HITBXCTF 2018 Quals - pix
We are given a PNG file. Let's check it for hidden steganographic data with zsteg:
$ zsteg aee487a2-49cd-4f1f-ada6-b2d398342d99.SteinsGate
/usr/lib/ruby/2.3.0/open3.rb:199: warning: Insecure world writable dir /mnt/c/ProgramData/Oracle/Java in PATH, mode 040777
imagedata .. text: " !#865 "
b1,r,msb,xy .. text: "y5b@2~2t"
b1,rgb,lsb,xy .. file: Keepass password database 2.x KDBX
b2,r,msb,xy .. text: "\rP`I$X7D"
b2,bgr,lsb,xy .. text: "b;d'8H~M"
b4,g,msb,xy .. text: ";pTr73& dvG:"
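What the b1,rgb,lsb,xy hit in the zsteg output above means, as an added example that is not part of the original writeup and not zsteg's own code: bit 0 of each R, G and B value is read pixel by pixel in row-major order and the resulting stream is compared with the KeePass 2.x file signature. The cover image, payload and function names are constructed for illustration, and MSB-first packing of the collected bits is an assumption.

```python
KDBX_MAGIC = bytes.fromhex("03d9a29a67fb4bb5")  # KeePass 2.x file signature

def embed_lsb(pixels, payload):
    """Write payload bits into bit 0 of R, G, B, pixel by pixel (row-major)."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    flat = [c for px in pixels for c in px]
    if len(bits) > len(flat):
        raise ValueError("payload does not fit in the cover image")
    for i, bit in enumerate(bits):
        flat[i] = (flat[i] & 0xFE) | bit
    return [tuple(flat[i:i + 3]) for i in range(0, len(flat), 3)]

def extract_lsb(pixels, channels="rgb"):
    """Read bit 0 of the chosen channels and pack the bits MSB-first (assumed)."""
    idx = ["rgb".index(c) for c in channels]
    bits = [px[i] & 1 for px in pixels for i in idx]
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        byte = 0
        for b in bits[i:i + 8]:
            byte = (byte << 1) | b
        out.append(byte)
    return bytes(out)

def find_kdbx(pixels, candidates=("r", "g", "b", "rgb", "bgr")):
    """Return the channel orders whose LSB stream starts with the KDBX signature."""
    return [c for c in candidates if extract_lsb(pixels, c).startswith(KDBX_MAGIC)]

# Constructed 8x8 cover image (row-major list of RGB tuples), not the challenge file.
COVER = [((x * 7) % 256, (x * 13) % 256, (x * 29) % 256) for x in range(64)]
PAYLOAD = KDBX_MAGIC + b"constructed"  # stand-in for a real database
STEGO = embed_lsb(COVER, PAYLOAD)

if __name__ == "__main__":
    print("cover image hits:", find_kdbx(COVER))
    print("stego image hits:", find_kdbx(STEGO))
    print("recovered bytes: ", extract_lsb(STEGO)[:len(PAYLOAD)])
```

No channel value changes by more than 1 after embedding, which is why the image looks untouched and a signature scan over the bit planes is needed to spot the payload.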
We have a KeePass DB hidden in the file. Let's extract it with:
$ zsteg aee487a2-49cd-4f1f-ada6-b2d398342d99.SteinsGate -E b1,rgb,lsb,xy > wat.kdbx
The file is protected with a password. We are given hints about the password:
weak password! lower case letters and number len(password) == 10 hitb + number
Let's launch John the Ripper. First, we need to convert our kdbx file into a JtR hash:
.\keepass2john.exe .\wat.kdbx
wat:$keepass$*2*6000*222*774fbe05c37a98c8094e1d625d285a193ae9cf9bc7f6ccbf8ee5cb28e2894070*02207c3d0a3feb6a589dc84f8d73ff86fe2629ff25f9cf23f7f9545b5786f882*065f70730c4e7b98ef7ea869f6958b03*2b3d24717d3e284484af4171a4a752d688111a96f7c36e7233048fc028867f16*43dbb269dff30e5cd1ce74dd8527594004f49bcd17414c24cb22c0d6e2b26a0b
Save it into hash.txt and launch JtR with the hinted mask. It runs a little slowly on my laptop, but with better hardware you can easily improve on that:
.\john.exe --mask=hitb?d?d?d?d?d?d .\hash.txt
Warning: '/dev/shm' does not exists or is not a directory.
POSIX shared memory objects require the existance of this directory.
Create the directory '/dev/shm' and set the permissions to 01777.
For instance on the command line: mkdir -m 01777 /dev/shm
Using default input encoding: UTF-8
Loaded 1 password hash (KeePass [SHA256 AES 32/64 OpenSSL])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:01:10 15.33% (ETA: 18:02:11) 0g/s 2177p/s 2177c/s 2177C/s hitb082351..hitb782351
0g 0:00:03:33 41.98% (ETA: 18:03:02) 0g/s 1962p/s 1962c/s 1962C/s hitb848914..hitb558914
0g 0:00:04:33 52.40% (ETA: 18:03:15) 0g/s 1915p/s 1915c/s 1915C/s hitb040425..hitb740425
hitb180408 (wat)
1g 0:00:07:16 DONE (2018-04-14 18:01) 0.002291g/s 1842p/s 1842c/s 1842C/s hitb080408..hitb780408
Use the "--show" option to display all of the cracked passwords reliably
Session completed
We successfully cracked the password for the KeePass DB: hitb180408. Let's open it:
The flag is HITB{p1x_aNd_k33pass}.