![_3e6e38a2-38c1-47e6-a9c0-53078c09ccc7](https://hackmd.io/_uploads/SJjThamUa.jpg)
# internet-cat
Task Description
Flag format: ping{.*}
I heard that there is no official nc for Windows and I love this OS! Fortunately, my black hat hacker colleague has sent me his forged copy that he intercepted from other hackers which have intercepted it from others and that from others... I don't know how many times it was intercepted but it works! I have tested it on my Windows 10 and it works like a charm!
---
File: nc.exe
## Step 1 Discovery
I ran `strings` on the file and found a base64-encoded string.
![Skjermbilde 2023-12-10 234647](https://hackmd.io/_uploads/ry1fga7LT.png)
```bash=
echo "aHR0cHM6Ly9naXN0LmdpdGh1YnVzZXJjb250ZW50LmNvbS90b21lazc2NjcvOTIzOTNhNTkyMDdk
OTEzNzlmOWVlODc4NTg3OGI5OGIvcmF3LzNiNTM1NzJjMzQ0NTY0ZjMyMTE5NjA5MmMzMzg2M2EzO
DVjMTM2M2QvZ2lzdGZpbGUxLnR4dA==" | base64 -d
https://gist.githubusercontent.com/tomek7667/92393a59207d91379f9ee8785878b98b/raw/3b53572c344564f321196092c33863a385c1363d/gistfile1.txt
```
The base64-encoded message is a link to a website that hosts a gistfile1.txt with 24k numbers, which at first look like ASCII character codes.
![Skjermbilde 2023-12-10 235409](https://hackmd.io/_uploads/HyJWfTm8a.png)
## Step 2 Decoding
First I load the gist file with all the numbers into CyberChef. I use Magic and get
![Skjermbilde 2023-12-11 000343](https://hackmd.io/_uploads/BJhfNamU6.png)
I click on that and get a big block of encoded text.
There are two ways to go from here. One decryption leads to code that reconstructs a QR code. The other, the road I took, leads to a new link.
So I take the result from the previous bake in CyberChef and run Magic one more time.
![Skjermbilde 2023-12-11 001312](https://hackmd.io/_uploads/HynXIpQI6.png)
The link is
https://privatebin.io/?1c59a5beffe3a844#FH7GExP62PJVJGd7TBku77R16TsWpGzshD8uLzVaSfUm
When I open this link, I get a new encoded text.
![Skjermbilde 2023-12-11 001506](https://hackmd.io/_uploads/rkC5L6XU6.png)
```bash=
UEsDBBQACQBjABpciVcFV6wiRQAAACcAAAAIAAsAZmxhZy50eHQBmQcAAQBBRQMIAOqNoUX0Z5cij
1J6uViuJOT+jLbo0Tibnbs0x++zz1pfItBmkkebOjEsVMVAxWFcUO8yYdA4CXgjEECKzi+mBqdI+r
jACFBLBwgFV6wiRQAAACcAAABQSwECHwAUAAkAYwAaXIlXBVesIkUAAAAnAAAACAAvAAAAAAAAACA
IAAAAAAAAZmxhZy50eHQKACAAAAAAAAEAGAATmwIRiyraARObAhGLKtoBNqEVIIcq2gEBmQcAAQBB
RQMIAFBLBQYAAAAAAQABAGUAAACGAAAAAAA=
```
I used CyberChef + Magic again and the result is quite surprising. It's a ZIP file that we can reconstruct.
![Skjermbilde 2023-12-11 001752](https://hackmd.io/_uploads/SkBNdTm86.png)
## Step 3 Reconstructing the ZIP file
I reconstructed the file with Python
```python=
import base64

# Base64 text copied from the PrivateBin paste, split into adjacent literals
encoded_string = (
    "UEsDBBQACQBjABpciVcFV6wiRQAAACcAAAAIAAsAZmxhZy50eHQBmQcAAQBBRQMIAOqNoUX0Z5ci"
    "j1J6uViuJOT+jLbo0Tibnbs0x++zz1pfItBmkkebOjEsVMVAxWFcUO8yYdA4CXgjEECKzi+mBqdI+"
    "rjACFBLBwgFV6wiRQAAACcAAABQSwECHwAUAAkAYwAaXIlXBVesIkUAAAAnAAAACAAvAAAAAAAAAC"
    "AIAAAAAAAAZmxhZy50eHQKACAAAAAAAAEAGAATmwIRiyraARObAhGLKtoBNqEVIIcq2gEBmQcAAQB"
    "BRQMIAFBLBQYAAAAAAQABAGUAAACGAAAAAAA="
)

# Decode the text back to raw bytes and write them out as a ZIP archive
decoded_bytes = base64.b64decode(encoded_string)
with open("output.zip", "wb") as zip_file:
    zip_file.write(decoded_bytes)
print("ZIP file saved as 'output.zip'")
```
The output.zip is password protected.
If the ZIP file had legacy encryption, we could go with bkcrack 1.5.0 - 2022-07-07 to get the password.
But since our file has AES encryption, we have to use John.
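The choice between bkcrack and John depends on the encryption scheme, which is recorded in the ZIP local file header. As an added example (not part of the original write-up), this parser reads that header from the first 68 base64 characters of the blob above and reports the scheme; the function names and the legacy sample header are constructed for illustration.

```python
import base64
import struct

# First 68 base64 characters of the PrivateBin blob shown above (51 bytes:
# enough to cover the local file header, the file name and the extra field).
HEADER_B64 = "UEsDBBQACQBjABpciVcFV6wiRQAAACcAAAAIAAsAZmxhZy50eHQBmQcAAQBBRQMIAOqN"

AES_EXTRA_ID = 0x9901                 # WinZip AES extra field header ID
AES_BITS = {1: 128, 2: 192, 3: 256}   # strength byte -> key size in bits


def zip_encryption(data: bytes) -> dict:
    """Classify the encryption of the first entry from its local file header."""
    if len(data) < 30 or data[:4] != b"PK\x03\x04":
        raise ValueError("not a ZIP local file header")
    (_ver, flags, method, _time, _date, _crc, _csize, _usize,
     name_len, extra_len) = struct.unpack("<HHHHHIIIHH", data[4:30])
    name = data[30:30 + name_len].decode("cp437")
    extra = data[30 + name_len:30 + name_len + extra_len]
    info = {"name": name, "scheme": "none"}
    if not flags & 0x0001:            # bit 0 clear: entry is not encrypted
        return info
    # Assumption: encrypted without the AES marker is reported as legacy
    # (PKWARE strong encryption, flag bit 6, is not distinguished here).
    info["scheme"] = "legacy"
    pos = 0
    while pos + 4 <= len(extra):      # walk the (id, size, payload) records
        field_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if method == 99 and field_id == AES_EXTRA_ID and len(body) >= 7:
            _ae, vendor, strength, real = struct.unpack("<H2sBH", body[:7])
            info.update(scheme="aes", bits=AES_BITS.get(strength),
                        vendor=vendor.decode("ascii"), real_method=real)
        pos += 4 + size
    return info


def constructed_legacy_header() -> bytes:
    """Constructed sample: encrypted flag set, Deflate, no AES extra field."""
    name = b"flag.txt"
    return struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, 0x0001, 8,
                       0, 0, 0, 0, 0, len(name), 0) + name


if __name__ == "__main__":
    print(zip_encryption(base64.b64decode(HEADER_B64)))
    print(zip_encryption(constructed_legacy_header()))
```

For the blob from this challenge the parser reports AES-256 with Deflate as the real compression method, which matches the `ZIP, WinZip [PBKDF2-SHA1 ...]` format John loads below.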
First I made a file named hash, then I ran the command
```bash=
zip2john output.zip > hash.txt
```
and ran hash.txt through john
```bash=
john --format=zip hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (ZIP, WinZip [PBKDF2-SHA1 256/256 AVX2 8x])
Cost 1 (HMAC size) is 41 for all loaded hashes
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
billabong (output.zip/flag.txt)
1g 0:00:00:00 DONE 2/3 (2023-12-10 12:20) 2.083g/s 109991p/s 109991c/s 109991C/s 123456..faithfaith
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
The password is billabong.
I open the ZIP and get the flag
```bash
ping{u_w4nt3d_f0r3n51C5_4nD_y0u_g0t_17}
```