Try   HackMD

Mess_Up NEW YEAR CTF CHALLENGE -CyberTalents

RECON

challenge Point Type
mess_me 200 Digital Forensic

First, This was cool and New challenge on my Eyes because whenever i get the zip file with password all i am thinking is to find the password but this one was NO THAT WAY!

at recon i had to give a try with john as alway

┌──(malware㉿kali)-[~/Downloads/newyearctf/forensic/mess]
└─$ zip2john Challange.zip > hash                  
ver 2.0 Challange.zip/flag.jpg PKZIP Encr: cmplen=6589, decmplen=8184, crc=3FDDC4E2
ver 2.0 Challange.zip/oracle.vdi PKZIP Encr: cmplen=108, decmplen=96, crc=F63E7666
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.

then

┌──(malware㉿kali)-[~/Downloads/newyearctf/forensic/mess]
└─$ john hash --wordlist=/home/malware/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:07 DONE (2020-12-29 18:04) 0g/s 1838Kp/s 1838Kc/s 1838KC/s !jonaluz28!..*7¡Vamos!
Session completed

ITS WEIRD and Nothing interest!!!
after a while i got idea why not trying to google the other way to crack Encrypted zip file

i found something about Known Plaintext attack
well then i got lead on the tool called PKCRACK but i could not get to understand well how to use so i moved on and found new tool called BKCRACK with help of friend @ByamB4 after cloned and compiled it then was seems to work properly so lets the CRACK BEGIN

USING BKCRACK TOOL
Let us see what is inside.
Open a terminal in the our folder and ask unzip to give us information about it.

┌──(malware㉿kali)-[~/Downloads/newyearctf/forensic/mess]
└─$ unzip -Z Challange.zip

We get the following output.

┌──(malware㉿kali)-[~/Downloads/newyearctf/forensic/mess]
└─$ unzip -Z Challange.zip
Archive:  Challange.zip
Zip file size: 6979 bytes, number of entries: 2
-rw-a--     6.3 fat     8184 Bx defN 20-Dec-16 16:46 flag.jpg
-rw-a--     6.3 fat       96 Bx stor 20-Dec-16 16:38 oracle.vdi
2 files, 8280 bytes uncompressed, 6673 bytes compressed:  19.4%

The zip file contains two files: flag.jpg and oracle.vdi.
The capital letter in the fifth field shows the files are encrypted.
We also see that flag.jpg is deflated whereas oracle.vdi is stored uncompressed.

Guessing plaintext

To run the attack, we must guess at least 12 bytes of plaintext.
On average, the more plaintext we guess, the faster the attack will be.

The easy way: stored file

We can guess from its extension that oracle.vdi probably starts with the string <<< Oracle VM VirtualBox Disk Image >>>.

We are so lucky that this file is stored uncompressed in the zip file.
So we have 40 bytes of plaintext, which is more than enough.

The not so easy way: deflated file

Let us assume the zip file did not contain the uncompressed oracle.vdi.

Then, to guess some plaintext, we can guess the first bytes of the original flag.jpg file from its extension.
The problem is that this file is compressed.
To run the attack, one would have to guess how those first bytes are compressed, which is difficult without knowing the entire file.

In this example, this approach is not practical.
It can be practical if the original file can easily be found online, like a .dll file for example.
Then, one would compress it using various compression software and compression levels to try and generate the correct plaintext.

Free additional byte from CRC

In this example, we guessed the first 40 bytes of oracle.vdi. and i hope the attack will be more faster

In addition, as explained in the ZIP file format specification, a 12-byte encryption header in prepended to the data in the archive.
The last byte of the encryption header is the most significant byte of the file's CRC.

We can get the CRC with unzip.

┌──(malware㉿kali)-[~/Downloads/newyearctf/forensic/mess]
└─$ unzip -Z -v Challange.zip oracle.vdi | grep CRC
  32-bit CRC value (hex):                         f63e7666

So we know the byte just before the plaintext (i.e. at offset -1) is 0xF6.

Running the attack

Let us write the plaintext we guessed in a file.

┌──(malware㉿kali)-[~/Downloads/newyearctf/forensic/mess]
└─$ echo -n -e '\xf6<<< Oracle VM virtualBox Disk Image >>>' > plain.txt

We are now ready to run the attack.

┌──(malware㉿kali)-[~/Downloads/newyearctf/forensic/mess]
└─$ ./bkcrack -C Challange.zip -c oracle.vdi -p plain.txt -o -1

After a little while, the keys will appear

┌──(malware㉿kali)-[~/Downloads/newyearctf/forensic/mess]
└─$ ./bkcrack -C Challange.zip -c oracle.vdi -p plain.txt -o -1      
bkcrack 1.0.0 - 2020-12-25
Generated 4194304 Z values.
[15:32:22] Z reduction using 32 bytes of known plaintext
100.0 % (32 / 32)
238606 values remaining.
[15:32:26] Attack on 238606 Z values at index 6
Keys: be17a2b4 30cbf569 8b83cb3a
36.5 % (87056 / 238606)
[15:48:22] Keys
be17a2b4 30cbf569 8b83cb3a

Recovering the original files

Once we have the keys, we can decipher the files.
We assume that the same keys were used for all the files in the zip file.

┌──(malware㉿kali)-[~/Downloads/newyearctf/forensic/mess]
└─$ ./bkcrack -C Challange.zip -c oracle.vdi -k be17a2b4 30cbf569 8b83cb3a -d oracle_decrypted.vdi
bkcrack 1.0.0 - 2020-12-25
Wrote deciphered text.

The file oracle.vdi was stored uncompressed so we are done.

┌──(malware㉿kali)-[~/Downloads/newyearctf/forensic/mess]
└─$ ./bkcrack -C Challange.zip -c flag.jpg -k be17a2b4 30cbf569 8b83cb3a -d flag_decrypted.deflate
bkcrack 1.0.0 - 2020-12-25
Wrote deciphered text.

The file flag.jpg was compressed with the deflate algorithm in the zip file, so we now have to uncompressed it.

A python script is provided for this purpose in the tools folder.

┌──(malware㉿kali)-[~/Downloads/newyearctf/forensic/mess]
└─$ python3 inflate.py < flag_decrypted.deflate > flag.jpg

but i opened it but file corrupted ehh so i had to check it with file command to see if its real aJPG file or

┌──(malware㉿kali)-[~/Downloads/newyearctf/forensic/mess]
└─$ file flag.jpg                                        
flag.jpg: PNG image data, 720 x 350, 8-bit/color RGBA, non-interlaced

BOOOM ITS NOT
so i had to change just a file extension from .jpg to .png it worked I GOT FLAG

Image Not Showing Possible Reasons
  • The image file may be corrupted
  • The server hosting the image is unavailable
  • The image path is incorrect
  • The image format is not supported
Learn More →

in summary : The attack is a known plaintext attack, which means you have to know part of the encrypted data in order to break the cipher. thats all i could have cracked it in two hours but guess what i spent a day to figuring out where i was missing and reliaze that i was using small letter v in <<< Oracle VM virtualBox Disk Image >>> instead of capital letter V damn this means this plaintext things is Case-Sensitive

HAPPY NEW YEAR CTFiers

Last changed by 
LyMo
fast L3ARNER | Tanzanian | cYBER
0
2
2450

Read more

NAHAMCON CTF 2022 - UDOM CYBER CLUB

THE COMPETITION ORGANIZED BY JOHN HAMMOND WITH MANY SPONSORS CHALLENGES JOHNKS Name Points Authored By johnks

Apr 30, 2022
URCHINSEC CTF MMXXII WRITEUP

i avoided to be an organizer so i could play on this CTF after finishing a UE :grinning::grinning::grinning::grinning: so here are my solves DISCORD CHALLENGES WELCOME [50 Points] solution joined the server under #urchinsec-ctf-rules! channel we flag : urchin{welcome_hacker!!}

Mar 6, 2022
Read more from LyMo
Published on HackMD