Question: The flag is in there somewhere, I swear. Format: "fastctf{flag}"
Hint: This archive appears to be password protected. Maybe a certain Cat can lend a hand?
Answer: fastctf{the hashcat goes meow}
Interestingly this file contained no extension. Often CTFs will not include file extensions as an extra layer of difficulty. If you don’t know the extension to a file, the Linux “file” command is the go-to option. In this demonstration I used Cygwin, a Linux emulator for Windows.
File4 is a 7zip archive. Edit the file in Explorer and add the “.7z” extension, then right-click to extract it. If you do not have 7zip, you should, and you can download it from https://www.7-zip.org/.
When trying to extract the file, you should be treated with this image above. A password on a 7zip archive? Who knew they had that functionality. This presents a problem. However they hint helps us out. “A certain Cat can lend a hand”. Hashcat is a popular GPU-based password cracker that supports many different encryption algorithms, including 7zip archives. You can download Hashcat from https://hashcat.net/hashcat/. While Hashcat can find a matching hash, first you need to acquire the hash from the archive.
7z2hashcat is a perl script that can determine the hash of the password used to encrypt a 7zip archive. You can download 7z2hashcat from https://github.com/philsmd/7z2hashcat. There is also a Windows executable available from the releases page. Once downloaded, the usage for 7z2hashcat is very straight-forward:
7z2hashcat.exe file4.7z
This will create a very, very large hash of the file. You will then need to insert this hash into Hashcat with a good password list. To specify the 7zip archive hash, use the “m” flag with the number 11600.
hashcat64.exe -m 11600 [hash] passwords.txt
Hashcat has successfully cracked the password:12345abc. This value is also added to a potfile in the Hashcat directory. File4.7z can now be unlocked since we know the password. Once extracted, there should be one file: “flag (81).txt”. Examining the text file gives us some more information.
In this file there is some metadata, and some HTML tags, and then a large section that is base64 encoded. From what we can tell that the content-type is an image. Putting the file through the file command gives a little more information on the file type as well.
MIME (Multipurpose Internet Mail Extensions) is an internet standard that extends the HTML format to support email, non-ASCII text, and attachments like images, audio, and videos. Changing the extension to HTML would not have helped. The file is actually an MHTML file, which is an archive format that combines HTML pages with metadata and any images or other attached documents. When changed to an MHTML file it can then be opened and the flag is displayed.
No comments:
Post a Comment