BSides Canberra 2018 CTF Write-Up: Red or Blue

This is a write-up of the Red or Blue challenge from the BSides Canberra 2018 CTF. This challenge was worth 400 points.

Does it end with the blue pill? Is the red pill leading into Wonderland?

The challenge contained the above message, as well as two zip files: red.zip and blue.zip.

The Hack

When downloading the ZIP files you need to be a bit careful: one of them extracts recursively without end on platforms that automatically unpack downloaded archives (such as macOS), as one of our team members discovered when it filled up his entire free disk space. It is always best to download into a sandboxed VM. In this case we needed the archives intact and unexpanded, and downloading them into Kali Linux, which does not auto-extract downloads, was a reliable way to do this.

After the zip files were downloaded, we could see that red.zip contains a single file, red.gz, and that blue.zip is password protected. It might be possible to crack blue.zip by brute forcing the password, but there is a much easier method (with hindsight, we found out that the password is 8 random characters, so brute forcing would take a very long time even on a fast machine).

With a bit of research, we discovered that you can list the contents of a ZIP file even when it is encrypted: traditional ZIP encryption only scrambles each file's data, while the central directory (file names, compressed and uncompressed sizes, CRC-32 checksums and compression method) is stored in the clear. The easiest way to see the files was to open them with Kali Linux's Archive Manager; unzip -l shows the same information from the command line.

Red and Blue zip files opened in Archive Manager

Looking at this, we can see that blue.zip contains two files, red.gz and blue.txt. Because red.gz appears in both the encrypted and the unencrypted archive, and because of how traditional ZIP encryption (ZipCrypto) works, we can do something called a known plaintext attack. ZipCrypto is a weak byte-wise stream cipher whose entire state is three 32-bit keys derived from the password; Biham and Kocher showed in 1994 that a small amount of known plaintext (a few dozen bytes) is enough to recover those keys, and since every file in the archive is encrypted from the same initial keys, recovering them decrypts everything.
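To make "the way the encryption works" concrete, here is ZipCrypto (the traditional PKWARE cipher) in pure Python, written for this write-up as an added illustration; it is not the write-up's code and not pkcrack. The password (a constructed one) is used only to seed three 32-bit keys, every entry is then encrypted from that same starting state one byte at a time, and the keystream byte depends on the keys alone. A known plaintext therefore exposes the keystream bytes and key-state transitions that the Biham-Kocher attack inverts to recover the three keys; that recovery step is what pkcrack does and is not reimplemented here. The demo shows the consequence: once the keys are known, every entry decrypts without the password. The sample file contents are constructed stand-ins, not the real red.gz or blue.txt.

```python
"""Added example for this write-up (not the author's code or pkcrack):
ZipCrypto, the traditional PKWARE stream cipher, in pure Python, to show
that the password only seeds three 32-bit keys and that those keys alone
decrypt every entry.  Inputs are constructed."""

import os

# Standard CRC-32 table (reflected polynomial 0xEDB88320); ZipCrypto reuses it.
_CRC_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    _CRC_TABLE.append(_c)


def _crc32_byte(crc: int, b: int) -> int:
    return _CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)


def _update_keys(keys: list, b: int) -> None:
    """Mix one plaintext byte into the 96-bit state (PKWARE APPNOTE, section 6.1)."""
    keys[0] = _crc32_byte(keys[0], b)
    keys[1] = (keys[1] + (keys[0] & 0xFF)) & 0xFFFFFFFF
    keys[1] = (keys[1] * 134775813 + 1) & 0xFFFFFFFF
    keys[2] = _crc32_byte(keys[2], keys[1] >> 24)


def _keystream_byte(keys: list) -> int:
    """The keystream byte depends on key2 only; this is what the attack exploits."""
    t = (keys[2] | 2) & 0xFFFF
    return ((t * (t ^ 1)) >> 8) & 0xFF


def keys_from_password(password: bytes) -> list:
    """The only place the password is used: it seeds the three keys."""
    keys = [0x12345678, 0x23456789, 0x34567890]
    for b in password:
        _update_keys(keys, b)
    return keys


def encrypt_entry(initial_keys: list, plaintext: bytes, header: bytes) -> bytes:
    """Encrypt one entry: 12-byte header first, then the (compressed) data.
    Every entry in the archive restarts from the same initial keys."""
    assert len(header) == 12
    keys, out = list(initial_keys), bytearray()
    for p in header + plaintext:
        out.append(p ^ _keystream_byte(keys))
        _update_keys(keys, p)  # the state advances on the plaintext byte
    return bytes(out)


def decrypt_entry(initial_keys: list, ciphertext: bytes) -> bytes:
    """Decrypt from the internal keys alone; the password is never needed."""
    keys, out = list(initial_keys), bytearray()
    for c in ciphertext:
        p = c ^ _keystream_byte(keys)
        _update_keys(keys, p)
        out.append(p)
    return bytes(out[12:])  # drop the 12-byte encryption header


def demo() -> dict:
    """Two entries under one (constructed) password, decrypted with keys only."""
    keys = keys_from_password(b"not-the-real-8-char-password")
    known = b"\x1f\x8b\x08\x00" + b"X" * 20              # stand-in for red.gz bytes
    secret = b"flag{example-not-the-real-flag}"         # stand-in for blue.txt bytes
    ct_known = encrypt_entry(keys, known, os.urandom(12))
    ct_secret = encrypt_entry(keys, secret, os.urandom(12))
    # With the plaintext known, the keystream bytes fall out; Biham-Kocher
    # turns those into the three keys (that step is pkcrack's job, not shown).
    keystream = bytes(c ^ p for c, p in zip(ct_known[12:], known))
    return {
        "known_ok": decrypt_entry(keys, ct_known) == known,
        "secret": decrypt_entry(keys, ct_secret),  # no password used here
        "keystream_len": len(keystream),
    }
```

Note that decrypt_entry never sees the password: pkcrack's output is exactly these three key values, which is why it can go on to decrypt every entry of the archive once a single entry's plaintext has been matched.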

Doing this by hand would take a lot of effort; luckily there is a tool that does it for you, pkcrack, Peter Conrad's implementation of the Biham-Kocher attack.

See the website for instructions on downloading and compiling the tool.

Once the tool is installed, we ran the command below. It takes red.gz from red.zip as the known plaintext (-P/-p), uses it to attack the encrypted copy of red.gz in blue.zip (-C/-c), and writes the decrypted archive to cracked.zip (-d); -a tells pkcrack to decrypt every entry with the recovered keys, not just the one it attacked.

Important! You must use the original red.zip file, not a copy made by unzipping and re-zipping it. The attack needs the compressed bytes of red.gz exactly as they are stored inside blue.zip; a different compression program, method or level produces different deflate output, so the "known plaintext" would no longer match the ciphertext and pkcrack would find nothing.

pkcrack -C blue.zip -c red.gz -P red.zip -p red.gz -d cracked.zip -a
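Before spending hours in pkcrack it is worth confirming the preconditions from a script. The following added example (written for this write-up; not the author's code or pkcrack) parses the central directory by hand, which is where the file names, sizes, CRC-32 values, compression method and the encryption flag live unencrypted, and checks that the plaintext copy of red.gz really is the same compressed bytes as the encrypted one, including the 12-byte encryption header that ZipCrypto adds to the stored compressed size. The archives are constructed in memory as stand-ins for red.zip and blue.zip; their "encrypted" entries only carry the flag and a placeholder header, since only headers are read here. A re-zipped variant (red.gz unpacked and stored again with a different method) shows how an unpack-and-repack copy fails the check.

```python
"""Added example for this write-up (not the author's code or pkcrack):
read ZIP metadata without a password and check the known-plaintext
preconditions.  Sample archives are constructed in memory."""

import io
import struct
import zipfile
import zlib

EOCD_SIG = b"PK\x05\x06"
CDIR_SIG = b"PK\x01\x02"
CDIR_FMT = "<4sHHHHHHIIIHHHHHII"  # fixed 46 bytes of a central directory entry
LOCAL_FMT = "<4sHHHHHIIIHH"       # fixed 30 bytes of a local file header


def central_directory(data: bytes) -> list:
    """Parse the central directory by hand.  Names, sizes, CRC-32, method and
    the encryption flag are never encrypted, whatever the password."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    entries, pos = [], cd_offset
    while pos < cd_offset + cd_size:
        (sig, _made, _need, flags, method, _t, _d, crc, csize, usize,
         name_len, extra_len, comment_len, *_) = struct.unpack_from(CDIR_FMT, data, pos)
        if sig != CDIR_SIG:
            raise ValueError("corrupt central directory")
        name = data[pos + 46:pos + 46 + name_len].decode("cp437")
        entries.append({"name": name, "method": method, "crc": crc, "csize": csize,
                        "usize": usize, "encrypted": bool(flags & 1)})
        pos += 46 + name_len + extra_len + comment_len
    return entries


def known_plaintext_ready(cipher_zip: bytes, plain_zip: bytes, name: str) -> dict:
    """What pkcrack needs: the entry ZipCrypto-encrypted in one archive, in the
    clear in the other, and byte-identical compressed data (ZipCrypto adds a
    12-byte header to the stored compressed size; method 99 would be WinZip AES)."""
    c = next(e for e in central_directory(cipher_zip) if e["name"] == name)
    p = next(e for e in central_directory(plain_zip) if e["name"] == name)
    return {
        "cipher_entry_encrypted": c["encrypted"] and not p["encrypted"],
        "zipcrypto_not_aes": c["method"] != 99,
        "same_method": c["method"] == p["method"],
        "same_compressed_size": c["csize"] == p["csize"] + 12,
        "same_crc": c["crc"] == p["crc"],
    }


def stdlib_view(zip_bytes: bytes) -> dict:
    """Cross-check with the standard library: listing works, but reading an
    encrypted member without the password raises RuntimeError."""
    zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    readable = {}
    for info in zf.infolist():
        try:
            zf.read(info.filename)
            readable[info.filename] = True
        except RuntimeError:
            readable[info.filename] = False
    return readable


def build_zip(entries: list) -> bytes:
    """Minimal ZIP writer for the constructed samples.  Entries are
    (name, payload, method, crc, usize, encrypted); payload is what goes on disk."""
    out, cdir = bytearray(), bytearray()
    for name, payload, method, crc, usize, encrypted in entries:
        flags, nm, offset = (1 if encrypted else 0), name.encode("cp437"), len(out)
        out += struct.pack(LOCAL_FMT, b"PK\x03\x04", 20, flags, method, 0, 0x21,
                           crc, len(payload), usize, len(nm), 0) + nm + payload
        cdir += struct.pack(CDIR_FMT, CDIR_SIG, 20, 20, flags, method, 0, 0x21, crc,
                            len(payload), usize, len(nm), 0, 0, 0, 0, 0, offset) + nm
    eocd = struct.pack("<4sHHHHIIH", EOCD_SIG, 0, 0, len(entries), len(entries),
                       len(cdir), len(out), 0)
    return bytes(out + cdir + eocd)


def _raw_deflate(data: bytes) -> bytes:
    co = zlib.compressobj(6, zlib.DEFLATED, -15)  # -15: raw deflate, as ZIP stores it
    return co.compress(data) + co.flush()


# Constructed stand-ins for the challenge files (not the real contents).
RED_GZ = b"\x1f\x8b\x08\x00" + bytes(range(64)) * 4
BLUE_TXT = b"flag{constructed-example-not-the-real-flag}\n"
FAKE_HDR = b"\x00" * 12  # placeholder where ZipCrypto's 12-byte header would be
RED_ZIP = build_zip([("red.gz", _raw_deflate(RED_GZ), 8, zlib.crc32(RED_GZ), len(RED_GZ), False)])
BLUE_ZIP = build_zip([
    ("red.gz", FAKE_HDR + _raw_deflate(RED_GZ), 8, zlib.crc32(RED_GZ), len(RED_GZ), True),
    ("blue.txt", FAKE_HDR + _raw_deflate(BLUE_TXT), 8, zlib.crc32(BLUE_TXT), len(BLUE_TXT), True),
])
# red.gz unpacked and re-zipped with a different method: useless as pkcrack plaintext.
REZIPPED = build_zip([("red.gz", RED_GZ, 0, zlib.crc32(RED_GZ), len(RED_GZ), False)])
```

On the real files the call is known_plaintext_ready(open("blue.zip", "rb").read(), open("red.zip", "rb").read(), "red.gz"); every value in the returned dict should be True before pkcrack is worth running. A CRC match with a size or method mismatch is the signature of a re-zipped plaintext: same data, different compressed bytes.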

After running this command (and a long wait), the file cracked.zip was created. Opening it, blue.txt can now be read without a password, and it contains the flag.

A big thank you to all the organisers of the CTF for this great challenge.