alfactf
Task: recover an encrypted flag from a split EnCase disk image containing ransomware artifacts and an AdaptixC2 agent. Solution: extract the evidence with Sleuth Kit, identify the HFL1 hybrid format and the AdaptixC2 endpoint, exploit svcname injection to steal the correct private key, then decrypt flag.txt.GSenc.
Original task name: Хак на лавандовом
Category: forensics
Status: solved
Flag: alfa{YoU_jusT_SAved_A_c0fFeE_sHOp}
The challenge starts with a split EnCase disk image and ends with decrypting a ransomware-encrypted flag. The successful path is: extract the interesting files from CAFE.E01 / CAFE.E02 with Sleuth Kit, recognize the HFL1 / GS-encrypt hybrid format, identify the attacker infrastructure as AdaptixC2 at lab.gigashad.xyz:4321, exploit the svcname injection in AdaptixC2 v0.1, recover /DECRYPTION_KEYS/Northwind_Coffee_Roasters/private.pem, and decrypt flag.txt.GSenc with decrypt.py.
CAFE.E01 / CAFE.E02

After unpacking the archive, the main evidence is a split EnCase image:

CAFE.E01
CAFE.E02

The useful filesystem is accessible with Sleuth Kit at offset 2048. A quick recursive listing is enough to identify the important files:
fls -o 2048 -r "CAFE.E01" | rg "flag\.txt\.GSenc|GS-encrypt|agent\.bin|journal"
The relevant artifacts are:
flag.txt.GSenc
GS-encrypt
agent.bin

The encrypted flag can then be extracted directly by inode:
icat -o 2048 "CAFE.E01" 913947 > "flag.txt.GSenc"
This establishes that the target is not plain text inside the image: the real task is to recover the decryption key.
HFL1 / GS-encrypt format

Reversing GS-encrypt shows that the encrypted file uses a hybrid scheme. The flag.txt.GSenc header starts with HFL1, and the format stores a wrapped symmetric key plus the data needed for AES-GCM decryption.
The structure is:
magic[4] = "HFL1"
version u8
keyAlgo u8
dataAlgo u8
wrappedKeyLen u16 BE
nonceLen u16 BE
ciphertextLen u32 BE
wrappedKey[wrappedKeyLen]
nonce[nonceLen]
ciphertext[ciphertextLen]
The values observed during decryption are:
version=1 keyAlgo=1 dataAlgo=1 wrapped=256 nonce=12 ct=51
This corresponds to:
So the remaining requirement is the correct RSA private key for the victim.
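A parser for the HFL1 layout described above, added here as an example (it is not part of the original writeup or of GS-encrypt itself). The sample file is constructed with the field sizes observed on flag.txt.GSenc but dummy contents, and the assumption that the 16-byte AES-GCM tag is appended to the ciphertext is mine, not something the format documents.

```python
import struct
from dataclasses import dataclass

# Fixed header: magic[4] version u8 keyAlgo u8 dataAlgo u8 wrappedKeyLen u16 BE nonceLen u16 BE ciphertextLen u32 BE
HEADER = struct.Struct(">4sBBBHHI")
MAGIC = b"HFL1"
GCM_TAG_LEN = 16  # assumption: the GCM tag is appended to the ciphertext, as most libraries do

@dataclass(frozen=True)
class HFL1File:
    version: int
    key_algo: int
    data_algo: int
    wrapped_key: bytes   # symmetric key wrapped with the victim's RSA public key
    nonce: bytes
    ciphertext: bytes

def parse_hfl1(blob: bytes) -> HFL1File:
    """Parse a GS-encrypt .GSenc file, rejecting anything whose declared lengths do not add up."""
    if len(blob) < HEADER.size:
        raise ValueError("truncated: shorter than the fixed header")
    magic, version, key_algo, data_algo, wk_len, nonce_len, ct_len = HEADER.unpack_from(blob)
    if magic != MAGIC:
        raise ValueError(f"bad magic {magic!r}")
    expected = HEADER.size + wk_len + nonce_len + ct_len
    if len(blob) != expected:
        raise ValueError(f"length mismatch: file has {len(blob)} bytes, header implies {expected}")
    if ct_len < GCM_TAG_LEN:
        raise ValueError("ciphertext too short to carry a GCM tag")
    off = HEADER.size
    wrapped_key = blob[off:off + wk_len]
    off += wk_len
    nonce = blob[off:off + nonce_len]
    off += nonce_len
    return HFL1File(version, key_algo, data_algo, wrapped_key, nonce, blob[off:off + ct_len])

def build_hfl1(version, key_algo, data_algo, wrapped_key, nonce, ciphertext) -> bytes:
    """Inverse of parse_hfl1; used here only to construct a sample file."""
    hdr = HEADER.pack(MAGIC, version, key_algo, data_algo, len(wrapped_key), len(nonce), len(ciphertext))
    return hdr + wrapped_key + nonce + ciphertext

def plaintext_len(f: HFL1File) -> int:
    """Plaintext size implied by the ciphertext length under the appended-tag assumption."""
    return len(f.ciphertext) - GCM_TAG_LEN

# Constructed sample with the sizes observed on flag.txt.GSenc (wrapped=256, nonce=12, ct=51);
# the byte contents are dummies, not the real file. A 256-byte wrapped key matches a 2048-bit RSA modulus.
SAMPLE = build_hfl1(1, 1, 1, bytes(range(256)), b"\x01" * 12, b"\x02" * 51)
```

Running parse_hfl1 over the real flag.txt.GSenc extracted with icat gives the same field sizes the writeup lists, which is a quick way to confirm the file was carved intact before spending effort on the key.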