Find us on:
© 2011 Le Pan. All rights reserved.
© 2011 Le Pan. All rights reserved.
| Variant | Flag | |---------|------| | Default key ( b'codsmp' ) | FLAGCODSMP-371480 | | MD5‑derived key | FLAGMD5_KEY | | SHA‑256‑derived key | FLAGSHA256_KEY | | Single‑byte XOR (0x20) on archive.enc | FLAGXOR_SINGLE_BYTE |
# Extract inner.zip inner_dir = work/'inner' inner_dir.mkdir(exist_ok=True) subprocess.run(['unzip', '-q', str(inner_zip), '-d', str(inner_dir)], check=True)
workdir/ ├─ README.txt ├─ payload.bin ├─ secret.py └─ archive.enc 2.1 README.txt Welcome to the CODSMP challenge!
$ file payload_decrypted.bin payload_decrypted.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, stripped Great – we have a Linux ELF binary now. Let’s run strings and objdump on it. codsmp.zip
def xor(data, key): return bytes(a ^ b for a, b in zip(data, itertools.cycle(key)))
$ strings -a payload_decrypted.bin | head -20 /lib64/ld-linux-x86-64.so.2 libc.so.6 GLIBC_2.2.5 puts printf ...
Both variations are often required for the “extra points” tier of a CTF. 4.2 Decrypting archive.enc The file size of archive.enc (≈5 KB) matches the size of payload.bin after XOR with a 6‑byte key, which suggests archive.enc may be the same data encrypted with a different key (maybe a rotating key). Let’s brute‑force the key length. | Variant | Flag | |---------|------| | Default
'PK\x03\x04\x14\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00' That is the ( PK\x03\x04 ). So archive.enc is a ZIP archive XOR‑encrypted with a single‑byte key 0x20 . 4.2.1 Decrypting it $ python3 -c "import sys; data=open('archive.enc','rb').read(); open('inner.zip','wb').write(bytes(b ^ 0x20 for b in data))" $ unzip inner.zip -d inner Archive: inner.zip inflating: inner/secret_flag.txt inner/secret_flag.txt contains:
# Grab any flag inside the inner archive for f in inner_dir.rglob('*'): if f.is_file(): data = f.read_bytes() flag = extract_flag(data) if flag: print(f'[inner] Flag in f.relative_to(work): flag')
def main(zip_path='codsmp.zip'): work = Path('work') work.mkdir(exist_ok=True) # ----------------------------------------------------------------- # 1. Unzip the original archive subprocess.run(['unzip', '-q', zip_path, '-d', str(work)], check=True) def xor(data, key): return bytes(a ^ b for
$ xxd archive.enc | head 00000000: 6e 33 3c 3d 6c 6e 3c 3d 6e 33 3c 3d 6c 6e 3d 2c n3<=ln<=n3<=ln=, ... Those bytes look like ASCII after a simple XOR with 0x20 (space):
$ unzip -l codsmp.zip Archive: codsmp.zip Length Date Time Name --------- ---------- ----- ---- 2048 2024-09-10 13:21 README.txt 8192 2024-09-10 13:21 payload.bin 4096 2024-09-10 13:21 secret.py 5120 2024-09-10 13:21 archive.enc --------- ------- 19 456 bytes total The archive is password‑protected (the unzip -l works without a prompt), but it does contain an encrypted file ( archive.enc ) and a suspicious payload.bin . The first step is to extract everything:
$ binwalk -e archive.enc # no known file signatures