Pragyan 2020 - Encuéntralo si puedes

Posted on Wed. 26 February 2020 in CTF

Encuéntralo si puedes (350pts)
Solved by: 12%

Luis is very fond of music. Recently he developed a keen interest in CTF challenges. He makes a challenge for yankee and asks him if he could break it and find the code from it. Help yankee to find the secret code.

The flag format - p_ctf{OBTAINED_SECRET_CODE}

$ ffprobe despacito_luisFonsi.mp3
[...]
Input #0, mp3, from 'despacito_luisFonsi.mp3':
  Metadata:
    track           : 01
    Software        : Lavf58.33.100
    artist          : Luis Fonsi ft. Daddy Yankee
    genre           : POP
    Unknown text information frame: 2017
    title           : Despacito
    comment         : Better go last than first
    album           : Despacito
    date            : 2017
  Duration: 00:05:21.43, start: 0.023021, bitrate: 166 kb/s
    Stream #0:0: Audio: mp3, 48000 Hz, stereo, fltp, 166 kb/s
    Metadata:
      encoder         : LAME3.100

OK, the comment tag ("Better go last than first") tells us where to look for the information: the end of the song.

We can open the file in Audacity and switch to the spectrogram view to reveal the information:

[Image: encuentralo1]

It looks like Morse code. After writing it all down, we can decode it and get a message:

..-. ..- . .-. --.. .- -..-. -... .-. ..- - . -..-. -.. . -..-. -.-. .. -. -.-. --- -..-. -.. .. --. .. - --- ... -..-. -.-. --- -. -..-. -- .. -. ..- ... -.-. ..- .-.. .- ... -..-. -.-- -..-. -. ..- -- . .-. --- ...

FUERZA/BRUTE/DE/CINCO/DIGITOS/CON/MINUSCULAS/Y/NUMEROS

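Now we know what kind of password we are looking for: the message is Spanish for "brute force of five digits with lowercase letters and numbers". The tool pdfcrack lets us specify the minimum and maximum password length (-n and -m) and the character set to search (-c).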

$ ./pdfcrack -f ../1Hola.pdf -c "abcdefghijklmnopqrstuvwxyz0123456789" -n 5 -m 5
PDF version 1.3
Security Handler: Standard
V: 2
R: 3
P: -3904
Length: 128
Encrypted Metadata: True
FileID: 34ef3f1f94c5a1a642014ddf22af7900
U: 5233de370d2758db5857a2a21592631c00000000000000000000000000000000
O: fc81cb565ad34c0f8d431ec8772e44d7ee7da867715f50294bfe5b23116564c4

Average Speed: 28059.7 w/s. Current Word: 'zabma'
[...]
Average Speed: 27737.7 w/s. Current Word: 'v3dmz'
Average Speed: 28639.5 w/s. Current Word: 'p2nyz'
found user-password: 'x2n1z'

OK, we have the password for the first PDF file. Doing the same for the two other files gives: found user-password: '39adz' and found user-password: '8yfa2'.

We get the two PDFs used to demonstrate the SHA-1 collision (https://shattered.io/). The last PDF tells us how to get the flag: SHA1[original files] = base64-decrypt(base64-decrypt(flag)).

So, download the original file, compute its SHA-1, and base64-encode it twice:

$ echo "p_ctf{$(echo -n $(printf "$(sha1sum  shattered-1.pdf | sed 's/^\([^ \t\s[:space:]]\+\).*$/\1/')" | base64) | base64)}"
p_ctf{TXpnM05qSmpaamRtTlRVNU16UmlNelJrTVRjNVlXVTJZVFJqT0RCallXUmpZMkppTjJZd1lRPT0=}
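The final step above, as an added Python example (not part of the original write-up): it builds the flag from a SHA-1 hex digest and, in the other direction, unwraps a flag and checks that a well-formed digest comes out. The function names are illustrative assumptions; the flag constant is the one printed above.

```python
import base64
import hashlib
import re

# Flag printed at the end of the write-up.
PAGE_FLAG = "p_ctf{TXpnM05qSmpaamRtTlRVNU16UmlNelJrTVRjNVlXVTJZVFJqT0RCallXUmpZMkppTjJZd1lRPT0=}"
SHA1_HEX = re.compile(r"[0-9a-f]{40}")


def sha1_hex_of_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-1 (same value as the first column of sha1sum)."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def flag_from_digest(digest_hex):
    """base64(base64(hex digest)) inside p_ctf{...}, with no newline at either layer."""
    if not SHA1_HEX.fullmatch(digest_hex):
        raise ValueError("expected 40 lowercase hex characters")
    inner = base64.b64encode(digest_hex.encode("ascii"))
    return "p_ctf{" + base64.b64encode(inner).decode("ascii") + "}"


def digest_from_flag(flag):
    """Undo both base64 layers and require a SHA-1 hex digest as the result."""
    m = re.fullmatch(r"p_ctf\{([A-Za-z0-9+/=]+)\}", flag)
    if m is None:
        raise ValueError("not in p_ctf{...} format")
    inner = base64.b64decode(m.group(1), validate=True)
    digest = base64.b64decode(inner, validate=True).decode("ascii")
    if not SHA1_HEX.fullmatch(digest):
        raise ValueError("decoded value is not a SHA-1 hex digest")
    return digest


def flag_matches_file(flag, path):
    """True when the flag encodes the SHA-1 of the file at `path`."""
    return digest_from_flag(flag) == sha1_hex_of_file(path)


if __name__ == "__main__":
    digest = digest_from_flag(PAGE_FLAG)
    print(digest, flag_from_digest(digest) == PAGE_FLAG)
```

A digest encoded together with its trailing newline decodes to something `digest_from_flag` rejects, which is why the shell one-liner goes through `sed`, `printf` and `echo -n` before each `base64` call.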