This is a write-up of the Red or Blue challenge from the BSides Canberra 2018 CTF. This challenge was worth 400 points.
Does it end with the blue pill? Is the red pill leading into Wonderland?
The challenge contained the above message, as well as two zip files, red.zip and blue.zip.
When downloading the ZIP files you need to be a bit careful, as one of them results in an infinitely extracting archive on certain platforms (such as macOS), as one of our team members discovered when it filled up his entire free hard drive space. It is always best to download into a sandboxed VM. In this case, we needed the archives intact and unexpanded, so downloading them into Kali Linux was a reliable way to do this.
After the zip files were downloaded, we could see that red.zip contains a single file, red.gz, and that blue.zip is encrypted. It might be possible to crack the ZIP file by brute-forcing the password, but there is a much easier method (with hindsight, we found out that the password is 8 random characters, so it would take a very long time for even a fast computer to crack).
With a bit of research, we discovered that you can look at the contents of a ZIP file even if it is encrypted. The easiest way to see the files was to open them with Kali Linux’s Archive Manager.
Looking at this, we can see that blue.zip contains two files, red.gz and blue.txt. Because the file red.gz is in both the encrypted and unencrypted zip files, and because of the way the encryption works, we can do something called a known plaintext attack.
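To make concrete why the file listing of an encrypted archive is readable without the password, here is a small added example (not code from the write-up) that parses a ZIP central directory by hand. Traditional ZIP encryption only encrypts each entry's data; the central directory, with names, sizes, compression method and the CRC-32 of the unencrypted contents, is stored in the clear, and bit 0 of the general-purpose flags marks an entry as encrypted. The sample archive is constructed with Python's zipfile module, which cannot write encrypted entries, so its flag bit reads 0; on blue.zip the same parser would report encrypted=True and a compressed size 12 bytes larger than the deflated data, because the encryption header is counted in it.

```python
# Hand-rolled ZIP central-directory reader. Added example, not from the write-up.
import io
import struct
import zipfile
import zlib

EOCD_SIG = struct.pack("<I", 0x06054B50)   # End Of Central Directory signature
CDFH_SIG = 0x02014B50                       # Central Directory File Header signature

def list_central_directory(data):
    """Return one dict per entry, read from the (never encrypted) central directory."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a ZIP file: no EOCD record")
    # EOCD layout: total entries at +10, directory size at +12, directory offset at +16
    n_entries, _cd_size, cd_offset = struct.unpack("<HII", data[eocd + 10:eocd + 20])
    entries, pos = [], cd_offset
    for _ in range(n_entries):
        (sig, _made, _need, flags, method, _mtime, _mdate, crc, csize, usize,
         name_len, extra_len, comment_len) = struct.unpack("<IHHHHHHIIIHHH", data[pos:pos + 34])
        if sig != CDFH_SIG:
            raise ValueError("bad central directory header at offset %d" % pos)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8")
        entries.append({
            "name": name,
            "encrypted": bool(flags & 0x1),   # general-purpose flag bit 0: traditional encryption
            "method": method,                 # 0 = stored, 8 = deflate
            "crc32": crc,                     # CRC-32 of the plaintext, stored in the clear
            "compressed_size": csize,         # for encrypted entries this includes the 12-byte header
            "uncompressed_size": usize,
        })
        pos += 46 + name_len + extra_len + comment_len   # fixed part of the header is 46 bytes
    return entries

def crc_matches_candidate(archive, name, candidate_plaintext):
    """The stored CRC lets you confirm a guessed plaintext for an entry without any key."""
    entry = next(e for e in list_central_directory(archive) if e["name"] == name)
    return entry["crc32"] == (zlib.crc32(candidate_plaintext) & 0xFFFFFFFF)

def build_sample_archive():
    """Constructed two-entry archive (unencrypted, since zipfile cannot write encrypted data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("red.gz", b"\x1f\x8b" + b"constructed gzip payload " * 4)
        zf.writestr("blue.txt", b"flag{constructed}\n")
    return buf.getvalue()

if __name__ == "__main__":
    for entry in list_central_directory(build_sample_archive()):
        print(entry)
```

Run it against a real archive by reading the file into bytes and passing them to list_central_directory; the stored CRC is also what lets a tool check a candidate plaintext for an entry before doing any cryptanalysis.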
This would require a lot of effort to do manually; luckily, there is a tool online that can help: pkcrack. See the website for instructions on downloading and compiling the tool.
Once the tool is installed, we had to run the command below. This will use the red.gz file to do a known plaintext attack on red.zip and will output a cracked.zip file.
Important! You must use the original red.zip file, not unzip it and then zip it again. This is because, in order for the known plaintext attack to work, the zip files must be zipped using the same compression software.
pkcrack -C blue.zip -c red.gz -P red.zip -p red.gz -d cracked.zip -a
After running this command (and a long wait), the file cracked.zip was created. Opening this file, we find that we can open blue.txt, which contains the flag.
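As an added illustration of why one known entry unlocks the whole archive (this is example code, not from the write-up or from pkcrack), the block below implements the traditional PKZIP stream cipher (ZipCrypto) and the key-reversal step a known-plaintext attack on it relies on. The expensive part, turning the recovered keystream into the cipher's internal key state, is the Biham-Kocher search that pkcrack spends its time on; it is not implemented here, and the example instead assumes that state is known and takes it from its own encryption routine. What the example does show is that the walk from that state back to the password-derived initial keys needs only ciphertext, so the random 12-byte header in front of each entry is no obstacle, and that the same initial keys then decrypt blue.txt. The "plaintext" that has to match byte for byte is the compressed entry data, which is why the original red.zip must be used rather than a re-zipped copy. The password and both entry contents are constructed sample values.

```python
# ZipCrypto (traditional PKZIP stream cipher) plus the key-reversal step used by a
# known-plaintext attack. Added example: not code from the write-up or from pkcrack.
import os

MULT = 134775813                       # PKZIP key1 multiplier (a linear congruential step)
MULT_INV = pow(MULT, -1, 2**32)        # its multiplicative inverse modulo 2^32 (Python 3.8+)
MASK = 0xFFFFFFFF

def _make_crc_table():
    tab = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        tab.append(c)
    return tab

CRCTAB = _make_crc_table()
# Every table entry has a distinct top byte; that is what makes one CRC step invertible.
CRCTAB_BY_HIGH = {v >> 24: i for i, v in enumerate(CRCTAB)}

def crc_step(crc, b):
    return (crc >> 8) ^ CRCTAB[(crc ^ b) & 0xFF]

def crc_unstep(new_crc, b):
    """Invert crc_step, given the byte that was fed in."""
    idx = CRCTAB_BY_HIGH[new_crc >> 24]
    return (((new_crc ^ CRCTAB[idx]) << 8) | ((idx ^ b) & 0xFF)) & MASK

def keys_from_password(password):
    keys = [0x12345678, 0x23456789, 0x34567890]   # fixed PKZIP initial values
    for b in password:
        update_keys(keys, b)
    return keys

def update_keys(keys, p):
    keys[0] = crc_step(keys[0], p)
    keys[1] = ((keys[1] + (keys[0] & 0xFF)) * MULT + 1) & MASK
    keys[2] = crc_step(keys[2], keys[1] >> 24)

def keystream_byte(keys):
    t = (keys[2] | 2) & 0xFFFF
    return ((t * (t ^ 1)) >> 8) & 0xFF

def encrypt(keys, plaintext):
    """Encrypt one entry; returns (ciphertext, key state after the last byte)."""
    keys = list(keys)
    out = bytearray()
    for p in plaintext:
        out.append(p ^ keystream_byte(keys))
        update_keys(keys, p)               # the state evolves with the *plaintext* byte
    return bytes(out), keys

def decrypt(keys, ciphertext):
    keys = list(keys)
    out = bytearray()
    for c in ciphertext:
        p = c ^ keystream_byte(keys)
        update_keys(keys, p)
        out.append(p)
    return bytes(out)

def reverse_keys(keys_after, ciphertext):
    """Walk from the state after `ciphertext` back to the state before it. Needs no plaintext:
    each step recovers the plaintext byte from the ciphertext and the just-restored key2."""
    keys = list(keys_after)
    for c in reversed(ciphertext):
        keys[2] = crc_unstep(keys[2], keys[1] >> 24)
        p = c ^ keystream_byte(keys)
        k0_low = keys[0] & 0xFF            # low byte of the *updated* key0 that fed the key1 step
        keys[1] = (((keys[1] - 1) * MULT_INV) - k0_low) & MASK
        keys[0] = crc_unstep(keys[0], p)
    return keys

def run_attack(password, known_plaintext, secret_plaintext):
    """Simulate red.zip/blue.zip: two entries encrypted under one password, one of them known."""
    true_keys = keys_from_password(password)
    # Each entry starts with its own random 12-byte header, but from the same initial keys.
    red_ct, state_after_red = encrypt(true_keys, os.urandom(12) + known_plaintext)
    blue_ct, _ = encrypt(true_keys, os.urandom(12) + secret_plaintext)
    # Step 1: known plaintext XOR ciphertext exposes the keystream (header bytes skipped).
    keystream = bytes(c ^ p for c, p in zip(red_ct[12:], known_plaintext))
    # Step 2: the Biham-Kocher search (pkcrack's long wait) turns that keystream into the
    # internal key state. Assumed here: we reuse the state encrypt() left behind.
    recovered_state = state_after_red
    # Step 3: walk back over red's ciphertext, header included, to the password-derived keys.
    recovered_keys = reverse_keys(recovered_state, red_ct)
    # Step 4: the same keys decrypt every other entry, so blue.txt falls without the password.
    decrypted = decrypt(recovered_keys, blue_ct)[12:]
    return {"keystream": keystream, "recovered_keys": recovered_keys,
            "true_keys": true_keys, "decrypted": decrypted}

if __name__ == "__main__":
    result = run_attack(b"s3cr3tpw", b"constructed stand-in for red.gz bytes", b"flag{constructed}\n")
    print("initial keys recovered:", result["recovered_keys"] == result["true_keys"])
    print("blue.txt:", result["decrypted"])
```

The design point worth noticing is in reverse_keys: key2 is restored first, which yields the keystream byte, which yields the plaintext byte, which is exactly what the key0 and key1 inversions need. Nothing in that loop touches the plaintext of the header, so the attacker only has to know the data of one entry, not its encryption header.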
A big thank you to all the organisers of the CTF for this great challenge.