wannasigh

Author: Karol Baryła (aka Lorak_)

wannsigh was a task from WPI CTF 2019. Task description:

Here's link to drive image given in description, I have no idea how long it is going to be available.

File linked to in description is .ova file, a virtual machine with ubuntu installed. In ~ directory there is a encrypted zip file named your-stuff.zip containing most of the files from /home directory. Among other files there is flag.xcf. Task description hinted as that the encrypter was in a calc file. I opened firefox, and in the downloads there indeed is .ods file. It was downloaded from some gitlab repo (link), and in the commit history there is a commit with a bash script (link).

CURRENT_TIME=$(($(date +%s%N)/1000000))
echo $CURRENT_TIME

zip --password $CURRENT_TIME  ~/Templates/your-stuff.zip ~/Templates/*

NEXT_TIME=$(($(date +%s%N)/1000000))
echo $NEXT_TIME

It zips ~/Templates directory using current time as key. To get file modification date as timestamp I used command stat -c '%Y' your-stuff.zip, which yelded 1554920623. There was one last problem left, $(($(date +%s%N)/1000000)) gives us time stamp with an accuracy of miliseconds and file modification time is saved with accuracy of seconds. So the last thing to do was to bruteforce every milisecond in given second to get true key. Script to do that:

import zipfile 


zip = zipfile.ZipFile('./your-stuff.zip', 'r') 


for i in range(1000): 
     try: 
         zip.setpassword(b'1554920623' + ('%03d' % (i,) ).encode()) 
         zip.extractall('/tmp/unpack') 
         print('SUCCESS. Key: ' + '1554920623' + ('%03d' % (i,) )) 
     except: 
         pass

It successfully unpacks zip, and we can get our flag:

Remy's Epic Adventure

suckmore-shell

wannasigh

run_s0m3_w4r3z

wPI

coffeegate

Backtalk

Source

wannasigh

wannasigh

Author: Karol Baryła (aka Lorak_)

No Comments