[WhiteHatvn 2018] [Misc 100 – Misc02] Write Up


Find the private key and decrypt the secret inside the picture
MD5: 2cad267bb17d5f31551c0d8713e41a77

Hint 1 : saintgiong.jpg.pgp

Hint 2 : outguess


First, we retrieve an ISO file: Hacker.iso

Once the archive is extracted, we start looking for the image we are interested in. A simple grep gives its location.

 grep -R jpg.pgp
MAILDIR/CUR/15334499.COM:Content-Type: application/octet-stream; name="SaintGiong.jpg.pgp"
MAILDIR/CUR/15334499.COM:Content-Disposition: attachment; filename="SaintGiong.jpg.pgp"

After renaming the .COM file to .eml, Thunderbird opens the mail directly and we recover the encrypted image attached to it. The next step is to find the key.

A quick search through the folders turns up a PGP private key, located here: Hacker/ETC/MAIL/PRIVATE.ASC

The problem now is to find the passphrase that will let us use this key to decrypt the image.

Using pgp2john with John The Ripper and the well-known Rockyou wordlist yields nothing. But looking at the contents of the Hacker/ETC/MAIL folder, we see this:


The file ENCRYPT.PYC catches our attention… Let's decompile it to see what it contains!

For this, we use the uncompyle6 tool.

To install it:

 sudo pip install uncompyle6 


 uncompyle6 ENCRYPT.PYC 

Here is the content of the Python script obtained.

# uncompyle6 version 3.2.3 
# Python bytecode 2.7 (62211) 
# Decompiled from: Python 2.7.15rc1 (default, Apr 15 2018, 21:51:34) 
# [GCC 7.3.0] 
# Embedded file name: ./ 
# Compiled at: 2018-08-16 09:16:13 
import struct, sys, base64 
password_enc = 'JTd1XyoIbmc3PWhpOjhfVhsIbmcAAAAA' 
if len(sys.argv) != 2: 
    print 'Usage: %s data' % sys.argv[0]
    exit(0)
data = sys.argv[1] 
padding = 4 - len(data) % 4 
if padding != 0: 
    data = data + '\x00' * padding 
result = [] 
blocks = struct.unpack('I' * (len(data) / 4), data) 
print blocks 
for block in blocks: 
    result += [block ^ block >> 16] 
output = '' 
for block in result: 
    output += struct.pack('I', block)
print output 
print base64.b64encode(output)

One line catches our attention: password_enc = 'JTd1XyoIbmc3PWhpOjhfVhsIbmcAAAAA'

What if that were the passphrase?

The Python script encrypts a string. The process is simple and easy to reverse in order to decrypt JTd1XyoIbmc3PWhpOjhfVhsIbmcAAAAA.

Here is the script that decrypts password_enc

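# Python 2, like the decompiled script
import struct, base64 
password_enc = 'JTd1XyoIbmc3PWhpOjhfVhsIbmcAAAAA' 
c = base64.b64decode(password_enc) 
# Split the decoded bytes into 32-bit blocks, as ENCRYPT.PYC does
blocks = struct.unpack('I' * (len(c) / 4), c) 
print blocks 
result = [] 
for block in blocks: 
    # Same operation as the encryption: the high 16 bits are left unchanged,
    # so XORing them into the low 16 bits a second time restores the block
    result += [block ^ block >> 16] 
output = '' 
for block in result: 
    output += struct.pack('I', block) 
print output 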

We get: Phu_Dong_Thien_Vuong
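Added example (not part of the original write-up or of the challenge files): a Python 3 version of the transform showing why the same operation decodes it, and that bytes 2 and 3 of every block are stored unmodified. It assumes a little-endian host, as the result above implies; the function names are illustrative.

```python
import base64
import struct

# Value taken from the decompiled ENCRYPT.PYC shown above.
PASSWORD_ENC = "JTd1XyoIbmc3PWhpOjhfVhsIbmcAAAAA"


def fold(data: bytes) -> bytes:
    """Apply block ^ (block >> 16) to each little-endian 32-bit word."""
    if len(data) % 4:
        raise ValueError("length must be a multiple of 4")
    words = struct.unpack("<%dI" % (len(data) // 4), data)
    return struct.pack("<%dI" % len(words), *(w ^ (w >> 16) for w in words))


def encode(plaintext: bytes) -> str:
    """Mirror ENCRYPT.PYC, including its padding quirk (1 to 4 NUL bytes, never 0)."""
    padded = plaintext + b"\x00" * (4 - len(plaintext) % 4)
    return base64.b64encode(fold(padded)).decode("ascii")


def decode(encoded: str) -> bytes:
    """fold() is its own inverse: the high half is untouched and the
    low half is XORed with it twice, which cancels out."""
    return fold(base64.b64decode(encoded)).rstrip(b"\x00")


def cleartext_leak(encoded: str) -> bytes:
    """Show what is readable without any decoding: bytes 2 and 3 of each
    block (the high 16 bits) are kept, the XORed bytes are masked with '?'."""
    raw = base64.b64decode(encoded)
    return bytes(b if i % 4 >= 2 else ord("?") for i, b in enumerate(raw))


if __name__ == "__main__":
    print(decode(PASSWORD_ENC))
    print(cleartext_leak(PASSWORD_ENC))
```

The four trailing NUL bytes come from the padding rule in ENCRYPT.PYC, which pads even when the input length is already a multiple of 4.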

We immediately try to import the key with the passphrase Phu_Dong_Thien_Vuong:

gpg --import PRIVATE.ASC

And bingo, it works!

We can now extract the image:

 gpg --decrypt SaintGiong.jpg.pgp > img.jpg 

This is where the second hint comes in handy. outguess is a small tool that hides text in an image.

sudo apt install outguess


outguess -r img.jpg hidden.txt

We get the following text:

While the sixth Hung Vuong Dynasty, our country, then called Van Lang was under the menace of the An , situated in the North of Vietnam’s borders.

Hung Vuong King was very worried and assembled his court to prepare a plan of defense for the country. A mandarin of the civil service reminded the King that the original founding King of the country, Lac Long Quan had instructed that if the country were ever to face danger, it should pray for his help.

In that situation, the King then invoked the spirit of the founding King.

Three days later, a very old man appeared in the midst of a storm and said that he was Lac Long Quan himself. He prophesied that in three years the An from the North would try to invade the country; he advised that the King should send messengers all over the country to seek help from talented people, and that thereafter a general sent from heaven would come to save the country.

Event though three years later, indeed came the tempestuous foreign armies trying to take over the Southern Kingdom. At the capital city of Phong Chau, King Hung Vuong still remembered the instruction from Lac Long Quan.

However Even earlier than, at the village of Phu Dong, County of Vo Ninh, Province of Bac Ninh, a woman in her sixties reported she had seen footprints of a giant in the field.

Amazed, she tried to fit her feet in the footprints and suddenly felt that she was overcome by an unusual feeling.

Thereafter she became pregnant and delivered a boy whom she named Giong. Even at the age of three, Giong was not able to crawl, to roll over, or to say a single word.

Surprisingly, at the news of the messenger from the King, Giong suddenly sat up and spoke to his mother, asking her to invite the messenger over to their home.

He then instructed the messenger to request the King to build a horse and a sword of iron for him so that he could go and chase the invaders away.

When the horse and sword were eventually brought to his home, Giong stood up on his feet, stretched his shoulders, became a giant of colossal proportions, and asked his mother for food and new clothing.

She cooked many pots of rice for him but it was not enough for his appetite. The whole village brought over their whole supply of fabric and it was still not enough for his size.

Giong put his helmet on, carried his sword, jumped on the back of his horse and rode away, as fast as a hurricane. The iron horse suddenly spit fire, and brought Giong to the front line at the speed of lightning. The invaders saw Giong like a punishing angel overwhelming them.

Their armies were incinerated by the flame thrown from the horse's mouth. Their generals were decapitated by Giong’s sword. When it finally broke because of so much use, Giong used the bamboo trees that he pulled up from the sides of the road and wiped away the enemies.

Afterwards, he left his armor on the mountain Soc (Soc Son) and both man and horse flew into the sky.

Legend holds that lakes in the area of mountain Soc were created from the footprints of Giong’s horse. At the site of the forest where he incinerated the enemy armies is now the Chay Village ("Chay" meaning burned).

In recognition of Giong's achievement, King Hung Vuong proclaimed him Phu Dong Thien Vuong (The Heaven Sent King of Phu Dong Village). For the people of his country, he is better known as Thanh Giong ("Saint" Giong)

WHITEHAT… clearly appears when we look at the first letter of each paragraph.

Finally:

echo -n "WHITEHATSHWSGTALI" | openssl sha1

(stdin)= 05cc532353023d5954da9507e189a55296f6db97

Flag : WhiteHat{05cc532353023d5954da9507e189a55296f6db97}

The resulting flag validates the challenge.

Great challenge 🙂

