In this short write-up I’m going to explain how we solved the Ghost in the Shellcode 2014 “Dogecrypt” game.

The challenge started with a Vim-encrypted file provided by the organization. A quick review showed that the header of the file began with "VimCrypt~01!". Vim documentation reveals that this means the file has been encrypted using the Unix crypt function.

root@eleanor:/home/phr0nak/ctf/gits/dogecrypt# head dogecrypt-b36f587051faafc444417eb10dd47b0f30a52a0b
VimCrypt~01!	~x  ^u=ZfI+}^   0$     ' `  l h 6 ~ +        qLjar   y2Ŗ#; 9'XpMv 8 dC  +     h    [z }"mD4ǀ( :( !    q ^ N; u   B  Q   6 _   5[    :     m;  
 
  ݻ>Cy %   *Ru *O @ t -    Q  p 8 2 _  S 6  
                                           _I* m "    k  p} rLJ   f   L iY o   "؀  rB  # BYt :
 x6 <  2    r _   r w)<u(s %  3 9  5 Z  2FD  L ,   1iqM|    籿 pζ vx dn, [ ~  

After seeing here an approach in Python that automates the decryption using Python's zipfile library, we decided to implement our own quick & dirty code to find the decryption key using a dictionary. Below is the final code that helped us solve the challenge.

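#!/usr/bin/python
# Usage: vimcrypt.py <wordlist> <vim-encrypted file>   (Python 2)

from zipfile import _ZipDecrypter
import sys

# Read the ciphertext once, skipping the 12-byte "VimCrypt~01!" header.
with open(sys.argv[2], 'rb') as fp:
    fp.read(12)
    data = fp.read()

with open(sys.argv[1], "r") as f:
    for line in f:
        key = line.rstrip()
        if not key:
            continue  # skip blank lines instead of stopping at the first one
        # Every key produces some output: print each candidate together with
        # its decryption so the results can be filtered afterwards.
        zd = _ZipDecrypter(key)
        print "The password is: " + key
        print ''.join(zd(c) for c in data)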

With our simple program ready, we tested it using the american-english-small dictionary provided by Debian's wamerican-small package.

Please note that we ended up using this dictionary because of the hint given by the organization, which was "Solveable in < 5m. Much attack very wamerican-small".

root@eleanor:/home/phr0nak/ctf/gits/dogecrypt# python vimcrypt.py /usr/share/dict/american-english-small dogecrypt-b36f587051faafc444417eb10dd47b0f30a52a0b >> results.txt

The decryption key used to encrypt the Vim file and the flag of the challenge were:

root@eleanor:/home/phr0nak/ctf/gits/dogecrypt# strings results.txt | grep -B1 "key is"
The password is: parliament
The key is: ShibeSuchDictionaryAttacksWow

Finally, the decrypted content of the file was:

The key is: ShibeSuchDictionaryAttacksWow

                                  wow

                                                        very much ctf

                                                                      most key

                            such flag

                                         so much shellcode


                                                        wow

As can be seen in the previous command output, the decryption key was parliament and the flag of this challenge was ShibeSuchDictionaryAttacksWow.
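
A VimCrypt~01! file stores nothing that confirms a key, so every candidate produces some output, which is why the script above prints everything and relies on grep. The following Python 3 code is an added example, not the author's script: it reimplements the PKZIP stream cipher that `_ZipDecrypter` provides and accepts a candidate only when the result is mostly printable. The names `PkzipStream`, `printable_ratio` and `find_key`, the 0.95 threshold and the in-memory sample file are assumptions made for illustration.

```python
import zlib

MAGIC = b"VimCrypt~01!"  # header Vim writes for its PkZip-compatible method

class PkzipStream:
    """Traditional PKZIP stream cipher; the state is three 32-bit keys."""
    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    @staticmethod
    def _crc(crc: int, b: int) -> int:
        # One raw CRC-32 step; zlib.crc32 inverts on entry and exit, so undo both.
        return zlib.crc32(bytes([b]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

    def _update(self, plain: int) -> None:
        self.k0 = self._crc(self.k0, plain)
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = self._crc(self.k2, self.k1 >> 24)

    def _crypt(self, data: bytes, decrypting: bool) -> bytes:
        out = bytearray()
        for b in data:
            t = self.k2 | 2
            x = b ^ (((t * (t ^ 1)) >> 8) & 0xFF)
            self._update(x if decrypting else b)  # keys always absorb plaintext
            out.append(x)
        return bytes(out)

    def decrypt(self, data: bytes) -> bytes:
        return self._crypt(data, True)

    def encrypt(self, data: bytes) -> bytes:
        return self._crypt(data, False)

def printable_ratio(data: bytes) -> float:
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data) if data else 0.0

def find_key(blob: bytes, words, threshold: float = 0.95):
    """Return (word, plaintext) for the first candidate that yields text, else None."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a VimCrypt~01! file")
    body = blob[len(MAGIC):]  # ciphertext follows the 12-byte header directly
    for w in words:
        plain = PkzipStream(w).decrypt(body)
        if printable_ratio(plain) >= threshold:
            return w, plain
    return None

# Constructed sample: a file built in memory, not the challenge file.
SAMPLE = MAGIC + PkzipStream(b"kettle").encrypt(b"constructed sample text\nsecond line of the note\n")
```

The same absence of a key check is what makes a word from a small dictionary recoverable in minutes: the only cost per guess is one pass of this cipher over the file.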


