Tags: misc forensics 


# Penguins

We have a zip archive `2020-06-29-173949.zip`. On extracting, the tree looks like

0:24 ctf/rgbCTF2020/penguins git:(master) tree -a -L 2 2020-06-29-173949
└── git
├── 1yeet
├── 2yeet
├── 3penguin
├── flag
└── .git

2 directories, 4 files


Its a git repository. The flag is probably hidden in some previous commits.
We can see all history using

git reflog

We see

27440c5 (HEAD -> master) HEAD@{0}: checkout: moving from fascinating to master
800bcb9 HEAD@{1}: commit: some things are not needed
57adae7 HEAD@{2}: commit: relevant file
fb70ca3 HEAD@{3}: commit: probably not relevant
5dcac0e HEAD@{4}: commit: another perhaps relevant file
cfd97cd HEAD@{5}: commit: add content to irrelevant file
d14fcbf HEAD@{6}: commit: an irrelevant file
b474ae1 HEAD@{7}: checkout: moving from b474ae165218fec38ac9fb8d64f452c1270e68ea to fascinating
b474ae1 HEAD@{8}: checkout: moving from master to b474ae1
27440c5 (HEAD -> master) HEAD@{9}: commit (merge): Merge branch 'feature1'
102b03d HEAD@{10}: commit: some more changes
b474ae1 HEAD@{11}: commit: some new info
8ee6237 HEAD@{12}: commit: added an interesting file
1117a33 HEAD@{13}: checkout: moving from feature1 to master
7d6997a (feature1) HEAD@{14}: commit: cooler bird
955eeb7 HEAD@{15}: commit: add content
1117a33 HEAD@{16}: checkout: moving from master to feature1
1117a33 HEAD@{17}: commit: birds are cool
9dcf170 HEAD@{18}: commit (initial): first commit

Let's checkout at commit `57adae7`, before the deletion.

git checkout 57adae7

We see some new files

1yeet 2yeet 3parakeet flag irrelevant_file perhaps_relevant perhaps_relevant_v2 relevant

`perhaps_relevant_v2` contains a string which looks like a base64 string

If we decode it

base64 -d < perhaps_relevant_v2

we get the flag

as yoda once told me "reward you i must"
and then he gave me this ----

Original writeup (https://github.com/goswami-rahul/ctf/tree/master/rgbCTF2020/penguins).