Description
People keep trying to trick my players with imitation flags. I want to make sure they get the real thing! I’m going to provide the SHA-256 hash and a decrypt script to help you know that my flags are legitimate.ssh -p 60563 ctf-player@rhea.picoctf.netUsing the password 84b12bae. Accept the fingerprint with yes, and ls once connected to begin. Remember, in a shell, passwords are hidden!
- Checksum: 3ad37ed6c5ab81d31e4c94ae611e0adf2e9e3e6bee55804ebc7f386283e366a4
- To decrypt the file once you’ve verified the hash, run
./decrypt.sh files/<file>.
🧩 Challenge Description
In this challenge, we are given access to a remote instance containing multiple files.
The goal is to identify the correct file using its SHA-256 hash and then decrypt it to find the flag.
🖥 Step 1: Connect to the remote instance via SSH
We start by connecting to the instance using SSH:
$ ssh -p 60563 ctf-player@rhea.picoctf.net
✅ Explanation:
sshis used to securely connect to a remote machine.-p 60563specifies the port number.ctf-player@rhea.picoctf.netis the username and host of the CTF server.
🔎 Step 2: Calculate SHA-256 hashes of all files
Next, we want to verify the integrity of each file in the files directory by calculating their SHA-256 checksums:
$ sha256sum files/* | grep "3ad"
✅ Explanation:
sha256sum files/*computes the SHA-256 hash of every file in thefilesdirectory.grep "3ad"filters only the lines containing"3ad"— this helps us narrow down the correct file.
The output looks like this:
807309a496177fd97eae436d0158e21cc5f15ee43adc6a0275015e8785c7e4e1 files/3PmKbHhH 1cab1cc63f4d3a7c8b49a04288a89dd2b4816ab7fa73173db013ad624a5e0c47 files/49qfB01x 125e6103e1930c8286453d9d7e838d9b3e0fa583bc23ade55679b5f27e3df1f3 files/BkMRgk48 112a82c06cb2a4ecc7bda0777c1d0fc3ad27a96ec8ba156209d7fdf805da83d5 files/PUt9VRoX 8493b7d798eea027966f17687afffe3272bccdf898ef181a43ad7cf09c448e81 files/b47rxTge 973396c4c421e34b1dab9bd85173577e8e14ed9f4450ca88ae04573ad0780d24 files/dVJ9IeAT 3ad37ed6c5ab81d31e4c94ae611e0adf2e9e3e6bee55804ebc7f386283e366a4 files/e018b574 d77823df18c19f85988b023cb62bea63ade2cbda854df07684d2d03644bfbc67 files/ruWv5GEU
From this, we see that the file files/e018b574 matches the hash starting with "3ad".
🗝 Step 3: Decrypt the file
Now that we have identified the correct file, we can use the provided decrypt.sh script to extract the flag:
$ ./decrypt.sh files/e018b574
✅ Explanation:
./decrypt.shis a shell script provided in the challenge.- We pass the filename as an argument, and the script performs decryption.
Output:
picoCTF{trust_but_verify_e018b574}
🏁 Step 4: Capture the Flag
picoCTF{trust_but_verify_e018b574}
🧠 Summary
| Step | Command | Purpose | Key Finding |
|---|---|---|---|
| 1 | ssh | Connect to remote instance | Accessed CTF server |
| 2 | sha256sum + grep | Identify file by SHA-256 hash | File e018b574 matched |
| 3 | ./decrypt.sh | Decrypt file | Revealed flag |
💡 Beginner Tips
- SHA-256 is a cryptographic hash function used to verify file integrity.
grepis useful to filter specific strings from output.- Always check for matching hashes before decrypting — it ensures you are using the correct file.