HACKvent 2020 - Day 3

01-01-2021 - 2 minutes, 1 second - CTF

Challenge - Packed gifts

One of the elves has unfortunately added a password to the last presents delivery and we cannot open it. The elf has taken a few days off after all the stress of the last weeks and is not available. Can you open the package for us?

We found the following packages:


Package 2 seems to be encrypted while Package 1 isn’t. First thought was, that the key might be the password, but at a second glance, there is a flag.bin in the encrypted archive. Both zip files have the same contents (excpect for the flag.bin), so this is bound to be a known-plaintext attack. So lets fire up kali (no code this time 😔) and heat the house with CPU power.

./pkcrack -c 0066.bin -p 0066.bin -C ../../Downloads/941fdd96-3585-4fca-a2dd-e8add81f24a1.zip -P ../../Downloads/790ccd6f-cd84-452c-8bee-7aae5dfe2610.zip -d decrypted.zip

Aaaaaaaand it didnt work. After many setbacks (with different files, different tools, …) i realized: “HOLY SHIT, the CRCs of the encrypted and plaintext files dont match!”. So.. the Plaintext files aren’t the same as the encrypted ones after all. Of course the plaintext attack doesn’t work.

After some fruitless trial and errors, i thought, maybe i should check the CRCs of the 100 files in both zips. And there is one file that matches with the encrypted one! it is 0053.bin, so lets try again:

./pkcrack -c 0053.bin -p 0053.bin -C ../../Downloads/941fdd96-3585-4fca-a2dd-e8add81f24a1.zip -P ../../Downloads/790ccd6f-cd84-452c-8bee-7aae5dfe2610.zip -d decrypted.zip 

pcrack output of known plaintext attack

HEUREKA! The content of flag.bin:


Which obviously is base64 for



There is a second flag hidden here – that much was visible from the leaderboard, since the leaders had more points than would have been possible by just the normal flags. So lets hunt it down.

All those bin files in the plaintext zip and the decrypted zip contain base64 strings. So lets write a little Code (yeah so there is code here after all 😀) that reads all the base64 strings and dumps them as binary.

using System;
using System.IO;
using System.Text;
using System.Text.RegularExpressions;

Console.WriteLine("Enter Path:");
var path = Console.ReadLine();

var newPath = path + "2";

if (!Directory.Exists(newPath))

var files = Directory.EnumerateFiles(path);

var regex = new Regex("HV20{[a-zA-Z0-9_\\-,]*}");

foreach (var file in files)
    var content = File.ReadAllText(file);

    var bContent = Convert.FromBase64String(content);
    var sContent = Encoding.ASCII.GetString(bContent);

    if (regex.IsMatch(sContent))
        Console.WriteLine($"found suspicious content in file {file}!");

    File.WriteAllBytes(Path.Combine(newPath, Path.GetFileName(file)), bContent);


Output of our program showing the flag

The bonus flag hidden in this challenge was:


Next Post Previous Post