
[OtterCTF 2018] - ReCurse Writeup

source link: https://nitesculucian.github.io/2018/12/10/otterctf-2018-recurse-writeup/

Dec 10, 2018 • otterctf, ctf, writeups


Description:

Found this nested zip in Morty’s PC. What is it that he is hiding?

Download

Solution Author:

Lucian Nitescu, as part of jmp 0xc0ffee team.

Stats:

150 points / 94 solvers

Solution:  

The challenge started with a .zip file which contained multiple zipped files within other zipped files as you can see in the following example:

My approach was rather brute: I unzipped one file in a folder and within the newly created folder, I repeated my actions. Here is the single bash command that I executed:

while true; do unzip $(ls *.zip) -d $(ls *.zip). && cd $(ls *.zip).; done

Output:

The resulting working directory and the retrieved files:

w.zip is the last zip archive within the chain and requires a password to extract the archived text file.

From the working directory path I decided to strip all the extension names (.zip) and other unnecessary file names:

/home/nli/Desktop/otterctf/ReCurse/a.zip./H.zip./R.zip./0.zip./c.zip./H.zip./M.zip./6.zip./L.zip./y.zip./9.zip./3.zip./d.zip./3.zip./c.zip./u.zip./Z.zip./X.zip./h.zip./v.zip./d.zip./G.zip./l.zip./j.zip./Y.zip./W.zip./5.zip./p.zip./b.zip./W.zip./F.zip./s.zip./c.zip./2.zip./Z.zip./v.zip./c.zip./n.zip./N.zip./h.zip./b.zip./G.zip./U.zip./u.zip./b.zip./m.zip./V.zip./0.zip./L.zip./3.zip./N.zip./h.zip./b.zip./G.zip./U.zip./v.zip./M.zip./z.zip./k.zip./z.zip./N.zip./T.zip./M.zip./t.zip./M.zip./i.zip./1.zip./m.zip./Z.zip./W.zip./1.zip./h.zip./b.zip./G.zip./U.zip./t.zip./c.zip./2.zip./1.zip./h.zip./b.zip./G.zip./w.zip./t.zip./Y.zip./2.zip./x.zip./h.zip./d.zip./y.zip./1.zip./B.zip./c.zip./2.zip./l.zip./h.zip./b.zip./i.zip./1.zip./v.zip./d.zip./H.zip./R.zip./l.zip./c.zip./n.zip./M.zip./u.zip./Y.zip./X.zip./N.zip.

Output:

aHR0cHM6Ly93d3cuZXhvdGljYW5pbWFsc2ZvcnNhbGUubmV0L3NhbGUvMzkzNTMtMi1mZW1hbGUtc21hbGwtY2xhdy1Bc2lhbi1vdHRlcnMuYXN

After I decoded the above base64 string, I obtained the following link:

https://www.exoticanimalsforsale.net/sale/39353-2-female-small-claw-Asian-otters.as

I had to add the p letter to the end of the link in order to access the page:

https://www.exoticanimalsforsale.net/sale/39353-2-female-small-claw-Asian-otters.asp
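
The path-to-string step above, as an added Python example that is not part of the original writeup: it pulls the single-character archive names out of the directory path, pads the final partial base64 group and decodes. The function names and the shortened sample path are assumptions; it also shows that appending w, the name of the last archive (w.zip), completes the final group so the result ends in .asp.

```python
import base64
import re

# Directories created by the unzip loop are named "<char>.zip." (one character per archive).
COMPONENT = re.compile(r"^([A-Za-z0-9+])\.zip\.?$")

def letters_from_path(path):
    """Collect the one-character archive names from a nested working-directory path."""
    letters = []
    for part in path.split("/"):
        match = COMPONENT.match(part)
        if match:  # skips "home", "ReCurse" and other ordinary directory names
            letters.append(match.group(1))
    return "".join(letters)

def decode_chain(letters):
    """Base64-decode the letters, tolerating a final group shorter than 4 characters."""
    remainder = len(letters) % 4
    if remainder == 1:
        letters = letters[:-1]            # a lone character holds only 6 bits: drop it
    elif remainder:
        letters += "=" * (4 - remainder)  # 2 or 3 characters: pad to a full group
    return base64.b64decode(letters).decode("ascii", errors="replace")

# Shortened sample (constructed): the page's path prefix followed by only the
# last eleven components of the path shown above.
SAMPLE_PATH = ("/home/nli/Desktop/otterctf/ReCurse/d.zip./H.zip./R.zip./l.zip./"
               "c.zip./n.zip./M.zip./u.zip./Y.zip./X.zip./N.zip.")

# The full string the page obtained from its path.
PAGE_STRING = ("aHR0cHM6Ly93d3cuZXhvdGljYW5pbWFsc2ZvcnNhbGUubmV0L3NhbGUvMzkzNTMtMi1m"
               "ZW1hbGUtc21hbGwtY2xhdy1Bc2lhbi1vdHRlcnMuYXN")

if __name__ == "__main__":
    tail = letters_from_path(SAMPLE_PATH)
    print(tail, "->", decode_chain(tail))    # 11 characters, last group is "YXN"
    print(decode_chain(PAGE_STRING))         # the link as first decoded
    print(decode_chain(PAGE_STRING + "w"))   # with the last archive's name appended
```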

By clicking on the User Review link, I was redirected to http://www.birple.com/[email protected]&sid=175 website and page. At first, I thought that this was a dead end, but after multiple tries and failures I decided to use the leaked email ([email protected]) as the password for my last archive file:

Output:

Obtaining the flag:

flag{Recursion_1S_T3rribl3_AnD_1_H4t3_My_L1F3!!}

