picoCTF Verify - Forensics Challenge - Walkthrough

This challenge is about verifying file integrity using SHA-256 and decrypting a file to get the flag.

IritT
4 min read · Feb 14, 2025

Site URL: https://play.picoctf.org/practice/challenge/450?category=4&difficulty=1&page=1&search=

Description

People keep trying to trick my players with imitation flags. I want to make sure they get the real thing! I’m going to provide the SHA-256 hash and a decrypt script to help you know that my flags are legitimate. ssh -p 59633 ctf-player@rhea.picoctf.net Using the password 6dd28e9b. Accept the fingerprint with yes, and ls once connected to begin. Remember, in a shell, passwords are hidden!

  • Checksum: 03b52eabed517324828b9e09cbbf8a7b0911f348f76cf989ba6d51acede6d5d8
  • To decrypt the file once you’ve verified the hash, run ./decrypt.sh files/<file>.

Hints

  1. Checksums let you tell if a file is complete and from the original distributor. If the hash doesn’t match, it’s a different file.
  2. You can create a SHA checksum of a file with sha256sum <file> or all files in a directory with sha256sum <directory>/*.
  3. Remember you can pipe the output of one command to another with |. Try practicing with the 'First Grep' challenge if you're stuck!

Solution

Open PowerShell and connect to the remote server using SSH:

ssh -p 59633 ctf-player@rhea.picoctf.net

- If you see a message asking to confirm the connection, type `yes` and press Enter.
- This step allows us to access the server where the challenge files are stored.

yes

When asked for a password, enter:

6dd28e9b

We successfully connected to the challenge server using SSH.

Once connected, we need to list the available files:

ls

We can see the following files in the current directory:

checksum.txt (probably contains the reference SHA-256 hash)
decrypt.sh (a script to decrypt the correct file)
files/ (a directory containing possible flag files)

Let’s see the contents of checksum.txt to confirm the reference SHA-256 hash:

cat checksum.txt

We have successfully retrieved the SHA-256 hash from checksum.txt:

03b52eabed517324828b9e09cbbf8a7b0911f348f76cf989ba6d51acede6d5d8

Listing Files Inside files/ Directory

ls files/

We see all the files inside the files/ directory. Since there are many files, we need to find the correct one by comparing their SHA-256 hashes.

Running the Hash Check with Filtering

sha256sum files/* | grep 03b52eabed517324828b9e09cbbf8a7b0911f348f76cf989ba6d51acede6d5d8

We found the correct file: files/00011a60
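
The same check as a reusable shell function, added here as an example and not part of the original walkthrough or the challenge files: it compares the whole hash field exactly instead of matching a substring with grep, and reports when no file or more than one file matches. The name find_by_sha256 and the demo files are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: find the one file in a directory whose SHA-256 equals a
# reference checksum, comparing the whole hash field instead of grepping.
# find_by_sha256 is a hypothetical name; the demo files are constructed.

# Usage: find_by_sha256 <checksum_file> <dir>
# Prints matching path(s). Returns 0 for exactly one match, 1 for none,
# 2 if the reference is malformed, 3 if several files share the hash.
find_by_sha256() {
    local checksum_file="$1" dir="$2" want matches count
    # First token of line 1, lowercased, CR stripped: tolerates CRLF,
    # upper-case hex and the "hash  filename" layout.
    want=$(tr -d '\r' < "$checksum_file" | awk 'NR==1 {print tolower($1)}')
    # A SHA-256 digest is exactly 64 hex characters; reject anything else.
    if ! printf '%s' "$want" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "reference is not a SHA-256 hex digest" >&2
        return 2
    fi
    # sha256sum prints "<hash><2 separator chars><path>". Prepending ""
    # forces a string comparison in awk; substr($0, 67) keeps the full path.
    matches=$(sha256sum "$dir"/* 2>/dev/null |
        awk -v want="$want" '("" $1) == ("" want) { print substr($0, 67) }')
    if [ -z "$matches" ]; then
        echo "no file matches $want" >&2
        return 1
    fi
    printf '%s\n' "$matches"
    count=$(printf '%s\n' "$matches" | wc -l)
    [ "$count" -eq 1 ] || return 3
}

# Demo on constructed data (not the challenge files).
demo() {
    local tmp
    tmp=$(mktemp -d)
    mkdir "$tmp/files"
    printf 'decoy one\n' > "$tmp/files/aaaa0001"
    printf 'real data\n' > "$tmp/files/bbbb0002"
    printf 'decoy two\n' > "$tmp/files/cccc0003"
    # Store the reference in upper case to exercise the normalisation.
    sha256sum "$tmp/files/bbbb0002" | awk '{print toupper($1)}' > "$tmp/checksum.txt"
    find_by_sha256 "$tmp/checksum.txt" "$tmp/files"
    rm -rf "$tmp"
}
demo
```

On the challenge server the call would be find_by_sha256 checksum.txt files, with ./decrypt.sh run on the printed path only when the return status is 0.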

Now we run the decryption script:

./decrypt.sh files/00011a60

flag: picoCTF{trust_but_verify_00011a60}

Final Thoughts

This challenge was a great exercise in verifying file integrity using SHA-256 checksums and practicing basic Linux commands.

By following a structured approach, we successfully:

  • Connected to the remote server via SSH.
  • Listed available files and examined their contents.
  • Compared SHA-256 hashes to find the correct file.
  • Decrypted the correct file to retrieve the flag.

This method ensures that we are working with an authentic and unmodified file before decryption, reinforcing the importance of checksums in cybersecurity.

Stay cautious, verify everything, and never trust a file without checking its integrity — because in cybersecurity, trust is a vulnerability.
