[WhiteHatvn 2018] [Misc 100 – Misc02] Write Up

Description

Find the private key and decrypt the secret inside the picture
material.grandprix.whitehatvn.com/misc02
MD5: 2cad267bb17d5f31551c0d8713e41a77

Hint 1 : saintgiong.jpg.pgp

Hint 2 : outguess

Resolution

First, we download an iso file : Hacker.iso

Once the archive is extracted, we start looking for the image that interests us. A simple grep gives us its location.

 grep -R jpg.pgp
MAILDIR/CUR/15334499.COM:Content-Type: application/octet-stream; name="SaintGiong.jpg.pgp"
MAILDIR/CUR/15334499.COM:Content-Disposition: attachment; filename="SaintGiong.jpg.pgp"

By renaming the .COM to .eml, Thunderbird opens the mail directly and retrieves the encrypted image that is attached. The next step is to find the key.

A quick search in the files allows us to find a private key PGP, It is here: Hacker/ETC/MAIL/PRIVATE.ASC

The problem now is to find the passphrase that will allow us to use this key to decipher the image.

The use of pgp2john with John The Ripper and the well-known Rockyou dictionary gives nothing. But looking at the contents of the folder Hacker/ETC/MAIL,we see this:

ENCRYPT.PYC 
PRIVATE.ASC 
SPAMASSA 

The ENCRYPT.PYC file attracts our attention … Let’s decompile it to see its content!

For this we use the tool uncompyle6.

To install it:

 sudo pip install uncompyle6 

Then:

 uncompyle6 ENCRYPT.PYC decrypted.py 

Here is the content of the python script obtained.

# uncompyle6 version 3.2.3 
# Python bytecode 2.7 (62211) 
# Decompiled from: Python 2.7.15rc1 (default, Apr 15 2018, 21:51:34) 
# [GCC 7.3.0] # Embedded file name: ./encrypt.py 
# Compiled at: 2018-08-16 09:16:13 
import struct, sys, base64 
password_enc = 'JTd1XyoIbmc3PWhpOjhfVhsIbmcAAAAA' 
if len(sys.argv) != 2: 
    print 'Usage: %s data' % sys.argv[0]
    exit(0) data = sys.argv[1] 
padding = 4 - len(data) % 4 
if padding != 0: 
    data = data + '\x00' * padding 
result = [] 
blocks = struct.unpack('I' * (len(data) / 4), data) 
print blocks 
for block in blocks: 
    result += [block ^ block >> 16] 
    output = '' 
for block in result: 
    output += struct.pack('I', block)
print output 
print base64.b64encode(output)

A line catches our attention: password_enc = ‘JTd1XyoIbmc3PWhpOjhfVhsIbmcAAAAA’

Could it be the passphrase !?

The Python scrypt encrypts a string of characters. The process is simple, it is easy to reverse to decipher JTd1XyoIbmc3PWhpOjhfVhsIbmcAAAAA.

Here is the script that will decipher password_enc

import struct, sys, base64 
password_enc = 'JTd1XyoIbmc3PWhpOjhfVhsIbmcAAAAA' 
c = base64.b64decode(password_enc) 
blocks = struct.unpack('I' * (len(c) / 4), c) 
print blocks 
result = [] 
for block in blocks: 
    result += [block ^ block >> 16] 
output = '' 
for block in result: 
    output += struct.pack('I', block) 
print output 

We get: Phu_Dong_Thien_Vuong

Immediately, we try to import the key with the passphrase Phu_Dong_Thien_Vuong:


gpg --import PRIVATE.ASC

Yes, it works!

We can now extract the image:

 gpg --decrypt SaintGiong.jpg.pgp img.jpg 

Then, the second hint is useful to us.
Indeed, outguess is a small tool that can hide text in an image.


sudo apt install outguess

Then


outguess -r img.jpg hidden.txt

We obtain the following text:

While the sixth Hung Vuong Dynasty, our country, then called Van Lang was under the menace of the An , situated in the North of Vietnam’s borders.

Hung Vuong King was very worried and assembled his court to prepare a plan of defense for the country. A mandarin of the civil service reminded the King that the original founding King of the country, Lac Long Quan had instructed that if the country were ever to face danger, it should pray for his help.

In that situation, the King then invoked the spirit of the founding King.

Three days later, a very old man appeared in the midst of a storm and said that he was Lac Long Quan himself. He prophesied that in three years the An from the North would try to invade the country; he advised that the King should send messengers all over the country to seek help from talented people, and that thereafter a general sent from heaven would come to save the country.

Event though three years later, indeed came the tempestuous foreign armies trying to take over the Southern Kingdom. At the capital city of Phong Chau, King Hung Vuong still remembered the instruction from Lac Long Quan.

However Even earlier than, at the village of Phu Dong, County of Vo Ninh, Province of Bac Ninh, a woman in her sixties reported she had seen footprints of a giant in the field.

Amazed, she tried to fit her feet in the footprints and suddenly felt that she was overcome by an unusual feeling.

Thereafter she became pregnant and delivered a boy whom she named Giong. Even at the age of three, Giong was not able to crawl, to roll over, or to say a single word.

Surprisingly, at the news of the messenger from the King, Giong suddenly sat up and spoke to his mother, asking her to invite the messenger over to their home.

He then instructed the messenger to request the King to build a horse and a sword of iron for him so that he could go and chase the invaders away.

When the horse and sword were eventually brought to his home, Giong stood up on his feet, stretched his shoulders, became a giant of colossal proportions, and asked his mother for food and new clothing.

She cooked many pots of rice for him but it was not enough for his appetite. The whole village brought over their whole supply of fabric and it was still not enough for his size.

Giong put his helmet on, carried his sword, jumped on the back of his horse and rode away, as fast as a hurricane. The iron horse suddenly spit fire, and brought Giong to the front line at the speed of lightning. The invaders saw Giong like a punishing angel overwhelming them.

Their armies were incinerated by the flame thrown from the horse's mouth. Their generals were decapitated by Giong’s sword. When it finally broke because of so much use, Giong used the bamboo trees that he pulled up from the sides of the road and wiped away the enemies.

Afterwards, he left his armor on the mountain Soc (Soc Son) and both man and horse flew into the sky.

Legend holds that lakes in the area of mountain Soc were created from the footprints of Giong’s horse. At the site of the forest where he incinerated the enemy armies is now the Chay Village ("Chay" meaning burned).

In recognition of Giong's achievement, King Hung Vuong proclaimed him Phu Dong Thien Vuong (The Heaven Sent King of Phu Dong Village). For the people of his country, he is better known as Thanh Giong ("Saint" Giong)

It clearly shows WHITEHAT … looking at the first letters of each paragraph.

Finally:


echo -n "WHITEHATSHWSGTALI" | openssl sha1

(stdin)= 05cc532353023d5954da9507e189a55296f6db97

Flag : WhiteHat{05cc532353023d5954da9507e189a55296f6db97}

The obtained flag validates the challenge.

Nice challenge 🙂

 

Leave a Reply

Your email address will not be published. Required fields are marked *