Category: Misc Description:
Some basics of Cryptography and git. Detailed description in the files.
Description on the zip file for the challenge material contain the following long description:
P_g_G_i_P_t
===========
A DarkArmy newbie pulled out some files from an old vulnerable machine
that belonged to the great sage "karma".
He grabbed the following info:
PGP Fingerprint:
5071 62CE 550A 9B5D
Signature File:
a.sig
Find the first part of flag using above info and 10k.tar.zst
Password format for the prrotected git1.1.7z archive:
<(6-digit-number-from-10k.tar.zst)_(first-3-char/num-of-the-public-key)>
Note:
Password is free of any angle brackets and parantheses,
those are for explaination purpose only.
Do remember the _ it's in the password.
So, this step should be pretty easy but due to several hickups I got stuck on this a bit more time than necessary.
I found that the author uploaded the public key to the PGP public server: https://keys.openpgp.org
Using the fingerprint (5071 62CE 550A 9B5D) I was able to find it: https://keys.openpgp.org/search?q=5071+62CE+550A+9B5D
Problem #1 - this PGP key server stripes out the author ID, and due to that the key cannot be imported (I spent a bit trying to fix this but eventually I moved on to try finding it somehow).
I found that the key was also published to the mit one: https://pgp.mit.edu/pks/lookup?op=get&search=0x507162CE550A9B5D
With this I saved the public key to a file and imported the key manually:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: SKS 1.1.6
Comment: Hostname: pgp.mit.edu
mI0EX2isUAEEAMrhmSxi09RxVL0QT8N7HF/1/u7E7Zb6IRJBYrJCBtbbD86tenJb1BNwbcDs
pp6NTZs+lqx0/Qh2V87LQIiJLhs9FH3yP9NhamFCD3jDPAsoUIqbaEr6ExJrVCnI3LN1wWq5
OAlkLkiMckfcSV1Mv/QVoHc14m7BdhkyAH7gDsChABEBAAG0M2Rhcmthcm15J3MgUG90YXRv
UEMgKGZvciBDVEYpIDxwb3RhdG9AZGFya2FybXkueHl6PojUBBMBCAA+FiEEU0zAZCaKVjhX
ojJ0UHFizlUKm10FAl9orFACGwMFCQAbr4AFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ
UHFizlUKm13IFAQAk1ruyHNKkb6VPDqXxdElDFBC/dQzm4XU+cLzfOUVmAlqhHj6bg31/Xy9
v90OyUSVPYrCFxsEQHu+2NDy+jZ4fbPSTihOTvFkJyBY+xS7nPCVVH6Itl0sQdmxYa1H4h14
j6VnW3s5qgXDvUPoOr70DNbcAwMpqATtcSJAFX8NzxK4jQRfaKxQAQQAvaGroaPvLM/QiMzY
0XZk5pT+vRvaHr+4STkh1wEo/BErzJx3HhWXNjYh/Y7MJMzMl76R9sXvMOc4mW0vVd0yl3M/
vPxLVo/GOqFbGM7fvYu+Hi17bRtl1zKsoIi45WAil4tiA9ku1zjmuq20YbmrUXJZk5eOWOVa
floCdvVeko0AEQEAAYi8BBgBCAAmFiEEU0zAZCaKVjhXojJ0UHFizlUKm10FAl9orFACGwwF
CQAbr4AACgkQUHFizlUKm13kUQQAkl/YbupM23RHAhbYDRTNJsI/OdPjp6vUUgZS9uSXahV3
EoxHaNGwnTGpmrXZi54P6SUiVfxWJHsM5Lp6dLR1x3gZNqNEbo+tK0sl0A7iyzh7dGOEwrZF
ho0Pvggzb8JCHfZx5ZHxjMgg9e0S14n+eADWxHx2x5WllT5F64wmeZg=
=QPzO
-----END PGP PUBLIC KEY BLOCK-----
We found part of the password for the next level, (first 3 chars of the pub key), so we now know this from the password:
xxxxxxx_mI0(where x are still not known).
Looking at the 10k.tar.zst file this looks a different compression tool zstd, after installing it and decompress the file using zstd -d 10k.tar.zst I got a 10k.tar file, decompressed with tar -xvf 10k.tar showed finally a folder 10k with literally 10k text files inside, each one with a 7 char text (except the last one :) ).
To proceed forward the idea is to find the key that allows for the following gpgp command to succeed gpg --output a --decrypt a.sig
At this point I went rogue and decided to take a shortcut, the idea of the challenge was to validate the decryption key using one of the key files (provided on the challenge) BUT ... there are 10K files and I was not able to quickly find the command lines of gpg to accept the password file on a single command line, so this was causing me issues to script the execution.
What I did instead (as the time was running short) was the following:
- all the files in the 10K folder contained exactly 7 chars, and we also know that because the password is 7 chars
- coded a quick py script to create a dictionary of all values inside the files (you can probably see where this is going now)
- created the hash of the 7z file using (7z2hashcat.pl)
- hashcat buteforce the 7z file
- validate the actual found password was validating the pgp key (just to use the proper expected tools for this challenge)
Dictionary code:
yourpath = './P_g_G_i_P_t/10k'
import os
with open('./dic.txt', 'w') as dic:
for root, dirs, files in os.walk(yourpath, topdown=True):
files.sort()
for name in files:
#print(os.path.join(root, name))
with open(os.path.join(root, name), 'r') as f1:
str = '{}_mI0\n'.format(f1.readline())
dic.write(str)Generate the 7z Hash:
Creating the dictionary:
Putting it all together and running hashcat:
And in few seconds I got the password 2766951_mI0.
Now, before I moved on I just wanted to confirm the previous gpg command was indeed correct, so I need to find on which file is this password 2766951.
File 1235, let's validate the previous gpg command then:
So, right no we have the password to decrypt the next phase of the challenge.
Decompressing the git repo using the found password 2766951_mI0 showed a git repo:
I took also a considerable amount of time on this part of the challenge as I was looking to git branch and git checkout and git log trying to make some sense out of the history and determine on which branch was the damn file ... turns out I was on a rabbits hole.
Once I read a bit more about git I found git reflog, and something very odd was presented:
which was not consistent with :
It turns out that there was a deleted branch, and that was why I couldn't find it on the git log and branch/checkout party.
From this reflog I can issue a straight git checkout 40a3658 and then, we get our flag:
