Tuesday 20 May 2014

PlaidCTF 2014 For-400 write up

Challenge:
The Plague is using state of the art systems for storing his data. Our operatives managed to steal [a drive](zfs-ff06f37193caa92456e9c03090c80600.tar.bz2) from one of his servers, but it seems like our haste may have led to some uber-corruption. Can you get the data off the drive to track down The Plague?

From the question title, “disk” is kind of corrupted zfs drive. In order to recover the data as quick as possible, recovery tools like UFS Explorer Pro is used. Open the “disk” with it, you can see one file “not_the_key”.



Opening “not_the_key”, it’s really not the key… dig deeper
Then trying to recover the data from “disk”, three files are found.
key.xor_encrypted
not_the_key
xor_key


Extract the files, two of them look interesting. “xor_key” and “key.xor_encrypted” look self-explanatory, let’s try to “xor” them. The python code “xor” the two files.
from binascii import unhexlify, hexlify

def str_xor(s1, s2):
    return "".join([chr(ord(c1) ^ ord(c2)) for (c1,c2) in zip(s1,s2)])

def get_bytes_from_file(filename):  
    return open(filename, "rb").read()  

encByte = get_bytes_from_file('key.xor_encrypted')

keyByte = get_bytes_from_file('xor_key')

s = ''.join(chr(ord(c1) ^ ord(c2)) for c1, c2 in zip(encByte[-len(keyByte):], keyByte))

print s
Run the python code, the flag is here


===========================================================
Alternate Method:

Hex analysis approach to dig out the files, assuming we did not use UFS Explorer, we can use Hex Editor like WinHex


Oh well, we did not have clues, so we did some key word search, how about “key”?


Ok, we got “not_the_key”. Scroll up, it looked interesting, and we copy the block out.


Then we got “not_the_key” file and it asks us to dig deeper again. .\/. OK, find next... We continue to “dig deeper” and continue to search, we see three names:
key.xor_encrypted
not_the_key
xor_key


Ok, it's a bit by chance, we found that there's a 0x200 block ... 


And we scroll down to get another 0x200 block to see if we can do an XOR... 


oh yeah, it could perfectly do the XOR and get the cute shark again -_-..... 


Posted by at
Labels: , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)