A box of chocolate

my public personal notebook

HITBXCTF 2018 Quals - pix

We are given a PNG file, let's check it for any steg data with zsteg:

$ zsteg aee487a2-49cd-4f1f-ada6-b2d398342d99.SteinsGate
/usr/lib/ruby/2.3.0/open3.rb:199: warning: Insecure world writable dir /mnt/c/ProgramData/Oracle/Java in PATH, mode 040777
imagedata           .. text: " !#865   "
b1,r,msb,xy         .. text: "y5b@2~2t"
b1,rgb,lsb,xy       .. file: Keepass password database 2.x KDBX
b2,r,msb,xy         .. text: "\rP`I$X7D"
b2,bgr,lsb,xy       .. text: "b;d'8H~M"
b4,g,msb,xy         .. text: ";pTr73& dvG:"

We have a KeePass DB hidden in the file, let's extract it with:

$ zsteg aee487a2-49cd-4f1f-ada6-b2d398342d99.SteinsGate -E b1,rgb,lsb,xy > wat.kdbx

The file is protected with a password. We are given hints about the password:

weak password!

lower case letters and number

len(password) == 10

hitb + number
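What zsteg's b1,rgb,lsb,xy extraction above actually does, as an added Python example that is not part of the original writeup: walk the R, G, B samples of the decoded image in row order, collect each sample's least significant bit, pack them into bytes and check the result for the KDBX file signature. The carrier here is a constructed flat RGB byte string (what you would get from a decoded PNG, e.g. Pillow's img.tobytes()), so the code runs offline; the two KDBX magic dwords are assumed to be 0x9AA2D903 and 0xB54BFB67 written little-endian.

```python
# KeePass 2.x (KDBX) signature as it appears on disk (little-endian dwords
# 0x9AA2D903, 0xB54BFB67) - assumption stated in the lead-in.
KDBX_MAGIC = bytes.fromhex("03d9a29a67fb4bb5")


def extract_lsb_rgb(pixels: bytes, nbytes: int) -> bytes:
    """zsteg's b1,rgb,lsb,xy channel: take bit 0 of every R, G, B sample in
    row order and pack the bits MSB-first, returning the first nbytes bytes."""
    out = bytearray()
    acc, nbits = 0, 0
    for sample in pixels:
        acc = (acc << 1) | (sample & 1)
        nbits += 1
        if nbits == 8:
            out.append(acc)
            acc, nbits = 0, 0
            if len(out) == nbytes:
                break
    return bytes(out)


def looks_like_kdbx(data: bytes) -> bool:
    """The file-type check that made zsteg report 'Keepass password database'."""
    return data.startswith(KDBX_MAGIC)


def embed_lsb_rgb(pixels: bytes, payload: bytes) -> bytes:
    """Helper used only to build the constructed sample: write the payload's
    bits (MSB first) into the LSB of successive RGB samples."""
    carrier = bytearray(pixels)
    bits = ((b >> (7 - i)) & 1 for b in payload for i in range(8))
    for idx, bit in enumerate(bits):
        carrier[idx] = (carrier[idx] & 0xFE) | bit
    return bytes(carrier)


def demo() -> bool:
    # Constructed 8x8 RGB carrier (192 samples = 24 bytes of LSB capacity)
    # with arbitrary but non-trivial pixel values.
    clean = bytes((i * 37 + 11) & 0xFF for i in range(192))
    stego = embed_lsb_rgb(clean, KDBX_MAGIC + b"\x01\x00\x03\x00")
    # The clean image's LSB plane is noise; the stego image's starts with KDBX.
    return (not looks_like_kdbx(extract_lsb_rgb(clean, 8))
            and looks_like_kdbx(extract_lsb_rgb(stego, 8)))


if __name__ == "__main__":
    print("KDBX detected in LSB plane:", demo())
```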

Let's launch John the Ripper. First, we need to convert our kdbx file into a JtR hash:

.\keepass2john.exe .\wat.kdbx
wat:$keepass$*2*6000*222*774fbe05c37a98c8094e1d625d285a193ae9cf9bc7f6ccbf8ee5cb28e2894070*02207c3d0a3feb6a589dc84f8d73ff86fe2629ff25f9cf23f7f9545b5786f882*065f70730c4e7b98ef7ea869f6958b03*2b3d24717d3e284484af4171a4a752d688111a96f7c36e7233048fc028867f16*43dbb269dff30e5cd1ce74dd8527594004f49bcd17414c24cb22c0d6e2b26a0b

Save it into hash.txt and launch JtR with the hinted mask (hitb followed by six digits, matching the length of 10). It runs a little bit slow on my laptop, but with better hardware you can improve it easily:

.\john.exe --mask=hitb?d?d?d?d?d?d .\hash.txt
Warning: '/dev/shm' does not exists or is not a directory.

POSIX shared memory objects require the existance of this directory.
Create the directory '/dev/shm' and set the permissions to 01777.
For instance on the command line: mkdir -m 01777 /dev/shm
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64 OpenSSL])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:01:10 15.33% (ETA: 18:02:11) 0g/s 2177p/s 2177c/s 2177C/s hitb082351..hitb782351
0g 0:00:03:33 41.98% (ETA: 18:03:02) 0g/s 1962p/s 1962c/s 1962C/s hitb848914..hitb558914
0g 0:00:04:33 52.40% (ETA: 18:03:15) 0g/s 1915p/s 1915c/s 1915C/s hitb040425..hitb740425
hitb180408       (wat)
1g 0:00:07:16 DONE (2018-04-14 18:01) 0.002291g/s 1842p/s 1842c/s 1842C/s hitb080408..hitb780408
Use the "--show" option to display all of the cracked passwords reliably
Session completed

We successfully cracked the password for the KeePass DB (hitb180408); let's open it:

[screenshot: the KeePass database opened with the cracked password]

The flag is HITB{p1x_aNd_k33pass}.