# RIFTctf2020

## Forensic 3

```
Value: 300 points
File Names for the challenge: flag003.zip and readme.txt
Message:
1. identify the file format.
2. read about the file format.
3. see which properties this particular file has.
4. and fix the file to get the flag.
5. brute-forcing won't help but you can do whatever you want.
6. flag format ritsCTF{<---flag-here--->}.
Good Luck!
author - X3eRo0
```

For this challenge we have 2 files, a readme.txt and a zip file.

```
cat readme.txt
README_FOR_CHALL_2_PLS_READ_CAREFULLY_AND_PROCESS_:)__
```

The .txt is just some words, nothing else :/

Following the message, we read about the file format and explore the second file:

```
unzip flag003.zip
Archive:  flag003.zip
[flag003.zip] readme.txt password:
```

A zip with a password, arf /:

```
file flag003.zip
flag003.zip: Zip archive data, at least v2.0 to extract

binwalk flag003.zip
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             Zip archive data, encrypted at least v2.0 to extract, compressed size: 66, uncompressed size: 54, name: readme.txt
122           0x7A            Zip archive data, encrypted at least v2.0 to extract, compressed size: 54, uncompressed size: 40, name: flag.txt
412           0x19C           End of Zip archive, footer length: 22

strings flag003.zip
readme.txt
)CqS8W
spP_BRT6
flag.txt
a`nNyi
_BRT6
readme.txt
spP_BRT6
flag.txt
LOL YOU CANT READ THE FLAG LOLLOLOLOLOLOLOLOLOLOLOLOLOLOLO
```

Thanks to binwalk and strings we can see the zip contains a flag.txt. We need to open the zip file to read the flag, but ... we don't have the key, and "WE CAN'T READ THE FLAG LOLLLOLOLO" :p

But this zip file also contains a readme.txt; maybe it's the same file that we were given ;)

And like other crypto challenges, we can try a known-plaintext attack; I don't know yet whether it's possible at this point. A few Google searches later I found several posts on this attack, using the pkcrack tool.
In order to make this attack we need several files:

* the cipher file (our zip file with password)
* the plaintext file
* the plaintext file zipped
* the name of the output zip

Now we need to create the same file as flag.zip, so we need to know exactly the file format; let's do that with **xxd**.

Let's explore the file:

```
xxd flag003.zip
00000000: 504b 0304 1400 0900 0800 837e 7050 1883  PK.........~pP..
00000010: e814 4200 0000 3600 0000 0a00 0000 7265  ..B...6.......re
00000020: 6164 6d65 2e74 7874 943c 6031 fbe9 5e4a  adme.txt.<`1..^J
00000030: a6c0 2318 c24f 5e3f cbb5 6cdc 922b b57c  ..#..O^?..l..+.|
00000040: 5ee4 c158 5993 cae9 d125 e7a6 b172 91f3  ^..XY....%...r..
00000050: 2943 7153 3857 a343 f728 1c2d 32a6 6878  )CqS8W.C.(.-2.hx
00000060: 1b09 4e8b 16aa ed0a b234 504b 0708 1883  ..N......4PK....
00000070: e814 4200 0000 3600 0000 504b 0304 1400  ..B...6...PK....
00000080: 0900 0800 a073 7050 5f42 5254 3600 0000  .....spP_BRT6...
00000090: 2800 0000 0800 0000 666c 6167 2e74 7874  (.......flag.txt
000000a0: 14d3 f8b4 6160 6e4e 7969 0fee 41b2 fd09  ....a`nNyi..A...
000000b0: 19e7 eb3e 06d5 baf4 db08 c1d2 ee0b 7ec4  ...>..........~.
000000c0: 037c acec ddc3 e20d 7887 a7e3 7651 c8ca  .|......x...vQ..
000000d0: 8de6 fa2d a0ec 504b 0708 5f42 5254 3600  ...-..PK.._BRT6.
000000e0: 0000 2800 0000 504b 0102 1f00 1400 0900  ..(...PK........
000000f0: 0800 837e 7050 1883 e814 4200 0000 3600  ...~pP....B...6.
00000100: 0000 0a00 2400 0000 0000 0000 2000 0000  ....$....... ...
00000110: 0000 0000 7265 6164 6d65 2e74 7874 0a00  ....readme.txt..
00000120: 2000 0000 0000 0100 1800 0fbf b7be 7cfb  .............|.
00000130: d501 0fbf b7be 7cfb d501 7801 02ac 7cfb  ......|...x...|.
00000140: d501 504b 0102 1f00 1400 0900 0800 a073  ..PK...........s
00000150: 7050 5f42 5254 3600 0000 2800 0000 0800  pP_BRT6...(.....
00000160: 2400 0000 0000 0000 2000 0000 7a00 0000  $....... ...z...
00000170: 666c 6167 2e74 7874 0a00 2000 0000 0000  flag.txt.. .....
00000180: 0100 1800 bda8 f122 71fb d501 bda8 f122  ......."q......"
00000190: 71fb d501 626e 39ec 70fb d501 504b 0506  q...bn9.p...PK..
000001a0: 0000 0000 0200 0200 b600 0000 e600 0000  ................
000001b0: 0000 4c4f 4c20 594f 5520 4341 4e54 2052  ..LOL YOU CANT R
000001c0: 4541 4420 5448 4520 464c 4147 204c 4f4c  EAD THE FLAG LOL
000001d0: 4c4f 4c4f 4c4f 4c4f 4c4f 4c4f 4c4f 4c4f  LOLOLOLOLOLOLOLO
000001e0: 4c4f 4c4f 4c4f 4c4f 4c4f 4c4f            LOLOLOLOLOLO
```

Thanks to the magic number, we identify the file format:

00000000: **504b 0304** 1400 0900 0800 837e 7050 1883

Thanks to that, we can reproduce a zip with the same format.

I found this GitHub repo with several tools:

![](https://i.imgur.com/2D3k2yQ.png)

https://github.com/keyunluo/pkcrack/tree/master/bin

The first attempt was with my Kali VM, but it's midnight and there won't be enough time before the end of the CTF.

![](https://i.imgur.com/GXeEGRY.png)

So I switched to my Shadow Windows machine and waited ...

![](https://i.imgur.com/4TcDrdN.png)

TADA! We have our cracked.zip

![](https://i.imgur.com/r9aKfcn.png)

Yes, this attack succeeded: thanks to the known plaintext, it decrypted the other file, flag.txt.

![](https://i.imgur.com/dSAIpTb.png)
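As an added example (not part of the original writeup or of pkcrack), here is a small Python parser for the ZIP local file headers seen in the xxd dump: for each entry it reports whether general-purpose flag bit 0 (encryption) is set and whether the entry uses legacy PKWARE ZipCrypto rather than WinZip AES, which is the property that makes a known-plaintext attack possible at all, and it checks a candidate plaintext against the CRC stored in the header before anyone bothers running the attack. The sample headers are constructed from field values visible in the dump (flags 0x0009, deflate, CRC 0x14e88318, sizes 66/54); the dummy payload bytes, the `local_entry` helper and the unencrypted second sample are my own.

```python
import struct
import zlib

LOCAL_SIG = b"PK\x03\x04"
# Local file header: sig, version, flags, method, time, date, crc32, csize, usize, nlen, xlen
LOCAL_FMT = "<4sHHHHHIIIHH"
WINZIP_AES_EXTRA = 0x9901  # extra-field id carried by WinZip AES (AE-x) entries

def has_extra(extra, wanted):
    pos = 0
    while pos + 4 <= len(extra):  # each record: id (2 bytes), size (2 bytes), data
        fid, size = struct.unpack_from("<HH", extra, pos)
        if fid == wanted:
            return True
        pos += 4 + size
    return False

def scan_local_headers(data):
    """One dict per local file header, noting how the entry is protected."""
    entries, pos = [], 0
    while (pos := data.find(LOCAL_SIG, pos)) != -1:
        fields = struct.unpack_from(LOCAL_FMT, data, pos)
        _, _, flags, method, _, _, crc, csize, usize, nlen, xlen = fields
        body = pos + struct.calcsize(LOCAL_FMT)
        name = data[body:body + nlen].decode("utf-8", "replace")
        extra = data[body + nlen:body + nlen + xlen]
        encrypted = bool(flags & 0x0001)
        # WinZip AES uses method 99 plus a 0x9901 extra record; any other encrypted entry
        # is legacy PKWARE "ZipCrypto", the scheme pkcrack's known-plaintext attack breaks.
        aes = method == 99 or has_extra(extra, WINZIP_AES_EXTRA)
        entries.append({"name": name, "method": method, "crc": crc, "csize": csize,
                        "usize": usize, "encrypted": encrypted, "zipcrypto": encrypted and not aes,
                        "data_descriptor": bool(flags & 0x0008)})
        pos = body + nlen + xlen + csize  # skip the data so a stray PK\x03\x04 in it is not re-parsed
    return entries

def crc_matches(entry, plaintext):
    """A known-plaintext attack needs the candidate file to match the CRC stored in the header."""
    return zlib.crc32(plaintext) == entry["crc"]

def local_entry(flags, method, crc, csize, usize, name, payload):
    hdr = struct.pack(LOCAL_FMT, LOCAL_SIG, 20, flags, method, 0x7E83, 0x5070,
                      crc, csize, usize, len(name), 0)
    return hdr + name + payload

# Constructed samples (local_entry is my own helper): (1) the challenge's first header's field values
# (flags 0x0009, deflate, crc 0x14e88318, sizes 66/54) over dummy bytes; (2) the readme stored in the clear.
PLAINTEXT = b"README_FOR_CHALL_2_PLS_READ_CAREFULLY_AND_PROCESS_:)__"
ENCRYPTED_SAMPLE = local_entry(0x0009, 8, 0x14E88318, 66, 54, b"readme.txt", b"\x00" * 66)
PLAIN_SAMPLE = local_entry(0, 0, zlib.crc32(PLAINTEXT), len(PLAINTEXT), len(PLAINTEXT), b"readme.txt", PLAINTEXT)
```

Run over the real flag003.zip bytes, both entries come back with flags 0x0009 and method 8, i.e. ZipCrypto, which is exactly why the readme.txt known plaintext is enough to recover flag.txt.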