Description
RU (translated): Everybody loves keeping passwords in txt files, right? But our test subject went much further! He started storing information classified “TOP SECRET” in them! Prove to him that this is not secure.
EN: Everybody likes to store passwords in txt files? And our guinea pig has gone much further! He has begun to store the information under a signature stamp “TOP SECRET” in them! Prove to him that it isn’t secure.
Solution
After extracting the ZIP archive we were given, I looked at its contents:
    root@kali:~/h4ck1tctf/China/solve# ls
    __MACOSX  test.rtf
There is an .rtf file. Considering that the title of this challenge is RTFspy, there must be something in this file.
First, of course, I tried to open it in the regular way, but none of the programs I tried could open the file.
Clearly, the file is not meant to be looked at in the normal way. Therefore, let’s look at the first part of the file manually (it was quite a big file, hence the '-c 1000'):
    root@kali:~/h4ck1tctf/China/solve# head -c 1000 test.rtf
    {
    {\colortbl ;\red255\green255\blue255;}
    \cf1
    \'00\'89\'50\'4e\'47\'0d\'0a\'1a\'0a\'00\'00\'00\'0d\'49\'48\'44\'52\'00\'00\'00\'ef\'00\'00\'01\'87\'08\'06\'00\'00\'00\'58\'a0\'05\'3a\'00\'00\'00\'09\'70\'48\'59\'73\'00\'00\'0b\'13\'00\'00\'0b\'13\'01\'00\'9a\'9c\'18\'00\'00\'0a\'4f\'69\'43\'43\'50\'50\'68\'6f\'74\'6f\'73\'68\'6f\'70\'20\'49\'43\'43\'20\'70\'72\'6f\'66\'69\'6c\'65\'00\'00\'78\'da\'9d\'53\'67\'54\'53\'e9\'16\'3d\'f7\'de\'f4\'42\'4b\'88\'80\'94\'4b\'6f\'52\'15\'08\'20\'52\'42\'8b\'80\'14\'91\'26\'2a\'21\'09\'10\'4a\'88\'21\'a1\'d9\'15\'51\'c1\'11\'45\'45\'04\'1b\'c8\'a0\'88\'03\'8e\'8e\'80\'8c\'15\'51\'2c\'0c\'8a\'0a\'d8\'07\'e4\'21\'a2\'8e\'83\'a3\'88\'8a\'ca\'fb\'e1\'7b\'a3\'6b\'d6\'bc\'f7\'e6\'cd\'fe\'b5\'d7\'3e\'e7\'ac\'f3\'9d\'b3\'cf\'07\'c0\'08\'0c\'96\'48\'33\'51\'35\'80\'0c\'a9\'42\'1e\'11\'e0\'83\'c7\'c4\'c6\'e1\'e4\'2e\'40\'81\'0a\'24\'70\'00\'10\'08\'b3\'64\'21\'73\'fd\'23\'01\'00\'f8\'7e\'3c\'3c\'2b\'22\'c0\'07\'be\'00\'01\'78\'d3\'0b\'08\'00\'c0\'4d\'9b\'c0\'
In the output above, the body of the file consists of pairs of hexadecimal digits, each prefixed by the symbols \ and '. This looks pretty hexadecimal to me. I therefore stripped out the parts that are not hexadecimal (the first 3 lines) and the last character (}). While I could have done that in bash too, I chose to do it manually. I saved the output to a file called hexstuff.rtf.
Now, I still have to strip the \ and ' symbols to be able to decode the hex values back into raw bytes. To do that, I cat the hexstuff.rtf file, pipe it to sed to strip out the \ symbol, then pipe it to sed again to strip out the ' symbol. That output is piped to xxd, which converts it from hex to raw bytes, and then written to a file called hexdump.txt.
    root@kali:~/h4ck1tctf/China/solve# cat hexstuff.rtf | sed -e 's/\\//g' | sed -e "s/'//g" | xxd -r -p > hexdump.txt
A quick look at the output, hexdump.txt, showed that the content was not entirely human-readable. Therefore, let’s look at the file using the command hexdump.
    root@kali:~/h4ck1tctf/China/solve# hexdump -C hexdump
    [ left out first part, kept only last part ]
    0000c9c0  13 00 10 00 5f 5f 4d 41  43 4f 53 58 2f 2e 5f 66  |....__MACOSX/._f|
    0000c9d0  6c 61 67 2e 74 78 74 55  58 0c 00 c3 84 7b 57 25  |lag.txtUX....{W%|
    0000c9e0  84 7b 57 f6 01 14 00 63  60 15 63 67 60 62 60 f0  |.{W....c`.cg`b`.|
    0000c9f0  4d 4c 56 f0 0f 56 88 50  80 02 90 18 03 27 10 1b  |MLV..V.P.....'..|
    0000ca00  01 71 25 10 83 f8 ab 19  88 02 8e 21 21 41 50 26  |.q%........!!AP&|
    0000ca10  48 c7 1c 20 e6 47 53 c2  88 10 17 4f ce cf d5 4b  |H.. .GS....O...K|
    0000ca20  2c 28 c8 49 d5 0b 49 ad  28 71 cd 4b ce 4f c9 cc  |,(.I..I.(q.K.O..|
    0000ca30  4b 07 4a 96 96 a4 e9 5a  58 1b 1a 9b 18 19 9a 5b  |K.J....ZX......[|
    0000ca40  5a 98 00 00 50 4b 07 08  70 1a 8d c0 5d 00 00 00  |Z...PK..p...]...|
    0000ca50  ab 00 00 00 50 4b 01 02  15 03 14 00 08 00 08 00  |....PK..........|
    0000ca60  f9 66 e5 48 80 0b 60 09  1e 00 00 00 1c 00 00 00  |.f.H..`.........|
    0000ca70  08 00 0c 00 00 00 00 00  00 00 00 40 a4 81 00 00  |...........@....|
    0000ca80  00 00 66 6c 61 67 2e 74  78 74 55 58 08 00 c3 84  |..flag.txtUX....|
    0000ca90  7b 57 25 84 7b 57 50 4b  01 02 15 03 0a 00 00 00  |{W%.{WPK........|
    0000caa0  00 00 57 67 e5 48 00 00  00 00 00 00 00 00 00 00  |..Wg.H..........|
    0000cab0  00 00 09 00 0c 00 00 00  00 00 00 00 00 40 fd 41  |.............@.A|
    0000cac0  64 00 00 00 5f 5f 4d 41  43 4f 53 58 2f 55 58 08  |d...__MACOSX/UX.|
    0000cad0  00 d5 84 7b 57 d5 84 7b  57 50 4b 01 02 15 03 14  |...{W..{WPK.....|
    0000cae0  00 08 00 08 00 f9 66 e5  48 70 1a 8d c0 5d 00 00  |......f.Hp...]..|
    0000caf0  00 ab 00 00 00 13 00 0c  00 00 00 00 00 00 00 00  |................|
    0000cb00  40 a4 81 9b 00 00 00 5f  5f 4d 41 43 4f 53 58 2f  |@......__MACOSX/|
    0000cb10  2e 5f 66 6c 61 67 2e 74  78 74 55 58 08 00 c3 84  |._flag.txtUX....|
    0000cb20  7b 57 25 84 7b 57 50 4b  05 06 00 00 00 00 03 00  |{W%.{WPK........|
    0000cb30  03 00 d2 00 00 00 49 01  00 00 00 00              |......I.....|
    0000cb3c
The dump clearly references a file called flag.txt. Let’s carve hexdump.txt to see if it can be extracted:
    root@kali:~/h4ck1tctf/China/solve# foremost hexdump.txt
    Processing: hexdump
    |foundat=flag.txtUX
    *|
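The decoding step (sed + xxd) and the carving step (foremost) above, as an added example that is not code from the original writeup: a Python script that parses the RTF \'xx escapes straight into bytes, locates the embedded ZIP by its local-header and end-of-central-directory signatures, and reads flag.txt out of it. The sample RTF is constructed inline with a placeholder flag; the function names are my own.

```python
import io
import re
import zipfile

# RTF encodes arbitrary bytes as \'xx; control words such as \colortbl or \cf1
# never take this form, so they are ignored without any manual trimming.
HEX_ESCAPE = re.compile(rb"\\'([0-9a-fA-F]{2})")
LOCAL_FILE_HEADER = b"PK\x03\x04"   # start of the first ZIP entry
END_OF_CENTRAL_DIR = b"PK\x05\x06"  # EOCD record, 22 bytes plus comment


def rtf_escapes_to_bytes(rtf):
    """Recover the raw bytes from every \\'xx escape, in document order.
    Same result as the writeup's sed + `xxd -r -p` pipeline."""
    return bytes(int(h, 16) for h in HEX_ESCAPE.findall(rtf))


def carve_zip(blob):
    """Return the first embedded ZIP (local header through EOCD) or None.
    Searching rather than assuming offset 0 matters: the challenge blob
    starts with a stray 0x00 byte and a PNG before the archive."""
    start = blob.find(LOCAL_FILE_HEADER)
    if start < 0:
        return None
    eocd = blob.find(END_OF_CENTRAL_DIR, start)
    if eocd < 0:
        return None
    comment_len = int.from_bytes(blob[eocd + 20:eocd + 22], "little")
    return blob[start:eocd + 22 + comment_len]


def extract_flag_txt(rtf):
    """RTF -> bytes -> carved ZIP -> text of flag.txt (None if nothing found)."""
    archive = carve_zip(rtf_escapes_to_bytes(rtf))
    if archive is None:
        return None
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read("flag.txt").decode()


def build_sample_rtf(flag):
    """Constructed input: a ZIP holding flag.txt, hex-escaped into an RTF body
    behind the same colortbl/cf1 preamble and leading 0x00 as the challenge."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("flag.txt", flag)
    body = b"".join(b"\\'%02x" % b for b in b"\x00" + buf.getvalue())
    return b"{\n{\\colortbl ;\\red255\\green255\\blue255;}\n\\cf1\n" + body + b"}"


if __name__ == "__main__":
    print(extract_flag_txt(build_sample_rtf("h4ck1t{placeholder_flag}")))
```

The same carving approach generalises to any container that the RTF hides: the PNG foremost found starts with the \'89\'50\'4e\'47 bytes visible in the head output.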
Cool! Let’s look at the contents of the ./output directory foremost created for us:
    root@kali:~/h4ck1tctf/China/solve# cd output
    root@kali:~/h4ck1tctf/China/solve/output# ls
    audit.txt  png  zip
My first guess was to look in the zip directory.
    root@kali:~/h4ck1tctf/China/solve/output# cd zip
    root@kali:~/h4ck1tctf/China/solve/output/zip# ls
    00000100.zip
Unpack the ZIP archive:
    root@kali:~/h4ck1tctf/China/solve/output/zip# unzip 00000100.zip
    Archive:  00000100.zip
      inflating: flag.txt
       creating: __MACOSX/
      inflating: __MACOSX/._flag.txt
Alright, so let’s have a look now:
    root@kali:~/h4ck1tctf/China/solve/output/zip# ls
    00000100.zip  flag.txt  __MACOSX
…and look at the contents of flag.txt:
    root@kali:~/h4ck1tctf/China/solve/output/zip# cat flag.txt
    h4ck1t{rtf_d0cs_4r3_awesome}
That’s it, the flag is h4ck1t{rtf_d0cs_4r3_awesome}.