In this short write-up I'm going to explain how we solved the Ghost in the Shellcode 2014 "Dogecrypt" challenge.
The challenge started with a Vim-encrypted file provided by the organizers. After a quick look we saw that the file began with the header "VimCrypt~01!". The Vim documentation reveals that this means the file has been encrypted using the Unix crypt function.
root@eleanor:/home/phr0nak/ctf/gits/dogecrypt# head dogecrypt-b36f587051faafc444417eb10dd47b0f30a52a0b
VimCrypt~01!<... binary ciphertext omitted ...>
After seeing an existing Python approach that automated the decryption with Python's zipfile library, we decided to implement our own quick & dirty code to find the decryption key using a dictionary. Below is the final code that helped us solve the challenge.

#!/usr/bin/python
# Usage: vimcrypt.py <wordlist> <VimCrypt~01! file>
# Tries every word of the list as the password and dumps the decrypted
# content for each one; the right key is picked out afterwards with strings/grep.
from zipfile import _ZipDecrypter
import os, sys

f = open(sys.argv[1], "r")
key = f.readline().rstrip()
while key != "":
    try:
        fp = open(sys.argv[2], 'rb')
        zd = _ZipDecrypter(key)
        fp.read(12)  # skip the 12-byte "VimCrypt~01!" header, the PKZIP stream follows it
        print "The password is: " + key
        print ''.join(zd(c) for c in fp.read())
    except:
        pass
    finally:
        try:
            fp.close()
        except:
            pass
    key = f.readline().rstrip()
f.close()
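As an added example (not the write-up's own code), here is a Python 3 version of the same attack that implements the PKZIP stream cipher behind Vim's "zip" method directly instead of relying on the private zipfile._ZipDecrypter helper, and replaces the manual strings | grep step with a printable-text check, so a wrong guess is rejected automatically. The sample file and the mini wordlist are constructed inline; the password and flag values are the ones from this challenge, and the class and function names are my own.

```python
import string

VIM_MAGIC = b"VimCrypt~01!"  # 'cryptmethod=zip' header; the PKZIP stream starts right after it

# Standard CRC-32 lookup table; the PKZIP key schedule steps two of its keys through it.
_CRC_TABLE = []
for _i in range(256):
    for _ in range(8):
        _i = (_i >> 1) ^ 0xEDB88320 if _i & 1 else _i >> 1
    _CRC_TABLE.append(_i)

class PkzipCipher:
    """Traditional PKZIP stream cipher (PKWARE APPNOTE 6.1), which Vim's "zip" method uses."""
    def __init__(self, password):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:  # the key schedule is just the password bytes fed through _update
            self._update(b)
    def _update(self, b):
        self.k0 = (self.k0 >> 8) ^ _CRC_TABLE[(self.k0 ^ b) & 0xFF]
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = (self.k2 >> 8) ^ _CRC_TABLE[(self.k2 ^ (self.k1 >> 24)) & 0xFF]
    def _keystream_byte(self):
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF
    def _crypt(self, data, decrypting):
        out = bytearray()
        for x in data:
            y = x ^ self._keystream_byte()
            self._update(y if decrypting else x)  # state always advances with the plaintext byte
            out.append(y)
        return bytes(out)
    def encrypt(self, data): return self._crypt(data, decrypting=False)
    def decrypt(self, data): return self._crypt(data, decrypting=True)

def dictionary_attack(blob, wordlist):
    """Return (password, plaintext) for the first word whose output is all printable ASCII."""
    if not blob.startswith(VIM_MAGIC):
        raise ValueError("not a VimCrypt~01! file")
    body = blob[len(VIM_MAGIC):]
    for word in wordlist:
        plain = PkzipCipher(word.encode()).decrypt(body)
        if all(chr(b) in string.printable for b in plain):
            return word, plain
    return None

def demo():
    # Constructed sample: the file Vim would write for this text with password "parliament".
    blob = VIM_MAGIC + PkzipCipher(b"parliament").encrypt(b"The key is: ShibeSuchDictionaryAttacksWow\n")
    return dictionary_attack(blob, ["shibe", "doge", "parliament", "wow"])  # constructed mini wordlist
```

Each guess costs one pass over the file and nothing else, which is why a wordlist of a few tens of thousands of entries finishes in seconds; Vim's later blowfish2 method exists precisely because this cipher offers no such protection.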
With our simple program ready, we tested it using the american-english-small dictionary provided by the Debian wamerican-small package.
Note that we settled on this dictionary because of the hint given by the organizers: "Solveable in < 5m. Much attack very wamerican-small".
root@eleanor:/home/phr0nak/ctf/gits/dogecrypt# python vimcrypt.py /usr/share/dict/american-english-small dogecrypt-b36f587051faafc444417eb10dd47b0f30a52a0b >> results.txt
The decryption key used to encrypt the vim file and the flag of the challenge were:
root@eleanor:/home/phr0nak/ctf/gits/dogecrypt# strings results.txt | grep -B1 "key is"
The password is: parliament
The key is: ShibeSuchDictionaryAttacksWow
Finally, the decrypted content of the file was:
The key is: ShibeSuchDictionaryAttacksWow wow very much ctf most key such flag so much shellcode wow
As can be seen in the command output above, the decryption key was parliament and the flag of this challenge was ShibeSuchDictionaryAttacksWow.