Solution to Programming Question 3 of HackIM at NullCon 2017

s-nirali/nullcon-2017-hackim-prog3

Programming Question 3 - HackIM NullCon 2017

The given file has been archived repeatedly, in various formats. This can be found by successively running the UNIX 'file' command on it and unarchiving it according to the archive type that 'file' reports.

After manually running 'file' and the matching unarchive command a few times, I made a list of all the archive types used, as follows: LZMA, XZ, gzip, ZPAQ, lzip, POSIX tar, bzip2 compressed data, NuFile, Zip, ARJ, 7-zip and Zoo.

A few of them could be unarchived using existing archival commands in UNIX. The tools for some others, such as XZ, ZPAQ, lzip, Zoo, 7-zip and ARJ, could be installed using 'brew'. The following single brew install was capable of unarchiving Zip, ARJ, 7-zip and Zoo:

brew install unar

The NuFile archival format needed installation of 'nulib2' and 'nufxlib' which can be downloaded and installed from here: http://www.nulib.com/

Then I wrote the following Python code to unarchive successively based on file type until an unarchived file was obtained, after 254 iterations.

Python Code

The final file obtained was an ASCII text file, which looked like this:

total 120
drwx------ 2 root     root     28672 Dec 23 21:01 apt-dpkg-install-kKBLWj
-rw-r--r-- 1 root     root     71259 Dec 23 19:50 apt-fast.list
-rw-r--r-- 1 root     root         0 Dec 23 19:50 apt-fast.lock
-rw-r--r-- 1 root     root         0 Dec 23 21:03 secr
drwx------ 3 root     root      4096 Dec 23 19:30 systemd-private-20af98806288452f91376e836938dc35-colord.service-hbUpEj
drwx------ 3 root     flag      4096 Dec 23 19:30 63336C756448746861486C35634442684C565A686353467566513D3D

Found flag string 63336C756448746861486C35634442684C565A686353467566513D3D.

This was not the flag, so I tried hex-decoding the string, which gave the following string that looked like it was base-64 encoded: c3ludHthaHl5cDBhLVZhcSFufQ==

Base-64 decoding the above string gave synt{ahyyp0a-Vaq!n}. This looked like the cipher text for the flag. On inspection, I predicted that the first 4 letters could be 'flag' and the substring 'ahyyp0a' could be 'nullc0n'. It was a Caesar cipher with shift=13. Hence, the plain text and flag was:

✨✨flag{nullc0n-Ind!a}✨✨
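
The decoding chain described above, as an added Python example (not the repository's own code): it peels the hex and base64 layers, then derives the Caesar shift from the guessed prefix 'flag' instead of hard-coding 13. The function names and the `crib` parameter are assumptions made for this example.

```python
import base64
import string

# Directory name from the listing above (value taken from the page).
TOKEN = "63336C756448746861486C35634442684C565A686353467566513D3D"

# Hex is tried first: a hex string is also made of valid base64 characters.
DECODERS = (
    ("hex", bytes.fromhex),
    ("base64", lambda s: base64.b64decode(s, validate=True)),
)

def peel_encodings(token):
    """Strip hex/base64 layers for as long as the result is printable ASCII."""
    layers, progressed = [], True
    while progressed:
        progressed = False
        for name, decode in DECODERS:
            try:
                text = decode(token).decode("ascii")
            except ValueError:  # bad hex, bad base64 or non-ASCII bytes
                continue
            if text and text.isprintable():
                token, progressed = text, True
                layers.append(name)
                break
    return token, layers

def shift_from_crib(ciphertext, crib):
    """Caesar shift mapping the ciphertext prefix onto the crib, or None."""
    shifts = {(ord(p) - ord(c)) % 26 for c, p in zip(ciphertext, crib)}
    return shifts.pop() if len(shifts) == 1 else None

def caesar(text, shift):
    """Rotate ASCII letters by shift, keeping case; other characters pass through."""
    out = []
    for ch in text:
        for alphabet in (string.ascii_lowercase, string.ascii_uppercase):
            if ch in alphabet:
                ch = alphabet[(alphabet.index(ch) + shift) % 26]
                break
        out.append(ch)
    return "".join(out)

def solve(token, crib="flag"):
    ciphertext, layers = peel_encodings(token)
    shift = shift_from_crib(ciphertext, crib)
    plaintext = caesar(ciphertext, shift) if shift is not None else None
    return layers, shift, plaintext
```

`solve(TOKEN)` returns the layers it removed, the recovered shift and the plaintext; if the crib does not fit a single shift, the plaintext is `None`.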
