The weekend of 04\/01\/2016 is pre-qualification for the Nuit du Hack 2016<\/a><\/strong>\u00a0as a Jeopardy CTF<\/strong>. Having had the opportunity and the time to participate with some colleagues and friends, here\u2019s a write-up resolution of the challenges which we could participate.<\/p>\n The pcapng file recovered, we open it with Wireshark to observe the different frames. This file is provided, let’s look to potential objects related to HTTP requests by exporting (File> Export Objects> HTTP …).<\/p>\n Exporting HTTP object from pcapng file<\/p><\/div>\n When accessing files that have been exported, several are of interest:<\/p>\n Files exported<\/p><\/div>\n Logical scheme<\/p><\/div>\n At this stage, we have:<\/p>\n Let’s start with the algorithm implementation of the logical schema in Python:<\/p>\n <\/p>\n The script is run\u00a0to produce the file “keyresult.txt” from the binary string in “key.txt”:<\/p>\n ASCII conversion of this new binary string gives us the following key:<\/p>\n Now regenerate an encrypted file as a bundle:<\/p>\n Having the key and the encrypted file, proceed to decryption … Yes, but what algorithm? (DES, 3DES, XOR, AES128, AES256 …). It turns out that this is the AES256 gives us a decent result:<\/p>\n So we have a file “decrypt.txt”, including portions of its contents appear in clear. A command like “strings decrypt.txt” will display all the displayable text of it, and we note that the last strings\u00a0are:<\/p>\n It seemed to be an RTF file to open with Word! Rename “decrypt.txt” in “decrypt.rtf” and …<\/p>\n RTF file decrypted<\/p><\/div>\n Just “remove” or move the image (which is in the foreground), to see the flag appear behind:<\/p>\n\n
![\"Export](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/01-1-300x186.png\")
<\/a>![\"Fichiers](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/02-1-300x261.png\")
<\/a>\n
\n
010001110101111001100011011011100100100100111001010111100100011101000111001110010100011100111001010001110011100101000111001110010101111001100011011011100100100101101110010010010011100100110101010111100110001100111001001101010110111001001001011011100100100101000111010111100011100100110101011011100100100101011110011000110100011101011110001110010011010101011110011000110101111001100011010111100110001101000111010111100101111001100011011011100100100101000111010111100011100100110101010001110101111001101110010010010101111001100011010111100110001101101110010010010101111001100011010111100110001100111001001101010100011101011110010111100110001101011110011000110101111001100011010001110101111001000111010111100101111001100011011011100100100101101110010010010101111001100011<\/pre>\n
\n
\n
\n
![\"Sch\u00e9ma](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/12767348_10208095326368148_1014857467_n-300x171.jpeg\")
<\/a>\n
#!\/usr\/bin\/python\r\n# Quick'n'dirty logical scheme implementation\r\n\r\nkeyFile = open(\"key.txt\", \"r\");\r\nresFile = open(\"keyresult.txt\", \"w\");\r\n\r\ndef AND(a, b):\r\n if a==\"1\" and b ==\"1\":\r\n return \"1\"\r\n else:\r\n return \"0\";\r\n\r\ndef NOT(a):\r\n if a==\"1\":\r\n return \"0\"\r\n else:\r\n return \"1\";\r\n\r\ndef OR(a, b):\r\n if a==\"1\" or b == \"1\":\r\n return \"1\"\r\n else:\r\n return \"0\";\r\n\r\ndef XOR(a, b):\r\n if (a==\"1\" or b == \"1\") and a!=b:\r\n return \"1\"\r\n else:\r\n return \"0\";\r\n\r\nkey = keyFile.read();\r\n\r\ni = 0;\r\nwhile i < len(key):\r\n a1 = key[i];\r\n a2 = key[i+1];\r\n a3 = key[i+2];\r\n a4 = key[i+3];\r\n a5 = key[i+4];\r\n a6 = key[i+5];\r\n a7 = key[i+6];\r\n a8 = key[i+7];\r\n u13 = NOT(a3)\r\n u16 = NOT(a4)\r\n u15 = NOT(a5)\r\n u14 = NOT(a2)\r\n u17 = NOT(a6)\r\n u20 = NOT(a8)\r\n u1 = AND(a1, u13)\r\n u2 = AND(u14, u13);\r\n u3 = AND(a1, a2);\r\n u18 = XOR(a6, a7); \r\n u19 = XOR(u14, u20);\r\n u4 = AND(u1, u16);\r\n u5 = AND(u16, u2);\r\n u6 = AND(u16, u3);\r\n u7 = AND(u17, a3);\r\n u8 = AND(a3, u19);\r\n u9 = AND(u4, u15);\r\n u10 = AND(u5, u15);\r\n u11 = AND(u15, u6);\r\n u12 = AND(u7, u18);\r\n u21 = OR(u9, u10);\r\n u22 = OR(u11, u12);\r\n u23 = OR(u22, u8);\r\n u24 = OR(u21, u23);\r\n resFile.write(u24);\r\n i = i+8<\/pre>\n
001101000101010101101011011110100011100100110101010001100011001001011001011100010101000001101001<\/pre>\n
4Ukz95F2YqPi<\/pre>\n
cat encrypt* > encrypt-bundle.txt<\/pre>\n
openssl enc -aes-256-cbc -d -a -in encrypt-bundle.txt -out decrypt.txt -k 4Ukz95F2YqPi<\/pre>\n
[...]\r\nword\/theme\/theme1.xmlPK\r\nword\/styles.xmlPK\r\nword\/document.xmlPK\r\ndocProps\/custom.xmlPK\r\ndocProps\/app.xmlPK\r\ndocProps\/core.xmlPK<\/pre>\n
![\"Fichier](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/03-1-300x251.png\")
<\/a>
![\"Flag](\"https:\/\/www.asafety.fr\/wp-content\/uploads\/04-1-300x155.png\")
<\/a>