HACKvent 2020 - Day 3

01-01-2021 - 2 minutes, 1 second - CTF

Challenge - Packed gifts

One of the elves has unfortunately added a password to the last presents delivery and we cannot open it. The elf has taken a few days off after all the stress of the last weeks and is not available. Can you open the package for us?

We found the following packages:

Solution

Package 2 seems to be encrypted while Package 1 isn’t. My first thought was that the key might be the password, but at a second glance, there is a flag.bin in the encrypted archive. Both zip files have the same contents (except for the flag.bin), so this is bound to be a known-plaintext attack. So let’s fire up Kali (no code this time 😔) and heat the house with CPU power.

./pkcrack -c 0066.bin -p 0066.bin -C ../../Downloads/941fdd96-3585-4fca-a2dd-e8add81f24a1.zip -P ../../Downloads/790ccd6f-cd84-452c-8bee-7aae5dfe2610.zip -d decrypted.zip

Aaaaaaaand it didn’t work. After many setbacks (with different files, different tools, …) I realized: “HOLY SHIT, the CRCs of the encrypted and plaintext files don’t match!” So... the plaintext files aren’t the same as the encrypted ones after all. Of course the plaintext attack doesn’t work.

After some fruitless trial and error, I thought maybe I should check the CRCs of the 100 files in both zips. And there is one file that matches the encrypted one! It is 0053.bin, so let’s try again:

./pkcrack -c 0053.bin -p 0053.bin -C ../../Downloads/941fdd96-3585-4fca-a2dd-e8add81f24a1.zip -P ../../Downloads/790ccd6f-cd84-452c-8bee-7aae5dfe2610.zip -d decrypted.zip 

pkcrack output of known plaintext attack
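The CRC comparison that found 0053.bin can be scripted, because ZIP keeps each entry's CRC-32 and uncompressed size in the central directory in the clear, even when the entry data is ZipCrypto-encrypted. The following is an added example, not code from the original post; the function names and the in-memory sample archives are constructed for illustration (Python's zipfile cannot write encrypted archives, so the sample stands in with unencrypted ones, which carry the same metadata fields).

```python
import io
import zipfile


def crc_index(archive):
    """Map (CRC-32, uncompressed size) -> entry names, using only the
    central directory, so no password is needed."""
    index = {}
    with zipfile.ZipFile(archive) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            index.setdefault((info.CRC, info.file_size), []).append(info.filename)
    return index


def known_plaintext_candidates(encrypted_archive, plain_archive):
    """Return sorted (encrypted_name, plain_name) pairs whose CRC-32 and
    size agree, i.e. entries that really hold the same plaintext."""
    enc = crc_index(encrypted_archive)
    plain = crc_index(plain_archive)
    pairs = []
    for key in enc.keys() & plain.keys():
        for enc_name in enc[key]:
            for plain_name in plain[key]:
                pairs.append((enc_name, plain_name))
    return sorted(pairs)


def build_sample(entries):
    """Constructed sample archive in memory: {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed data: same names in both archives, only one identical file.
    plain = build_sample({"0053.bin": b"shared", "0066.bin": b"variant-A"})
    locked = build_sample({"0053.bin": b"shared", "0066.bin": b"variant-B",
                           "flag.bin": b"secret"})
    for enc_name, plain_name in known_plaintext_candidates(locked, plain):
        print(f"{enc_name} (encrypted) matches {plain_name} (plaintext)")
```

The same cleartext metadata is why an archive protected with ZipCrypto should not share any file with material that is available unencrypted elsewhere.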

HEUREKA! The content of flag.bin:

SFYyMHtaaXBDcnlwdDBfdzF0aF9rbjB3bl9wbGExbnRleHRfMXNfZWFzeV90MF9kZWNyeXB0fSAgICAgICAgICAgICAgICAgSFYyMHtaaXBDcnlwdDBfdzF0aF9rbjB3bl9wbGExbnRleHRfMXNfZWFzeV90MF9kZWNyeXB0fQo=

Which obviously is base64 for

HV20{ZipCrypt0_w1th_kn0wn_pla1ntext_1s_easy_t0_decrypt}
HV20{ZipCrypt0_w1th_kn0wn_pla1ntext_1s_easy_t0_decrypt}

Bonus

There is a second flag hidden here – that much was visible from the leaderboard, since the leaders had more points than would have been possible by just the normal flags. So let’s hunt it down.

All those bin files in the plaintext zip and the decrypted zip contain base64 strings. So let’s write a little code (yeah, so there is code here after all 😀) that reads all the base64 strings and dumps them as binary.

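using System;
using System.IO;
using System.Text;
using System.Text.RegularExpressions;

// Ask for the directory that holds the extracted .bin files.
Console.WriteLine("Enter Path:");
var path = Console.ReadLine();

// Decoded files are written to a sibling directory with a "2" suffix.
var newPath = path + "2";

if (!Directory.Exists(newPath))
{
    Directory.CreateDirectory(newPath);
}

var files = Directory.EnumerateFiles(path);

// Flag format: HV20{...} containing letters, digits, '_', '-' and ','.
var regex = new Regex("HV20{[a-zA-Z0-9_\\-,]*}");

foreach (var file in files)
{
    var content = File.ReadAllText(file);

    byte[] bContent;
    try
    {
        // Each .bin file is expected to hold one base64 string.
        bContent = Convert.FromBase64String(content);
    }
    catch (FormatException)
    {
        // Skip files that are not valid base64 instead of aborting the run.
        Console.WriteLine($"skipping {file}: not valid base64");
        continue;
    }
    var sContent = Encoding.ASCII.GetString(bContent);

    // Report any flag-shaped string found in the decoded bytes.
    if (regex.IsMatch(sContent))
    {
        Console.WriteLine($"found suspicious content in file {file}!");
        Console.WriteLine(regex.Match(sContent).Value);
    }

    // Dump the decoded bytes under the same file name for later inspection.
    File.WriteAllBytes(Path.Combine(newPath, Path.GetFileName(file)), bContent);
}

Console.WriteLine("Done");
Console.ReadLine();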

Output of our program showing the flag

The bonus flag hidden in this challenge was:

HV20{it_is_always_worth_checking_everywhere_and_congratulations,_you_have_found_a_hidden_flag}
