MITRE CTF 2013 – For200

For this challenge we're given a ~700 MB archive that contains a virtual machine image. It's named Ubuntu, and booting it we get an "X11 failed to initialize" message. I mounted my Arch ISO as the CD drive, booted off of it, and attempted to get any textual data off the disk. We knew flags start with MCA, and grep -r "MCA" returned nothing interesting other than a binary hit in one of the Ubuntu Book images. So, the only thing left to do was fix X11. Chrooting to the Ubuntu disk, we deleted /etc/X11/xorg.conf and inserted a standard VMware config. We ran passwd to change the root and ctf user passwords, and rebooted the VM.
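An added example, not part of the original write-up: a Python version of the flag-prefix search over the mounted disk that also catches UTF-16 strings and returns the printable context of each hit, so a binary hit like the one in the Ubuntu Book image can be triaged quickly. The function names, the 40-character context window and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

PREFIX = "MCA"   # flag prefix stated in the write-up
CONTEXT = 40     # assumed: max printable characters kept after the prefix

def build_patterns(prefix):
    """Byte regexes: prefix plus printable context, as ASCII and as UTF-16LE."""
    narrow = re.escape(prefix.encode("ascii"))
    wide = re.escape(prefix.encode("utf-16-le"))
    return [
        ("ascii", re.compile(narrow + rb"[\x20-\x7e]{0,%d}" % CONTEXT)),
        ("utf-16-le", re.compile(wide + rb"(?:[\x20-\x7e]\x00){0,%d}" % CONTEXT)),
    ]

def scan_tree(root, prefix=PREFIX):
    """Return sorted (relative path, byte offset, encoding, text) hits under root."""
    patterns, hits = build_patterns(prefix), []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            # Skip symlinks (absolute ones resolve outside the mounted guest) and non-regular files.
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read()  # whole-file read; fine for a small image
            except OSError:
                continue
            for enc, pat in patterns:
                for m in pat.finditer(data):
                    hits.append((os.path.relpath(path, root), m.start(),
                                 enc, m.group().decode(enc)))
    return sorted(hits)

def demo():
    """Constructed sample tree standing in for the mounted guest disk."""
    with tempfile.TemporaryDirectory() as root:
        home = Path(root, "home", "ctf")
        home.mkdir(parents=True)
        (home / "book.png").write_bytes(b"\x89PNG\x00\x01MCA\xff\x10rest")
        (home / "wide.bin").write_bytes(b"\x00\x00" + "MCA-constructed".encode("utf-16-le"))
        os.symlink("/etc", home / "link")  # must not be followed
        return scan_tree(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A hit whose context is only the bare prefix followed by non-printable bytes, like the constructed book.png one, is almost certainly coincidental binary data rather than a flag.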

Now that we're in the machine, we have to read the mind of the person who wrote this challenge. Quickly going through and opening all the applications (GIMP, some media player, browser, etc.), we find nothing when investigating their histories. When we had the system mounted on our live CD, we noticed the ctf user had a symlink in their home to the Ubuntu Book folder, which comes with Ubuntu. This is the most obvious route, so I spent a good hour looking for any flag in the Ubuntu Book.

This is not a flag

This attempt was fruitless, and eventually I noticed there were extremely discreet black numbers in the menu icons.

Unintended red herrings are a waste of time and decrease CTF quality greatly

Ubuntu is a terrible distrib. to choose for this challenge

We tried several orderings of these hexadecimal characters as the flag, with no result. After whining to an oper about how disproportionate this is for a 200 point challenge, we went through and looked at every single application. The first one in the list is the Alacarte Menu Editor. The icon ordering on the left-hand side produced the key, with some duplicate characters on the end.

yeah this is a real forensics challenge OK buddy

Any other distribution would have made this a much better forensics challenge. Having to look through a ton of dotfiles and red herrings that come with a bloated operating system makes for a pretty low-quality challenge.