Gift from Russia

Sang Nila Utama received a fishy gift from the Russian Empire; however, something isn't right.

We were given a file named flag, with no file extension. As always, we ran the file command to find out what type of file it is.

As it turns out, it is a bzip2 file! Afterwards, we ran the binwalk command to check whether there is any embedded data within the file.

finding out what type of file

Knowing that it is a bzip2 file, we proceeded to extract it, and we received another file, named flag.out 😲 (Ignore flag_break.sh for now.)

extracted flag file

We used the cat command to take a peek at what flag.out contains. At first, we didn't know what we were seeing 🤔

Soon, we realised that we were looking at ASCII text. We confirmed it by running the file command on flag.out!

ASCII text

We pasted the ASCII text into CyberChef to decode it and, interestingly, the result tells us that it is a PKZIP archive encoded in Base64 🤔

After Googling around, we figured out how to decode a Base64-encoded file back to a binary file. We renamed flag.out to flag.B64 and decoded it.

base64 encoded to binary file

After decoding the Base64 file to binary, we ran the file command and found out that it is now a Zip file! 😲 Things have just started to get really interesting at this point.

zip file?!

We proceeded to unzip new_flag_file and we saw another bzip2 file again!

unzip
bzip2 file

At this point we realised that this could be one of those challenges where you have to keep unzipping/decoding many times until you get the flag. A good example would be this CTF challenge here.

In other words, the Gift from Russia challenge is a compressed file nested inside many more compressed files. Inception much? Recursive much? 🤯


Important: take note of this portion, as this is the part where we decided to structure the script in a specific way.

What did we do?

Before we move forward, we noticed that the file starts off as a bzip2 file, which decompresses to Base64 text, which decodes to a Zip archive (file reports the decoded data as a Zip archive because PK Zip and Zip are the same format: the PK bytes are the Zip magic number), and that archive in turn unzips to another bzip2 file. So one cycle looks like this:

  • Bzip2 -> Base64 -> Zip (PKZIP) -> Bzip2 -> ...

We made a shell script that checks whether the file is bzip2, PK Zip or gzip by its magic bytes, decompresses it with the matching tool (falling back to Base64 decoding when no magic bytes match), and lastly hex dumps the content of the result. (What is a hex dump?)

In short;

  1. Check for file type

  2. Unzip based on the file type

    • Otherwise, treat the file as Base64-encoded text.

  3. Hex dump the content of the file

  4. Loop the whole process

How did we do it?

  1. Check for file type

    • We used file signatures to verify the type of file. Another name for file signatures is magic numbers/bytes.

    • The list of file signatures can be found here.

      • BZIP File Signature

        • 42 5a (ASCII "BZ")

      • PK Zip File Signature

        • 50 4b 03 04 (ASCII "PK" followed by 03 04)

      • GZ Zip File Signature

        • 1f 8b

  2. Decompress/Unzip the files

    • BZIP File

      • bzip2 -dvcf flag_script (-d decompress, -v verbose, -c write to stdout, so redirect the output to a file, -f overwrite)

    • PK Zip File

      • unzip flag_script

    • GZ zip

      • gzip -dk ./flag_script.gz

    • Encoded Base64

      • base64 -d flag_script

  3. Hex dump the content of the file

    • After every decompression of a layer, we would dump its header to dump_bak.txt, a temporary text file.

    • The reason we did this is that the flag is stored in the file header in hex.

  4. Loop the process

    • This part was mostly trial and error. We didn't know how many times to loop, so we started off with max = 100 and did not get anything of interest.

    • We incremented it by 100 at a time, up to 1000 loops, and then we found something out of the ordinary!
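Putting the four steps together, here is an added example of the unwrapping loop in Python. It is not the authors' flag_break.sh (which the page does not show): it classifies each layer by the magic bytes listed above, falls back to Base64 only when the data actually looks like Base64 text, peels one layer, and stops as soon as the STANDCON22{...} flag pattern (taken from this page, and assumed here as the stop condition) appears, with an explicit upper bound on iterations in place of the trial-and-error max. The nested input is constructed inside the script (three rounds of zip -> Base64 -> bzip2 around a quoted flag); all function and variable names are my own.

```python
"""Peel a recursively wrapped CTF file, layer by layer (added example)."""
import base64
import bz2
import gzip
import io
import re
import zipfile

# Magic bytes from the writeup: bzip2 ("BZ"), PKZIP local file header, gzip.
MAGIC = {"bzip2": b"BZ", "zip": b"PK\x03\x04", "gzip": b"\x1f\x8b"}
# What the base64 CLI emits: the Base64 alphabet, '=' padding and line breaks.
B64_RE = re.compile(rb"^[A-Za-z0-9+/=\r\n]+$")
# Stop condition: the flag format of this CTF (assumed from the page).
FLAG_RE = re.compile(rb"STANDCON22\{[^}]*\}")


def detect(data):
    """Classify a blob by magic bytes; anything else is assumed to be Base64 text."""
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "base64"


def unwrap_once(data, kind):
    """Remove one layer of the given kind; raises if the layer is malformed."""
    if kind == "bzip2":
        return bz2.decompress(data)
    if kind == "gzip":
        return gzip.decompress(data)
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = [n for n in zf.namelist() if not n.endswith("/")]
            if len(members) != 1:
                raise ValueError(f"expected exactly one member, got {members}")
            return zf.read(members[0])
    # Base64 fallback: refuse to "decode" binary junk into more binary junk.
    if not B64_RE.match(data):
        raise ValueError("neither a known archive nor Base64 text")
    return base64.b64decode(b"".join(data.split()), validate=True)


def unwrap(data, max_layers=1000):
    """Peel layers until the flag shows up. Returns (flag, kinds peeled, final bytes)."""
    layers = []
    for _ in range(max_layers):
        hit = FLAG_RE.search(data)
        if hit:
            return hit.group(0).decode(), layers, data
        kind = detect(data)
        try:
            data = unwrap_once(data, kind)
        except (OSError, EOFError, ValueError, zipfile.BadZipFile) as exc:
            raise ValueError(f"layer {len(layers)} ({kind}): {exc}") from exc
        layers.append(kind)
    raise ValueError(f"no flag after {max_layers} layers")


def hexdump(data, width=16):
    """Render bytes like `hexdump -C`, the view in which the flag was spotted."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hexpart:<{width * 3 - 1}}  |{text}|")
    return "\n".join(lines)


def wrap_once(data, kind):
    """Add one layer (used only to build the constructed sample)."""
    if kind == "bzip2":
        return bz2.compress(data)
    if kind == "gzip":
        return gzip.compress(data)
    if kind == "zip":
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr("flag", data)
        return buf.getvalue()
    return base64.encodebytes(data)  # 76-column lines, like `base64` output


def build_sample(payload, rounds):
    """Constructed input: each round wraps zip -> Base64 -> bzip2 from the inside,
    so peeling from the outside sees bzip2 -> Base64 -> zip, as in the writeup."""
    data = payload
    for _ in range(rounds):
        for kind in ("zip", "base64", "bzip2"):
            data = wrap_once(data, kind)
    return data


if __name__ == "__main__":
    sample = build_sample(b'"STANDCON22{D0LL_F0R_SANGNILA_UTAMA}"\n', rounds=3)
    flag, layers, final = unwrap(sample)
    print(f"peeled {len(layers)} layers: {' -> '.join(layers)}")
    print(hexdump(final))
    print("flag:", flag)
```

Two details are worth copying into a shell version. The strict Base64 check is what lets the loop stop cleanly: without it, the fallback branch would happily "decode" the innermost plaintext into garbage and keep looping until the iteration cap. And checking for the flag before peeling each layer means the cap only has to be large enough, not exact, which removes the 100-at-a-time guessing described above.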

HEX TEXT!!

Towards the end of the dump, we saw this hex text, and we were curious. We took the hex text and threw it into CyberChef.

53 54 41 4E 44 43 4F 4E 32 32 7B 44 30 4C 4C 5F 46 30 52 5F 53 41 4E 47 4E 49 4C 41 5F 55 54 41 4D 41 7D 22

Et voilà! To our surprise, it is the flag!! (The trailing 22 is just a closing double quote, not part of the flag.)

flag!

Flag: STANDCON22{D0LL_F0R_SANGNILA_UTAMA}

Script

Challenge Files (27 MB download)
