HACKvent 2020 - Day 18

01-01-2021 - 2 minutes, 8 seconds - CTF

Challenge - Santa's lost home

Santa has forgotten his password and can no longer access his data. While trying to read the hard disk from another computer he also destroyed an important file. To avoid further damage he made a backup of his home partition. Can you help him recover the data?

When asked he said the only thing he remembers is that he used his name in the password... I thought this was something only a real human would do...

Backup

Hints

  • It's not rock-science, it's station-science!
  • Use default options

Solution

So we have a backup image of Santa's home partition. After unpacking the image with 7-Zip, or mounting it directly in Linux, it quickly became clear that the home directory is encrypted using eCryptfs.

While researching ecryptfs we stumbled across these two interesting articles:

After a good amount of research it turns out that the first hint and the description refer to wordlists:

The first thing I read was "rockET-science" but actually it said "rock-science". "rockyou.txt" is a popular wordlist - so this one is not supposed to be it.

"station-science" probably references crackstation, and crackstation also offers a "real human" wordlist.

So we should use that list. We also know that "santa" should be in the password, so we filter the ~680MB wordlist down to about 300kB:

cat wordlist.txt | grep -i santa > wordlist_santa.txt

Since Santa unfortunately lost the wrapped-passphrase-file while trying to recover the data, we try the signatures we found in the Private.sig file and the default salt described in [1].

Content of jtr18:
$ecryptfs$0$1$0011223344556677$7b4f67408a83013e
$ecryptfs$0$1$0011223344556677$422414d82edcc8e8

John Command:
john -wordlist=wordlist_santa.txt jtr18

The now very handy wordlist goes through quickly and gives us... no result.

So let's see if there are any traces of the wrapped-passphrase file left in the image. And indeed, we see a 16-character hexadecimal string as the penultimate entry.

Traces of the wrapped-passphrase-file

It strongly resembles what we were looking for. So we open a hex editor to take an even closer look.

file-magic or version number of the wrapped-passphrase-file

And lo and behold, right in front of the string we find the file-magic or version number (0x3a02, [1]) of the "wrapped-passphrase" file! With this new find we quickly start John again, and we have a password!

think-santa-lives-at-north-pole
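To make the cracking step above concrete, here is an added example (not code from the original writeup or from ecryptfs-utils/John): it derives the eCryptfs passphrase signature the way john does for the `$ecryptfs$0$1$<salt>$<sig>` lines in jtr18, and carves a `0x3a02` marker followed by 16 hex characters out of a byte image, as we did by hand in the hex editor. The image bytes and the candidate list are constructed here; the salt is the default one from jtr18, and the recovered passphrase is only used to build the sample.

```python
import hashlib
import re

# Constants as in ecryptfs-utils (generate_passphrase_sig); the salt is the
# default salt already used in the jtr18 lines above.
DEFAULT_SALT_HEX = "0011223344556677"   # ECRYPTFS_DEFAULT_SALT_HEX
HASH_ITERATIONS = 65536                 # ECRYPTFS_DEFAULT_NUM_HASH_ITERATIONS
SIG_BYTES = 8                           # ECRYPTFS_SIG_SIZE -> 16 hex characters
WRAPPED_MAGIC = b"\x3a\x02"             # marker found in front of the signature

def passphrase_sig(passphrase: str, salt_hex: str = DEFAULT_SALT_HEX) -> str:
    """Derive the 16-hex-character eCryptfs passphrase signature john checks."""
    salt = bytes.fromhex(salt_hex)
    if len(salt) != 8:
        raise ValueError("eCryptfs salt must be 8 bytes (16 hex characters)")
    # SHA-512(salt || passphrase), then re-hash the digest 65535 more times;
    # the result is the FEKEK (the key that wraps the file encryption keys).
    digest = hashlib.sha512(salt + passphrase.encode()).digest()
    for _ in range(HASH_ITERATIONS - 1):
        digest = hashlib.sha512(digest).digest()
    # The signature is the first 8 bytes of one more SHA-512 over the FEKEK,
    # so it identifies the key without exposing the key material itself.
    return hashlib.sha512(digest).digest()[:SIG_BYTES].hex()

def carve_wrapped_sigs(image: bytes) -> list:
    """Find candidate signatures: the magic followed by 16 ASCII hex characters."""
    pattern = re.escape(WRAPPED_MAGIC) + rb"([0-9a-f]{16})"
    return [m.group(1).decode() for m in re.finditer(pattern, image)]

def jtr_line(sig_hex: str, salt_hex: str = DEFAULT_SALT_HEX) -> str:
    """Format a carved signature the way the jtr18 file above does."""
    return f"$ecryptfs$0$1${salt_hex}${sig_hex}"

def recover_passphrase(image: bytes, candidates) -> dict:
    """Carve signatures from the image and map each matched one to its passphrase."""
    sigs = set(carve_wrapped_sigs(image))
    found = {}
    for cand in candidates:          # one KDF run per candidate, like john
        sig = passphrase_sig(cand)
        if sig in sigs:
            found[sig] = cand
    return found

# Constructed sample (not bytes from the challenge image): zero padding, the
# header of a destroyed wrapped-passphrase file, then some unrelated data.
_SAMPLE_SIG = passphrase_sig("think-santa-lives-at-north-pole")
SAMPLE_IMAGE = b"\x00" * 32 + WRAPPED_MAGIC + _SAMPLE_SIG.encode() + b"\xde\xad" * 8
SAMPLE_CANDIDATES = ["santa", "Santa2020", "think-santa-lives-at-north-pole"]
```

Running `recover_passphrase(SAMPLE_IMAGE, SAMPLE_CANDIDATES)` returns the carved signature mapped to the third candidate; `jtr_line()` turns the same signature into a line john would accept.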

Now that we have Santa's password, we still need to decrypt the data and extract the flag. For this we follow the instructions in [2]. Using "ecryptfs-add-passphrase -fnek" we add the keys for the file and filename encryption.

"ecryptfs-recover-private" then mounts the encrypted data for us in the /tmp/ directory.

Output of ecryptfs-recover-private

In /tmp/ecryptfs.4iL1bDiy/ there is now one single file:

The decrypted backup with the flag

We found the Flag! HV20{a_b4ckup_of_1mp0rt4nt_f1l35_15_3553nt14l}
