Gift from Russia

Sang Nila Utama received a fishy gift from the Russian Empire; however, something isn't right.

We were given a file named flag with no file extension. As always, we ran the file command to find out what type of file it is.

As it turns out, it is a bzip2 file! Afterwards, we ran the binwalk command to check whether there was any embedded data within the file.

[Screenshot: finding out what type of file]
file flag
binwalk flag

Knowing that it is a bzip2 file, we proceeded to extract it and received another file, named flag.out 😲 (Ignore flag_break.sh for now.)

[Screenshot: extracted flag file]
bzip2 -d flag

We used the cat command to take a peek at what flag.out contains. At first, we didn't know what we were seeing 🤔

Soon, we realised that we were looking at ASCII text. We confirmed it by running the file command on flag.out!

[Screenshot: ASCII text]

We used CyberChef to decode the ASCII text and, interestingly, the result tells us that it is a PKZIP archive under Base64 🤔

After Googling around, we figured out how to decode a Base64 encoded file back to a binary file. We renamed flag.out to flag.b64 and decoded it.

[Screenshot: Base64 encoded to binary file]
base64 -d flag.b64 > new_flag_file

After decoding the Base64 encoded file to a binary file, we ran the file command and found that it is now a Zip file! 😲 Things have just started to get really interesting at this point.

[Screenshot: zip file?!]

We proceeded to unzip new_flag_file and saw yet another BZIP2 file!

[Screenshots: unzip; bzip2 file]

At this point we realised that this could be one of those challenges where you have to keep unzipping/decoding many times until you get the flag. A good example would be this CTF challenge here.

In other words, the Gift from Russia challenge is a zip file inside multiple zip files. Inception much? Recursive much? 🤯

Important: Take note of this portion, as it is the part that determined how we structured the script.

What did we do?

Before we move forward, note the order of the layers: the file starts off as a BZIP2 file, then an encoded Base64 file, then decoded Base64 (PK Zip), and finally a ZIP file, before going back to Bzip2.

  • Bzip2 -> Encoded Base64 -> PK Zip -> Zip -> Bzip2

We made a shell script that checks whether the file is a Bzip2/Zip/PK Zip, unzips it based on the file type, and lastly hex dumps the content of the file. (What is Hex Dump?)

In short:

  1. Check for file type

  2. Unzip based on the file type

    • Else, treat the file as an encoded Base64 file.

  3. Hex dump the content of the file

  4. Loop the whole process

How did we do it?

  1. Check for file type

    • We used file signatures to verify the type of file. Another name for file signatures is magic numbers/bytes.

    • The list of file signatures can be found here.

      • BZIP File Signature

        • 42 5a

      • PK Zip File Signature

        • 50 4b 03 04

      • GZ Zip File Signature

        • 1f 8b

  2. Decompress/Unzip the files

    • BZIP File

      • bzip2 -dvcf flag_script

    • PK Zip File

      • unzip flag_script

    • GZ zip

      • gzip -dk ./flag_script.gz

    • Encoded Base64

      • base64 -d flag_script

  3. Hex dump the content of the file

    • After every decompression, we dump the header of the current file to dump_bak.txt, a temporary text file.

    • We do this because the flag is stored in the file header in hex.

  4. Loop the process

    • This part was mostly trial and error. We didn't know how many times to loop, so we started off with max = 100 and did not get anything of interest.

    • We incremented it by 100 along the way, up to 1000 loops, and then found something out of the ordinary!

HEX TEXTS!!

Towards the end of the dump, we saw this hex text and were curious. We took the hex text and threw it into CyberChef.

53 54 41 4E 44 43 4F 4E 32 32 7B 44 30 4C 4C 5F 46 30 52 5F 53 41 4E 47 4E 49 4C 41 5F 55 54 41 4D 41 7D 22

Et voilà! To our surprise, it is the flag!!

[Screenshot: flag!]

Flag: STANDCON22{D0LL_F0R_SANGNILA_UTAMA}

Script

#!/bin/sh
# Recursive unwrapper. Expects the challenge file to be copied to ./flag_script
# in the current directory. Each pass identifies the current layer by its magic
# bytes, strips it into flag_script_temp, appends the first 128 bytes of the
# layer to dump_bak.txt, and then swaps flag_script_temp in as the next layer.
max=1000
for i in $(seq 1 "$max")
do
        # first four bytes as "xx xx xx xx", e.g. "42 5a 68 39" for bzip2
        magicN=$(hexdump -n 4 -e '4/1 "%02x " "\n"' flag_script)
        echo "$i"
        if echo "$magicN" | grep -Fqw '42 5a'; then
                printf 'BZIP Found!!\n'
                bzip2 -dvcf flag_script > flag_script_temp
        elif echo "$magicN" | grep -Fqw '50 4b 03 04'; then
                printf 'PK zip Found!!\n'
                unzip flag_script                # the archive's single member is named "flag"
                mv ./flag ./flag_script_temp
        elif echo "$magicN" | grep -Fqw '1f 8b'; then
                printf 'GZ zip Found!!\n'
                mv ./flag_script ./flag_script.gz
                gzip -dk ./flag_script.gz       # -k keeps the .gz; output lands in ./flag_script
                mv ./flag_script ./flag_script_temp
                mv ./flag_script.gz ./flag_script
        else
                printf 'else base64\n'          # no known signature: treat the layer as Base64 text
                base64 -d flag_script > flag_script_temp
        fi
        echo "decode done"
        hd -n 128 flag_script >> dump_bak.txt   # header dump; the flag eventually shows up here
        printf '\n\n---NEXT FILE---\n\n' >> dump_bak.txt
        rm ./flag_script
        mv ./flag_script_temp ./flag_script
        echo "replace done"
done
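The same magic-byte dispatch and unwrap loop, written here as an added Python example rather than the authors' script: it uses the standard library (bz2, gzip, zipfile, base64) instead of shelling out, stops as soon as the STANDCON22{...} pattern appears in a layer, and builds its own nested sample input, so the challenge file is not needed. The flag value and the "flag" member name inside the zip are constructed placeholders.

```python
import base64, bz2, gzip, io, re, zipfile

# Signatures from the write-up's table: 42 5a (bzip2), 50 4b 03 04 (PK zip), 1f 8b (gzip)
MAGIC = {b"BZ": "bzip2", b"PK\x03\x04": "zip", b"\x1f\x8b": "gzip"}
FLAG_RE = re.compile(rb"STANDCON22\{[^}]*\}")  # flag format seen on the page

def detect(blob):
    """Classify by magic bytes; anything else is assumed to be Base64 text (the script's else branch)."""
    for sig, name in MAGIC.items():
        if blob.startswith(sig):
            return name
    return "base64"

def unwrap_once(blob):
    """Strip one layer and return (kind, inner_bytes); raises if the layer does not decode."""
    kind = detect(blob)
    if kind == "bzip2":
        return kind, bz2.decompress(blob)
    if kind == "gzip":
        return kind, gzip.decompress(blob)
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return kind, zf.read(zf.namelist()[0])  # single member, like the script's ./flag
    return kind, base64.b64decode(blob)

def peel(blob, max_layers=1000):
    """Unwrap until the flag pattern appears or a layer fails; returns (layers_removed, flag_or_None)."""
    for layer in range(max_layers):
        hit = FLAG_RE.search(blob)
        if hit:
            return layer, hit.group(0).decode()
        try:
            _, blob = unwrap_once(blob)
        except (OSError, ValueError, EOFError, zipfile.BadZipFile):
            return layer, None  # garbage layer: stop instead of looping on noise
    return max_layers, None

def build_sample(rounds=3):
    """Constructed input (not the challenge file): a placeholder flag wrapped in the page's layer order."""
    blob = b'"STANDCON22{EXAMPLE_FLAG}"\n'
    for _ in range(rounds):
        blob = gzip.compress(blob)
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("flag", blob)
        blob = bz2.compress(base64.b64encode(buf.getvalue()))  # bzip2 over Base64 over zip over gzip
    return blob

if __name__ == "__main__":
    print(peel(build_sample()))  # (12, 'STANDCON22{EXAMPLE_FLAG}')
```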

Challenge Files
