jebidiah-anthony
write-ups and what not
Friend (100 pts)
PART 1 : CHALLENGE DESCRIPTION
Among File001 to File999, find files with the same features with File.
Identify the files and also provide evidence for the commonality.
flag format: flag{File<4 digits>_lowercase alphanumeric}
PART 2 : GIVEN FILES
[>] Friend_0ad3d2abf5ededb11275ce89417f314e.zip
- File
- Files/File0001 - Files/File0999
- memo.txt
PART 3 : EXAMINING THE FILES
The goal is to find a file with similar “features” with the file, File.
First we inspect the contents of memo.txt:
$ cat memo.txt
File b9fef2a8fc93b05e7701e97196fda6c4fbeea25ff8e64fdfee7015eca8fa617d
File0001 5097d0556fde49fda625b2cba261e1bee99c66c073a3398844de3360c5f835c3
File0002 fd2c2fba409f10b32f4827f745efae50d1e5254f6f024ad964952eac3b2a332b
File0003 369db1c424b954d97c1203905f53d11ce0f2b6942d4b0bf059fdceebfa96d73b
File0004 15536fd2969cebf4577cc116da195f905c8f88e5768683d623795b5c09ff5f8b
File0005 858ac7f973834a3e426efa3f00d48a3fc38ec0ff4e44249ed610f3c6e56e537c
...
File0995 fa1306d21761346491e6c21b21e655518078e01906ca704360783c2b0aa072e3
File0996 daa5f5024a2e8953272b49273b17a843ee96c0f940ecba2eed76401f8d794fa9
File0997 c0e178abd3ea6bcdc074c0ad3490cb5d363de62d00fc22d331eb3d80835cec31
File0998 f41720d08c00bd15de6dbc13907ab36bc40d6b15080f7b1592c4e312a4f46db1
File0999 e85f5d89e52aef154930d337a1b655c44d81c896ddfeebcae09cd02a83a07586
It contains SHA1 hashes of all the files included in the zip file. Now to see what “features” `File has…
$ cat File
Ƙ!�������e�o�*p
$ cat File | xxd -p
d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb
7f8955ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd72
80373c5bd8823e3156348f5bae6dacd436c919c6dd53e23487da03fd0239
6306d248cda0e99f33420f577ee8ce54b67080280d1ec69821bcb6a88393
96f965ab6ff72a70
The similar file should contain a similar hexdump to File
PART 4 : GETTING THE FLAG
Finding a “similar” file:
$ cat Files/* | xxd -p | grep --color d131 | wc -l
7
$ cat Files/* | xxd -p | grep --color d131dd | wc -l
2
$ cat Files/* | xxd -p | grep --color d131dd
d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb
916e0fd3d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004
$ while IFS= read -r line; do
> file=$(echo $line | cut -d" " -f1)
> match=$(cat "Files/${file}" | xxd -p | tr -d '\n' | egrep --color d131dd02)
> if [ ! -z $match ]; then
> echo $file
> fi
> done < memo.txt
File0623
$ cat Files/File0623 | xxd -p
d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb
7f8955ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf2
80373c5bd8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd0239
6306d248cda0e99f33420f577ee8ce54b67080a80d1ec69821bcb6a88393
96f9652b6ff72a70
$ cat memo.txt | egrep -e "File( |0623)"
File b9fef2a8fc93b05e7701e97196fda6c4fbeea25ff8e64fdfee7015eca8fa617d
File0623 8d12236e5c4ed9f4e790db4d868fd5c399df267e18ff65c1107c328228cffc98
File0623 is the closest match to File with a few subtle differences.
They both have different SHA1 hashes as well… but what if they were hashed differently.
$ cat File | md5sum
79054025255fb1a26e4bc422aef54eb4 -
$ cat Files/File0623 | md5sum
79054025255fb1a26e4bc422aef54eb4 -
The contents of File and File0623 has a hash collision over MD5. The hash might be the required evidence for the challenge.