write-ups-challenges-2023-2024/russianGOST/SOLUTION.md
2023-11-28 16:24:59 +01:00

## Difficulty
Medium
## Category
Steganography
## How To Solve
When trying to unzip the `targetspec.zip`, you are asked to enter the password. Since you don't know the password at this moment, and brute force will take way too long, you should look into another file first.
At first glance, you might want to just translate the `intercepted.txt` file. However, you will notice that the translation is nonsense, because these words aren't correct Russian words. If you look carefully, you might see that the last character is capitalized. A capital letter may indicate the beginning of a sentence, but it is never used at the end of a word. The punctuation placement is also abnormal. From this we can conclude that we need to reverse all the characters to make sense of the text. Use the `rev` command.
```
> rev intercepted.txt
Удостоверьтесь, что название этого гребаного целевого города не утекло. Иностранцы никогда не должны иметь доступ к целевым спецификациям блять. Я также удалил парольную фразу с изображения кузнечика, потому что все время ее забываю
```
This can be translated into:
```
Make sure the name of the ******* target city doesn't get leaked. Foreigners should never have access to target specifications ****. I also removed the passphrase from the grasshopper image because I keep forgetting it
```
From this you can deduce that the password of the `targetspec.zip` archive might have something to do with the target city. If you now look into the `information.txt` file, you see that the target city is unknown, but the name of the exact location is known! Look up this location on the internet, and you will find the name of the city: `Pennsylvania`. With this password, you can unzip `targetspec.zip`.
When listing the files in the decompressed folder with a simple `ls`, you can see 6 images of the target location. However, there is 1 other image hidden in the folder. Use `ls -a` to show hidden files. The `.grasshopper.jpg` should now be listed. This is a picture of the target person. This image contains some hidden information. Use the `steghide` tool to reveal that information:
```
> steghide extract -sf .grasshopper.jpg
Enter passphrase:
wrote extracted data to "realname".
```
The `realname` file will contain the following text:
```
Настоящее имя цели зашифровано в картинке парковки, начиная с байта 1807996.
```
This translates to:
```
The real name of the target is encrypted in the parking picture, starting from byte 1807996.
```
To look for the encrypted bytes in the parking picture, use the following command:
```
> hexdump -s 1807996 -n 100 -C target_parking.jpg
001b967c 36 65 65 31 39 64 34 61 63 37 31 64 35 63 62 38 |6ee19d4ac71d5cb8|
001b968c 31 35 32 31 64 36 61 33 34 63 65 30 62 36 61 63 |1521d6a34ce0b6ac|
001b969c 31 36 35 38 37 36 31 63 64 64 64 34 36 35 36 64 |1658761cddd4656d|
001b96ac 35 64 37 33 64 32 63 33 66 31 62 38 33 38 64 31 |5d73d2c3f1b838d1|
001b96bc a8 a1 99 d3 7a 89 84 7e 43 97 47 c8 e3 8f dc d3 |....z..~C.G.....|
001b96cc 3e ca 24 ef fc 88 e3 fb 28 18 9e 34 94 6c 41 32 |>.$.....(..4.lA2|
001b96dc a6 d4 09 90 |....|
001b96e0
```
You're almost there! You can see a sequence of hexadecimal characters (`6ee19d4ac71d5cb81521d6a34ce0b6ac1658761cddd4656d5d73d2c3f1b838d1`), which together form an encrypted version of the flag. To determine which encryption algorithm has been used (and thus how decryption needs to be done), go back to the `information.txt` file. Important items in this file are the operation name `G(H)OST` and the code name of the targeted person, `grasshopper`. If you look up `GOST` and `grasshopper`, you might already find the algorithm you need. The translation of `grasshopper` in Russian is `Кузнечик`, which is the original name of the encryption algorithm. GOST is the name of the standard of the Russian Federation in which this algorithm was defined. Using [CyberChef](https://gchq.github.io/CyberChef/#recipe=GOST_Decrypt(%7B'option':'Hex','string':''%7D,%7B'option':'Hex','string':''%7D,'Hex','Raw','GOST%20R%2034.12%20(Kuznyechik,%202015)','64','E-TEST','ECB','NO','NO')&input=NmVlMTlkNGFjNzFkNWNiODE1MjFkNmEzNGNlMGI2YWMxNjU4NzYxY2RkZDQ2NTZkNWQ3M2QyYzNmMWI4MzhkMQ), you can decrypt the code to get the flag, containing the name of the targeted victim.
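The carving step can also be scripted. The Python below is an added example, not part of the original write-up: it decodes the ASCII-hex run at a known offset into 16-byte Kuznyechik blocks, and goes one step further by locating such runs when the offset is not known. The function names and the small sample buffer are constructed for illustration; only the hex string comes from the hexdump above.

```python
import re

BLOCK = 16  # Kuznyechik (GOST R 34.12-2015) works on 128-bit blocks
HEX = rb"[0-9a-fA-F]"

def _decode(run: bytes) -> list:
    """Trim an ASCII-hex run to whole cipher blocks and split it."""
    # Binary data after the run can start with a byte that looks like hex,
    # so keep only the leading multiple of 32 characters (16 bytes).
    usable = len(run) - len(run) % (2 * BLOCK)
    if usable == 0:
        raise ValueError("run is shorter than one cipher block")
    raw = bytes.fromhex(run[:usable].decode("ascii"))
    return [raw[i:i + BLOCK] for i in range(0, len(raw), BLOCK)]

def carve_hex_at(data: bytes, offset: int) -> list:
    """Blocks of the hex run starting exactly at `offset` (the hexdump -s step)."""
    m = re.compile(HEX + b"+").match(data, offset)
    if m is None:
        raise ValueError(f"no ASCII hex at offset {offset}")
    return _decode(m.group())

def find_hex_runs(data: bytes) -> list:
    """(offset, blocks) for every run of at least one block of ASCII hex."""
    pattern = re.compile(HEX + b"{%d,}" % (2 * BLOCK))
    return [(m.start(), _decode(m.group())) for m in pattern.finditer(data)]

# Constructed sample: JPEG-like bytes with the write-up's hex string at offset 68.
CT_HEX = b"6ee19d4ac71d5cb81521d6a34ce0b6ac1658761cddd4656d5d73d2c3f1b838d1"
SAMPLE = (b"\xff\xd8\xff\xe0" + bytes(range(0x80, 0xC0))
          + CT_HEX + b"\xa8\xa1\x99\xd3\xff\xd9")
SAMPLE_OFFSET = 68

if __name__ == "__main__":
    for offset, blocks in find_hex_runs(SAMPLE):
        print(offset, [b.hex() for b in blocks])
```

Against the real file, read `target_parking.jpg` in binary mode and call `carve_hex_at(data, 1807996)`; the two resulting blocks are the input to the GOST decryption step.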
## Flag
`IGCTF{Oleksiy_Shevchenko}`