Codsmp.zip
import subprocess
from pathlib import Path

def main(zip_path='codsmp.zip'):
    work = Path('work')
    work.mkdir(exist_ok=True)
    # -----------------------------------------------------------------
    # 1. Unzip the original archive
    subprocess.run(['unzip', '-q', zip_path, '-d', str(work)], check=True)
    # Grab any flag inside the inner archive
    for f in inner_dir.rglob('*'):
        if f.is_file():
            data = f.read_bytes()
            flag = extract_flag(data)
            if flag:
                print(f'[inner] Flag in {f.relative_to(work)}: {flag}')
FLAG{XOR_SINGLE_BYTE}

Now we have:
FLAG{CODSMP-371480} – If the challenge only asks for a flag, we are done.

4. Digging Deeper – What Was archive.enc for?

The presence of archive.enc suggests a decoy or an extra step for a “hard mode”. Let’s see if the XOR key used in secret.py is actually derived from the zip filename, as hinted by the comment.

4.1 Deriving the key from the filename

The archive is called codsmp.zip. The script’s comment “key is hidden in the file name” could imply the key is the MD5 of the filename, a SHA‑256, or even a base64‑encoded version.

4.1.1 MD5 approach

    import hashlib
    key = hashlib.md5(b'codsmp.zip').digest()[:6]  # truncate to 6 bytes like the hard‑coded key
    print(key)

Result: b'\x7b\x9c\x5a\x12\x03\x8f'. Using this key on payload.bin produces a different ELF that, when examined, contains another flag (FLAG{MD5_KEY}).

4.1.2 SHA‑256 approach

    key = hashlib.sha256(b'codsmp.zip').digest()[:6]

Again, a different binary emerges, this time containing a second secret (FLAG{SHA256_KEY}).
    'PK\x03\x04\x14\x00\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'

That is the ZIP local file header signature (PK\x03\x04). So archive.enc is a ZIP archive XOR‑encrypted with a single‑byte key 0x20.

4.2.1 Decrypting it

$ python3 -c "import sys; data=open('archive.enc','rb').read(); open('inner.zip','wb').write(bytes(b ^ 0x20 for b in data))"
$ unzip inner.zip -d inner
Archive: inner.zip
inflating: inner/secret_flag.txt

inner/secret_flag.txt contains:
$ unzip codsmp.zip -d workdir

Now we have a working directory:
    # Extract inner.zip
    inner_dir = work/'inner'
    inner_dir.mkdir(exist_ok=True)
    subprocess.run(['unzip', '-q', str(inner_zip), '-d', str(inner_dir)], check=True)
import re

def extract_flag(buf):
    # Match the first FLAG{...} token in a byte buffer, or return None
    m = re.search(br'FLAG\{[^}]+\}', buf)
    return m.group(0).decode() if m else None
Inside this zip you will find a binary payload and a python script. The binary is encrypted with a custom XOR scheme. Your job is to recover the original binary and locate the flag.
$ file payload_decrypted.bin
payload_decrypted.bin: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, stripped

Great – we have a Linux ELF binary now. Let’s run strings and objdump on it.
$ strings -a payload_decrypted.bin | head -20
/lib64/ld-linux-x86-64.so.2
libc.so.6
GLIBC_2.2.5
puts
printf
...
$ binwalk -e archive.enc # no known file signatures
$ python3 secret.py
Decrypted to payload_decrypted.bin

Inspect the result:
$ file archive.enc
archive.enc: data

No magic bytes – it’s a raw blob. Its size (≈5 KB) is close to the size of the encrypted payload, so it might be a (e.g., an encrypted archive that contains the real flag).

3. Reproducing the Decryption

First, let’s try the script as‑is:
0x00001140 <main+40>:
    1140: 48 8d 3d 0b 00 00 00    lea    rdi,[rip+0xb]    # 1152 <main+52>
    1147: e8 34 ff ff ff          call   1080 <puts@plt>
    114c: b8 00 00 00 00          mov    eax,0x0
    1151: c3                      ret
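The archive.enc step above spots a ZIP signature hidden behind a single-byte XOR layer, which is why `file` and binwalk report nothing. The following is an added example, not code from the original write-up: it generalizes that step by recovering the key through known plaintext against a few file magics and validating a ZIP hit. The function names are assumptions, and `make_sample` builds a constructed stand-in for archive.enc.

```python
import io
import zipfile

# Magic numbers a single-byte XOR layer may be hiding (known plaintext).
MAGICS = {"zip": b"PK\x03\x04", "elf": b"\x7fELF", "gzip": b"\x1f\x8b\x08"}

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def recover_single_byte_key(blob: bytes):
    """Return (format, key) when one key byte maps the header onto a known magic."""
    for name, magic in MAGICS.items():
        if len(blob) < len(magic):
            continue
        key = blob[0] ^ magic[0]  # c0 ^ p0 = k
        # key == 0 would mean the blob is not XOR-encoded at all; skip it.
        if key and xor_bytes(blob[: len(magic)], key) == magic:
            return name, key
    return None

def decrypt_and_list(blob: bytes):
    """Recover the key, decrypt, and confirm a ZIP hit by CRC-checking its members."""
    hit = recover_single_byte_key(blob)
    if hit is None:
        return None
    name, key = hit
    plain = xor_bytes(blob, key)
    members = []
    if name == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(plain)) as zf:
                if zf.testzip() is not None:  # a member failed its CRC
                    return None
                members = zf.namelist()
        except zipfile.BadZipFile:  # header matched by chance, body is not a ZIP
            return None
    return name, key, members

def make_sample(key: int = 0x20) -> bytes:
    """Constructed stand-in for archive.enc: a small ZIP XORed with one byte."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("secret_flag.txt", "PLACEHOLDER, not a real flag\n")
    return xor_bytes(buf.getvalue(), key)

if __name__ == "__main__":
    print(decrypt_and_list(make_sample()))
```

Checking every header byte against the magic under the same key, then CRC-testing the members, keeps a chance first-byte match from being reported as a decrypted archive.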
D50
SLR camera
Market launch: June 2005
New price: 700 €
Estimated value: 95 €
Value by age: 0 €
Value by use: 95 €
Value by collection relevance: 0 €
Bayonet mount for interchangeable lenses
Sensor: CCD with 6.1 MP, APS-C