{"id":153,"date":"2023-01-31T00:47:20","date_gmt":"2023-01-31T00:47:20","guid":{"rendered":"https:\/\/blogs.oregonstate.edu\/paul\/?p=153"},"modified":"2023-01-31T00:48:59","modified_gmt":"2023-01-31T00:48:59","slug":"writeup-intrainspection","status":"publish","type":"post","link":"https:\/\/blogs.oregonstate.edu\/paul\/2023\/01\/31\/writeup-intrainspection\/","title":{"rendered":"Writeup: intrainspection"},"content":{"rendered":"\n<ul class=\"wp-block-list\">\n<li>This week we have a challenge!\n<ul class=\"wp-block-list\">\n<li>The challenge is to unzip a zip file!\n<ul class=\"wp-block-list\">\n<li><code>unzip Safe.zip<\/code><\/li>\n\n\n\n<li><code>Archive: Safe.zip<\/code><\/li>\n\n\n\n<li><code>[Safe.zip] jXeC.zip password:<\/code>\n<ul class=\"wp-block-list\">\n<li>The challenge is to guess the password!<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"732\" height=\"573\" src=\"https:\/\/osu-wams-blogs-uploads.s3.amazonaws.com\/blogs.dir\/4941\/files\/2023\/01\/image-9.png\" alt=\"\" class=\"wp-image-154\" srcset=\"https:\/\/osu-wams-blogs-uploads.s3.amazonaws.com\/blogs.dir\/4941\/files\/2023\/01\/image-9.png 732w, https:\/\/osu-wams-blogs-uploads.s3.amazonaws.com\/blogs.dir\/4941\/files\/2023\/01\/image-9-300x235.png 300w\" sizes=\"auto, (max-width: 732px) 100vw, 732px\" \/><\/figure>\n<\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>The challenge is to guess 30 passwords!\n<ul class=\"wp-block-list\">\n<li>That sounds hard!\n<ul class=\"wp-block-list\">\n<li>So we&#8217;ll do it automatically!\n<ul class=\"wp-block-list\"><\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"683\" height=\"173\" 
src=\"https:\/\/osu-wams-blogs-uploads.s3.amazonaws.com\/blogs.dir\/4941\/files\/2023\/01\/image-11.png\" alt=\"\" class=\"wp-image-156\" srcset=\"https:\/\/osu-wams-blogs-uploads.s3.amazonaws.com\/blogs.dir\/4941\/files\/2023\/01\/image-11.png 683w, https:\/\/osu-wams-blogs-uploads.s3.amazonaws.com\/blogs.dir\/4941\/files\/2023\/01\/image-11-300x76.png 300w\" sizes=\"auto, (max-width: 683px) 100vw, 683px\" \/><\/figure>\n<\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>You may notice that this doesn&#8217;t parse the output of john!\n<ul class=\"wp-block-list\">\n<li>That seems like it might be hard! \n<ul class=\"wp-block-list\">\n<li>We&#8217;ll do it&#8230; semiautomatically!<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p class=\"has-small-font-size\"><em>What follows is real, uncensored shell history &#8211; viewer discretion is advised<\/em><\/p>\n\n\n\n<p><code>$ .\/solve.sh jXeC.zip<br>$ john --show jXeC.zip<br>$ john --show example.hash<br>$ unzip jXeC.zip<br>$ .\/solve.sh dHag.zip<br>$ unzip dHag.zip<br>$ .\/solve.sh bSmC.zip<br>$ unzip bSmC.zip<br>$ .\/solve.sh pbtJ.zip<br>$ unzip pbtJ.zip<br>$ .\/solve.sh VGQc.zip<br>$ unzip VGQc.zip<br>$ .\/solve.sh jxLD.zip<br>$ unzip jxLD.zip<br>$ .\/solve.sh iXZA.zip<br>$ unzip iXZA.zip<br>$ .\/solve.sh KxrU.zip<br>$ unzip KxrU.zip<br>$ .\/solve.sh DlTL.zip<br>$ unzip DlTL.zip<br>$ .\/solve.sh PEOa.zip<br>$ unzip PEOa.zip<br>$ .\/solve.sh Dggp.zip<br>$ unzip Dggp.zip<br>$ .\/solve.sh tXFO.zip<br>$ unzip tXFO.zip<br>$ .\/solve.sh IrHd.zip<br>$ unzip IrHd.zip<br>$ .\/solve.sh wedJ.zip<br>$ unzip wedJ.zip<br>$ .\/solve.sh wbTt.zip<br>$ unzip wbTt.zip<br>$ .\/solve.sh TUuF.zip<br>$ unzip TUuF.zip<br>$ .\/solve.sh tiTW.zip<br>$ unzip tiTW.zip<br>$ .\/solve.sh dFhG.zip<br>$ unzip dFhG.zip<br>$ unzip dFhG.zip -P DSLA<br>$ unzip dFhG.zip<br>$ .\/solve.sh fjIZ.zip<br>$ unzip fjIZ.zip<br>$ .\/solve.sh CMMw.zip<br>$ unzip CMMw.zip<br>$ .\/solve.sh MzNR.zip<br>$ unzip MzNR.zip -p YQND<br>$ man unzip<br>$ unzip -P YQND 
MzNR.zip<br>$ .\/solve.sh jLUX.zip<br>$ unzip -P YQND jLUX.zip<br>$ unzip -P WBOZ jLUX.zip<br>$ .\/solve.sh XDDN.zip<br>$ unzip -P PEEC XDDN.zip<br>$ .\/solve.sh vfyN.zip<br>$ unzip -P qoxe vfyN.zip<br>$ .\/solve.sh uwPY.zip<br>$ unzip -P NgHV uwPY.zip<br>$ .\/solve.sh xfQR.zip<br>$ unzip -P fhkC xfQR.zip<br>$ .\/solve.sh DtQE.zip<br>$ unzip -P teEk DtQE.zip<br>$ .\/solve.sh KWHz.zip<br>$ unzip -P peRR KWHz.zip<br>$ .\/solve.sh EVqP.zip<br>$ unzip -P wgcw EVqP.zip<br>$ .\/solve.sh DZen.zip<br>$ unzip -P Alon DZen.zip<br>$ .\/solve.sh Qymr.zip<br>$ unzip -P rTPR Qymr.zip<\/code><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>That was convenient and definitely faster than figuring out how to parse out the stdout of john! (UNIX timestamps benchmark me at around 650 seconds and honestly that might be faster than how long it would take for me to script that) \n<ul class=\"wp-block-list\">\n<li>We have a word doc!\n<ul class=\"wp-block-list\">\n<li><code>grep -rn osu{<\/code> returns nothing \ud83d\ude41\n<ul class=\"wp-block-list\">\n<li>Let&#8217;s look at the .docx file after unzipping it!\n<ul class=\"wp-block-list\">\n<li><code>feh media\/image1.png<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/osu-wams-blogs-uploads.s3.amazonaws.com\/blogs.dir\/4941\/files\/2023\/01\/image1.png\" alt=\"\" class=\"wp-image-157\" width=\"150\" height=\"150\" \/><\/figure>\n<\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>Epic! Let&#8217;s scan it with our phone!\n<ul class=\"wp-block-list\">\n<li>Helb helbbb heellp it not working!\n<ul class=\"wp-block-list\">\n<li>Oh it&#8217;s not supposed to be a link. ok. 
I guess I never really put it together that these things can hold more than just a link \n<ul class=\"wp-block-list\">\n<li>Let&#8217;s scan it with our computer!\n<ul class=\"wp-block-list\"><\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\"><\/ul>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\n7f 45 4c 46 01 01 01 00 79 5f 66 69 67 30 30 33 02 00 03 00 01 00 00 00 50 ef bf bd 04 08 2c 00 00 00 00 00 00 00 00 00 00 00 34 00 20 00 01 00 00 00 00 00 00 00 00 ef bf bd 04 08 00 ef bf bd 04 08 ef bf bd 00 00 00 ef bf bd 00 00 00 05 00 00 00 00 10 00 00 31 31 69 6e ef bf bd 04 00 00 00 31 ef bf bd 43 ef bf bd 04 00 00 00 ef bf bd 7d ef bf bd 04 08 cd 80 ef bf bd ef bf bd 71 cd 80 29 ef bf bd cd 80 ef bf bd ef bf bd 44 cd 80 ef bf bd ef bf bd 35 4a 4a cd 80 48 4b cd 80 6f 73 75 7b 7d 0a 0a \n<\/pre><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>This is an ELF!\n<ul class=\"wp-block-list\">\n<li>Converting it to a binary in CyberChef gives us <\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\n$ .\/download.dat\nzsh: exec format error: .\/download.dat\n<\/pre><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>But that&#8217;s ok! 
Because we can run <code>strings<\/code>!<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: plain; title: ; notranslate\" title=\"\">\n$ strings download.dat\ny_fig003\n11in\nosu{}\n<\/pre><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li><code>$submit osu{fingy_30011}<\/code>\n<ul class=\"wp-block-list\">\n<li><code>$submit osu{y_fig00311in}<\/code>\n<ul class=\"wp-block-list\">\n<li>Helb helbbb heellp it not working!\n<ul class=\"wp-block-list\"><\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"478\" src=\"https:\/\/osu-wams-blogs-uploads.s3.amazonaws.com\/blogs.dir\/4941\/files\/2023\/01\/image-13-1024x478.png\" alt=\"\" class=\"wp-image-159\" srcset=\"https:\/\/osu-wams-blogs-uploads.s3.amazonaws.com\/blogs.dir\/4941\/files\/2023\/01\/image-13-1024x478.png 1024w, https:\/\/osu-wams-blogs-uploads.s3.amazonaws.com\/blogs.dir\/4941\/files\/2023\/01\/image-13-300x140.png 300w, https:\/\/osu-wams-blogs-uploads.s3.amazonaws.com\/blogs.dir\/4941\/files\/2023\/01\/image-13-768x358.png 768w, https:\/\/osu-wams-blogs-uploads.s3.amazonaws.com\/blogs.dir\/4941\/files\/2023\/01\/image-13.png 1188w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">Is this legible<\/figcaption><\/figure>\n\n\n\n<p>Let the record show that I was getting pretty close with my guesses and if hypothetically the flag ended in a g I definitely 100% would have guessed it in one second. 
Please hypothetically award me a gold star.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>What follows is real, uncensored shell history &#8211; viewer discretion is advised $ .\/solve.sh jXeC.zip$ john &#8211;show jXeC.zip$ john &#8211;show example.hash$ unzip jXeC.zip$ .\/solve.sh dHag.zip$ unzip dHag.zip$ .\/solve.sh bSmC.zip$ unzip bSmC.zip$ .\/solve.sh pbtJ.zip$ unzip pbtJ.zip$ .\/solve.sh VGQc.zip$ unzip VGQc.zip$ .\/solve.sh jxLD.zip$ unzip jxLD.zip$ .\/solve.sh iXZA.zip$ unzip iXZA.zip$ .\/solve.sh KxrU.zip$ unzip KxrU.zip$ .\/solve.sh DlTL.zip$ unzip DlTL.zip$ &hellip; <a href=\"https:\/\/blogs.oregonstate.edu\/paul\/2023\/01\/31\/writeup-intrainspection\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">Writeup: intrainspection<\/span><\/a><\/p>\n","protected":false},"author":11809,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,4],"tags":[13,12],"class_list":["post-153","post","type-post","status-publish","format-standard","hentry","category-osu-affiliated","category-writeups","tag-john","tag-misc"],"_links":{"self":[{"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/posts\/153","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/users\/11809"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/comments?post=153"}],"version-history":[{"count":2,"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/posts\/153\/revisions"}],"predecessor-version":[{"id":162,"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/posts\/153\/revisions\/162"}],"wp:attachment":[{"href":"https:\/\/blogs.oregonstate.edu\/pa
ul\/wp-json\/wp\/v2\/media?parent=153"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/categories?post=153"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.oregonstate.edu\/paul\/wp-json\/wp\/v2\/tags?post=153"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}