N
Back to writeup archive
LIGA CTF 2026 (Week 2 Boot2Root)

Chain of Attacks - III BONUS: The VMDK Ghost Flag

I want to be fully transparent. The official rules state that mounting, modifying, or directly accessing the VM disk / box files outside the challenge environment is not an intended method.

Boot2Root - Forensic AppendixMarkdown + PDFBonussolved2 minread·477words
route
/TryN3rr0r/writeups/liga-ctf-2026-week-2-boot2root/chain-of-attacks-iii-bonus-the-vmdk-ghost-flag
archive index
10 / 16
read mode
parsed markdown
Writeup loaded.

Chain of Attacks - III BONUS: The VMDK Ghost Flag

challenge brief
target profile, scoring, and execution stack
verified solve
target
192.168.1.21 (Chain of Attacks VMDK)
category
Boot2Root - Forensic Appendix
points
N/A (not scored - build artifact)
difficulty
Bonus
flag format
OWASPKL{xxx}
tools used
findstrgrep
final flag
OWASPKL{ch41n_0f_4tt4cks_p4rt_1}
reveal and copy from section 5
PDF evidence frame 01

0. Disclaimer to the Organizers (please read first)

I want to be fully transparent. The official rules state that mounting, modifying, or directly accessing the VM disk / box files outside the challenge environment is not an intended method.

In my own words:

> "After solving Part 1 and Part 2, I could not find the Part 3 challenge flag on the live environment, so the only way I could get it was to extract the flag from the VMDK."

I am not claiming points for this. I am submitting it only as a forensic appendix because it documents a leftover build-time string, and I would rather disclose exactly how I found it than hide it. If this conflicts with the rules, please disregard it entirely. The scored Part I and Part II flags were obtained through the intended live attack paths (see those writeups). I apologize if reaching for the disk image overstepped. It was a last resort after I could not locate the live Part III path.

1. Challenge Overview

Offline inspection of the target VMDK revealed a third flag-like string, OWASPKL{ch41n_0f_4tt4cks_p4rt_1}. It is not present as a live flag file on the running target; it survives only as a build-time configuration residue.

2. Initial Reconnaissance

2.1 String search on the raw VMDK

bash1 lines
1findstr /C:"OWASPKL{" "Chain Of Attack Machine-disk1.vmdk"
PDF evidence frame 02

3. Analysis / Forensics Path

3.1 Trace the string to Qlipper history

The matches sat inside Qlipper (Lubuntu clipboard manager) history for the user chain:

ini1 lines
1/home/chain/.config/Qlipper/qlipper.ini

The entry records the operator copy-pasting the original leetspeak flag during the VM build:

bash1 lines
1echo "OWASPKL{ch41n_0f_4tt4cks_p4rt_1}" > /var/www/local.txt

4. Exploitation / Recovery

4.1 Same residue is readable from a live root shell

For completeness, once root is obtained through the intended Part II path, the same string can be read live (no disk access needed):

bash1 lines
1grep -aoE 'OWASPKL{[^}]+}' /home/chain/.config/Qlipper/qlipper.ini

This confirms the author originally used a leetspeak flag, later replaced by the MD5 flag before deployment.

5. Flag

OWASPKL{ch41n_0f_4tt4cks_p4rt_1} (build artifact only — not submitted for points)

6. Summary of Approach & Key Takeaways

Linear string scan (findstr) on the raw VMDK surfaced a third OWASPKL{...} string.

Traced it to Qlipper clipboard history for user chain.

Same residue is also readable live from qlipper.ini once root is held.

Clipboard managers leak build-time secrets and operator history.

VM builders should clear user config/app caches (e.g. Qlipper) before exporting images.

Disclosed in full, not claimed for points — the intended live paths cover the scored flags.