duksctf

Bunch of sec. enthusiasts who sometimes play CTF

Plaid CTF 2016 - The stuff

A PCAP including a base64 zip file and a cleartext password; a wrong CRC preventing straightforward decryption.

Description

Can you believe Ryan uses Bing?

Details

Points: 50

Category: misc

Validations: 219

Solution

We got a 3.2MB pcap traffic capture including a bunch of Bing searches, but which were red herrings. The useful part was an email containg a base64-encoded ZIP file:

01:58:08.785762 IP 192.168.120.138.58414 > 192.168.120.1.smtp: Flags [P.], seq 161:216, ack 175, win 229, options [nop,nop,TS val 781875 ecr 1863138377], length 55: SMTP: Subject: The Stuff
E..k.%@.@.....x...x.......G.........r:.....
...3o.<ISubject: The Stuff
From: John Doe <jdoe@example.com>

01:58:08.785850 IP 192.168.120.1.smtp > 192.168.120.138.58414: Flags [.], ack 216, win 4111, options [nop,nop,TS val 1863138377 ecr 781875], length 0
E..4..@.@.....x...x...........H......K.....
o.<I...3
01:58:08.785891 IP 192.168.120.138.58414 > 192.168.120.1.smtp: Flags [P.], seq 216:240, ack 175, win 229, options [nop,nop,TS val 781875 ecr 1863138377], length 24: SMTP: To: jsmith@example.com
E..L.&@.@.....x...x.......H.........r......
...3o.<ITo: jsmith@example.com

01:58:08.786048 IP 192.168.120.138.58414 > 192.168.120.1.smtp: Flags [.], seq 240:4584, ack 175, win 229, options [nop,nop,TS val 781875 ecr 1863138377], length 4344: SMTP: Date: Sat, 16 Apr 2016 16:58:08 -0700
E..,.'@.@.....x...x.......H................
...3o.<IDate: Sat, 16 Apr 2016 16:58:08 -0700
Content-Type: multipart/mixed; boundary="=-zAAY+FBv9yZgwoZy4KHy"
X-Mailer: Evolution 3.10.4-0ubuntu2
Mime-Version: 1.0


--=-zAAY+FBv9yZgwoZy4KHy
Content-Type: text/plain
Content-Transfer-Encoding: 7bit

Yo, I got the stuff.


--=-zAAY+FBv9yZgwoZy4KHy
Content-Type: application/zip; name="flag.zip"
Content-Disposition: attachment; filename="flag.zip"
Content-Transfer-Encoding: base64

UEsDBBQACQAIAHGBkEjDELQcOSoAAFk3AAAIABwAZmxhZy5qcGdVVAkAA6XGElfKxhJXdXgLAAEE
6AMAAAToAwAAcu3qNOrf/ikOGiuwzSTfpxNkjsV6RU5ygGcK3CdWBI5s486P2jSZZMCE1dsgcB5C
dLpmtLHpndhIxgmpcC6M9oPtQqeeXZ1NR7J+Rjc6g8RuHvzSd4wRkRWj34l7Zs8Ssl8ktHWPa3gh
k39ggi+9gir1BwpopTsGoubAd3spqjfRuBh8QxzFRsCvNGcfUbZu3SEMqslTkpW57suOkTQw8T21
35AzcsQlDCwgBmd5uEaxq6Pwk74mljtv8TjrMGdR/1lrAICGWmm0kH4SFlBfJSy+x7AcUibmDAov
+CKwH1/eIQqTHdcJuSelelvlsdp4rlpR6mrf+imaaz8XTt8BWrrFiP8iYZh4kaRAX1nRXTshkj+t
uBRXfLRkuMNmNUpy2lQ+350vg2pP3tFAtbdKEDIw1GvUxAsuMy+5HVED2sAPEN08ZANq3jK66elA
vcgJz0DYOLhSky8hO1kIhN+XxTNQcMZDLrcbFU724xzTu2tqila0O2bsp4Mdc+Ml5wQEMHKGqz4x
t8YfyYSK5VDqypv/dBvyuEZEGNQwnOIWd9iZcfau+54qK0oDHG6rVF879KFEeCSR1UBLNo+oHnvb
(...)

The 11KB file flag.zip was encrypted, with unzip asking for a password. Finding it wasn’t super hard:

$ tcpdump -A  -r the_stuff.pcapng | grep password
reading from PCAP-NG file the_stuff.pcapng
Yo, you'll need this too: super_password1

That’s it? Nope, the zip file was corrupted, with a wrong CRC. This can be seen by unzipping using Python’s ZipFile class:

from zipfile import ZipFile
z= ZipFile('flag.zip', pwd='super_password1')
z.extractall()

which yields the following error:

/Users/jp/anaconda/envs/python2/lib/python2.7/zipfile.pyc in _update_crc(self, newdata, eof)
    645         # Check the CRC if we're at the end of the file
    646         if eof and self._running_crc != self._expected_crc:
--> 647             raise BadZipfile("Bad CRC-32 for file %r" % self.name)
    648
    649     def read1(self, n):

BadZipfile: Bad CRC-32 for file 'flag.jpg'

To avoid this, I patched zipfile.py to remove the CRC check (commenting lines 646-647), and it decrypted to a file flag.jpg:

Written on April 18, 2016