RTCP - Growls at the chicken
Posted on sam. 25 janvier 2020 in CTF
solves : 38
Point : 1000
grrrrrrR
big chicken, i hisS At you!!!
hint: NQr2MIa1jsaifAVOn3zYeMynNJwd4oBiiem4fJHsA1WjzfyhUp1+seCW0GMijoDHb3w9BMKj7aw6hhtae5/Qw5xOqMioJU3vvEj0BEHO1wInPqlOeTRdZb8BcTsXP+Z/KBA2FjSZcpGHo7rOZ7NtR15y3eY4s/e/tgKUHvPe9MdmDe1kINtyRXgjghJO9e3uMEQmFe2Ai5moVnG7yIVfUd3QG6/Z+K4PSttbJtjWSLFO7zpmYpEOg3XBxsOw/w5scJQqJ7OLGiH22u4+JFXRlD/wPmDzk9uYlLWLcCuxnY0xuMlSfKIFJtVmF0ViO4o4X89ZwsQjjHuYYDaB3el7iA63BzBlsC54Q7Ekv70/GI0UA3R3zJkMaBV12Z6NAE/kAgEJu9ZRcVm6MAIZInLwMU4R1frM0Bks1jeTe72agmxnAIrR8XDeAxzovbvXFwoxNyxiA63fPJGPVoGZq4ecfGvJ23i/Cg+cynB35lc3f+4QifpjCn+MxWkKCzCVEJXdDah19yXKlIxbaR1zm+YHkS0YSUzjr7NJUXHfDCrwAUpXpikfi2f9tgcXEnuhszScE1PCbdt22rRz1pS7MNdRxjCZ5j+8BQNRBLi2BjLGW14X3zd4d6ieoHWH+4fmbqU9dFsUgKN5qL4Gs2LZbbQwkf3+VbIRQK9RaSO9Hj+4/T0=
hint 2: Public [...]
hint 3: Private [...]
Ok, We have a base64 encoded message with a public thing and private thing. If we read the description carefully, the maj letter make the word RSA. The two others strings are the public key and private key. We don't need the public one to decrypt.
We can reconstruct the private key with adding the header and footer and replace all space with new line:
$ echo "-----BEGIN RSA PRIVATE KEY-----" > private.key
$ echo "MIIJKQIBAAKCAg[...]QdgsTn" >> private.key
$ echo "-----END RSA PRIVATE KEY-----" >> private.key
$ sed -i '/^-----/! s/ /\n/g' private.key
$ cat message| base64 -d | openssl rsautl -decrypt -inkey private.key -in -
unknown-123-246-470-726.herokuapp.com
The clear text is a link to a website:
https://unknown-123-246-470-726.herokuapp.com/
We got a wonderful GIF and some text in the console log:
<script>console.log('Jade: psst');</script>
<script>console.log('Jade: You there?');</script>
<script>console.log('Agate: *laughs*');</script>
<script>console.log('Jade: Well lets hope the chicken doesnt explod');</script>
<script>console.log('Agate: Hah, didnt Jess leave a defuser?');</script>
<script>console.log('Jade: Yep, its in the drawer');</script>
<script>console.log('Agate: Ill grab it.');</script>
<script>console.log('ono.');</script>
When we open the source code, we can see two other div hidden:
<p hidden>9 20 30 15 16 5 14 19 30 27 29 8 20 13 12 28</p>
<p hidden>"abcdefghijklmnopqrstuvwxyz[]. "</p>
Ok, let's start for mapping the both together:
keys = [9, 20, 30, 15, 16, 5, 14, 19, 30, 27, 29, 8, 20, 13, 12, 28]
chars = "abcdefghijklmnopqrstuvwxyz[]. "
flag = ""
for x in keys:
flag = flag + chars[x-1]
print(flag)
$ python map.py
it opens [.html]
Hum. Seems to indicate a new link but we need to find the first part. The answer comes from the dialog between the characters: Yep, its in the drawer. We got then the full link: https://unknown-123-246-470-726.herokuapp.com/drawer.html.
The same page is showing up. But, one more time, we find some relevant informations from the source code:
<p hidden>rtcp{ch1ck3n_4nd_th3_3gg}</p>