Writeup by iv3l for 103_spx

Mount the unzipped USB recovery to a Directory
Copy all to a folder and modify the owner to you instead of root
Check message.txt
- Crypting with password of: vgrohhfyek0wkfi5fv13anexapy3sso6
- Looking for secret.xz
Found it in the trash
Extract it: xz -d secret.xz
file secret = secret: openssl enc'd data with salted password

Either we check one by one all the crypting ssh algorhytms with this command: openssl enc -d -aes-256-cbc -in secret -out decrypted.txt -pass pass:vgrohhfyek0wkfi5fv13anexapy3sso6

Cipher commands (see the `enc' command for more details)
aes-128-cbc       aes-128-ecb       aes-192-cbc       aes-192-ecb       
aes-256-cbc       aes-256-ecb       aria-128-cbc      aria-128-cfb      
aria-128-cfb1     aria-128-cfb8     aria-128-ctr      aria-128-ecb      
aria-128-ofb      aria-192-cbc      aria-192-cfb      aria-192-cfb1     
aria-192-cfb8     aria-192-ctr      aria-192-ecb      aria-192-ofb      
aria-256-cbc      aria-256-cfb      aria-256-cfb1     aria-256-cfb8     
aria-256-ctr      aria-256-ecb      aria-256-ofb      base64            
bf                bf-cbc            bf-cfb            bf-ecb            
bf-ofb            camellia-128-cbc  camellia-128-ecb  camellia-192-cbc  
camellia-192-ecb  camellia-256-cbc  camellia-256-ecb  cast              
cast-cbc          cast5-cbc         cast5-cfb         cast5-ecb         
cast5-ofb         des               des-cbc           des-cfb           
des-ecb           des-ede           des-ede-cbc       des-ede-cfb       
des-ede-ofb       des-ede3          des-ede3-cbc      des-ede3-cfb      
des-ede3-ofb      des-ofb           des3              desx              
rc2               rc2-40-cbc        rc2-64-cbc        rc2-cbc           
rc2-cfb           rc2-ecb           rc2-ofb           rc4               
rc4-40            seed              seed-cbc          seed-cfb          
seed-ecb          seed-ofb          sm4-cbc           sm4-cfb           
sm4-ctr           sm4-ecb           sm4-ofb           zlib

…but there are a couple of them :D :D

… or we write a quick bash script

#!/bin/bash

password="vgrohhfyek0wkfi5fv13anexapy3sso6"
input_file="secret"
output_dir="decrypted_attempts"

# Create output directory
mkdir -p $output_dir

# Get a list of all available OpenSSL ciphers
algorithms=$(openssl list -cipher-algorithms)

echo "Starting mass decryption with all available algorithms..."

for algo in $algorithms; do
    output_file="$output_dir/decrypted_$algo.txt"
    echo "Trying $algo..."
    openssl enc -d -$algo -in $input_file -out $output_file -pass pass:$password 2>/dev/null
    if [ $? -eq 0 ]; then
        echo "[+] Success with $algo! Output saved to $output_file"
    fi
done

echo "Decryption complete. Check the $output_dir directory for results."

Then we just run a grep on all the results:

┌──(kali㉿kali)-[~/hack/103/.Trash-1000/files]
└─$ grep -i -a -r  lh_ *
decrypted_attempts/decrypted_AES-192-ECB.txt:flag : lh_6c31ba64e522b5f9326b7bee0abef6547f60d214