Jail Break 1, 2, 3 (Misc)
~$ cd ..
Author: BorelEnzo
We spent a lot of time on the first part on this challenge, because the description of the challenge misled us. The description was an obvious reference to Matrix, when Neo chooses to follow the White Rabbit.
Part I
We were given a zip archive protected by a password. The name of the archive (5_T1m3s) was misleading as well, and we tried to guess a password related to Matrix. Wrong path, brute force gave us the solution:
$ fcrackzip -v -l 5 -u 5_T1m3s.zip found file 'challenge.pdf', (size cp/uc 2961/ 8046, flags 9, chk b9b6) found file 'instructions.asc', (size cp/uc 558/ 1719, flags 9, chk b0da) found file 'not_yet.zip', (size cp/uc 56341557/56341545, flags 9, chk bc08) found file 'flag.txt', (size cp/uc 50/ 38, flags 9, chk b5ab) checking pw C8!N~ PASSWORD FOUND!!!!: pw == C99tt
A few minutes were necessary to crack the password. In flag.txt, we got our first flag CSC{f0b487b82fee5b144808cad2e33f2898}
Part II
In the decrypted archive we also found challenge.pdf, instructions.asc, and not_yet.zip, where
not_yet.zip is another password-protected archive and instructions.asc was recognized as:
$ file instructions.asc instructions.asc: PGP message Public-Key Encrypted Session Key (old)
The PDF seems to be quite useless:
but by opening it with nano, we found this PDF object:
8 0 obj << /Length 3647 /Filter /ASCIIHexDecode /Type /EmbeddedFile > stream 2d2d2d2d2d424547494e205047502050524956415445204b455920424c4f434b2d2d2d2d2d0a56657273696f6e3a20424350472043232076312e362e312e300a0a6c514f734246785a3936674243414350594d482b6d6b68526d62776c694b754d64322b3464572b535148454a33452f71786136655948712f527a7964417877550a6753567a564b61626e76364d4c5572425274763635536e4c704d33486d6673556562617348715447354d717546446e4773625a796c41477a796651675a71694c0a69643174356657787350495754627973456f46734a3645416f68356c62576d5733726a416762624139684e756a386d413562513474697a5330622b7a6c704d410a5430555a5232704359386f31377364564e7a7552726f724e6133436955756335554c5677564642794e39446537454f3373306e486c79735747384b365a4475620a57685563772b6b3876493344516c5134684d70595169384d6743376a42463234454530344f72463359364b5049615a7a6333394e4f4f4c684c6669626b7135460a385a465173722b314f4b4b53596d56414743636130444a336f6a4e6c6933327966677a44414245424141482f41774d434a4d64475665433474627467457672330a58676e563762304874416a7461302b484834445a783456774b56672b69595a46476c4a394d6c6e70573369376865585548792b4652786c7a7734682b374159750a65515a4272755a43463132585a392f4f6a62494432706f72544e506b426c6b2b475470676d684b724e2b724b4c79314779763955744765484544707a465643460a5076334b676d4b3047654f2f583243503361564736797163782b533039583735514943387a5a68626b7965614c5a49582b6f4758486f3656566d396f387258520a5871716f4c4132326e56364f6834496352626a5969634f5334434a4275454c51786b6c422f39556d324569725965456a705062536e4d4f665a6d72596c6c656d0a58687562414836635561324f35766274736b3471414c6e6f51446b525943706c556c73584879564e7a342b653939636258616c542b626e67506d632b6b6569310a33517142556c4d3450717a526d3858377a4e5647654d66536e705a6737795350574c384864714939734448447a634b625832594e35757376383254656775596b0a502f4f456550716f766878505651617244524a396a5a484e58574253776c63337342307776444149662f45796670377030474b424d76344c597065426c5941360a735858342f5276506a732f774e3436326a7862774365492f2f6854525252376456572b3232694b345877526746533977336e736a6b70794c44635368653454370a727856676f6f58486d42737630324b563350556b715a364469537566686d4a4762616879574a7256515346626f3343616f7145694d3654476567547751325a430a4e373465614635433544796954782b386947306877696f3776534155376a3565624c386e486d712b737559695845446647445a7178646a3969333571774367740a30787878665765314644626e694d6543743850644b66692f5a76734e7733714d314b596d544d486f625836646e665071364953336d6238313659615a2f4e57610a594c4e6e6e30464a6e3971567166514863756b6d6342425a717550376e683963756a6433696a566d34586b4555423438524838354e694741596f654f4a774b570a30356250794a5243423032574332765a7557477a7a756e474b6b74492b654e4671583548546e48466555452b6c4b4854356c5250326d6b6270353061664751680a6d74364d4d714251515a3862542b714230756e57784c71623161624276786a4c34315a6a5442766d486251685a476c74615852796153356b61574672623252700a62576c30636d6c7a5147467763484a7659574e6f4c6d4a6c69514563424241424167414742514a635766656f41416f4a45503132793235502b614134472b41480a2f6a526457733477447133374679337073376451695267614b524a51706338347a79625474327354746245675342336e2f376b43716d6e31506f7074707239660a4f656d6a7956454e4f576265645777535248394e36346b7953337536312f7269664a52767a6973472b772f3632514e4746497443326f49485a545947444657640a664d79674a7a3932774b3947654f66432f39484269456b66332f6873633168445253466a706a36446b504c7269727944656850537159586279656c56566a74540a597a7838476e3230762b783536724e76347a6578377154344776482b2f365a4a6a4856694872642f35366948707a566837477176736f4e6867766c7a566c63410a4a6263625a307a707646796252383755494c6a645149454744476e65717336764d44486c3165442b31677944546e417334787373376366524834346d566e72560a4272506c6b4c754874634366686a3063384536426c30383d0a3d2b6330700a2d2d2d2d2d454e44205047502050524956415445204b455920424c4f434b2d2d2d2d2d0a0a> endstream endobj
It’s a simple hex-encoding, which gave us, once decoded:
print "2d2d2d2d2d424547494e205047502050524956415445204b455920424c4f434b2d2d2d2d2d0a56657273696f6e3a20424350472043232076312e362e312e300a0a6c514f734246785a3936674243414350594d482b6d6b68526d62776c694b754d64322b3464572b535148454a33452f71786136655948712f527a7964417877550a6753567a564b61626e76364d4c5572425274763635536e4c704d33486d6673556562617348715447354d717546446e4773625a796c41477a796651675a71694c0a69643174356657787350495754627973456f46734a3645416f68356c62576d5733726a416762624139684e756a386d413562513474697a5330622b7a6c704d410a5430555a5232704359386f31377364564e7a7552726f724e6133436955756335554c5677564642794e39446537454f3373306e486c79735747384b365a4475620a57685563772b6b3876493344516c5134684d70595169384d6743376a42463234454530344f72463359364b5049615a7a6333394e4f4f4c684c6669626b7135460a385a465173722b314f4b4b53596d56414743636130444a336f6a4e6c6933327966677a44414245424141482f41774d434a4d64475665433474627467457672330a58676e563762304874416a7461302b484834445a783456774b56672b69595a46476c4a394d6c6e70573369376865585548792b4652786c7a7734682b374159750a65515a4272755a43463132585a392f4f6a62494432706f72544e506b426c6b2b475470676d684b724e2b724b4c79314779763955744765484544707a465643460a5076334b676d4b3047654f2f583243503361564736797163782b533039583735514943387a5a68626b7965614c5a49582b6f4758486f3656566d396f387258520a5871716f4c4132326e56364f6834496352626a5969634f5334434a4275454c51786b6c422f39556d324569725965456a705062536e4d4f665a6d72596c6c656d0a58687562414836635561324f35766274736b3471414c6e6f51446b525943706c556c73584879564e7a342b653939636258616c542b626e67506d632b6b6569310a33517142556c4d3450717a526d3858377a4e5647654d66536e705a6737795350574c384864714939734448447a634b625832594e35757376383254656775596b0a502f4f456550716f766878505651617244524a396a5a484e58574253776c63337342307776444149662f45796670377030474b424d76344c597065426c5941360a735858342f5276506a732f774e3436326a7862774365492f2f6854525252376456572b3232694b345877526746533977336e736a6b70794c44635368653454370a727856676f6f58486d42737630324b563350556b715a364469537566686d4a4762616879574a7256515346626f3343616f7145694d3654476567547751325a430a4e373465614635433544796954782b386947306877696f3776534155376a3565624c386e486d712b737559695845446647445a7178646a3969333571774367740a30787878665765314644626e694d6543743850644b66692f5a76734e7733714d314b596d544d486f625836646e665071364953336d6238313659615a2f4e57610a594c4e6e6e30464a6e3971567166514863756b6d6342425a717550376e683963756a6433696a566d34586b4555423438524838354e694741596f654f4a774b570a30356250794a5243423032574332765a7557477a7a756e474b6b74492b654e4671583548546e48466555452b6c4b4854356c5250326d6b6270353061664751680a6d74364d4d714251515a3862542b714230756e57784c71623161624276786a4c34315a6a5442766d486251685a476c74615852796153356b61574672623252700a62576c30636d6c7a5147467763484a7659574e6f4c6d4a6c69514563424241424167414742514a635766656f41416f4a45503132793235502b614134472b41480a2f6a526457733477447133374679337073376451695267614b524a51706338347a79625474327354746245675342336e2f376b43716d6e31506f7074707239660a4f656d6a7956454e4f576265645777535248394e36346b7953337536312f7269664a52767a6973472b772f3632514e4746497443326f49485a545947444657640a664d79674a7a3932774b3947654f66432f39484269456b66332f6873633168445253466a706a36446b504c7269727944656850537159586279656c56566a74540a597a7838476e3230762b783536724e76347a6578377154344776482b2f365a4a6a4856694872642f35366948707a566837477176736f4e6867766c7a566c63410a4a6263625a307a707646796252383755494c6a645149454744476e65717336764d44486c3165442b31677944546e417334787373376366524834346d566e72560a4272506c6b4c754874634366686a3063384536426c30383d0a3d2b6330700a2d2d2d2d2d454e44205047502050524956415445204b455920424c4f434b2d2d2d2d2d0a0a".decode("hex") -----BEGIN PGP PRIVATE KEY BLOCK----- Version: BCPG C# v1.6.1.0 lQOsBFxZ96gBCACPYMH+mkhRmbwliKuMd2+4dW+SQHEJ3E/qxa6eYHq/RzydAxwU gSVzVKabnv6MLUrBRtv65SnLpM3HmfsUebasHqTG5MquFDnGsbZylAGzyfQgZqiL id1t5fWxsPIWTbysEoFsJ6EAoh5lbWmW3rjAgbbA9hNuj8mA5bQ4tizS0b+zlpMA T0UZR2pCY8o17sdVNzuRrorNa3CiUuc5ULVwVFByN9De7EO3s0nHlysWG8K6ZDub WhUcw+k8vI3DQlQ4hMpYQi8MgC7jBF24EE04OrF3Y6KPIaZzc39NOOLhLfibkq5F 8ZFQsr+1OKKSYmVAGCca0DJ3ojNli32yfgzDABEBAAH/AwMCJMdGVeC4tbtgEvr3 XgnV7b0HtAjta0+HH4DZx4VwKVg+iYZFGlJ9MlnpW3i7heXUHy+FRxlzw4h+7AYu eQZBruZCF12XZ9/OjbID2porTNPkBlk+GTpgmhKrN+rKLy1Gyv9UtGeHEDpzFVCF Pv3KgmK0GeO/X2CP3aVG6yqcx+S09X75QIC8zZhbkyeaLZIX+oGXHo6VVm9o8rXR XqqoLA22nV6Oh4IcRbjYicOS4CJBuELQxklB/9Um2EirYeEjpPbSnMOfZmrYllem XhubAH6cUa2O5vbtsk4qALnoQDkRYCplUlsXHyVNz4+e99cbXalT+bngPmc+kei1 3QqBUlM4PqzRm8X7zNVGeMfSnpZg7ySPWL8HdqI9sDHDzcKbX2YN5usv82TeguYk P/OEePqovhxPVQarDRJ9jZHNXWBSwlc3sB0wvDAIf/Eyfp7p0GKBMv4LYpeBlYA6 sXX4/RvPjs/wN462jxbwCeI//hTRRR7dVW+22iK4XwRgFS9w3nsjkpyLDcShe4T7 rxVgooXHmBsv02KV3PUkqZ6DiSufhmJGbahyWJrVQSFbo3CaoqEiM6TGegTwQ2ZC N74eaF5C5DyiTx+8iG0hwio7vSAU7j5ebL8nHmq+suYiXEDfGDZqxdj9i35qwCgt 0xxxfWe1FDbniMeCt8PdKfi/ZvsNw3qM1KYmTMHobX6dnfPq6IS3mb816YaZ/NWa YLNnn0FJn9qVqfQHcukmcBBZquP7nh9cujd3ijVm4XkEUB48RH85NiGAYoeOJwKW 05bPyJRCB02WC2vZuWGzzunGKktI+eNFqX5HTnHFeUE+lKHT5lRP2mkbp50afGQh mt6MMqBQQZ8bT+qB0unWxLqb1abBvxjL41ZjTBvmHbQhZGltaXRyaS5kaWFrb2Rp bWl0cmlzQGFwcHJvYWNoLmJliQEcBBABAgAGBQJcWfeoAAoJEP12y25P+aA4G+AH /jRdWs4wDq37Fy3ps7dQiRgaKRJQpc84zybTt2sTtbEgSB3n/7kCqmn1Poptpr9f OemjyVENOWbedWwSRH9N64kyS3u61/rifJRvzisG+w/62QNGFItC2oIHZTYGDFWd fMygJz92wK9GeOfC/9HBiEkf3/hsc1hDRSFjpj6DkPLriryDehPSqYXbyelVVjtT Yzx8Gn20v+x56rNv4zex7qT4GvH+/6ZJjHViHrd/56iHpzVh7GqvsoNhgvlzVlcA JbcbZ0zpvFybR87UILjdQIEGDGneqs6vMDHl1eD+1gyDTnAs4xss7cfRH44mVnrV BrPlkLuHtcCfhj0c8E6Bl08= =+c0p -----END PGP PRIVATE KEY BLOCK-----
Moreover, after the first %%EOF marker, some data have been added:
%BeginExifToolUpdate ... snipped ... stream <?xpacket begin='' id='W5M0MpCehiHzreSzNTczkc9d'?> <x:xmpmeta xmlns:x='adobe:ns:meta/' x:xmptk='Image::ExifTool 10.10'> <rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'> <rdf:Description rdf:about='' xmlns:dc='http://purl.org/dc/elements/1.1/'> <dc:description>/home/enzo/.gnupg/pubring.kbx <rdf:Alt> <rdf:li xml:lang='x-default'>Mozart is not a walking dead</rdf:li> </rdf:Alt> </dc:description> </rdf:Description> </rdf:RDF> </x:xmpmeta> ... snipped ... %EndExifToolUpdate 4747 startxref 7882 %%EOF
Using the private key, we tried to decrypt the instructions.asc, but as we tried to import the private key, a password was required.
We guessed that the password could be Mozart is not a walking dead, and it was indeed a success:
$ gpg --import priv.key ... snipped ... $ gpg --decrypt instructions.asc ... snipped ... Second Flag ----------- CSC{47d9a3dffa147610f62e23ca78f5a8f7} Zip Password ------------ Keep going you are ready for the next stagegpg: WARNING: message was not integrity protected
Last step now !
Part III
The last part was actually the longest one. There was one remaining file we didn’t use at this time, not_yet.zip. It was another protected zip file, which
can be unlocked using the password Keep going you are ready for the next stage. It contained a bunch of embedded zip files, that we unpacked with this script:
import subprocess import os arch = "3airqiv23gkr.zip" prev = "" name = "" try: while True: res = subprocess.check_output(["unzip", arch]) prev = arch arch = res[res.find("extracting: ")+12:].strip() name += prev + "\n" os.system("rm " + prev) except: print name
As the script ended (1h30 later), it left us with a last password-protected archive and a picture:
We used the message given in the image as a password to decrypt the ZIP, and got this last HTML file, showing nothing in a web browser. However, by taking a look at the source code, we found:
<script> var canvas = document.getElementById( 'canvas' ), ctx = canvas.getContext( '2d' ), canvas2 = document.getElementById( 'canvas2' ), ctx2 = canvas2.getContext( '2d' ), // full screen dimensions cw = window.innerWidth, ch = window.innerHeight, charArr = ["1","0","0","0","0","1","1","0","1","0","1","0","0","1","1","0","1","0","0","0","0","1","1","0","1","1","1","1","0","1","1","0","1","1","0","0","1","1","0","0","0","1","1","0","1","0","1","0","0","1","1","0","0","0","0","0","1","1","0","0","0","1","0","0","0","1","1","0","1","0","0","0","0","1","1","0","0","0","1","0","0","1","1","0","0","1","1","0","0","1","1","0","1","0","0","0","1","1","0","0","1","0","0","0","1","1","0","0","1","1","0","0","0","1","1","1","0","0","0","0","0","1","1","0","1","1","0","0","0","1","1","1","0","0","1","0","1","1","0","0","0","1","0","0","0","1","1","0","1","0","0","0","0","1","1","1","0","0","1","0","0","1","1","0","1","1","1","0","0","1","1","0","1","1","0","0","0","1","1","0","0","0","1","0","1","1","0","0","0","1","1","0","1","1","0","0","0","1","0","0","0","1","1","0","1","0","0","0","1","1","0","0","0","1","0","0","0","1","1","0","0","1","1","0","0","1","1","1","0","0","0","0","1","1","0","0","1","0","0","0","1","1","0","0","1","1","0","0","0","1","1","0","1","1","1","0","0","1","1","0","1","0","0","0","0","1","1","0","1","0","0","0","1","1","0","0","1","0","0","0","0","1","1","0","0","0","0","0","1","1","1","1","1","0","1"], maxCharCount = 100, fallingCharArr = [], fontSize = 10, maxColums = cw/(fontSize); canvas.width = canvas2.width = cw; canvas.height = canvas2.height = ch; ... snipped ... </script>
We didn’t spend too much time reading the code and guessed that we had to decode the charArr:
charArr = ["1","0","0","0","0","1","1","0","1","0","1","0","0","1","1","0","1","0","0","0","0","1","1","0","1","1","1","1","0","1","1","0","1","1","0","0","1","1","0","0","0","1","1","0","1","0","1","0","0","1","1","0","0","0","0","0","1","1","0","0","0","1","0","0","0","1","1","0","1","0","0","0","0","1","1","0","0","0","1","0","0","1","1","0","0","1","1","0","0","1","1","0","1","0","0","0","1","1","0","0","1","0","0","0","1","1","0","0","1","1","0","0","0","1","1","1","0","0","0","0","0","1","1","0","1","1","0","0","0","1","1","1","0","0","1","0","1","1","0","0","0","1","0","0","0","1","1","0","1","0","0","0","0","1","1","1","0","0","1","0","0","1","1","0","1","1","1","0","0","1","1","0","1","1","0","0","0","1","1","0","0","0","1","0","1","1","0","0","0","1","1","0","1","1","0","0","0","1","0","0","0","1","1","0","1","0","0","0","1","1","0","0","0","1","0","0","0","1","1","0","0","1","1","0","0","1","1","1","0","0","0","0","1","1","0","0","1","0","0","0","1","1","0","0","1","1","0","0","0","1","1","0","1","1","1","0","0","1","1","0","1","0","0","0","0","1","1","0","1","0","0","0","1","1","0","0","1","0","0","0","0","1","1","0","0","0","0","0","1","1","1","1","1","0","1"] hex(int(''.join(charArr), 2))[2:-1].decode("hex") 'CSC{f50b4134df869b49761cb4b38df744d0}'