extracted disk artifacts and the reproduced AdaptixC2 exploitation path.

Lavender — alfactf

Summary

Stage 1: Extract artifacts from CAFE.E01 / CAFE.E02

Stage 2: Understand the HFL1 / GS-encrypt format