> For the complete documentation index, see [llms.txt](https://encient.gitbook.io/ctf-writeups-and-notes/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://encient.gitbook.io/ctf-writeups-and-notes/ctf-platform/skr-ctf/forensics/godam-secrets.md).

# Godam Secrets

## Description

We managed to recover part of Godam's hard drive in his house, but we couldn't find anything suspicious. We hope you can help us in finding his secret.

Attachment: `godam_hard_drive.zip`

## Solution

We were given Mozilla folder which contains the Firefox browser details. There are a lot of them, so we have to know which is the exact file that we have to investigate. This [video](https://www.youtube.com/watch?v=RKgGa6Rc2N8) tells us that we can analyze the artefacts with several information, shown below:

* Browser history: `places.sqlite`
* Browser cookies: `cookies.sqlite`
* Form data (data entered into forms and search boxes): `formhistory.sqlite`

<figure><img src="/files/iuDwc7AdrFCDiz1yeL6a" alt=""><figcaption></figcaption></figure>

We can use `sqlitebrowser` to analyze the mentioned files. We can go through the browser history in `/home/godam/.mozilla/firefox/profile/places.sqlite`. Note that there is a page with title "666 club". We know that this is related and suspicious as the secret letter (from previous steganography challenge - Secret Letter) is written by 666 club.

<figure><img src="/files/FaijetcDToQJBkj7wrkD" alt=""><figcaption></figcaption></figure>

Visiting the URL will show us an authentication page that needs a secret key. The secret key is the flag of the previous challenge which is `SKR{hidden_text_in_color_hex_code}`.

<figure><img src="/files/uLS0tKJMZkijd73xDKJU" alt=""><figcaption></figcaption></figure>

We can also get the secret key from `/home/godam/.mozilla/firefox/profile/formhistory.sqlite`.

<figure><img src="/files/P8yvExwKIjTA3XTJVMYb" alt=""><figcaption></figcaption></figure>

Once authenticated, we can see that there is a post about flag in the website. It seems like the alphabets are reversed.

<figure><img src="/files/ifIvI3VodGgpKp0TXFEe" alt=""><figcaption></figcaption></figure>

We can reverse it by using [CyberChef](https://gchq.github.io/CyberChef/) or any other online tool to read the content of the post. The flag is the combination of all the capital letters in the content of the post.
