[Sharif University CTF 2016] [Forensic 100 – We lost the Fashion Flag!] Write Up

Description

In Sharif CTF we have lots of tasks ready to use, so we stored their data about author or creation date and other related information in some files. But one of our staff used a method to store data efficiently and left the group some days ago. So if you want the flag for this task, you have to find it yourself!

Resolution

We were given an archive. We decompressed it and found 2 files:

$ tar xzfv fashion.tar.gz
sharif_tasks.tgz
fashion.model

The first file was itself an archive, containing many files:

$ tar xzfv sharif_tasks.tgz
out/
out/0
out/1
out/10
out/100
out/1000
out/10000
...
out/9997
out/9998
out/9999

None of these files was interesting on its own, so we moved on to the second file and looked inside it with strings:

$ strings fashion.model
FemtoZip
4}', 'ctf': 'Shairf CTF', 'points': 265,4}', 'ctf': 'Shairf CTF', 'points': 280, 'year': 2014}', 'ctf': 'Shairf CTF', 'points': 325, 'year': 2015}', 'ctf': 'Shairf CTF', 'points': 235, 'year': 2015}', 'ctf': 'Shairf CTF', 'points': 255, 'year': 2016}', 'ctf': 'Shairf CTF', 'points': 100, 'year': 2016}', 'ctf': 'Shairf CTF', 'points': 160, 'year': 2016}', 'ctf': 'Shairf CTF', 'points': 285, 'year': 2016}', 'ctf': 'Shairf CTF', 'points': 295, 'year': 2017}', 'ctf': 'Shairf CTF', 'points': 115, 'year': 2017}', 'ctf': 'Shairf CTF', 'points': 200, 'year': 2017}', 'ctf': 'Shairf CTF', 'points': 265, 'year': 2017}', 'ctf': 'Shairf CTF', 'points': 300, 'year': 2018}', 'ctf': 'Shairf CTF', 'points': 160, 'year': 2018}', 'ctf': 'Shairf CTF', 'points': 170, 'year': 2018}', 'ctf': 'Shairf CTF', 'points': 180, 'year': 2018}', 'ctf': 'Shairf CTF', 'points': 195, 'year': 2018}', 'ctf': 'Shairf CTF', 'points': 215, 'year': 2018}', 'ctf': 'Shairf CTF', 'points': 275, 'year': 2018}', 'ctf': 'Shairf CTF', 'points': 280, 'year': 2018}', 'ctf': 'Shairf CTF', 'points': 300, 'year': 2019}', 'ctf': 'Shairf CTF', 'points': 165, 'year': 2019}', 'ctf': 'Shairf CTF', 'points': 170, 'year': 2019}', 'ctf': 'Shairf CTF', 'points': 175, 'year': 201a}' ... 

It was a sort of JSON file, prefixed by “FemtoZip”.
We searched on Google and found that FemtoZip is a compression algorithm which constructs a dictionary of common substrings.
The file fashion.model contained the repeated strings; the remaining unique strings were stored in the files of the out/ directory.
We built FemtoZip following the documentation at https://github.com/gtoubassi/femtozip/wiki/How-to-build.

$ cd femtozip/cpp && ./configure && make

Then we found the correct syntax in the tutorial at https://github.com/gtoubassi/femtozip/wiki/Tutorial.

$ fzip/src/fzip --model ~/challs/sharif/fashion.model --decompress ~/challs/sharif/out

The files in out/ had now been rebuilt using the substrings from the model.
Running cat piped through grep gave us some flags:

$ cat out/* | grep 2016 | grep forensic | grep 100
{'category': 'forensic', 'author': 'staff_3', 'challenge': 'Fashion', 'flag': 'SharifCTF{2b9cb0a67a536ff9f455de0bd729cf57}', 'ctf': 'Shairf CTF', 'points': 100, 'year': 2016} {'category': 'forensic', 'author': 'staff_5', 'challenge': 'Fashion', 'flag': 'SharifCTF{41160e78ad2413765021729165991b54}', 'ctf': 'Shairf CTF', 'points': 100, 'year': 2016}
{'category': 'forensic', 'author': 'staff_2', 'challenge': 'Fashion', 'flag': 'SharifCTF{8725330d5ffde9a7f452662365a042be}', 'ctf': 'Shairf CTF', 'points': 100, 'year': 2016}

We tried the flag on the first line and it worked.

Flag was “2b9cb0a67a536ff9f455de0bd729cf57”.
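
The model/out split described above can be reproduced in miniature. This is an added example, not part of the original write-up and not FemtoZip's own code or file format: zlib's preset dictionary stands in for the FemtoZip model, showing why each small file is opaque without the shared dictionary, and the decoded records are then filtered on exact field values instead of chained grep. The records (with placeholder flags), MODEL and all function names are constructed for illustration.

```python
import ast
import zlib

# Constructed records in the shape shown on this page; flag values are placeholders.
TEMPLATE = ("{{'category': '{}', 'author': 'staff_{}', 'challenge': 'Fashion', "
            "'flag': 'SharifCTF{{{}}}', 'ctf': 'Shairf CTF', 'points': {}, 'year': {}}}")
RECORDS = [
    TEMPLATE.format("forensic", 3, "PLACEHOLDER_A", 100, 2016),
    TEMPLATE.format("web", 1, "PLACEHOLDER_B", 265, 2017),
    TEMPLATE.format("forensic", 5, "PLACEHOLDER_C", 100, 2016),
]

# Hypothetical stand-in for fashion.model: substrings shared by many records.
MODEL = (b"{'category': 'forensic', 'author': 'staff_"
         b"', 'challenge': 'Fashion', 'flag': 'SharifCTF{"
         b"}', 'ctf': 'Shairf CTF', 'points': 100, 'year': 201")

def pack(record, model=None):
    """Compress one record, optionally against the shared dictionary."""
    c = zlib.compressobj(9, zdict=model) if model else zlib.compressobj(9)
    return c.compress(record.encode()) + c.flush()

def unpack(blob, model=None):
    """Rebuild one record; zlib.error if the stream needs a dictionary we lack."""
    d = zlib.decompressobj(zdict=model) if model else zlib.decompressobj()
    return (d.decompress(blob) + d.flush()).decode()

def needs_model(blob):
    """True when a blob cannot be decoded on its own, like the files in out/."""
    try:
        unpack(blob)
        return False
    except zlib.error:
        return True

def select(blobs, model, **want):
    """Decode every blob and keep records whose fields equal `want` exactly."""
    rows = (ast.literal_eval(unpack(b, model)) for b in blobs)
    return [r for r in rows if all(r.get(k) == v for k, v in want.items())]

if __name__ == "__main__":
    blobs = [pack(r, MODEL) for r in RECORDS]
    print([len(r) for r in RECORDS], "->", [len(b) for b in blobs])
    print("opaque without model:", all(needs_model(b) for b in blobs))
    for row in select(blobs, MODEL, category="forensic", year=2016, points=100):
        print(row["author"], row["flag"])
```

Comparing parsed fields avoids the false positives a bare `grep 100` can produce when "100" also appears inside a flag value or a larger points number.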
