Writeup: intrainspection

  • This week we have a challenge!
    • The challenge is to unzip a zip file!
      • unzip Safe.zip
      • Archive: Safe.zip
      • [Safe.zip] jXeC.zip password:
        • The challenge is to guess the password!
  • The challenge is to guess 30 passwords!
    • That sounds hard!
      • So we’ll do it automatically!
    • You may notice that this doesn’t parse the output of john!
      • That seems like it might be hard!
        • We’ll do it… semiautomatically!

    What follows is real, uncensored shell history – viewer discretion is advised

    $ ./solve.sh jXeC.zip
    $ john --show jXeC.zip
    $ john --show example.hash
    $ unzip jXeC.zip
    $ ./solve.sh dHag.zip
    $ unzip dHag.zip
    $ ./solve.sh bSmC.zip
    $ unzip bSmC.zip
    $ ./solve.sh pbtJ.zip
    $ unzip pbtJ.zip
    $ ./solve.sh VGQc.zip
    $ unzip VGQc.zip
    $ ./solve.sh jxLD.zip
    $ unzip jxLD.zip
    $ ./solve.sh iXZA.zip
    $ unzip iXZA.zip
    $ ./solve.sh KxrU.zip
    $ unzip KxrU.zip
    $ ./solve.sh DlTL.zip
    $ unzip DlTL.zip
    $ ./solve.sh PEOa.zip
    $ unzip PEOa.zip
    $ ./solve.sh Dggp.zip
    $ unzip Dggp.zip
    $ ./solve.sh tXFO.zip
    $ unzip tXFO.zip
    $ ./solve.sh IrHd.zip
    $ unzip IrHd.zip
    $ ./solve.sh wedJ.zip
    $ unzip wedJ.zip
    $ ./solve.sh wbTt.zip
    $ unzip wbTt.zip
    $ ./solve.sh TUuF.zip
    $ unzip TUuF.zip
    $ ./solve.sh tiTW.zip
    $ unzip tiTW.zip
    $ ./solve.sh dFhG.zip
    $ unzip dFhG.zip
    $ unzip dFhG.zip -P DSLA
    $ unzip dFhG.zip
    $ ./solve.sh fjIZ.zip
    $ unzip fjIZ.zip
    $ ./solve.sh CMMw.zip
    $ unzip CMMw.zip
    $ ./solve.sh MzNR.zip
    $ unzip MzNR.zip -p YQND
    $ man unzip
    $ unzip -P YQND MzNR.zip
    $ ./solve.sh jLUX.zip
    $ unzip -P YQND jLUX.zip
    $ unzip -P WBOZ jLUX.zip
    $ ./solve.sh XDDN.zip
    $ unzip -P PEEC XDDN.zip
    $ ./solve.sh vfyN.zip
    $ unzip -P qoxe vfyN.zip
    $ ./solve.sh uwPY.zip
    $ unzip -P NgHV uwPY.zip
    $ ./solve.sh xfQR.zip
    $ unzip -P fhkC xfQR.zip
    $ ./solve.sh DtQE.zip
    $ unzip -P teEk DtQE.zip
    $ ./solve.sh KWHz.zip
    $ unzip -P peRR KWHz.zip
    $ ./solve.sh EVqP.zip
    $ unzip -P wgcw EVqP.zip
    $ ./solve.sh DZen.zip
    $ unzip -P Alon DZen.zip
    $ ./solve.sh Qymr.zip
    $ unzip -P rTPR Qymr.zip

    • That was convenient and definitely faster than figuring out how to parse out the stdout of john! (UNIX timestamps benchmark me at around 650 seconds and honestly that might be faster than how long it would take for me to script that)
      • We have a word doc!
        • grep -rn osu{ returns nothing 🙁
          • Let’s look at the .docx file after unzipping it!
            • feh media/image1.png
    • Epic! Let’s scan it with our phone!
      • Helb helbbb heellp it not working!
        • Oh it’s not supposed to be a link. OK. I guess I never really put it together that these things can hold more than just a link
          • Let’s scan it with our computer!
        7f 45 4c 46 01 01 01 00 79 5f 66 69 67 30 30 33 02 00 03 00 01 00 00 00 50 ef bf bd 04 08 2c 00 00 00 00 00 00 00 00 00 00 00 34 00 20 00 01 00 00 00 00 00 00 00 00 ef bf bd 04 08 00 ef bf bd 04 08 ef bf bd 00 00 00 ef bf bd 00 00 00 05 00 00 00 00 10 00 00 31 31 69 6e ef bf bd 04 00 00 00 31 ef bf bd 43 ef bf bd 04 00 00 00 ef bf bd 7d ef bf bd 04 08 cd 80 ef bf bd ef bf bd 71 cd 80 29 ef bf bd cd 80 ef bf bd ef bf bd 44 cd 80 ef bf bd ef bf bd 35 4a 4a cd 80 48 4b cd 80 6f 73 75 7b 7d 0a 0a 
        
        • This is an ELF!
          • Converting it to a binary in CyberChef gives us
        $ ./download.dat
        zsh: exec format error: ./download.dat
        
        • But that’s ok! Because we can run strings!
        $ strings download.dat
        y_fig003
        11in
        osu{}
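Why the decoded file will not exec but strings still works, as an added example that is not part of the original writeup: the assumption here is that the QR decoder treated the payload as text, so every byte that was not valid UTF-8 came back as the three-byte replacement character ef bf bd, which mangles the entry point and program header while the ASCII runs survive. The script loads the hex dump from above, checks the ELF magic, pulls the first flag fragment out of the e_ident padding, counts the replacement triples to estimate the real file size, and re-implements the `strings -n 4` rule.

```python
import re

# Hex dump of the QR code's decoded contents, copied from the writeup above.
QR_HEX = """
7f 45 4c 46 01 01 01 00 79 5f 66 69 67 30 30 33
02 00 03 00 01 00 00 00 50 ef bf bd 04 08 2c 00
00 00 00 00 00 00 00 00 00 00 34 00 20 00 01 00
00 00 00 00 00 00 00 ef bf bd 04 08 00 ef bf bd
04 08 ef bf bd 00 00 00 ef bf bd 00 00 00 05 00
00 00 00 10 00 00 31 31 69 6e ef bf bd 04 00 00
00 31 ef bf bd 43 ef bf bd 04 00 00 00 ef bf bd
7d ef bf bd 04 08 cd 80 ef bf bd ef bf bd 71 cd
80 29 ef bf bd cd 80 ef bf bd ef bf bd 44 cd 80
ef bf bd ef bf bd 35 4a 4a cd 80 48 4b cd 80 6f
73 75 7b 7d 0a 0a
"""

# UTF-8 encoding of U+FFFD. Assumption: the QR decoder handled the payload as
# text and substituted this for every byte that was not valid UTF-8.
REPLACEMENT = b"\xef\xbf\xbd"

def load_dump(hex_text: str = QR_HEX) -> bytes:
    return bytes.fromhex(hex_text)  # whitespace and newlines are skipped

def is_elf(data: bytes) -> bool:
    return data[:4] == b"\x7fELF"

def ident_padding(data: bytes) -> bytes:
    """e_ident[8:16] is padding the loader never reads: a classic hiding spot."""
    return data[8:16]

def replacement_count(data: bytes) -> int:
    return data.count(REPLACEMENT)

def original_size(data: bytes) -> int:
    """Each mangled byte grew to three, so undo that to size the real binary."""
    return len(data) - 2 * replacement_count(data)

def strings(data: bytes, min_len: int = 4) -> list:
    """Same rule as `strings -n 4`: runs of printable ASCII, min_len or longer."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

if __name__ == "__main__":
    raw = load_dump()
    print("ELF:", is_elf(raw), "| e_ident padding:", ident_padding(raw))
    print("bytes:", len(raw), "| U+FFFD triples:", replacement_count(raw),
          "| size before mangling:", original_size(raw))
    print("strings:", strings(raw))
```

The 166 and 132 byte sizes are computed from the dump, not stated in the writeup; the e_ident padding and the tail of the file are where the recoverable pieces of the flag sit.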
        
        • $submit osu{fingy_30011}
          • $submit osu{y_fig00311in}
            • Helb helbbb heellp it not working!
          Is this legible

          Let the record show that I was getting pretty close with my guesses and if hypothetically the flag ended in a g I definitely 100% would have guessed it in one second. Please hypothetically award me a gold star.