alect096.github.io

View on GitHub

Jail Break 1, 2, 3 (Misc)

~$ cd ..

Author BorelEnzo

We spent a lot of time on the first part on this challenge, because the description of the challenge misled us. The description was an obvious reference to Matrix, when Neo chooses to follow the White Rabbit.

Part I

We were given a zip archive protected by a password. The name of the archive (5_T1m3s) was misleading as well, and we tried to guess a password related to Matrix. Wrong path, brute force gave us the solution:

$ fcrackzip -v -l 5 -u 5_T1m3s.zip 
	found file 'challenge.pdf', (size cp/uc   2961/  8046, flags 9, chk b9b6)
	found file 'instructions.asc', (size cp/uc    558/  1719, flags 9, chk b0da)
	found file 'not_yet.zip', (size cp/uc 56341557/56341545, flags 9, chk bc08)
	found file 'flag.txt', (size cp/uc     50/    38, flags 9, chk b5ab)
	checking pw C8!N~                                   

	PASSWORD FOUND!!!!: pw == C99tt

A few minutes were necessary to crack the password. In flag.txt, we got our first flag CSC{f0b487b82fee5b144808cad2e33f2898}

Part II

In the decrypted archive we also found challenge.pdf, instructions.asc, and not_yet.zip, where not_yet.zip is another password-protected archive and instructions.asc was recognized as:

$ file instructions.asc 
	instructions.asc: PGP message Public-Key Encrypted Session Key (old)

The PDF seems to be quite useless:

pdf

but by opening it with nano, we found this PDF object:

8 0 obj
<<
 /Length 3647
 /Filter /ASCIIHexDecode
 /Type /EmbeddedFile
>
stream
2d2d2d2d2d424547494e205047502050524956415445204b455920424c4f434b2d2d2d2d2d0a56657273696f6e3a20424350472043232076312e362e312e300a0a6c514f734246785a3936674243414350594d482b6d6b68526d62776c694b754d64322b3464572b535148454a33452f71786136655948712f527a7964417877550a6753567a564b61626e76364d4c5572425274763635536e4c704d33486d6673556562617348715447354d717546446e4773625a796c41477a796651675a71694c0a69643174356657787350495754627973456f46734a3645416f68356c62576d5733726a416762624139684e756a386d413562513474697a5330622b7a6c704d410a5430555a5232704359386f31377364564e7a7552726f724e6133436955756335554c5677564642794e39446537454f3373306e486c79735747384b365a4475620a57685563772b6b3876493344516c5134684d70595169384d6743376a42463234454530344f72463359364b5049615a7a6333394e4f4f4c684c6669626b7135460a385a465173722b314f4b4b53596d56414743636130444a336f6a4e6c6933327966677a44414245424141482f41774d434a4d64475665433474627467457672330a58676e563762304874416a7461302b484834445a783456774b56672b69595a46476c4a394d6c6e70573369376865585548792b4652786c7a7734682b374159750a65515a4272755a43463132585a392f4f6a62494432706f72544e506b426c6b2b475470676d684b724e2b724b4c79314779763955744765484544707a465643460a5076334b676d4b3047654f2f583243503361564736797163782b533039583735514943387a5a68626b7965614c5a49582b6f4758486f3656566d396f387258520a5871716f4c4132326e56364f6834496352626a5969634f5334434a4275454c51786b6c422f39556d324569725965456a705062536e4d4f665a6d72596c6c656d0a58687562414836635561324f35766274736b3471414c6e6f51446b525943706c556c73584879564e7a342b653939636258616c542b626e67506d632b6b6569310a33517142556c4d3450717a526d3858377a4e5647654d66536e705a6737795350574c384864714939734448447a634b625832594e35757376383254656775596b0a502f4f456550716f766878505651617244524a396a5a484e58574253776c63337342307776444149662f45796670377030474b424d76344c597065426c5941360a735858342f5276506a732f774e3436326a7862774365492f2f6854525252376456572b3232694b345877526746533977336e736a6b70794c44635368653454370a727856676f6f58486d42737630324b563350556b715a364469537566686d4a4762616879574a7256515346626f3343616f7145694d3654476567547751325a430a4e373465614635433544796954782b386947306877696f3776534155376a3565624c386e486d712b737559695845446647445a7178646a3969333571774367740a30787878665765314644626e694d6543743850644b66692f5a76734e7733714d314b596d544d486f625836646e665071364953336d6238313659615a2f4e57610a594c4e6e6e30464a6e3971567166514863756b6d6342425a717550376e683963756a6433696a566d34586b4555423438524838354e694741596f654f4a774b570a30356250794a5243423032574332765a7557477a7a756e474b6b74492b654e4671583548546e48466555452b6c4b4854356c5250326d6b6270353061664751680a6d74364d4d714251515a3862542b714230756e57784c71623161624276786a4c34315a6a5442766d486251685a476c74615852796153356b61574672623252700a62576c30636d6c7a5147467763484a7659574e6f4c6d4a6c69514563424241424167414742514a635766656f41416f4a45503132793235502b614134472b41480a2f6a526457733477447133374679337073376451695267614b524a51706338347a79625474327354746245675342336e2f376b43716d6e31506f7074707239660a4f656d6a7956454e4f576265645777535248394e36346b7953337536312f7269664a52767a6973472b772f3632514e4746497443326f49485a545947444657640a664d79674a7a3932774b3947654f66432f39484269456b66332f6873633168445253466a706a36446b504c7269727944656850537159586279656c56566a74540a597a7838476e3230762b783536724e76347a6578377154344776482b2f365a4a6a4856694872642f35366948707a566837477176736f4e6867766c7a566c63410a4a6263625a307a707646796252383755494c6a645149454744476e65717336764d44486c3165442b31677944546e417334787373376366524834346d566e72560a4272506c6b4c754874634366686a3063384536426c30383d0a3d2b6330700a2d2d2d2d2d454e44205047502050524956415445204b455920424c4f434b2d2d2d2d2d0a0a>
endstream
endobj

It’s a simple hex-encoding, which gave us, once decoded:

print "2d2d2d2d2d424547494e205047502050524956415445204b455920424c4f434b2d2d2d2d2d0a56657273696f6e3a20424350472043232076312e362e312e300a0a6c514f734246785a3936674243414350594d482b6d6b68526d62776c694b754d64322b3464572b535148454a33452f71786136655948712f527a7964417877550a6753567a564b61626e76364d4c5572425274763635536e4c704d33486d6673556562617348715447354d717546446e4773625a796c41477a796651675a71694c0a69643174356657787350495754627973456f46734a3645416f68356c62576d5733726a416762624139684e756a386d413562513474697a5330622b7a6c704d410a5430555a5232704359386f31377364564e7a7552726f724e6133436955756335554c5677564642794e39446537454f3373306e486c79735747384b365a4475620a57685563772b6b3876493344516c5134684d70595169384d6743376a42463234454530344f72463359364b5049615a7a6333394e4f4f4c684c6669626b7135460a385a465173722b314f4b4b53596d56414743636130444a336f6a4e6c6933327966677a44414245424141482f41774d434a4d64475665433474627467457672330a58676e563762304874416a7461302b484834445a783456774b56672b69595a46476c4a394d6c6e70573369376865585548792b4652786c7a7734682b374159750a65515a4272755a43463132585a392f4f6a62494432706f72544e506b426c6b2b475470676d684b724e2b724b4c79314779763955744765484544707a465643460a5076334b676d4b3047654f2f583243503361564736797163782b533039583735514943387a5a68626b7965614c5a49582b6f4758486f3656566d396f387258520a5871716f4c4132326e56364f6834496352626a5969634f5334434a4275454c51786b6c422f39556d324569725965456a705062536e4d4f665a6d72596c6c656d0a58687562414836635561324f35766274736b3471414c6e6f51446b525943706c556c73584879564e7a342b653939636258616c542b626e67506d632b6b6569310a33517142556c4d3450717a526d3858377a4e5647654d66536e705a6737795350574c384864714939734448447a634b625832594e35757376383254656775596b0a502f4f456550716f766878505651617244524a396a5a484e58574253776c63337342307776444149662f45796670377030474b424d76344c597065426c5941360a735858342f5276506a732f774e3436326a7862774365492f2f6854525252376456572b3232694b345877526746533977336e736a6b70794c44635368653454370a727856676f6f58486d42737630324b563350556b715a364469537566686d4a4762616879574a7256515346626f3343616f7145694d3654476567547751325a430a4e373465614635433544796954782b386947306877696f3776534155376a3565624c386e486d712b737559695845446647445a7178646a3969333571774367740a30787878665765314644626e694d6543743850644b66692f5a76734e7733714d314b596d544d486f625836646e665071364953336d6238313659615a2f4e57610a594c4e6e6e30464a6e3971567166514863756b6d6342425a717550376e683963756a6433696a566d34586b4555423438524838354e694741596f654f4a774b570a30356250794a5243423032574332765a7557477a7a756e474b6b74492b654e4671583548546e48466555452b6c4b4854356c5250326d6b6270353061664751680a6d74364d4d714251515a3862542b714230756e57784c71623161624276786a4c34315a6a5442766d486251685a476c74615852796153356b61574672623252700a62576c30636d6c7a5147467763484a7659574e6f4c6d4a6c69514563424241424167414742514a635766656f41416f4a45503132793235502b614134472b41480a2f6a526457733477447133374679337073376451695267614b524a51706338347a79625474327354746245675342336e2f376b43716d6e31506f7074707239660a4f656d6a7956454e4f576265645777535248394e36346b7953337536312f7269664a52767a6973472b772f3632514e4746497443326f49485a545947444657640a664d79674a7a3932774b3947654f66432f39484269456b66332f6873633168445253466a706a36446b504c7269727944656850537159586279656c56566a74540a597a7838476e3230762b783536724e76347a6578377154344776482b2f365a4a6a4856694872642f35366948707a566837477176736f4e6867766c7a566c63410a4a6263625a307a707646796252383755494c6a645149454744476e65717336764d44486c3165442b31677944546e417334787373376366524834346d566e72560a4272506c6b4c754874634366686a3063384536426c30383d0a3d2b6330700a2d2d2d2d2d454e44205047502050524956415445204b455920424c4f434b2d2d2d2d2d0a0a".decode("hex")
	-----BEGIN PGP PRIVATE KEY BLOCK-----
	Version: BCPG C# v1.6.1.0

	lQOsBFxZ96gBCACPYMH+mkhRmbwliKuMd2+4dW+SQHEJ3E/qxa6eYHq/RzydAxwU
	gSVzVKabnv6MLUrBRtv65SnLpM3HmfsUebasHqTG5MquFDnGsbZylAGzyfQgZqiL
	id1t5fWxsPIWTbysEoFsJ6EAoh5lbWmW3rjAgbbA9hNuj8mA5bQ4tizS0b+zlpMA
	T0UZR2pCY8o17sdVNzuRrorNa3CiUuc5ULVwVFByN9De7EO3s0nHlysWG8K6ZDub
	WhUcw+k8vI3DQlQ4hMpYQi8MgC7jBF24EE04OrF3Y6KPIaZzc39NOOLhLfibkq5F
	8ZFQsr+1OKKSYmVAGCca0DJ3ojNli32yfgzDABEBAAH/AwMCJMdGVeC4tbtgEvr3
	XgnV7b0HtAjta0+HH4DZx4VwKVg+iYZFGlJ9MlnpW3i7heXUHy+FRxlzw4h+7AYu
	eQZBruZCF12XZ9/OjbID2porTNPkBlk+GTpgmhKrN+rKLy1Gyv9UtGeHEDpzFVCF
	Pv3KgmK0GeO/X2CP3aVG6yqcx+S09X75QIC8zZhbkyeaLZIX+oGXHo6VVm9o8rXR
	XqqoLA22nV6Oh4IcRbjYicOS4CJBuELQxklB/9Um2EirYeEjpPbSnMOfZmrYllem
	XhubAH6cUa2O5vbtsk4qALnoQDkRYCplUlsXHyVNz4+e99cbXalT+bngPmc+kei1
	3QqBUlM4PqzRm8X7zNVGeMfSnpZg7ySPWL8HdqI9sDHDzcKbX2YN5usv82TeguYk
	P/OEePqovhxPVQarDRJ9jZHNXWBSwlc3sB0wvDAIf/Eyfp7p0GKBMv4LYpeBlYA6
	sXX4/RvPjs/wN462jxbwCeI//hTRRR7dVW+22iK4XwRgFS9w3nsjkpyLDcShe4T7
	rxVgooXHmBsv02KV3PUkqZ6DiSufhmJGbahyWJrVQSFbo3CaoqEiM6TGegTwQ2ZC
	N74eaF5C5DyiTx+8iG0hwio7vSAU7j5ebL8nHmq+suYiXEDfGDZqxdj9i35qwCgt
	0xxxfWe1FDbniMeCt8PdKfi/ZvsNw3qM1KYmTMHobX6dnfPq6IS3mb816YaZ/NWa
	YLNnn0FJn9qVqfQHcukmcBBZquP7nh9cujd3ijVm4XkEUB48RH85NiGAYoeOJwKW
	05bPyJRCB02WC2vZuWGzzunGKktI+eNFqX5HTnHFeUE+lKHT5lRP2mkbp50afGQh
	mt6MMqBQQZ8bT+qB0unWxLqb1abBvxjL41ZjTBvmHbQhZGltaXRyaS5kaWFrb2Rp
	bWl0cmlzQGFwcHJvYWNoLmJliQEcBBABAgAGBQJcWfeoAAoJEP12y25P+aA4G+AH
	/jRdWs4wDq37Fy3ps7dQiRgaKRJQpc84zybTt2sTtbEgSB3n/7kCqmn1Poptpr9f
	OemjyVENOWbedWwSRH9N64kyS3u61/rifJRvzisG+w/62QNGFItC2oIHZTYGDFWd
	fMygJz92wK9GeOfC/9HBiEkf3/hsc1hDRSFjpj6DkPLriryDehPSqYXbyelVVjtT
	Yzx8Gn20v+x56rNv4zex7qT4GvH+/6ZJjHViHrd/56iHpzVh7GqvsoNhgvlzVlcA
	JbcbZ0zpvFybR87UILjdQIEGDGneqs6vMDHl1eD+1gyDTnAs4xss7cfRH44mVnrV
	BrPlkLuHtcCfhj0c8E6Bl08=
	=+c0p
	-----END PGP PRIVATE KEY BLOCK-----

Moreover, after the first %%EOF marker, some data have been added:

%BeginExifToolUpdate
... snipped ...
stream
<?xpacket begin='' id='W5M0MpCehiHzreSzNTczkc9d'?>
<x:xmpmeta xmlns:x='adobe:ns:meta/' x:xmptk='Image::ExifTool 10.10'>
<rdf:RDF xmlns:rdf='http://www.w3.org/1999/02/22-rdf-syntax-ns#'>

<rdf:Description rdf:about=''
 xmlns:dc='http://purl.org/dc/elements/1.1/'>
 <dc:description>/home/enzo/.gnupg/pubring.kbx
  <rdf:Alt>
   <rdf:li xml:lang='x-default'>Mozart is not a walking dead</rdf:li>
  </rdf:Alt>
 </dc:description>
</rdf:Description>
</rdf:RDF>
</x:xmpmeta>
... snipped ...
%EndExifToolUpdate 4747
startxref
7882
%%EOF

Using the private key, we tried to decrypt the instructions.asc, but as we tried to import the private key, a password was required. We guessed that the password could be Mozart is not a walking dead, and it was indeed a success:

$ gpg --import priv.key 
... snipped ...
$ gpg --decrypt instructions.asc
... snipped ...
Second Flag
-----------
CSC{47d9a3dffa147610f62e23ca78f5a8f7}

Zip Password
------------
Keep going you are ready for the next stagegpg: WARNING: message was not integrity protected

Last step now !

Part III

The last part was actually the longest one. There was one remaining file we didn’t use at this time, not_yet.zip. It was another protected zip file, which can be unlocked using the password Keep going you are ready for the next stage. It contained a bunch of embedded zip files, that we unpacked with this script:

import subprocess
import os

arch = "3airqiv23gkr.zip"
prev = ""
name = ""
try:
	while True:
		res = subprocess.check_output(["unzip", arch])
		prev = arch
		arch = res[res.find("extracting: ")+12:].strip()
		name += prev + "\n"
		os.system("rm " + prev)
except:
	print name

As the script ended (1h30 later), it left us with a last password-protected archive and a picture:

opensesame.jpg

We used the message given in the image as a password to decrypt the ZIP, and got this last HTML file, showing nothing in a web browser. However, but taking a look at the source code, we found:

<script>
var canvas = document.getElementById( 'canvas' ),
	ctx = canvas.getContext( '2d' ),
 	canvas2 = document.getElementById( 'canvas2' ),
	ctx2 = canvas2.getContext( '2d' ),
		// full screen dimensions
		cw = window.innerWidth,
		ch = window.innerHeight,
	charArr = ["1","0","0","0","0","1","1","0","1","0","1","0","0","1","1","0","1","0","0","0","0","1","1","0","1","1","1","1","0","1","1","0","1","1","0","0","1","1","0","0","0","1","1","0","1","0","1","0","0","1","1","0","0","0","0","0","1","1","0","0","0","1","0","0","0","1","1","0","1","0","0","0","0","1","1","0","0","0","1","0","0","1","1","0","0","1","1","0","0","1","1","0","1","0","0","0","1","1","0","0","1","0","0","0","1","1","0","0","1","1","0","0","0","1","1","1","0","0","0","0","0","1","1","0","1","1","0","0","0","1","1","1","0","0","1","0","1","1","0","0","0","1","0","0","0","1","1","0","1","0","0","0","0","1","1","1","0","0","1","0","0","1","1","0","1","1","1","0","0","1","1","0","1","1","0","0","0","1","1","0","0","0","1","0","1","1","0","0","0","1","1","0","1","1","0","0","0","1","0","0","0","1","1","0","1","0","0","0","1","1","0","0","0","1","0","0","0","1","1","0","0","1","1","0","0","1","1","1","0","0","0","0","1","1","0","0","1","0","0","0","1","1","0","0","1","1","0","0","0","1","1","0","1","1","1","0","0","1","1","0","1","0","0","0","0","1","1","0","1","0","0","0","1","1","0","0","1","0","0","0","0","1","1","0","0","0","0","0","1","1","1","1","1","0","1"],
	maxCharCount = 100,
	fallingCharArr = [],
	fontSize = 10,
	maxColums = cw/(fontSize);
	canvas.width = canvas2.width = cw;
	canvas.height = canvas2.height = ch;
	... snipped ...
	</script>

We didn’t spend too much time reading the code and guessed that we had to decode the charArr:

charArr = ["1","0","0","0","0","1","1","0","1","0","1","0","0","1","1","0","1","0","0","0","0","1","1","0","1","1","1","1","0","1","1","0","1","1","0","0","1","1","0","0","0","1","1","0","1","0","1","0","0","1","1","0","0","0","0","0","1","1","0","0","0","1","0","0","0","1","1","0","1","0","0","0","0","1","1","0","0","0","1","0","0","1","1","0","0","1","1","0","0","1","1","0","1","0","0","0","1","1","0","0","1","0","0","0","1","1","0","0","1","1","0","0","0","1","1","1","0","0","0","0","0","1","1","0","1","1","0","0","0","1","1","1","0","0","1","0","1","1","0","0","0","1","0","0","0","1","1","0","1","0","0","0","0","1","1","1","0","0","1","0","0","1","1","0","1","1","1","0","0","1","1","0","1","1","0","0","0","1","1","0","0","0","1","0","1","1","0","0","0","1","1","0","1","1","0","0","0","1","0","0","0","1","1","0","1","0","0","0","1","1","0","0","0","1","0","0","0","1","1","0","0","1","1","0","0","1","1","1","0","0","0","0","1","1","0","0","1","0","0","0","1","1","0","0","1","1","0","0","0","1","1","0","1","1","1","0","0","1","1","0","1","0","0","0","0","1","1","0","1","0","0","0","1","1","0","0","1","0","0","0","0","1","1","0","0","0","0","0","1","1","1","1","1","0","1"]
hex(int(''.join(charArr), 2))[2:-1].decode("hex")
	'CSC{f50b4134df869b49761cb4b38df744d0}'