Chain of Attacks - III BONUS: The VMDK Ghost Flag
192.168.1.21 (Chain of Attacks VMDK)OWASPKL{xxx}0. Disclaimer to the Organizers (please read first)
I want to be fully transparent. The official rules state that mounting, modifying, or directly accessing the VM disk / box files outside the challenge environment is not an intended method.
In my own words:
> "After solving Part 1 and Part 2, I could not find the Part 3 challenge flag on the live environment, so the only way I could get it was to extract the flag from the VMDK."
I am not claiming points for this. I am submitting it only as a forensic appendix because it documents a leftover build-time string, and I would rather disclose exactly how I found it than hide it. If this conflicts with the rules, please disregard it entirely. The scored Part I and Part II flags were obtained through the intended live attack paths (see those writeups). I apologize if reaching for the disk image overstepped. It was a last resort after I could not locate the live Part III path.
1. Challenge Overview
Offline inspection of the target VMDK revealed a third flag-like string, OWASPKL{ch41n_0f_4tt4cks_p4rt_1}. It is not present as a live flag file on the running target; it survives only as a build-time configuration residue.
2. Initial Reconnaissance
2.1 String search on the raw VMDK
1findstr /C:"OWASPKL{" "Chain Of Attack Machine-disk1.vmdk"3. Analysis / Forensics Path
3.1 Trace the string to Qlipper history
The matches sat inside Qlipper (Lubuntu clipboard manager) history for the user chain:
1/home/chain/.config/Qlipper/qlipper.iniThe entry records the operator copy-pasting the original leetspeak flag during the VM build:
1echo "OWASPKL{ch41n_0f_4tt4cks_p4rt_1}" > /var/www/local.txt4. Exploitation / Recovery
4.1 Same residue is readable from a live root shell
For completeness, once root is obtained through the intended Part II path, the same string can be read live (no disk access needed):
1grep -aoE 'OWASPKL{[^}]+}' /home/chain/.config/Qlipper/qlipper.iniThis confirms the author originally used a leetspeak flag, later replaced by the MD5 flag before deployment.
5. Flag
OWASPKL{ch41n_0f_4tt4cks_p4rt_1} (build artifact only — not submitted for points)
6. Summary of Approach & Key Takeaways
Linear string scan (findstr) on the raw VMDK surfaced a third OWASPKL{...} string.
Traced it to Qlipper clipboard history for user chain.
Same residue is also readable live from qlipper.ini once root is held.
Clipboard managers leak build-time secrets and operator history.
VM builders should clear user config/app caches (e.g. Qlipper) before exporting images.
Disclosed in full, not claimed for points — the intended live paths cover the scored flags.