26 Feb 2012

CODEGATE 2012 – Network 100

Challenge Description

Someone has leaked very important documents. We couldn't find any proof without one PCAP file. But this file was damaged.

※ The password of the disclosure document is very weak and based on time, so it can be found easily.
Cryptographic algorithm is below.

Msg = "ThisIsNotARealEncryption!SeemToEncoding"
Key = 0x20120224 (if date format is 2012/02/24 00:01:01)
Crypto = C(M) = Msg * Key = 0xa92fd3a82cb4eb2ad323d795322c34f2d809f78

As stated in the challenge, the pcap file is damaged. After examining it and seeing where the parsers have difficulty, we came up with a quick Perl script that patches it enough for Wireshark to open it: it prepends a fresh 24-byte pcap global header and rewrites the incl_len/orig_len fields found at offset 0xd0c of the broken file (the record header they belong to starts 8 bytes earlier) to 0x225, i.e. 549 bytes.

#!/usr/bin/perl
use strict;
use warnings;

# Binary in, binary out: never let Perl translate line endings in capture data.
binmode STDIN;
binmode STDOUT;

# Fresh pcap global header: magic d4c3b2a1 (little-endian), version 2.4,
# thiszone 0, sigfigs 0, snaplen 0xffff, linktype 1 (Ethernet).
print "\xd4\xc3\xb2\xa1\x02\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\x00\x00\x01\x00\x00\x00";

# Slurp the broken capture from stdin in one go.
my $file = do { local $/; <STDIN> };

# Everything up to the damaged length fields is fine as-is.
print substr($file, 0, 0xd0c);
# Overwrite incl_len and orig_len of the damaged record with 0x225 (549 bytes).
print "\x25\x02\x00\x00";
print "\x25\x02\x00\x00";
# The remaining records follow unchanged.
print substr($file, 0xd14);

$ perl ./patch.pl < A0EBE9F0416498632193F769867744A3 > proper.pcap
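The Perl patch above hard-codes an offset (0xd0c) and a length (0x225) that were found by hand. The following is an added example (not the writeup's script) that automates the "see where the parsers have difficulty" step: it walks the pcap record chain, stops at the first record whose incl_len is impossible, and derives the real length by scanning forward for the next plausible record header. The capture it operates on is constructed in `demo()`; the heuristic thresholds (timestamp window of an hour, minimum Ethernet frame of 14 bytes) are assumptions, not values from the challenge.

```python
"""Find and repair a pcap record whose length fields are corrupt."""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4                 # stored on disk as d4 c3 b2 a1
GLOBAL_HDR = struct.Struct("<IHHiIII")     # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")           # ts_sec, ts_usec, incl_len, orig_len


def build_capture(frames, snaplen=0xFFFF, ts0=1330000000):
    """Assemble a little-endian LINKTYPE_ETHERNET pcap from raw frames (constructed test data)."""
    out = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC_LE, 2, 4, 0, 0, snaplen, 1))
    for i, frame in enumerate(frames):
        out += REC_HDR.pack(ts0 + i, 1000 * i, len(frame), len(frame)) + frame
    return bytes(out)


def walk_records(data):
    """Yield (offset, ts_sec, incl_len, orig_len, ok) per record header.

    Stops after the first header that cannot be trusted (incl_len above the
    snaplen, incl_len above orig_len, or the record running past end of
    file): that is exactly where a parser such as Wireshark gives up.
    """
    magic, _, _, _, _, snaplen, _ = GLOBAL_HDR.unpack_from(data, 0)
    if magic != PCAP_MAGIC_LE:
        raise ValueError("not a little-endian pcap (magic 0x%08x)" % magic)
    off = GLOBAL_HDR.size
    while off + REC_HDR.size <= len(data):
        ts_sec, _, incl, orig = REC_HDR.unpack_from(data, off)
        ok = incl <= snaplen and incl <= orig and off + REC_HDR.size + incl <= len(data)
        yield off, ts_sec, incl, orig, ok
        if not ok:
            return
        off += REC_HDR.size + incl


def first_bad_record(data):
    """Return (offset of first damaged header, ts_sec of the record before it), or None."""
    prev_ts = None
    for off, ts_sec, _incl, _orig, ok in walk_records(data):
        if not ok:
            return off, prev_ts
        prev_ts = ts_sec
    return None


def recover_length(data, rec_off, prev_ts, snaplen=0xFFFF, window=3600, min_len=14):
    """Derive the damaged record's true length from the next plausible header.

    Scans forward byte by byte for 16 bytes that look like a record header:
    timestamp within `window` seconds of the previous good record, sane
    microseconds, incl_len == orig_len within [min_len, snaplen], and a body
    that fits in the file. Raises if none is found (e.g. the damaged record
    is the last one, which this heuristic cannot size).
    """
    start = rec_off + REC_HDR.size
    for cand in range(start + min_len, len(data) - REC_HDR.size + 1):
        ts_sec, ts_usec, incl, orig = REC_HDR.unpack_from(data, cand)
        if prev_ts is not None and abs(ts_sec - prev_ts) > window:
            continue
        if ts_usec >= 1_000_000 or incl != orig or not min_len <= incl <= snaplen:
            continue
        if cand + REC_HDR.size + incl > len(data):
            continue
        return cand - start
    raise ValueError("no plausible record header follows offset 0x%x" % rec_off)


def repair(data):
    """Rewrite incl_len/orig_len of the first damaged record; return (fixed, offset, length)."""
    hit = first_bad_record(data)
    if hit is None:
        return data, None, None
    off, prev_ts = hit
    length = recover_length(data, off, prev_ts)
    fixed = bytearray(data)
    struct.pack_into("<II", fixed, off + 8, length, length)   # bytes 8..15 of the record header
    return bytes(fixed), off, length


def demo():
    """Constructed sample: three frames, the second record's lengths smashed to 0xffffffff."""
    frames = [
        b"\x00" * 14 + b"GET /leak.zip HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
        b"\x00" * 14 + b"HTTP/1.1 200 OK\r\nContent-Type: application/zip\r\n\r\nPK\x03\x04",
        b"\x00" * 14 + b"PK\x05\x06" + b"\x00" * 18,
    ]
    good = build_capture(frames)
    bad_off = GLOBAL_HDR.size + REC_HDR.size + len(frames[0])
    broken = bytearray(good)
    struct.pack_into("<II", broken, bad_off + 8, 0xFFFFFFFF, 0xFFFFFFFF)
    fixed, off, length = repair(bytes(broken))
    return fixed == good, off == bad_off, length == len(frames[1])


if __name__ == "__main__":
    print(demo())   # (True, True, True)
```

On a real capture the scan can match bytes inside a payload that merely look like a header, so treat the recovered length as a candidate and confirm it by opening the patched file in Wireshark, just as the writeup did with its hand-picked value.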

The pcap file contains a web download of a large file. We extracted this file by using ‘Follow TCP Stream’ and saving the data from the server to the client to a raw file.

Inspecting the last part of the file shows "PK" signatures (PK\x01\x02 is a zip central directory file header) and plain-text file names, so it is likely a zip file. Note the final signature at 0x30b4f: it reads 50 5b 05 06 ("P[") instead of 50 4b 05 06 ("PK"), so the end-of-central-directory record's marker has been damaged.

$ xxd raw | tail
0030ad0: 6c6c 2e6a 7067 0a00 2000 0000 0000 0100 ll.jpg.. .......
0030ae0: 1800 86e3 212f cfeb cc01 c4b2 c330 cfeb ....!/.......0..
0030af0: cc01 8d0c b530 cfeb cc01 504b 0102 3f00 .....0....PK..?.
0030b00: 1400 0100 0000 389d 4f40 cf06 cb9c 3100 ......8.O@....1.
0030b10: 0000 2500 0000 0300 2400 0000 0000 0000 ..%.....$.......
0030b20: 2000 0000 bd09 0300 6b65 790a 0020 0000 .......key.. ..
0030b30: 0000 0001 0018 0037 620d 6bce ebcc 01f1 .......7b.k.....
0030b40: 0bcf 2dcc ebcc 01d6 b8c7 2dcc ebcc 0150 ..-.......-....P
0030b50: 5b05 0600 0000 0003 0003 0042 0100 000f [..........B....
0030b60: 0a03 0000 000a

Running unzip on it reports that the file is corrupt and cannot be extracted (without a valid end-of-central-directory record it cannot find the central directory). The broken zip file can be repaired with zip's -FF mode, which rescans the archive for entries and rebuilds the central directory:

$ zip -FF raw.zip --out fixed.zip
Fix archive (-FF) - salvage what can
	zip warning: Missing end (EOCDR) signature - either this archive
                     is not readable or the end is damaged
Is this a single-disk archive?  (y/n): y
  Assuming single-disk archive
Scanning for entries...
 copying: George_Orwell.jpg  (19535 bytes)
 copying: key  (49 bytes)
Central Directory found...
no local entry: 1984-was-not-supposed-to-be-an-instruction-manual2-1.jpg
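The xxd tail above contains enough structure to explain both the unzip failure and what we are about to face. The following is an added example (not part of the writeup) that parses those exact bytes: it decodes the central directory entry for `key`, locates the end-of-central-directory record even though its signature is damaged, and cross-checks the sizes. `TAIL` is transcribed from the dump and `TAIL_OFFSET` is its file offset (0x30ad0); everything else is ordinary zip format knowledge.

```python
"""Parse the damaged tail of the recovered zip from the writeup's xxd output."""
import struct
from datetime import datetime

TAIL_OFFSET = 0x30AD0                      # file offset of the first dumped byte
TAIL = bytes.fromhex(                      # transcribed from the xxd tail above
    "6c6c2e6a70670a002000000000000100"
    "180086e3212fcfebcc01c4b2c330cfeb"
    "cc018d0cb530cfebcc01504b01023f00"
    "140001000000389d4f40cf06cb9c3100"
    "00002500000003002400000000000000"
    "20000000bd0903006b65790a00200000"
    "0000000100180037620d6bceebcc01f1"
    "0bcf2dccebcc01d6b8c72dccebcc0150"
    "5b05060000000003000300420100000f"
    "0a030000000a"
)

CDH = struct.Struct("<4sHHHHHHIIIHHHHHII")  # central directory file header, 46 bytes
EOCD = struct.Struct("<4sHHHHIIH")          # end of central directory record, 22 bytes
FLAG_ENCRYPTED = 0x0001                     # general purpose bit 0
ZIPCRYPTO_HEADER = 12                       # traditional PKWARE encryption prefix


def dos_datetime(dos_date, dos_time):
    """Decode the MS-DOS date/time pair stored in zip headers."""
    return datetime(1980 + (dos_date >> 9), (dos_date >> 5) & 0xF, dos_date & 0x1F,
                    dos_time >> 11, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2)


def parse_central_headers(buf, base):
    """Return a dict per central directory file header found in buf."""
    entries = []
    pos = buf.find(b"PK\x01\x02")
    while pos != -1 and pos + CDH.size <= len(buf):
        (_, _ver_by, _ver_need, flags, method, mtime, mdate, crc, csize, usize,
         nlen, xlen, clen, _disk, _iattr, _eattr, lh_off) = CDH.unpack_from(buf, pos)
        name = buf[pos + CDH.size:pos + CDH.size + nlen]
        entries.append({
            "offset": base + pos, "name": name.decode("ascii", "replace"),
            "encrypted": bool(flags & FLAG_ENCRYPTED), "method": method,
            "csize": csize, "usize": usize, "crc32": crc,
            "mtime": dos_datetime(mdate, mtime), "local_header": lh_off,
            # stored + ZipCrypto: compressed size = plaintext + 12-byte encryption header
            "zipcrypto_sizes_consistent": method == 0 and csize == usize + ZIPCRYPTO_HEADER,
        })
        pos = buf.find(b"PK\x01\x02", pos + CDH.size + nlen + xlen + clen)
    return entries


def find_eocd(buf, base):
    """Locate the EOCD even when the 'PK' half of its signature is damaged.

    Tries the exact signature first, otherwise every '05 06' whose following
    fields make sense (single disk, matching entry counts, comment that fits).
    """
    pos = buf.rfind(b"PK\x05\x06")
    candidates = [pos] if pos != -1 else [
        i - 2 for i in range(len(buf) - 1) if buf[i:i + 2] == b"\x05\x06"
    ]
    for pos in candidates:
        if pos < 0 or pos + EOCD.size > len(buf):
            continue
        sig, disk, cd_disk, n_disk, n_total, cd_size, cd_off, clen = EOCD.unpack_from(buf, pos)
        if disk == 0 and cd_disk == 0 and n_disk == n_total and pos + EOCD.size + clen <= len(buf):
            return {
                "offset": base + pos, "signature": sig, "signature_ok": sig == b"PK\x05\x06",
                "entries": n_total, "cd_size": cd_size, "cd_offset": cd_off,
                # where the EOCD would sit if the directory and its offset agreed
                "expected_offset": cd_off + cd_size,
            }
    return None


if __name__ == "__main__":
    for e in parse_central_headers(TAIL, TAIL_OFFSET):
        print(e)
    print(find_eocd(TAIL, TAIL_OFFSET))
```

Two things fall out of this that the writeup's `zip -FF` run only hints at: the `key` entry is stored (method 0) with the encryption flag set and a compressed size exactly 12 bytes larger than its 37-byte plaintext, which is the signature of traditional ZipCrypto, and the EOCD's own size and offset fields place it two bytes later than where it actually is, so the reassembled stream is not byte-exact either.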

Unzipping the fixed zip file asks for a password (the flags field of the "key" entry in the central directory, 0x0001, marks it as encrypted with traditional ZipCrypto). The challenge text hints at using a date for the password, and the TCP stream contains the date the file was downloaded:


HTTP/1.1 200 OK
Date: Wed, 28 Nov 1984 10:50:28 GMT
...

Writing this date in the YYYYMMDD format used by the challenge gives 19841128. Using that as the archive password extracts a file called 'key', which contains the following:


be7790a9f6e79752d1f9e55a79a33f421cf68

Now we undo the "encryption" described in the challenge: the value in the key file is the plaintext, read as a big-endian integer, multiplied by the key, so dividing it by 0x19841128 (the same date digits, read as a hex literal) recovers the message:

o = 0xBE7790A9F6E79752D1F9E55A79A33F421CF68   # contents of 'key'
p = 0x19841128                                  # 1984-11-28 read as a hex literal
m = o // p                                      # undo the multiplication (exact division)
print(m.to_bytes((m.bit_length() + 7) // 8, 'big').decode())

This yields the flag: wo00osR0cKinG:)
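As an added example covering both the scheme quoted in the challenge text and the final step above (this is not the writeup's own one-liner), the following derives the key from the HTTP Date header the way the hint describes, refuses to "decrypt" unless the division is exact (a non-zero remainder means the key is wrong), and includes the forward direction so the scheme can be round-tripped. The header and ciphertext constants are the ones quoted in the writeup. One caveat: do not validate an implementation against the sample in the challenge text, because the product of that 39-character Msg and Key would be about 86 hex digits long, whereas the Crypto value printed there has 39, so that sample is only illustrative.

```python
"""Recover the flag from the 'key' file with the challenge's multiply-by-date scheme."""
from email.utils import parsedate_to_datetime

HTTP_DATE = "Wed, 28 Nov 1984 10:50:28 GMT"                  # from the server's 200 OK
CIPHERTEXT_HEX = "be7790a9f6e79752d1f9e55a79a33f421cf68"      # contents of 'key'


def key_from_http_date(header_value):
    """'Wed, 28 Nov 1984 10:50:28 GMT' -> 0x19841128: YYYYMMDD digits reinterpreted as hex."""
    when = parsedate_to_datetime(header_value)
    return int(when.strftime("%Y%m%d"), 16)


def encrypt(message, key):
    """C(M) = M * Key, with M the big-endian integer value of the message bytes."""
    return int.from_bytes(message, "big") * key


def decrypt(ciphertext, key):
    """Invert by exact integer division; a remainder means this is not the key."""
    quotient, remainder = divmod(ciphertext, key)
    if remainder:
        raise ValueError("ciphertext is not a multiple of the key: wrong key?")
    # Leading NUL bytes of the original message are not recoverable from an integer.
    return quotient.to_bytes((quotient.bit_length() + 7) // 8, "big")


def solve(http_date=HTTP_DATE, ciphertext_hex=CIPHERTEXT_HEX):
    """Return (key, plaintext) for the quoted Date header and key file."""
    key = key_from_http_date(http_date)
    return key, decrypt(int(ciphertext_hex, 16), key)


if __name__ == "__main__":
    key, flag = solve()
    print(hex(key), flag.decode())   # 0x19841128 wo00osR0cKinG:)
```

The divisibility check is the practical difference from the bare division in the writeup: with a guessed key, `//` silently returns garbage, whereas `divmod` lets you reject wrong dates when brute-forcing the "based on time" hint across a range of days.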
