[Misc] EncryptCTF - crack-jack

crack-jack 50

Description:
Visuals are Deceptive

So… Visuals are Deceptive… I guess not only the visuals are deceptive :’)
We are publishing this write-up only to show how such an easy problem, that barely has no value compared to the other challenges (50pts), due to the excessive guessing component, can be tricky enough to be only solved by 11 teams out of 696

Let’s get into it.
Firstly, we are presented with this image
Classic image with a bs flag in it. Surely this flag won’t do anything. We could try to use some steganography tools, but since other problems were meant to be solved using them, lets keep them as our last resort.

Let’s binwalk it.

After using binwalk it is possible to see that there is a zip archive inside. Let’s extract everything using binwalk -e to automatically extract known file types that exist inside the flag.png file.

Displaying everything that is inside the folder we see that exists, besides the zip file, a file named flag.txt. No way it is the real flag. cat‘ed and nothing as expected.

Let’s check the zip. unzipwon’t do because it is password protected. What’s inside?

A flag.txt inside the password-protected zip? It must be it. The challenge has crack on its name. Let’s crack it!

Usually it this cases I use zip2john to get hashed passwords out of the zip archives and then brute-force them using john and a common wordlist ( e.g. rockyou.txt )

Oh well…. No password hashes lef to crack and none was cracked… Usually if rockyou doesn’t work it has to be with some sort of information related to the challenge itself…

Hello Guessing Part. Are you there?
What can we try? Hmm… this was my line of thought:
1-FAIL: Metadata? - used exiftool on both the zip file and on the initial flag.png. Nahhhh nothing interesting.

2-FAIL: First Image Text? - well, flag.png has some text, such as “ENCRYPT CTF 2019”, “encryptCTF{N0t__7h@7_345y}”, etc… Did a script to use those strings plus the individual words of each string, etc, etc. Guess what? Nothing…

3-CORRECT: Visuals are Deceiving - “what if the visuals (point 2) of an image are there to just deceive us and behind everything we see isn’t the true reality? earth being round or flat doesn’t mean anything because that’s just our visual perception of it and it’s deceiving the true form of it! Nothing that we see can be trusted” - said the author of this challenges when was creating it while tripping out.
Don’t get me wrong, I’m just kidding and hope you don’t get offended, but this is a clear representation of my initial statement. A supposedly easy challenge that doesn’t value that much (50pts) that deceives us into trying over and over basic stuff and losing a lot of time because if it is easy it should be done quickly and we are not expecting to be trying to lose time guessing random stuff.

Getting back to the solution. Since Visuals are Deceiving. what really matters from that initial flag.png isn’t the image itself but the text of the file. This can be obtained using strings. Getting this text, you can create a wordlist based on it and use it to crack the hash of the zip

Bingo! The password is: G^WBC[WLr3. Let’s unzip and view the content of the flag.txt file.

There you go. That’s how we did it. Hope we don’t get trash guessing challenges like this ever again…

The flag was encryptCTF{C4acK!ng_7h3_Uncr4ck4bl3}