CTF
Search…
BSidesSF 2019 CTF
Sleep first, CTF second.

Forensic - bWF0cnlvc2hrYQ==

Foreword

The challenge is easy, not sure why it have high points, maybe because it have too much stages that make you frustated

Just fucking solve it!

Decode challenge's name by base64decode, we got
1
matryoshka
Copied!
So i can imagine that this one have many stage to solve
So the challenge gave us an eml file
bWF0cnlvc2hrYQ.eml
166KB
Binary
Extract the eml file, we found the message and attachments
We was given Matry_Oshka.key as PGP public key
1
[email protected]:~/Desktop/tmp/bside_sf/matryoska# cat Matry_Oshka.key
2
-----BEGIN PGP PRIVATE KEY BLOCK-----
3
4
lQPGBFx4q2MBCADDVyGq/S27Ug2rNmOOJzEZ1ZFGxk2UDaoqx+LO4QQHF4/quJ6m
5
w1R2L2cBxB9YSZyRr2SSn/VG/LiUx93EZscweHAotMpcmQP/gL5WxVF/0wigZ4bY
6
a6dOX58TC4cTsqInHE9ZZUHl9NqFSMslo3Xq3fUPSFDh2TY/Ck9g1sJ9pSl5Yne7
7
/yTZ9b606WBPMV+9DOcvE/pisF+Gz/DpFaZHeJUWkrhpZ2CN0QRnlkSyF+Ymqex4
8
XWAzrHRXT/71l7rNxs7dpvwHpWz9umPFA9XIUWqm8+1o+gHmflL/2+JZmHfBEvUh
9
2pngLubNq78OxZ28XkINvatq7oBHURc4xy2rABEBAAH+BwMCcPlf+rsxq6nqgfUy
10
QAihv6IMwR6xhnOAuHA9gxac6z0DKYtpP+IXaFZ39xEmfqQ4NYzyq6ZkxafHpUdB
11
hzx+CB6kQP7x4ZWC7IY/WSlan9wcX827E6kPZNDwyA6EQJiORpmHG83L4SnRCkSN
12
N3nGKKcHhQsSTUn2SuNmfB9D8lNbbdkZEcN5uzKd7/AqouB0nzmzKIiKCE7DB7aZ
13
nFlpXptYxpSl6wr5ThzfUHcxIJNAv1uujCst2tLCdRTnacYM0BicrWwRJcO19hjN
14
N14EZhP4NBVQ27E7Mq+fvkX2265oXG2DZZrej6txBR3jweEF2PXLuy+qlsHHqkwf
15
e68ZrOJj+1mp9NugaPTtF4dJsBDwKx5E8PM+erAUcDxW+HSJ50s/AVWa92o4eubw
16
NCH3nmNLXONHi/e/1pwHTT4wZ6srB9jFXtkVJKrW9dmY9ZAgofiCEaXC6qAvUXMU
17
vPNfLEEITiBKPby56Ght7nM7CAiSD5pc2XrUDhETy5+7nu9bbu1Sak5JDdp17yyJ
18
jIoNI/m1R/H6+8CZii9/vH+RIdLbR6UUKV3jM+DgIgEOP3LmFXeDy4lXJPBbZeT6
19
wnpRsUcdDXpINN0Ll7rkHmS7bEerqEbg5eukK1lE+SUtuSFvD1LRgk+FuyjHwyPz
20
hL4HdXrUO7pinbCFMrVKlICL001baYwp7DwwyzSaHJLxWmVXAcIPSUcAp1jWtXKk
21
kjkzey0q5altWpXKujuFG6fLkTFNetkP9fzwAuraTfq8Nqr+ijy/NvZUCSg/i7ep
22
qRfPNJ4rt4ZQnXoF1pwVJt7OK77PxiF7dqhdA8TLSFCM0Lur6+kJ3gXQSRGJjvXg
23
ojPpp3t/XaDhbi6YEpJC+IXJNfGnm3FtOMU42ms7r1eFOuzIF826nUOYwn57ntkL
24
8ZjlQeqXH+d3tCNNYXRyeSBPc2hrYSA8TWF0cnkuT3Noa2FAZ21haWwuY29tPokB
25
UwQTAQgAPRYhBAx7y7rfDFJz55cxgGnV8AOKKJ+xBQJceKtjAhsDBQkDwmcABAsJ
26
CAcFFQoJCAsFFgIDAQACHgECF4AACgkQadXwA4oon7FEJgf+IbvwIjAEqP/kRpEa
27
kFFk1g7PMkOLhpylf/urUXTHdZtxtf7J6bgSMVAFlT2jH5NsvCi7WBWc4EDV/GzH
28
j38PwehWCUQvuhbM7cehUPZQ7o/o6s7NCMUuaBzpfvPmN4VPKUbh0qpPxz4cyW2M
29
OnuhPmhJG2l3PvC1RMj+ynPZ2wxc1ghjgeZ1a6fc8tHio+UAaEfSGtc3jAaUTIHI
30
SlMR6Gn4QSTGLmDjrtHRr5VwL9T3GzP6y4M4dvk7e//759o/Bp2DPOva4enLvVIJ
31
SSzWJYW+D804lzFJBfRoUterhnWsOUN0LATJdR1kLcqeTW3yCuOw6IKNcPQezyZy
32
lXgHxp0DxgRceKtjAQgA0H6H1i1994w0cITd4riSHhzeK4ThiSYhq/p5BGWvEv8N
33
c0MhIkmwdpwXWqmRKTFlcPAbSMDzpsvPmxT6mIjTq5mttT7MDkXXqVWX+J0ruif8
34
vKzwzPijRkUx+2hh1XF40wmdahatLMJ5jyBR4A6vCRyW7m1P4g1avp7oFv36rIXs
35
93NE9T293lRPPFX/phxSCN5/oEITr5EJiKCFRGqv7crIa1rpw/ath2kPhNR7Gnj/
36
EqWiMrO2tXL+ffu+ziZ/wbZyAvLX9zo0ojFW+2SEECouQhlVlG72i//PbXDzmOAg
37
cOUqAAdEY1vNBecBwMkwLuRHq3OHPSlvugmzlMdW7wARAQAB/gcDAiYeS6GL1X+s
38
6tQ1pNCobI4SGl/t4B/2VxhLh2Ew6NdplNdGewAy6ipSO5z88uFxDqK++iW4OV8s
39
4HncJfQdp04fgonjS2pJg40MRmnAQ4rW+fqkoHSt54bZ5VX+/dToCgCgucItCidD
40
ph7gM7Cc2VKRWvFy2elABlBVSSVk9FJYQug6yrrxP9r4apmnQdILPklGFNyjF/ax
41
yQ3yG/hr9pYnkJUJ3t95CPz4c+N/f+8i5sGOw8sT6UcGDagRW4OQnaeWmHoxVmXR
42
uYsO0RSfJQ4TnAqMeuEaLMpfmUcumDA0j4mjX/AcCbx1LHyhjE2XkCVITOP8c3Ik
43
/FXWh/dgcIIbujpdEAzZ5c7S/LkncGINS6zcX35BCcSsd6RHo1lmf2RvOrOTNjmP
44
hmCbA8fIhXSmpeQcpjqDw12mxfydlY3A7z8U6USdy+PaEQCGQDmZ/dw1VPgLeYsc
45
rAM5mH0dO22md4R1OygEJ7WbQTmuwjpqYpIy08uUz43XKqqC5zofmPpcShO0ZtUT
46
7z5thTixg4dDqqzk5T6tB5fnhJEn1y6x5XKCJztHFIwu3Jho5WFNP/yt8bdEHEdP
47
5DB3dhE3ABfFHW4Yy+7eYRuxN9OPiYVQeou4GnELHrhqwH/rLezMNWKZ8QICB33X
48
HoNmT9Pp0zVw0GdYY+IZxMufLbB/Htq2alvNhUxdiFKREXn+1iht1/+IewMZL7TI
49
qjh8VlpKgMH0r6uWvI0BXNZB8YEbUI2MRRqmnI4MrqFTrFy1yt60OgKHt1QnrhsH
50
dTNcKicAP4MUn/4wJEAEwFtUWPMgV1ZESEC8IebHfEXp087/X4AnjXzgRAD+uQ7B
51
ZY6n21zQAYNORCZnMadtet4I6djzbLFibPwGM4UXkx9D16T7sBtCvn8jWahEisYP
52
8akab83Uvi1e6Epw1okBPAQYAQgAJhYhBAx7y7rfDFJz55cxgGnV8AOKKJ+xBQJc
53
eKtjAhsMBQkDwmcAAAoJEGnV8AOKKJ+xJGkIAMJis17NR9kZz6CPDJcx0dTY83Ol
54
RhvnAjqVj4aSMYNm/0OfULmkofMyjWZVw3QihoGT9/5CJWpvv5f4D6NtoQFSlpPn
55
e/gioBDHaN6CL0mgMXGYpCf9DObpeDZldqj3Q9YW+mkXdDnIzvHpH78qKyJPrZ9H
56
20wogMWlmyVg7Ksos528AFWQ+4HXoH7h0M6VZ3Xq0IrbNAKFQAesOG1SkudaM4n1
57
JN90bxUYDbSUSA4jU4e2Wd1aMh2DCkMUAdmm6rGZ5fp72GrLZRbPnY32yI7clG7z
58
un7m73MZ9lMlItql0EFWrlzQs/605/WBYqV7WxnhwEs/drA7qBtm4IBu7tk=
59
=Hhg6
60
-----END PGP PRIVATE KEY BLOCK-----
Copied!
Where hack.pgp is encrypted data
Later we found the QR code in sender profile
It was too small, so some online qr decoder fail, my experience for this is, if you cant decode with your computer software, use phone. Which successfully decoded it
1
h4ck_the_plan3t
Copied!
Then i use PGPTool to decode hack.pgp with that password
hack4.zip
111KB
Binary
Inside hack4.zip, we found file.bin
1
[email protected]:~/Desktop/tmp/bside_sf/matryoska# file file.bin
2
file.bin: data
3
[email protected]:~/Desktop/tmp/bside_sf/matryoska# binwalk file.bin
4
5
DECIMAL HEXADECIMAL DESCRIPTION
6
--------------------------------------------------------------------------------
7
11 0xB lzip compressed data, version: 1
Copied!
So there is lzip compressed data, let view it in hex
So i assume first 11 bytes is trash, i delete it and export the file
1
[email protected]:~/Desktop/tmp/bside_sf/matryoska# file file.bin
2
file.bin: lzip compressed data, version: 1
3
[email protected]:~/Desktop/tmp/bside_sf/matryoska/tmp# lzip -d file.bin
4
[email protected]:~/Desktop/tmp/bside_sf/matryoska/tmp# ls
5
file.bin.out
6
[email protected]:~/Desktop/tmp/bside_sf/matryoska/tmp# file file.bin.out
7
file.bin.out: PDF document, version 1.3
Copied!
Well, it's an PDF document
Analze the pdf stream, deflated it and we got junk, bad image ._. I was thought it's because of resolution
With good pair of eyes, you can see there is QR code hidden in this image
By using StegSolver subtract, and found the original image online
1
https://en.wikipedia.org/wiki/Bliss_(image)
Copied!
you can trivially extract the QR code
Next, i was spent 2 hours cluelessly finding a way to recover the QR...
I have no progress, so i need to come back and look again all step i did, then i was figured out that the image in PDF is already messed up when i extracted it
Extract it properly again, i found an 162kb (if i recall it right) image instead of 121kb. Then just do pixel subtract.
solved.bmp
solved.bmp
212KB
Image
Decode the QRcode, we got
1
/Td6WFoAAATm1rRGAgAhARwAAAAQz1jM4ELCAORdABhgwwZfNTLh1bKR4pwkkcJw0DSEZd2BcWATAJkrMgnKT8nBgYQaCPtrzORiOeUVq7DDoe9feCLt9PG-MT9ZCLwmtpdfvW0n17pie8v0h7RS4dO/yb7JHn7sFqYYnDWZere/6BI3AiyraCtQ6qZmYZnHemfLVXmCXHan5fN6IiJL7uJdoJBZC3Rb1hiH1MdlFQ/1uOwaoglBdswAGo99HbOhsSFS5gGqo6WQ2dzK3E7NcYP2YIQxS9BGibr4Qulc6e5CaCHAZ4pAhfLVTYoN5R7l/cWvU3mLOSPUkELK6StPUBd0AABBU17Cf970JQABgALDhQEApzo4PbHEZ/sCAAAAAARZWg==
Copied!
Decode it, we have something looks like an 7z file
out.7z
292B
Text
Extract out.7z, we got out.bin which contains a lot of binary string
Do decode as following
1
binary-octal-decimal-hex-ascii
Copied!
We got base64 string
1
Nlc/TyVBN11SY0ZDL2EuP1lzcSFCallwdERmMCEz
Copied!
Which decode to
1
echo "Nlc/TyVBN11SY0ZDL2EuP1lzcSFCallwdERmMCEz" | base64 -d
2
6W?O%A7]RcFC/a.?Ysq!BjYptDf0!3
Copied!
Which is ascii85 encode
1
CTF{delat_iz_muhi_slona}
Copied!
Last modified 2yr ago