ASIS CTF Quals 2015: Zrypt

This is a write-up for the Zrypt forensics challenge, which was worth 200 points.

As in the previous challenge, we are given an XZ compressed pcap file.

$ file zrypt_6a370fc7e33aa5f6a44a2be4999c4966 
zrypt_6a370fc7e33aa5f6a44a2be4999c4966: XZ compressed data
$ unxz < zrypt_6a370fc7e33aa5f6a44a2be4999c4966 > zrypt
$ file zrypt
zrypt: pcap-ng capture file - version 1.0

Opening the pcap file with Wireshark shows a bunch of files being uploaded (these turned out to be decoys) and several zip files being transmitted from the server.

Let’s extract all the files and save them to disk by going to File – Export Objects – HTTP – Save All.

All the zip files are password protected.

Inspecting the files inside each one we notice that:

  • VuwPO9eM contains a file named flag.txt

  • Although it’s not obvious because of the names, the zip files appear to be organized in some sort of cascade. It’s useful to sort them by size to visualize this. The smallest zip contains flag.txt and another file, which is 90.9 kB in size. The next zip contains two files, one that is 90.9 kB (the same one as in the previous zip) and a 202.7 kB file. The third zip contains a 202.7 kB file (the same one as in the previous zip) and a larger file. And so on.

It’s impractical to brute-force the passwords, so there must be some other way. Some googling pointed to the known plaintext attack on the PKZIP stream cipher (the Biham–Kocher attack).

The idea is that if you happen to have a plaintext version of any of the files inside an encrypted zip, you can recover the 96-bit internal state of the cipher (three 32-bit keys derived from the password), which suffices to decrypt every entry in the archive without ever learning the password. For example: you create an encrypted zip containing 1.jpg, 2.jpg, and 3.jpg, and forget the password later on. If you manage to find a plaintext copy of any of the images, you’ll be able to recover the keys and decrypt the rest. Only a small amount of known plaintext is needed (more makes the attack faster). Keep in mind that this attack works only if the archive uses the traditional zip 2.0 encryption (ZipCrypto), as in this case 🙂. It won’t work against AES encrypted zips.

With this in mind, it’s pretty obvious that in order to decrypt the zip that contains flag.txt (let’s call it zip #1), we first need to decrypt the one that shares some content with it (#2). In order to decrypt #2, we need to crack #3 and get the plaintext version of the content they share. And so it goes.

The biggest zip has to be the starting point. It contains a 1.8 MB file that is shared with the next step in the cascade, and it also contains a 2.7 MB file named 317fc6d41e3d0f79f3e9c470cda48f52a7168c6f. A 40-character hex string like that looks a lot like a SHA-1 digest. I spent several hours digging through the pcap to find a file that matched this checksum with no luck at all.

However, googling the checksum points to a malware sample that is available for download here.

We now have the same file in plaintext and inside the encrypted zip, so we can proceed with the known plaintext attack using the pkcrack tool that implements it.

$ extract xnCub4eW 317fc6d41e3d0f79f3e9c470cda48f52a7168c6f
$ ls -l 317fc6d41e3d0f79f3e9c470cda48f52a7168c6f 
-rw-r--r-- 1 root root 2725466 May 11 12:00 317fc6d41e3d0f79f3e9c470cda48f52a7168c6f
$ ls -l plaintext 
-rw-r--r-- 1 root root 2725454 May 11 11:59 plaintext

The encrypted file should be exactly 12 bytes larger than the plaintext version: zip 2.0 encryption prepends a 12-byte encryption header to each entry's data before encrypting it. Note that pkcrack compares the compressed streams, so if the entry was deflated rather than stored, the plaintext has to be compressed with the same tool and settings (and pulled out again with extract) before the sizes will line up this way.

After a few seconds the keys will be printed and pkcrack will attempt to bruteforce the password. We don’t really care about the password, since the keys are sufficient to decrypt the zip file.

$ pkcrack -c 317fc6d41e3d0f79f3e9c470cda48f52a7168c6f -p plaintext
Ta-daaaaa! key0=70a8cda4, key1=547222ce, key2=4c7d562e
Probabilistic test succeeded for 35479 bytes.

We can decrypt the contents with the zipdecrypt tool shipped with pkcrack.

$ zipdecrypt 70a8cda4 547222ce 4c7d562e xnCub4eW
Decrypting 317fc6d41e3d0f79f3e9c470cda48f52a7168c6f (ed5e829f7f1c27cbb62e5458)… OK!
Decrypting 2VT&Wb!XJ0dzG7JyvyH-II#J (15b6960191cbc71256147d67)… OK!

Now we have a plaintext version (2VT&Wb!XJ0dzG7JyvyH-II#J) of the encrypted file named cohaxOTDL4Iy4sK7DWFU6Mw6 in the next zip file (E0frzRAi). If we continue doing this one by one, we’ll finally be able to decrypt the contents of the last zip, which contains the flag.

$ cat flag.txt 
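To make the "keys are sufficient" point concrete, here is an added example (not part of the original write-up, and not pkcrack's code) implementing the PKZIP 2.0 stream cipher that pkcrack and zipdecrypt work against. It shows that the password is only used to derive the (key0, key1, key2) state, that the 12-byte encryption header accounts for the size difference seen above, and that the state alone decrypts an entry, which is what `zipdecrypt key0 key1 key2 archive` does. A tiny ZIP writer is included so the output is cross-checked against Python's own zipfile module. The password, file contents and the fixed 11-byte header prefix are constructed (real PKZIP uses random bytes there), and the entry is stored rather than deflated.

```python
import io
import struct
import zipfile
import zlib

# Standard CRC-32 table (reflected polynomial 0xEDB88320), as used by PKZIP.
_CRC_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _crc32_update(crc: int, byte: int) -> int:
    return _CRC_TABLE[(crc ^ byte) & 0xFF] ^ (crc >> 8)


class ZipCrypto:
    """PKZIP 2.0 (ZipCrypto) stream cipher; the secret is the (key0, key1, key2) triple."""

    def __init__(self, keys=(0x12345678, 0x23456789, 0x34567890)):
        self.key0, self.key1, self.key2 = keys

    @classmethod
    def from_password(cls, password: bytes) -> "ZipCrypto":
        z = cls()                      # key schedule: absorb password into initial state
        for c in password:
            z._update_keys(c)
        return z

    @property
    def keys(self):
        return (self.key0, self.key1, self.key2)

    def _update_keys(self, plain_byte: int) -> None:
        self.key0 = _crc32_update(self.key0, plain_byte)
        self.key1 = (self.key1 + (self.key0 & 0xFF)) & 0xFFFFFFFF
        self.key1 = (self.key1 * 134775813 + 1) & 0xFFFFFFFF
        self.key2 = _crc32_update(self.key2, self.key1 >> 24)

    def _stream_byte(self) -> int:
        t = (self.key2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            out.append(p ^ self._stream_byte())
            self._update_keys(p)       # the state is driven by the plaintext bytes
        return bytes(out)

    def decrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for c in data:
            p = c ^ self._stream_byte()
            self._update_keys(p)
            out.append(p)
        return bytes(out)


def encrypt_entry(plaintext: bytes, password: bytes, crc: int, prefix11: bytes) -> bytes:
    """12-byte header (11 random bytes, here a constructed prefix, plus the CRC high byte
    used as a quick password check) followed by the data, all encrypted."""
    assert len(prefix11) == 11
    header = prefix11 + bytes([(crc >> 24) & 0xFF])
    return ZipCrypto.from_password(password).encrypt(header + plaintext)


def decrypt_with_keys(keys, encrypted_entry: bytes) -> bytes:
    """What zipdecrypt does: no password, only the recovered state."""
    return ZipCrypto(keys).decrypt(encrypted_entry)[12:]


def build_encrypted_zip(name: bytes, plaintext: bytes, password: bytes, prefix11: bytes) -> bytes:
    """One-entry ZIP, method 0 (stored), general-purpose flag bit 0 (encrypted)."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    body = encrypt_entry(plaintext, password, crc, prefix11)
    lfh = struct.pack("<4sHHHHHIIIHH", b"PK\x03\x04", 20, 1, 0, 0, 0,
                      crc, len(body), len(plaintext), len(name), 0) + name
    cd = struct.pack("<4sHHHHHHIIIHHHHHII", b"PK\x01\x02", 20, 20, 1, 0, 0, 0,
                     crc, len(body), len(plaintext), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<4sHHHHIIH", b"PK\x05\x06", 0, 0, 1, 1,
                       len(cd), len(lfh) + len(body), 0)
    return lfh + body + cd + eocd


def demo():
    plaintext = b"ASIS{constructed-example-flag}\n"   # constructed sample data
    password = b"hunter2"                              # constructed password
    prefix11 = bytes(range(11))                        # fixed instead of os.urandom(11)
    archive = build_encrypted_zip(b"flag.txt", plaintext, password, prefix11)

    # 1. zipfile accepts the archive with the password, so the cipher above is the real one.
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        via_password = zf.read("flag.txt", pwd=password)
        entry_size = zf.getinfo("flag.txt").compress_size

    # 2. Take the state pkcrack would print and decrypt without the password.
    keys = ZipCrypto.from_password(password).keys
    body_offset = 30 + len(b"flag.txt")                # skip the local file header
    via_keys = decrypt_with_keys(keys, archive[body_offset:body_offset + entry_size])
    return via_password, via_keys, entry_size - len(plaintext), keys


if __name__ == "__main__":
    p, k, delta, keys = demo()
    print("key0=%08x key1=%08x key2=%08x" % keys)
    print("entry is %d bytes longer than the plaintext" % delta)
    print("via password:", p)
    print("via keys:    ", k)
```

Because the keystream depends only on the three keys and on the plaintext bytes already processed, anyone holding the post-password state can decrypt every entry of the archive, which is why pkcrack does not need to find the password at all.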
