Skip to main content

Apprenti Carver

Challenge Overview

We received an OVA (virtual machine image) and user credentials. The scenario:

"L'un de mes amis m'a fait une mauvaise blague et j'ai trouvé que tous les documents de mon répertoire personnel étaient supprimés...
On me dit dans l'oreillette qu'il a fait ses manipulations en root."

Login:

utilisateur : toto
mot de passe : 404CTF2025
PS : Le flag ne se trouve pas dans une image

Part 1: Root's Bash History

Imported the OVA into VMware Player and booted the VM.
Logged in as toto with the provided password.
Used su to switch to root with the same password:
```
su
```
Navigated to root's home directory and checked .bash_history:
```
cat /root/.bash_history
```
Found a command:
```
echo "404CTF{hyp3rv1s0r_f0r_l1f3}"
```
Flag:
```
404CTF{hyp3rv1s0r_f0r_l1f3}
```

Part 2: Lost Image Carving

The second part hinted at a "lost image" in the VM.
Searched for image files in user directories, especially hidden caches for root and toto.:
Found an image file in /home/toto/.cache/thumbnails/large/.
Opened the image and saw the flag displayed on it:
```
404CTF{n1c3_c@rv1ng}
```
Flag:
```
404CTF{n1c3_c@rv1ng}
```

Challenge Overview
Part 1: Root's Bash History
Part 2: Lost Image Carving