Damjan Cvetko


Challenge: Santa got a secret message from a gifted child. Can you help him decode the message and save Christmas?

secret-message.zip

The ZIP is encrypted. Building on last year's knowledge I assumed: a) it was solvable and b) the password was in one of the most popular password databases.

I picked rockyou.txt and fcrackzip.

$ fcrackzip -u -D -p rockyou.txt secret-message.zip
PASSWORD FOUND!!!!: pw == letmein

OK, let's get the contents.

$ unzip secret-message.zip
Archive:  secret-message.zip
[secret-message.zip] ransom/document1.txt.cpt password:
 extracting: ransom/document1.txt.cpt
 extracting: ransom/document2.txt.cpt
 extracting: ransom/document3.txt.cpt
 extracting: ransom/document4.txt.cpt
  inflating: ransom/password.c

So there’s a bunch of encrypted messages, and a .c file. The code looks like it creates a random password…

The contents of the files didn't make much sense, and I tried to search for the file extension, but didn't find much. Eventually I found out that the tool used to encrypt the files was ccrypt. The tool takes a password, but that was randomly generated… from… time().

If we look at the times of the files, we see that they all share the same Modify time.

$ stat document1.txt.cpt
  File: document1.txt.cpt
  Size: 183             Blocks: 0          IO Block: 4096   regular file
Device: eh/14d  Inode: 3940649675356974  Links: 1
Access: (0777/-rwxrwxrwx)  Uid: ( 1000/    zobo)   Gid: ( 1000/    zobo)
Access: 2020-12-01 07:42:46.000000000 +0100
Modify: 2020-12-01 07:42:41.000000000 +0100
Change: 2020-12-25 01:22:56.013169100 +0100
 Birth: -

That tells us when the password was created.

So it's just a question of generating it again.

$ date --date="2020-12-01 07:42:41.000000000 +0100" +%s
1606804961

Not being bothered to set up gcc locally, I used the online tool again: https://www.onlinegdb.com/online_c_compiler.
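The post does not reproduce ransom/password.c, so the block below is an added example rather than the challenge's own code: a hypothetical generator with the same weakness (a PRNG seeded with time()), plus a check that the password is fully recoverable from the timestamp that stat showed as the file's mtime. PW_LEN, ALPHABET and the function names are assumptions, not taken from the challenge.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Hypothetical stand-in for ransom/password.c (the challenge file itself is
 * not reproduced in the writeup): a 16-character password drawn from rand()
 * after seeding the PRNG with a Unix timestamp. */
#define PW_LEN 16
static const char ALPHABET[] =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

/* Derive the password for a given seed. srand()/rand() is a deterministic
 * PRNG, so the seed alone fixes every character of the "random" password. */
void password_from_seed(unsigned int seed, char out[PW_LEN + 1]) {
    srand(seed);
    for (int i = 0; i < PW_LEN; i++)
        out[i] = ALPHABET[rand() % (sizeof(ALPHABET) - 1)];
    out[PW_LEN] = '\0';
}

/* 1 if two seeds yield the same password, 0 otherwise. */
int same_password(unsigned int s1, unsigned int s2) {
    char a[PW_LEN + 1], b[PW_LEN + 1];
    password_from_seed(s1, a);
    password_from_seed(s2, b);
    return strcmp(a, b) == 0;
}

/* Simulate the incident: seed from time(), as the challenge generator did,
 * then rebuild the password from the recorded second alone. That second is
 * exactly what the encrypted file's mtime leaks to stat(1). Returns 1 when
 * the rebuilt password matches. The fix is to take password bytes from the
 * OS CSPRNG (getrandom(2), /dev/urandom), never from a time-seeded PRNG. */
int recovery_matches(void) {
    char original[PW_LEN + 1], rebuilt[PW_LEN + 1];
    time_t recorded = time(NULL);          /* what the generator seeded with */
    password_from_seed((unsigned int)recorded, original);
    password_from_seed((unsigned int)recorded, rebuilt);
    return strcmp(original, rebuilt) == 0;
}

int main(void) {
    char pw[PW_LEN + 1];
    /* Seed from the writeup: date --date="2020-12-01 07:42:41 +0100" +%s */
    password_from_seed(1606804961u, pw);
    printf("password regenerated from mtime 1606804961: %s\n", pw);
    printf("recovery from mtime works: %d\n", recovery_matches());
    return 0;
}
```

The printed password is libc-specific (rand() differs between implementations), which is why the real challenge had to be rebuilt with the same kind of compiler the author used; the recoverability itself does not depend on the libc.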

The last file contained the flag.

In the course of my research I also found, basically, the same CTF challenge on github: https://github.com/Probely/CTF-Challenges/blob/master/Forensics/200-Ransomware/SOLUTION.md

The difference is that the description clearly hints that the files are encrypted.

Flag: xmas{PutYourWorriesAsideAndOpenUpYourMind}

What did I learn: .cpt is for ccrypt, look at stat.
