
Zippy


Last updated 2 years ago

  • Here, we are given a zip file zippy.zip

  • We can unzip the zip file using unzip

  • We get 54 other zip files, named chunk0.zip - chunk54.zip, and a hint: if you want to find the flag, this hint may be useful: the text files within each zip consist of only "printable" ASCII characters

  • We could try running strings on zippy.zip to find any printable characters

  • Looks like gibberish. No luck there.

  • We can try and open a chunk

  • We see a data.txt file in it

  • When we try to open it, it asks for a password

  • We can use fcrackzip or john to try to brute-force the password, but with no luck

  • Then I noticed that the data.txt in every chunk zip is exactly 4 bytes, i.e. 32 bits

  • This got me thinking about CRC32

    • Zip files store a CRC32 value for each entry: the checksum of the entry's plaintext contents, even if they are encrypted. If the file is short enough (around 4 bytes, because CRC32 is 32 bits), you can recover the content of the encrypted entry without the password.

  • Cloning the script from GitHub

  • We can run it for all the chunks at once by using python3 zip-crc-cracker/crack.py chunk*

  • We can get the data from the chunks

  • Seems like base64

  • We need to join all the data to get a string

  • For that, we need to copy it into a file ascii.txt. You can use any text editor. I am using Sublime.

  • Save it

  • Now we need to extract only the base64 part and join them.

  • Here is the one-liner for that

sed -e 's!chunk!!' ascii.txt | sort -n | sed -n "s/^.*'\(.*\)'.*$/\1/ p" | tr -d '\n' 
  • sed -e 's!chunk!!' : removes the word chunk from all the lines so that we can sort them properly

  • sort -n : sorts them numerically

  • sed -n "s/^.*'\(.*\)'.*$/\1/ p" : extracts only the content within the single quotes

  • tr -d '\n' : joins all the text into a single line

  • After running the one-liner we get UEsDBBQDAQAAAJFy1kgWujyNLwAAACMAAAAIAAAAZmxhZy50eHT/xhoeSnjMRLuArw2FXUAIWn8UQblChs4AF1dAnT4nB5hs2SkR4fTfZZRB56Bp/FBLAQI/AxQDAQAAAJFy1kgWujyNLwAAACMAAAAIAAAAAAAAAAAAIIC0gQAAAABmbGFnLnR4dFBLBQYAAAAAAQABADYAAABVAAAAAAA=

  • Base64 decoding it and saving it to a file flag.txt

echo "UEsDBBQDAQAAAJFy1kgWujyNLwAAACMAAAAIAAAAZmxhZy50eHT/xhoeSnjMRLuArw2FXUAIWn8UQblChs4AF1dAnT4nB5hs2SkR4fTfZZRB56Bp/FBLAQI/AxQDAQAAAJFy1kgWujyNLwAAACMAAAAIAAAAAAAAAAAAIIC0gQAAAABmbGFnLnR4dFBLBQYAAAAAAQABADYAAABVAAAAAAA=" | base64 -d > flag.txt 
  • When we run file command on flag.txt, we see that it is a zip file

  • Renaming the file to flag.zip and trying to unzip it.

  • We are again asked for a password

  • We can use john this time to crack it.

  • First, we need to extract the zip hash and save it to hash.txt using zip2john

  • Now we can run john with hash.txt

  • We get the password as z1P

  • Using this we can unzip flag.zip and we get flag.txt

  • Reading it will give us the flag

There is a good script by kmyk which can extract the contents using CRC32. You can find the GitHub repo here.
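
The CRC32 leak used above, as an added example that is neither the kmyk script nor code from the original writeup: for a file of exactly 4 bytes the CRC-32 can be inverted directly rather than brute-forced, because 4-byte strings and 32-bit CRCs map one-to-one. This goes a step beyond the page by using table inversion; recover4, leaked_text and make_sample are hypothetical names, and the sample archives are constructed and unencrypted, since only the CRC and size fields in the headers are read.

```python
import base64, io, re, zipfile

# Standard reflected CRC-32 table (polynomial 0xEDB88320), as used by ZIP.
TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    TABLE.append(c)
# The top bytes of the table entries are unique, so each identifies one index.
TOP = {v >> 24: i for i, v in enumerate(TABLE)}

def recover4(crc):
    """Return the only 4-byte string whose CRC-32 equals crc."""
    state, idxs = crc ^ 0xFFFFFFFF, []
    for _ in range(4):                      # walk the CRC register backwards
        i = TOP[state >> 24]
        idxs.append(i)
        state = ((state ^ TABLE[i]) << 8) & 0xFFFFFFFF
    state, out = 0xFFFFFFFF, bytearray()
    for i in reversed(idxs):                # replay forwards from the init value
        out.append(i ^ (state & 0xFF))
        state = TABLE[i] ^ (state >> 8)
    return bytes(out)

def leaked_text(archives):
    """archives: {name: zip bytes}. Reads header metadata only, never a password."""
    parts = {}
    for name, blob in archives.items():
        info = zipfile.ZipFile(io.BytesIO(blob)).getinfo("data.txt")
        if info.file_size != 4:
            raise ValueError(f"{name}: direct inversion needs exactly 4 bytes")
        parts[int(re.search(r"\d+", name).group())] = recover4(info.CRC)
    return b"".join(parts[k] for k in sorted(parts))   # numeric order, like sort -n

def make_sample(payload):
    """Constructed sample: chunkN.zip archives holding 4 base64 characters each."""
    b64, out = base64.b64encode(payload), {}
    for n in range(0, len(b64), 4):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr("data.txt", b64[n:n + 4])
        out[f"chunk{n // 4}.zip"] = buf.getvalue()
    return out

if __name__ == "__main__":
    joined = leaked_text(make_sample(b"PK\x03\x04 constructed demo payload"))
    print(joined, base64.b64decode(joined))
```

For anyone producing archives, the point is that traditional zip encryption leaves each entry's plaintext CRC-32 and size readable, so short secrets split one per file are exposed; WinZip AES in AE-2 mode stores a zero CRC instead.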