This post was first written in March 2024, but at the time, I was asked not to publish it for reasons that will shortly become apparent. Circumstances have changed since, so I've gone ahead and published it now with some minor alterations.

For the assignments in my security module this semester, we've been given a barebones virtual machine that we install updates into and complete assignments on. When each new assignment is released, we get given a file to download and run with a preinstalled piece of software on the VM. This sets the assignment up for us and from there we go on to solve it to get a token that can be submitted, capture-the-flag style. These files aren't any obviously readable type of file - they mostly look like garbage data. But without that update file, there's no trace of the assignment on the system anywhere - which also means that those update files must contain the tokens we need to submit and the VM must somehow be able to decrypt them... so surely we can break that for our own advantage?

Cracking Open the Updates

Having decided that I wanted to attack the VM to try and pull out tokens without doing the exercises, the first thing I turned my attention to was installUpdate - the program that was left on the VM for us to use to install updates. Every update file that we were given took the form *.gpg, so (working on the assumption that these are encrypted blobs) the logical thing to do would be to take a poke around this executable to see if there's any way to decipher how these updates are decrypted. After getting installUpdate onto my machine and checking that it wasn't a Bash script, I ran strings on it and was greeted with an immediate goldmine:

```
$ strings installUpdate
...
/usr/bin/gpg --homedir /root/.gnupg --batch --pinentry-mode loopback --passphrase-file /root/.vmPassphrase --output %s/update.tgz --decrypt %s/updateArchive.gpg > /dev/null 2>&1
...
/usr/bin/tar zxf update.tgz > /dev/null 2>&1
...
```

Great!
It looks like the update files are GP...
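The weakness the strings output exposes is a shipped binary that embeds a gpg command line pointing at a passphrase file on the same machine. As an added example (my own audit script, not part of the original post or of installUpdate), the following reimplements the `strings` heuristic and flags embedded command lines that hand gpg a passphrase non-interactively; the sample "binary" bytes are constructed to mirror the invocation found above, and the pattern list is an assumption you would extend for your own environment.

```python
import re

# Patterns that suggest an embedded command line handles secret material
# non-interactively. Constructed for this audit; extend as needed.
SECRET_HINTS = [
    re.compile(r"--passphrase(?:-file|-fd)?\b"),   # gpg given a passphrase directly
    re.compile(r"--pinentry-mode\s+loopback"),     # gpg told not to prompt a user
    re.compile(r"\bpassword=", re.IGNORECASE),     # generic credential in argv
]
PASSPHRASE_FILE = re.compile(r"--passphrase-file\s+(\S+)")


def extract_strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Same heuristic as `strings`: runs of >= min_len printable ASCII bytes."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pat.finditer(blob)]


def find_secret_handling(blob: bytes) -> list[dict]:
    """Return every printable string that looks like a secret-handling command line."""
    findings = []
    for s in extract_strings(blob):
        hits = [p.pattern for p in SECRET_HINTS if p.search(s)]
        if not hits:
            continue
        m = PASSPHRASE_FILE.search(s)
        findings.append({
            "string": s,
            "hits": hits,
            "passphrase_file": m.group(1) if m else None,  # the file to protect or remove
        })
    return findings


# Constructed sample: a fake ELF header and junk bytes around the two command
# lines the post found with `strings installUpdate`.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00"
    b"/usr/bin/gpg --homedir /root/.gnupg --batch --pinentry-mode loopback "
    b"--passphrase-file /root/.vmPassphrase --output %s/update.tgz "
    b"--decrypt %s/updateArchive.gpg > /dev/null 2>&1\x00"
    b"\x01\x02\x03"
    b"/usr/bin/tar zxf update.tgz > /dev/null 2>&1\x00"
)

if __name__ == "__main__":
    for f in find_secret_handling(SAMPLE_BINARY):
        print(f["hits"], "->", f["passphrase_file"])
```

A hit here means the decryption key is only as protected as the file system permissions on the passphrase path, which is the exact condition the post goes on to exploit.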