## HACKvent 2020 - Day 18

01-01-2021 - 2 minutes, 8 seconds -

Challenge - Santa's lost home

Santa has forgotten his password and can no longer access his data. While trying to read the hard disk from another computer he also destroyed an important file. To avoid further damage he made a backup of his home partition. Can you help him recover the data.

When asked he said the only thing he remembers is that he used his name in the password... I thought this was something only a real human would do...

Backup

Hints

• It's not rock-science, it's station-science!
• Use default options

## Solution

So we have a backup image of Santa's home partition. After unpacking the image with 7zip, or mounting it directly in linux, it quickly became clear that the home directory is encrypted using eCryptfs.

While researching ecryptfs we stumbled across these two interesting articles:

A good research time later, it turns out that the first hint and the description refers to wordlists:

The first thing I read was "rockET-science" but actually it said "rock-science". "rockyou.txt" is a popular wordlist - so this one is not supposed to be it.

"station-science" probably references crackstation, and crackstation also offers a "real human" wordlist.

So we should use that list. We also know that "santa" should be in the password, so we filter the ~680MB wordlist down to about 300kB:

cat wordlist.txt | grep -i santa > wordlist_santa.txt

Since Santa unfortunately lost the wrapped-passphrase-file while trying to recover the data, we try the signatures we found in the Private.sig file and the default salt described in [1].

Content of jtr18:
$ecryptfs$0$1$0011223344556677$7b4f67408a83013e$ecryptfs$0$1$0011223344556677$422414d82edcc8e8

John Command:
john -wordlist=wordlist_santa.txt jtr18

The now very handy wordlist goes through quickly and gives us... no result.

So let's see if there are any traces of the wrapped-passphrase-file left in the image. And indeed, we see a 16 character hexadecimal string as the penultimate entry.

It strongly resembles what we were looking for. So we start a hex editor look even closer.

And lo and behold, right in front of the string we find the file-magic or version number (0x3a02, [1]) of the "wrapped-passphrase" file! With this new find we quickly start John again, and we have a password!

think-santa-lives-at-north-pole

Now that we have Santa's password, we still need to decrypt the data and extract the flag. For this we follow the instructions in [2]. Using "ecryptfs-add-passphrase -fnek" we add the keys for the file and filename encryption.

"ecryptfs-recover-private" then mounts the encrypted data for us in the /tmp/ directory.

in /tmp/ecryptfs.4iL1bDiy/ there is now one single file:

We found the Flag! HV20{a_b4ckup_of_1mp0rt4nt_f1l35_15_3553nt14l}