Anantya ByteMe CTF Writeup Series: Ghosts Of The Realm

-

 


Welcome Back to the Official Write-Up Series of ByteMe CTF!

The OWASP PCCOE Student Chapter is diving into the shadows of digital storage. For our 7th write-up, we explore GHOSTS OF THE REALM, a challenge that focuses on the persistence of "deleted" data and the forensic value of database artifacts.

Category: Digital Forensics / Database Analysis

Difficulty: Medium

Author: Sharayu Kotkar

Theme: Game of Thrones / The Citadel Archives


Problem Statement

A raven once carried a message across the realm, but the Citadel’s records now show no trace of it. The archive appears intact and the messages ordinary yet in Westeros, things thought lost often leave shadows behind. Your task is to investigate these remnants and recover the message that refused to disappear.

Provided Files

The challenge provides three specific files:

  • chat.db

  • chat.db-wal

  • chat.db-shm


Investigation & Analysis

Step 1: Identifying the Artifacts

The .db extension identifies the main file as a SQLite database. However, the presence of the -wal and -shm files is the real clue. These indicate that the database is operating in Write-Ahead Logging (WAL) mode.

Why this matters:

  • WAL files contain recent writes and uncommitted transactions.

  • More importantly for us, they often contain remnants of deleted data that has not yet been "checkpointed" or overwritten in the main database file.

Step 2: Inspecting the "Official" Records

We open the database to see what the Citadel wants us to see:

Bash
sqlite3 chat.db
sqlite> .tables
sqlite> SELECT * FROM messages;

The output displays several mundane chat messages. No secrets, no flags. This confirms that the message we are looking for is no longer part of the "active" database state.

Step 3: Hunting the Shadows

Since the data isn't in the primary table, we shift our focus to the WAL file. Because these logs are binary, a standard text editor won't help, but the strings utility is perfect for extracting human-readable sequences from binary blobs.

Running the command:

Bash
strings chat.db-wal

Hidden among the binary noise, a suspicious string appears: Qnl0ZU1le2xvc3RfbWVzc2FnZXNfbmV2ZXJfZGllfQ==

Step 4: Decoding the Message

The trailing == is a classic indicator of Base64 encoding. We can decode this via the terminal:

Bash
echo Qnl0ZU1le2xvc3RfbWVzc2FnZXNfbmV2ZXJfZGllfQ== | base64 --decode

Decoded Output: ByteMe{lost_messages_never_die}


Final Answer (Flag)

Flag: ByteMe{lost_messages_never_die}


Key Takeaways

  • Data Persistence: Deleting a row in a database doesn't immediately scrub the bits from the disk.

  • Auxiliary Files: In forensics, the "sidecar" files (like -wal and -journal) are often more valuable than the primary file.

  • Simplicity Wins: Never underestimate basic tools like strings. They can often bypass complex structures to find the raw data hidden within.

In the Citadel, as in security, the archives never truly forget.

Comments

Post a Comment

Popular posts from this blog

CyberKavach QuestCon Series: Upside-Down Vault

-
Image
  🧩 CTF Write-Up: Upside-Down Vault Author: Sai Veer Flag Format: QUESTCON{...} Challenge Type: Multi-Layer Crypto + Stego + Web Service Difficulty: Medium–Hard 🗃️ Files Provided encrypted_flag.bin layer1_puzzle.json layer2_blob.json layer2.enc privkey.enc vault.py vault_pub.pem vault_secret.png 🧠 Challenge Overview The challenge consists of: 3 cryptographic layers 1 steganographic HMAC extraction 1 server verification stage The flag is revealed only after: Extracting the hidden HMAC secret from vault_secret.png . Solving all cryptographic layers. Using the recovered secrets to correctly sign and “seal” a request to the local server ( vault.py ). Finally, retrieving the decrypted flag from /sealed . 🧩 Step-by-Step Walkthrough Step 1 — Extract HMAC Secret from PNG The image vault_secret.png hides an HMAC key in its LSBs. Why The server expects this secret in ctf_secret/secret_mac . It’s later used to generate HMAC signatures for ...
Read more

From Open Networks to Safe Systems: How Firewalls Block the Hacker’s Doorway

-
Image
From Open Networks to Safe Systems: How Firewalls Block the Hacker’s Doorway   In the digital world, every message, photo, and online payment travels through an invisible web of connections called computer networks. Think of it as a massive postal system where billions of tiny data packets constantly move between devices, routers, and servers, each carrying a specific destination address. Just as houses have numbered addresses, every device on a network has an IP address. But instead of physical doors, computers have virtual ones called ports. These are entry and exit points that decide what kind of data can pass through. Some of these digital doors, like those used for websites or emails, need to stay open. Others, if left unlocked, can become invitations for attackers. That is where firewalls come in. A firewall acts as a vigilant security guard at your network’s gate. It checks who is knocking, what they are carrying, and whether they are allowed inside. Home routers do this qui...
Read more

CyberKavach QuestCon Series: VecNet

-
Image
  VecNet Welcome back to the official write-up series for CyberKavach QuestCon! The PCCOE OWASP Student Chapter is here to analyze one of the most fascinating challenges in our event — VecNet, an LLM Jailbreaking and Prompt Injection challenge inspired by Stranger Things. Category: LLM Jailbreaking / Prompt Injection Author: Chirag Ferwani VecNet is an interactive LLM jailbreak challenge inspired by Stranger Things. Players interact with Eleven’s neural assistant deployed in the Upside Down, attempting to extract a hidden flag through creative prompt engineering. The system looks like a Stranger Things knowledge assistant but secretly hides a flag that challengers must extract. Challenge URL: ( https://vecnet.onrender.com ) When you open the challenge, you see a minimal chat interface with a terminal-style monospace font, real-time messaging without chat history, a dark Stranger Things aesthetic, and an input field with a send button. Testing the basic functionality shows that the ...
Read more