Bunch of sec. enthusiasts who sometimes play CTF

Nuit du hack quals 2016 - Invest

We received an invest.pcapng file which contains a schematic, encrypted files and a binary string. Once the binary string was passed through the logic circuit in the schematic, we obtained a password to decrypt the files with OpenSSL. The resulting file is a Word document with the flag inside.


A paranoid guy seems to have secured his file very well. But I am convinced he made a mistake somewhere.


Points: 50

Category: Inforensic

Validation: 70


The challenge provided us with invest.pcapng, a packet capture for us to analyze. With Wireshark we could extract several files with File -> Export Objects -> HTTP. Within the pcap is a file called ‘key.txt’, which contains a binary string. Interpreting the string as ASCII showed that it does not look really random:


The pcap also contains several pictures; one in particular seems interesting:


We noticed that this function takes 8 bits as input and outputs one bit. Among the downloaded files there were 81 whose names start with encrypt. They are base64 encoded. We merged and decoded them and obtained a file which starts with the string Salted__.

> binwalk merged.bin 

0             0x0             OpenSSL encryption, salted, salt: 0x7DD883F026435AB8

It means it is a file encrypted with OpenSSL. Then we coded the function represented by the previous picture:

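import binascii

# Binary string extracted from the capture (contents of key.txt)
key = open("key.txt").read().strip()

# Split the bit string into 8-bit chunks: the circuit maps 8 input bits to 1 output bit
chunks, chunkSize = len(key), 8
l = [key[i:i + chunkSize] for i in range(0, chunks, chunkSize)]

# The logic part: one gate per line, following the schematic from inputs to output
s = ""
for b in l:
    b0 = int(b[0])
    b1 = int(b[1])
    b2 = int(b[2])
    b3 = int(b[3])
    b4 = int(b[4])
    b5 = int(b[5])
    b6 = int(b[6])
    b7 = int(b[7])

    c1 = b0 and (not b2)
    c2 = (not b2) and (not b1)
    c3 = b0 and b1
    c4 = b5 ^ b6
    c5 = (not b1) ^ (not b7)

    d1 = c1 and (not b3)
    d2 = c2 and (not b3)
    d3 = c3 and (not b3)
    d4 = b2 and (not b5)
    d5 = c5 and b2
    e1 = d1 and (not b4)
    e2 = d2 and (not b4)
    e3 = d3 and (not b4)
    e4 = d4 and c4

    f1 = e1 or e2
    f2 = e3 or e4
    g = f2 or d5

    o = int(g or f1)
    s += str(o)

# Pack the output bits into bytes; zero-padded hex keeps an even number of digits
password = binascii.unhexlify("%0*x" % (len(s) // 4, int(s, 2)))
print(password)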

We passed the string contained in key.txt to the script and obtained the string “4Ukz95F2YqPi”. The string is 12 bytes long. We did not know of any cipher using a key of that length, so we assumed it was a password. Since the guy is paranoid, he would have used a strong block cipher. We started with AES-128:

openssl enc -aes128 -in merged.bin -out merged.out -d  -k 4Ukz95F2YqPi -p
iv =7413F91D4B87534B953CC656476C3107
bad decrypt
140385251583632:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:529:

Then we tried AES-256:

openssl enc -aes256 -in merged.bin -out merged.out -d  -k 4Ukz95F2YqPi -p
iv =C2E8D310CAD4C7A8CC4CD67BA81E672F

The file was decrypted properly. The decrypted file is a Word file which shows a picture. We unzipped the file and ran grep on the extracted directory:

grep "NDH" -r merged.out_FILES/

It revealed the flag. However, we could also have opened the file and moved or deleted the image to display the flag.
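The two decryption attempts above print different IVs for the same password and salt because `openssl enc -k` does not use the password as the key: it reads the salt from the Salted__ header and stretches the password with EVP_BytesToKey. The sketch below is an added example, not code from the original writeup; it assumes the MD5 digest (the `openssl enc` default before OpenSSL 1.1.0) and CBC mode, and the function names and the dummy ciphertext are made up here.

```python
import hashlib

MAGIC = b"Salted__"  # header written by `openssl enc` when a password is used


def parse_salted(blob):
    """Split an `openssl enc` container into (salt, ciphertext)."""
    if len(blob) < 16 or blob[:8] != MAGIC:
        raise ValueError("not an OpenSSL salted container")
    return blob[8:16], blob[16:]


def evp_bytes_to_key(password, salt, key_len, iv_len, md="md5"):
    """EVP_BytesToKey, one iteration: D_i = H(D_{i-1} || password || salt)."""
    stream, block = b"", b""
    while len(stream) < key_len + iv_len:
        block = hashlib.new(md, block + password + salt).digest()
        stream += block
    # The key is cut from the front of the hash stream, the IV follows it.
    return stream[:key_len], stream[key_len:key_len + iv_len]


def derive(blob, password, key_bits):
    """Key and IV for `openssl enc -aes<key_bits> -k <password>` (assumed MD5, CBC)."""
    salt, _ = parse_salted(blob)
    return evp_bytes_to_key(password, salt, key_bits // 8, 16)


# Constructed sample: the salt binwalk reported above, followed by dummy bytes
# standing in for the real ciphertext (which is not reproduced on the page).
SAMPLE = MAGIC + bytes.fromhex("7DD883F026435AB8") + bytes(32)
PASSWORD = b"4Ukz95F2YqPi"

if __name__ == "__main__":
    for bits in (128, 256):
        key, iv = derive(SAMPLE, PASSWORD, bits)
        # Compare the iv value with the "iv =" line printed by `openssl enc -p`.
        print("aes%d key=%s iv=%s" % (bits, key.hex().upper(), iv.hex().upper()))
```

Both key sizes are cut from the same hash stream, so the AES-128 IV is the second half of the AES-256 key, and a wrong cipher guess only surfaces as the padding check failing with "bad decrypt".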

Written on April 4, 2016