Author: Karol Baryła (aka Lorak_)

wannsigh was a task from WPI CTF 2019. Task description:


File linked to in description is .ova file, a virtual machine with ubuntu installed. In ~ directory there is a encrypted zip file named your-stuff.zip containing most of the files from /home directory. Among other files there is flag.xcf. Task description hinted as that the encrypter was in a calc file. I opened firefox, and in the downloads there indeed is .ods file. It was downloaded from some gitlab repo (link), and in the commit history there is a commit with a bash script (link).

CURRENT_TIME=$(($(date +%s%N)/1000000))

zip --password $CURRENT_TIME  ~/Templates/your-stuff.zip ~/Templates/*

NEXT_TIME=$(($(date +%s%N)/1000000))

It zips ~/Templates directory using current time as key. To get file modification date as timestamp I used command stat -c '%Y' your-stuff.zip, which yelded 1554920623. There was one last problem left, $(($(date +%s%N)/1000000)) gives us time stamp with an accuracy of miliseconds and file modification time is saved with accuracy of seconds. So the last thing to do was to bruteforce every milisecond in given second to get true key. Script to do that:

import zipfile 

zip = zipfile.ZipFile('./your-stuff.zip', 'r') 

for i in range(1000): 
         zip.setpassword(b'1554920623' + ('%03d' % (i,) ).encode()) 
         print('SUCCESS. Key: ' + '1554920623' + ('%03d' % (i,) )) 

It successfully unpacks zip, and we can get our flag: Screenshot_20190415_201415.png