# RIFTctf2020
## Forensic 3
```
Value: 300 points
File Names for the challenge: flag003.zip and readme.txt
Message:
1. identify the file format.
2. read about the file format.
3. see which properties this particular file has.
4. and fix the file to get the flag.
5. brute-forcing won't help but you can do whatever you want.
6. flag format ritsCTF{<---flag-here--->}.
Good Luck!
author - X3eRo0
```
For this challenge we have two files, a readme.txt and a zip file:
```
cat readme.txt
README_FOR_CHALL_2_PLS_READ_CAREFULLY_AND_PROCESS_:)__
```
The .txt is just one line of text, nothing else :/
Following the message, we read about the file format and explore the second file:
```
unzip flag003.zip
Archive: flag003.zip
[flag003.zip] readme.txt password:
```
A zip with a password, argh /:
```
file flag003.zip
flag003.zip: Zip archive data, at least v2.0 to extract
binwalk flag003.zip
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 Zip archive data, encrypted at least v2.0 to extract, compressed size: 66, uncompressed size: 54, name: readme.txt
122 0x7A Zip archive data, encrypted at least v2.0 to extract, compressed size: 54, uncompressed size: 40, name: flag.txt
412 0x19C End of Zip archive, footer length: 22
strings flag003.zip
readme.txt
)CqS8W
spP_BRT6
flag.txt
a`nNyi
_BRT6
readme.txt
spP_BRT6
flag.txt
LOL YOU CANT READ THE FLAG LOLLOLOLOLOLOLOLOLOLOLOLOLOLOLO
```
Thanks to binwalk and strings we can see the zip contains a flag.txt. We need to open the zip file to read the flag, but we don't have the password, and "LOL YOU CANT READ THE FLAG" :p
But this zip file also contains a readme.txt; maybe it's the same file we were given ;)
And like other crypto challenges, we can try a known-plaintext attack; I did not know at that moment whether it was possible.
A few Google searches later I found several posts on this attack, using the pkcrack tool.
In order to carry out this attack we need several files:
* the cipher file (our zip file with the password)
* the plaintext file
* the plaintext file zipped
* the name of the output zip
Now we need to create a zip with the same format as flag003.zip, so we need to know the file format exactly; let's do that with **xxd**.
Let's explore the file:
```
xxd flag003.zip
00000000: 504b 0304 1400 0900 0800 837e 7050 1883 PK.........~pP..
00000010: e814 4200 0000 3600 0000 0a00 0000 7265 ..B...6.......re
00000020: 6164 6d65 2e74 7874 943c 6031 fbe9 5e4a adme.txt.<`1..^J
00000030: a6c0 2318 c24f 5e3f cbb5 6cdc 922b b57c ..#..O^?..l..+.|
00000040: 5ee4 c158 5993 cae9 d125 e7a6 b172 91f3 ^..XY....%...r..
00000050: 2943 7153 3857 a343 f728 1c2d 32a6 6878 )CqS8W.C.(.-2.hx
00000060: 1b09 4e8b 16aa ed0a b234 504b 0708 1883 ..N......4PK....
00000070: e814 4200 0000 3600 0000 504b 0304 1400 ..B...6...PK....
00000080: 0900 0800 a073 7050 5f42 5254 3600 0000 .....spP_BRT6...
00000090: 2800 0000 0800 0000 666c 6167 2e74 7874 (.......flag.txt
000000a0: 14d3 f8b4 6160 6e4e 7969 0fee 41b2 fd09 ....a`nNyi..A...
000000b0: 19e7 eb3e 06d5 baf4 db08 c1d2 ee0b 7ec4 ...>..........~.
000000c0: 037c acec ddc3 e20d 7887 a7e3 7651 c8ca .|......x...vQ..
000000d0: 8de6 fa2d a0ec 504b 0708 5f42 5254 3600 ...-..PK.._BRT6.
000000e0: 0000 2800 0000 504b 0102 1f00 1400 0900 ..(...PK........
000000f0: 0800 837e 7050 1883 e814 4200 0000 3600 ...~pP....B...6.
00000100: 0000 0a00 2400 0000 0000 0000 2000 0000 ....$....... ...
00000110: 0000 0000 7265 6164 6d65 2e74 7874 0a00 ....readme.txt..
00000120: 2000 0000 0000 0100 1800 0fbf b7be 7cfb .............|.
00000130: d501 0fbf b7be 7cfb d501 7801 02ac 7cfb ......|...x...|.
00000140: d501 504b 0102 1f00 1400 0900 0800 a073 ..PK...........s
00000150: 7050 5f42 5254 3600 0000 2800 0000 0800 pP_BRT6...(.....
00000160: 2400 0000 0000 0000 2000 0000 7a00 0000 $....... ...z...
00000170: 666c 6167 2e74 7874 0a00 2000 0000 0000 flag.txt.. .....
00000180: 0100 1800 bda8 f122 71fb d501 bda8 f122 ......."q......"
00000190: 71fb d501 626e 39ec 70fb d501 504b 0506 q...bn9.p...PK..
000001a0: 0000 0000 0200 0200 b600 0000 e600 0000 ................
000001b0: 0000 4c4f 4c20 594f 5520 4341 4e54 2052 ..LOL YOU CANT R
000001c0: 4541 4420 5448 4520 464c 4147 204c 4f4c EAD THE FLAG LOL
000001d0: 4c4f 4c4f 4c4f 4c4f 4c4f 4c4f 4c4f 4c4f LOLOLOLOLOLOLOLO
000001e0: 4c4f 4c4f 4c4f 4c4f 4c4f 4c4f LOLOLOLOLOLO
```
Thanks to the magic number, we identify the file format:
00000000: **504b 0304** 1400 0900 0800 837e 7050 1883
With that we can reproduce a zip with the same format.
I found this GitHub repo with several tools:
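Step 3 of the challenge text ("see which properties this particular file has") can be answered directly from the zip central directory rather than by eyeballing the xxd dump: which cipher the archive uses, the compression method, and whether there is junk after the end-of-central-directory record (the "LOL YOU CANT READ THE FLAG" tail). The script below is an added example, not part of the original writeup or of pkcrack; it builds a constructed archive with the same header values as the readme.txt entry in the dump (flags 0x0009, method 8, CRC 0x14e88318, sizes 66/54, data descriptor) and classifies each entry, flagging legacy ZipCrypto, the only variant this known-plaintext attack applies to.

```python
import struct

def has_extra_id(extra: bytes, wanted: int) -> bool:
    pos = 0                                   # extra field = list of (id, size, body) blocks
    while pos + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, pos)
        if hid == wanted:
            return True
        pos += 4 + size
    return False

def encryption_kind(flags: int, method: int, extra: bytes) -> str:
    if not flags & 0x1:                       # general-purpose bit 0: entry is encrypted
        return "none"
    if method == 99 or has_extra_id(extra, 0x9901):  # WinZip AES (method 99, extra 0x9901)
        return "aes"
    if flags & 0x40:                          # bit 6: PKWARE strong encryption
        return "strong"
    return "zipcrypto"                        # legacy PKWARE cipher: known plaintext breaks it

def parse_central_directory(data: bytes):
    eocd = data.rfind(b"PK\x05\x06")          # EOCD is authoritative; local headers may lie
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    n, _cd_size, cd_off, clen = struct.unpack_from("<HIIH", data, eocd + 10)
    trailing = len(data) - (eocd + 22 + clen)  # bytes appended after the archive proper
    entries, pos = [], cd_off
    for _ in range(n):
        if not data.startswith(b"PK\x01\x02", pos):
            raise ValueError("bad central directory entry at offset %d" % pos)
        flags, method, crc, csize, usize, nlen, xlen, elen = struct.unpack_from("<HHxxxxIIIHHH", data, pos + 8)
        name = data[pos + 46:pos + 46 + nlen].decode("cp437")
        extra = data[pos + 46 + nlen:pos + 46 + nlen + xlen]
        entries.append({"name": name, "flags": flags, "method": method, "crc": crc, "csize": csize,
                        "usize": usize, "encryption": encryption_kind(flags, method, extra)})
        pos += 46 + nlen + xlen + elen
    return entries, trailing

def build_sample(name, flags, method, crc, csize, usize, trailer=b""):
    # Constructed archive, not the challenge file: dump's header fields, dummy bytes as payload.
    nb, payload = name.encode(), b"\xaa" * csize
    local = b"PK\x03\x04" + struct.pack("<HHHHHIIIHH", 20, flags, method, 0, 0, crc, csize, usize, len(nb), 0) + nb + payload
    if flags & 0x8:                           # bit 3: sizes/CRC repeated in a data descriptor
        local += b"PK\x07\x08" + struct.pack("<III", crc, csize, usize)
    cd = b"PK\x01\x02" + struct.pack("<HHHHHHIIIHHHHHII", 31, 20, flags, method, 0, 0, crc, csize, usize, len(nb), 0, 0, 0, 0, 0, 0) + nb
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(cd), len(local), 0)
    return local + cd + eocd + trailer

SAMPLE = build_sample("readme.txt", 0x0009, 8, 0x14E88318, 66, 54, trailer=b"LOL YOU CANT READ THE FLAG")
```

The method field matters for the attack: the ciphertext is the deflate output of readme.txt, so the plaintext zip you feed pkcrack must compress it with the same method (and a compressor that yields the same bytes) or the known plaintext will not line up.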
![](https://i.imgur.com/2D3k2yQ.png)
https://github.com/keyunluo/pkcrack/tree/master/bin
The first attempt was on my Kali VM, but it was midnight and there wouldn't be enough time before the end of the CTF.
![](https://i.imgur.com/GXeEGRY.png)
So I switched to my Shadow Windows machine and waited ...
![](https://i.imgur.com/4TcDrdN.png)
Tada! We have our cracked.zip.
![](https://i.imgur.com/r9aKfcn.png)
Yes, the attack succeeded: thanks to the known plaintext, it decrypted the other file, flag.txt.
![](https://i.imgur.com/dSAIpTb.png)