Look into the past [Forensics]

Look into the past

We've captured a snapshot of a computer, but it seems the user was able to encrypt a file before we got to it. Can you figure out what they encrypted?

Download: neverlan2020_lookpast.tar.gz

Recon

The archive contains files and directories from a Linux system.

In home/User/.bash_history:

cd Documents
openssl enc -aes-256-cbc -salt -in flag.txt -out flag.txt.enc -k $(cat $pass1)$pass2$pass3
steghide embed -cf doggo.jpeg -ef $pass1 
mv doggo.jpeg ~/Pictures
useradd -p '$pass2'  user
sqlite3 /opt/table.db "INSERT INTO passwords values ('1', $pass3)"
tar -zcf /opt/table.db.tar.gz /opt/table.db
rm $pass1
unset $pass2
unset $pass3
exit

So we have an encrypted flag.txt.enc in Documents. The passphrase used to encrypt it is split into three parts:
* one hidden in doggo.jpeg with steghide
* one used as the password for the user "user"
* one inserted into a sqlite database

Part one from steghide:

$ steghide extract -sf doggo.jpeg 
Enter passphrase: 
wrote extracted data to "steganopayload213658.txt".
$ cat steganopayload213658.txt 
JXrTLzijLb

Part two from /etc/shadow:

$ grep user etc/shadow 
user:KI6VWx09JJ:18011:0:99999:7:::

Part three from sqlite database:

$ tar xvf table.db.tar.gz 
x table.db

$ sqlite3 table.db .dump
PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE passwords (ID INT PRIMARY KEY      NOT NULL, PASS TEXT      NOT NULL);
INSERT INTO passwords VALUES(1,'nBNfDKbP5n');
COMMIT;

Combine them in the same order as the openssl command in the history and use the result to decrypt the flag file:

$ openssl enc -d -aes-256-cbc -in libssl-flag.txt.enc -out flag.txt -k JXrTLzijLbKI6VWx09JJnBNfDKbP5n
$ cat flag.txt
flag{h1st0ry_1n_th3_m4k1ng}
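The reassembly above done in code, as an added example that is not part of the original writeup: the three evidence sources are embedded as constructed strings (the steghide payload, the shadow line and the SQL dump are the values shown above), the passphrase is rebuilt in the order the history's `-k $(cat $pass1)$pass2$pass3` dictates, and the key and IV that `openssl enc -salt` derives from that passphrase and the "Salted__" header are computed with the legacy EVP_BytesToKey scheme (MD5 by default; OpenSSL 1.1.0 and later default to SHA-256, so pass `md=hashlib.sha256` for files made by a newer openssl). The AES-CBC decryption itself is left to openssl.

```python
import hashlib
import sqlite3

# Constructed artifacts mirroring the three evidence sources in the writeup.
STEGO_PAYLOAD = "JXrTLzijLb\n"                       # file steghide extracted
SHADOW_LINE = "user:KI6VWx09JJ:18011:0:99999:7:::"  # line recovered from etc/shadow
SQL_DUMP = [                                         # statements from the sqlite dump
    "CREATE TABLE passwords (ID INT PRIMARY KEY NOT NULL, PASS TEXT NOT NULL);",
    "INSERT INTO passwords VALUES(1,'nBNfDKbP5n');",
]

def part_from_shadow(line, username="user"):
    # /etc/shadow is colon separated: name:password:lastchg:min:max:warn:...
    fields = line.strip().split(":")
    if fields[0] != username:
        raise ValueError(f"shadow line is not for {username}")
    return fields[1]

def part_from_sqlite(dump, row_id=1):
    # Replay the dump into an in-memory DB and read back the row the history inserted.
    con = sqlite3.connect(":memory:")
    for stmt in dump:
        con.execute(stmt)
    (value,) = con.execute("SELECT PASS FROM passwords WHERE ID = ?", (row_id,)).fetchone()
    con.close()
    return value

def reassemble_passphrase(stego_payload, shadow_line, dump):
    # Same order as the history command: $(cat $pass1)$pass2$pass3
    return stego_payload.strip() + part_from_shadow(shadow_line) + part_from_sqlite(dump)

def evp_bytes_to_key(passphrase, salt, key_len=32, iv_len=16, md=hashlib.md5):
    # OpenSSL's EVP_BytesToKey with one iteration: D_i = H(D_{i-1} || pass || salt),
    # concatenated until key_len + iv_len bytes are available (AES-256-CBC: 32 + 16).
    derived = b""
    prev = b""
    while len(derived) < key_len + iv_len:
        prev = md(prev + passphrase + salt).digest()
        derived += prev
    return derived[:key_len], derived[key_len:key_len + iv_len]

def key_iv_from_ciphertext(ciphertext, passphrase, md=hashlib.md5):
    # 'openssl enc -salt' writes an 8-byte "Salted__" magic followed by the 8-byte salt.
    if ciphertext[:8] != b"Salted__":
        raise ValueError("not an openssl 'Salted__' file")
    return evp_bytes_to_key(passphrase.encode(), ciphertext[8:16], md=md)
```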

Flag

flag{h1st0ry_1n_th3_m4k1ng}