{"id":3472,"date":"2018-08-19T13:07:13","date_gmt":"2018-08-19T11:07:13","guid":{"rendered":"https:\/\/0x90r00t.com\/?p=3472"},"modified":"2018-08-19T19:38:30","modified_gmt":"2018-08-19T17:38:30","slug":"whitehatvn-2018-misc-100-misc02-write-up","status":"publish","type":"post","link":"https:\/\/0x90r00t.com\/fr\/2018\/08\/19\/whitehatvn-2018-misc-100-misc02-write-up\/","title":{"rendered":"[WhiteHatvn 2018] [Misc 100 \u2013 Misc02] Write Up"},"content":{"rendered":"<h2>Description<\/h2>\n<blockquote><p>Find the private key and decrypt the secret inside the picture<br \/>\nmaterial.grandprix.whitehatvn.com\/misc02<br \/>\nMD5: 2cad267bb17d5f31551c0d8713e41a77<\/p>\n<p>Hint 1\u00a0: saintgiong.jpg.pgp<\/p>\n<p>Hint 2\u00a0: outguess<\/p><\/blockquote>\n<p><!--more--><\/p>\n<h2>Resolution<\/h2>\n<p>First, we download an ISO file: Hacker.iso<\/p>\n<p>Once the archive is extracted, we start looking for the image we are interested in. A simple grep gives us its location.<\/p>\n<pre class=\"brush: plain; light: true; title: ; notranslate\" title=\"\">grep -R jpg.pgp\r\nMAILDIR\/CUR\/15334499.COM:Content-Type: application\/octet-stream; name=&quot;SaintGiong.jpg.pgp&quot;\r\nMAILDIR\/CUR\/15334499.COM:Content-Disposition: attachment; filename=&quot;SaintGiong.jpg.pgp&quot;\r\n<\/pre>\n<p>By renaming the .COM file to .eml, Thunderbird opens the mail directly and we retrieve the encrypted image from the attachment. 
The next step is to find the key.<\/p>\n<p>A quick search through the folders turns up a PGP private key, located at Hacker\/ETC\/MAIL\/PRIVATE.ASC<\/p>\n<p>The problem now is to find the passphrase that will let us use this key to decrypt the image.<\/p>\n<p>Running pgp2john with John The Ripper and the well-known rockyou wordlist gives nothing. But looking at the contents of the Hacker\/ETC\/MAIL folder, we see this:<\/p>\n<pre class=\"brush: plain; light: true; title: ; notranslate\" title=\"\">\r\nENCRYPT.PYC\r\nPRIVATE.ASC\r\nSPAMASSA\r\n<\/pre>\n<p>The file\u00a0<code class=\"plain plain\">ENCRYPT.PYC<\/code> catches our attention\u2026 Let's decompile it to see what it contains!<\/p>\n<p>For that, we use the uncompyle6 tool.<\/p>\n<p>To install it:<\/p>\n<pre class=\"brush: plain; light: true; title: ; notranslate\" title=\"\">sudo pip install uncompyle6<\/pre>\n<p>Then (uncompyle6 writes the decompiled source to stdout, so we redirect it to a file):<\/p>\n<pre class=\"brush: plain; light: true; title: ; notranslate\" title=\"\">uncompyle6 ENCRYPT.PYC &gt; decrypted.py<\/pre>\n<p>Here is the content of the Python script we obtain.<\/p>\n<pre class=\"brush: plain; light: true; title: ; notranslate\" title=\"\">\r\n# uncompyle6 version 3.2.3\r\n# Python bytecode 2.7 (62211)\r\n# Decompiled from: Python 2.7.15rc1 (default, Apr 15 2018, 21:51:34)\r\n# &#x5B;GCC 7.3.0]\r\n# Embedded file name: .\/encrypt.py\r\n# Compiled at: 2018-08-16 09:16:13\r\nimport struct, sys, base64\r\npassword_enc = 'JTd1XyoIbmc3PWhpOjhfVhsIbmcAAAAA'\r\nif len(sys.argv) != 2:\r\n    print 'Usage: %s data' % sys.argv&#x5B;0]\r\n    exit(0)\r\ndata = sys.argv&#x5B;1]\r\n# padding is always between 1 and 4, so a 4-byte-aligned input still gets four NUL bytes appended\r\npadding = 4 - len(data) % 4\r\nif padding != 0:\r\n    data = data + '\\x00' * padding\r\nresult = &#x5B;]\r\nblocks = struct.unpack('I' * (len(data) \/ 4), data)\r\nprint blocks\r\nfor block in blocks:\r\n    result += &#x5B;block ^ block 
&gt;&gt; 16]\r\noutput = ''\r\nfor block in result:\r\n    output += struct.pack('I', block)\r\nprint output\r\nprint base64.b64encode(output)\r\n<\/pre>\n<p>One line catches our attention: password_enc = &lsquo;JTd1XyoIbmc3PWhpOjhfVhsIbmcAAAAA&rsquo;<\/p>\n<p>What if that were the passphrase?<\/p>\n<p>The Python script encrypts a string. The process is simple: every 32-bit block is XORed with itself shifted right by 16 bits, and applying that same operation a second time gives back the original block, so it is easy to reverse to decrypt JTd1XyoIbmc3PWhpOjhfVhsIbmcAAAAA.<\/p>\n<p>Here is the script that decrypts password_enc<\/p>\n<pre class=\"brush: plain; light: true; title: ; notranslate\" title=\"\">\r\nimport struct, sys, base64\r\npassword_enc = 'JTd1XyoIbmc3PWhpOjhfVhsIbmcAAAAA'\r\nc = base64.b64decode(password_enc)\r\nblocks = struct.unpack('I' * (len(c) \/ 4), c)\r\nprint blocks\r\nresult = &#x5B;]\r\nfor block in blocks:\r\n    result += &#x5B;block ^ block &gt;&gt; 16]\r\noutput = ''\r\nfor block in result:\r\n    output += struct.pack('I', block)\r\nprint output\r\n<\/pre>\n<p>We get: Phu_Dong_Thien_Vuong<\/p>\n<p>We immediately try to import the key with the passphrase Phu_Dong_Thien_Vuong:<\/p>\n<pre class=\"brush: plain; light: true; title: ; notranslate\" title=\"\">gpg --import PRIVATE.ASC<\/pre>\n<p>And bingo, it works!<\/p>\n<p>We can now extract the image (gpg writes the decrypted data to stdout, so we redirect it to a file):<\/p>\n<pre class=\"brush: plain; light: true; title: ; notranslate\" title=\"\">gpg --decrypt SaintGiong.jpg.pgp &gt; img.jpg<\/pre>\n<p>This is where the second hint comes in handy. 
Indeed, outguess is a small tool for hiding text inside an image.<\/p>\n<pre class=\"brush: plain; light: true; title: ; notranslate\" title=\"\">sudo apt install outguess<\/pre>\n<p>Then<\/p>\n<pre class=\"brush: plain; light: true; title: ; notranslate\" title=\"\">outguess -r img.jpg hidden.txt<\/pre>\n<p>We get the following text:<\/p>\n<pre class=\"brush: plain; light: true; title: ; notranslate\" title=\"\">\r\nWhile the sixth Hung Vuong Dynasty, our country, then called Van Lang was under the menace of the An , situated in the North of Vietnam\u2019s borders.\r\n\r\nHung Vuong King was very worried and assembled his court to prepare a plan of defense for the country. A mandarin of the civil service reminded the King that the original founding King of the country, Lac Long Quan had instructed that if the country were ever to face danger, it should pray for his help.\r\n\r\nIn that situation, the King then invoked the spirit of the founding King.\r\n\r\nThree days later, a very old man appeared in the midst of a storm and said that he was Lac Long Quan himself. He prophesied that in three years the An from the North would try to invade the country; he advised that the King should send messengers all over the country to seek help from talented people, and that thereafter a general sent from heaven would come to save the country.\r\n\r\nEvent though three years later, indeed came the tempestuous foreign armies trying to take over the Southern Kingdom. 
At the capital city of Phong Chau, King Hung Vuong still remembered the instruction from Lac Long Quan.\r\n\r\nHowever Even earlier than, at the village of Phu Dong, County of Vo Ninh, Province of Bac Ninh, a woman in her sixties reported she had seen footprints of a giant in the field.\r\n\r\nAmazed, she tried to fit her feet in the footprints and suddenly felt that she was overcome by an unusual feeling.\r\n\r\nThereafter she became pregnant and delivered a boy whom she named Giong. Even at the age of three, Giong was not able to crawl, to roll over, or to say a single word.\r\n\r\nSurprisingly, at the news of the messenger from the King, Giong suddenly sat up and spoke to his mother, asking her to invite the messenger over to their home.\r\n\r\nHe then instructed the messenger to request the King to build a horse and a sword of iron for him so that he could go and chase the invaders away.\r\n\r\nWhen the horse and sword were eventually brought to his home, Giong stood up on his feet, stretched his shoulders, became a giant of colossal proportions, and asked his mother for food and new clothing.\r\n\r\nShe cooked many pots of rice for him but it was not enough for his appetite. The whole village brought over their whole supply of fabric and it was still not enough for his size.\r\n\r\nGiong put his helmet on, carried his sword, jumped on the back of his horse and rode away, as fast as a hurricane. The iron horse suddenly spit fire, and brought Giong to the front line at the speed of lightning. The invaders saw Giong like a punishing angel overwhelming them.\r\n\r\nTheir armies were incinerated by the flame thrown from the horse's mouth. Their generals were decapitated by Giong\u2019s sword. 
When it finally broke because of so much use, Giong used the bamboo trees that he pulled up from the sides of the road and wiped away the enemies.\r\n\r\nAfterwards, he left his armor on the mountain Soc (Soc Son) and both man and horse flew into the sky.\r\n\r\nLegend holds that lakes in the area of mountain Soc were created from the footprints of Giong\u2019s horse. At the site of the forest where he incinerated the enemy armies is now the Chay Village (&quot;Chay&quot; meaning burned).\r\n\r\nIn recognition of Giong's achievement, King Hung Vuong proclaimed him Phu Dong Thien Vuong (The Heaven Sent King of Phu Dong Village). For the people of his country, he is better known as Thanh Giong (&quot;Saint&quot; Giong)\r\n<\/pre>\n<p>WHITEHAT\u2026 clearly appears when we look at the first letter of each paragraph; reading them all gives WHITEHATSHWSGTALI.<\/p>\n<p>To finish:<\/p>\n<pre class=\"brush: plain; light: true; title: ; notranslate\" title=\"\">echo -n &quot;WHITEHATSHWSGTALI&quot; | openssl sha1\r\n\r\n(stdin)= 05cc532353023d5954da9507e189a55296f6db97<\/pre>\n<p>Flag : WhiteHat{05cc532353023d5954da9507e189a55296f6db97}<\/p>\n<p>The flag we obtain validates the challenge.<\/p>\n<p>Great challenge \ud83d\ude42<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description Find the private key and decrypt the secret inside the picture material.grandprix.whitehatvn.com\/misc02 MD5: 2cad267bb17d5f31551c0d8713e41a77 Hint 1\u00a0: saintgiong.jpg.pgp Hint 2\u00a0: 
outguess<\/p>\n","protected":false},"author":18,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[274,35,275],"tags":[],"class_list":["post-3472","post","type-post","status-publish","format-standard","hentry","category-2018-ctf-fr","category-ctf-fr","category-whitehatvn"],"_links":{"self":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts\/3472","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/users\/18"}],"replies":[{"embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/comments?post=3472"}],"version-history":[{"count":16,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts\/3472\/revisions"}],"predecessor-version":[{"id":3488,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/posts\/3472\/revisions\/3488"}],"wp:attachment":[{"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/media?parent=3472"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/categories?post=3472"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/0x90r00t.com\/fr\/wp-json\/wp\/v2\/tags?post=3472"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}