Ego Hostium

• Category: Cryptogrepy
• 150 points
• Solved (late) by JCTF Team

Description

Solution

Ego Hostium was a strange "crypto" challenge. It was classified under crypto, but in fact, only the question was related to cryptography. The answer was borderline forensics. Or in the words of the author himself:

The file we got was a Windows 10 VM, that was just hit by a ransomware. The ransomware itself was Crypter, an open source ransomware builder written in python, intended for educational and research purposes only. We analyzed the binary of the ransomware to check if it has been changed from the original Crypter, looked for cryptographic holes, and a lot of other things that cost tons of time.

Out of desperation, we just searched in the huge ~25GB file for the flag. It was there, in plain text, in a file found in "System Volume Information". We missed it the first time since the flag was not in the "official" format ( BSidesTLV{ or BSidesTLV2020{ ) but all uppercase.

So the shortest full solution could have been (be careful, it's a huge download and starves your disk to death):

wget http://bsidesctf.s3-website.eu-central-1.amazonaws.com/EgoHostium.7z
7z x EgoHostium.7z
7z x -y EgoHostium-disk1.vmdk
strings * | grep -i BsidesTLV2020{

BSIDESTLV2020{SiVisPacemParaBellum}

PS: This challenge entry was removed from the list of challenges by the organization team, after the CTF ended. We can only suppose it was because of the number of complaints around it.