🤐Zippy

  • Here, we are given a zip file zippy.zip

  • We can unzip the zip file using unzip

  • We get 54 other zip files, named chunk0.zip - chunk54.zip, and a hint: if you want to find the flag, this hint may be useful: the text files within each zip consist of only "printable" ASCII characters

  • We could try running strings on zippy.zip to find any printable characters

  • Looks like gibberish. No luck there.

  • We can try and open a chunk

  • We see a data.txt file in it

  • When we try to open it, it asks for a password

  • We can use fcrackzip or john to try and brute-force the password, but with no luck

  • Then I noticed that the data.txt in every chunk zip is exactly 4 bytes, i.e. 32 bits

  • This got me thinking about CRC32

    • Zip files store a CRC32 value for each member: the checksum of the plaintext contents (even if the member is encrypted). If the file is short enough (around 4 bytes, because CRC32 is 32 bits), you can recover the content of the encrypted file from that checksum without the password.

  • There is a good script by kmyk which can extract the contents using CRC32. You can find the GitHub repo here

  • Cloning the script from GitHub

  • We can run it for all the chunks at once by using python3 zip-crc-cracker/crack.py chunk*

  • We can get the data from the chunks

  • Seems like base64

  • We need to join all the data to get a string

  • For that we need to copy it into a file ascii.txt. You can use any text editor. I am using Sublime

  • Save it

  • Now we need to extract only the base64 part and join them.

  • Here is the one-liner for that

  • sed -e 's!chunk!!' : removes the word chunk from all the lines so that we can sort them properly

  • sort -n : sorts them numerically

  • sed -n "s/^.*'\(.*\)'.*$/\1/ p" : extracts only the content within the single quotes

  • tr -d '\n' : joins all the text into a single line

  • After running the one-liner we get UEsDBBQDAQAAAJFy1kgWujyNLwAAACMAAAAIAAAAZmxhZy50eHT/xhoeSnjMRLuArw2FXUAIWn8UQblChs4AF1dAnT4nB5hs2SkR4fTfZZRB56Bp/FBLAQI/AxQDAQAAAJFy1kgWujyNLwAAACMAAAAIAAAAAAAAAAAAIIC0gQAAAABmbGFnLnR4dFBLBQYAAAAAAQABADYAAABVAAAAAAA=

  • Base64 decoding it and saving it to a file flag.txt

  • When we run the file command on flag.txt, we see that it is a zip file

  • Renaming the file to flag.zip and trying to unzip it.

  • We are again asked for a password

  • We can use john this time to crack it.

  • First, we need to extract the zip hash and save it to hash.txt using zip2john

  • Now we can run john with hash.txt

  • We get the password as z1P

  • Using this we can unzip flag.zip and we get flag.txt

  • Reading it will give us the flag
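
The CRC32 step above (4-byte data.txt members whose plaintext CRC32 sits in the zip headers), as an added example that is not part of the original write-up and is not kmyk's script: for a member of exactly 4 bytes the CRC32 can be inverted directly instead of searched. The chunk archives here are constructed in memory and unencrypted (Python's zipfile cannot write encrypted entries); the code reads only the size and CRC header fields, which stay readable when a member is encrypted. All function names are this example's own.

```python
import io
import zipfile

POLY = 0xEDB88320  # reflected CRC-32 polynomial used by ZIP and zlib

def table_entry(c):
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    return c

TABLE = [table_entry(i) for i in range(256)]
# The top byte of every table entry is unique, so it identifies the entry.
BY_TOP_BYTE = {t >> 24: i for i, t in enumerate(TABLE)}

def invert_crc32_4(crc):
    """Return the unique 4-byte message whose CRC-32 equals crc."""
    state = crc ^ 0xFFFFFFFF              # undo the final XOR
    indices = []
    for _ in range(4):                    # backwards: recover the table indices
        idx = BY_TOP_BYTE[state >> 24]
        indices.append(idx)
        state = ((state ^ TABLE[idx]) << 8) & 0xFFFFFFFF
    state, out = 0xFFFFFFFF, bytearray()
    for idx in reversed(indices):         # forwards from the known initial value
        out.append(idx ^ (state & 0xFF))
        state = TABLE[idx] ^ (state >> 8)
    return bytes(out)

def recover_from_zip(zip_bytes, member="data.txt"):
    """Use only header metadata (no password needed) to recover the member."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        info = zf.getinfo(member)
    if info.file_size != 4:
        raise ValueError("direct inversion only applies to 4-byte members")
    return invert_crc32_4(info.CRC)

def make_chunk(data):
    """Constructed stand-in for one chunkN.zip (unencrypted, same CRC field)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("data.txt", data)
    return buf.getvalue()

def demo():
    secret = b"Y29uc3RydWN0ZWQ="          # constructed sample, not challenge data
    chunks = [make_chunk(secret[i:i + 4]) for i in range(0, len(secret), 4)]
    return b"".join(recover_from_zip(c) for c in chunks)  # chunks kept in order
```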
