Category: Forensics

Points: 50

Description:

Do the needful
https://scoreboard.openctf.com/DoTheNeedful-98e4c6ba71f88e4201a08e7503b0df6124607e39

File Download: DoTheNeedful-98e4c6ba71f88e4201a08e7503b0df6124607e39

When we extract this file, we end up with Challenge.txt. So I go ahead and cat it.

$ cat Challenge.txt 
=AAAAMjU/o7Z+0V17r06KDNmaZHQB1VSlR7wsTDuNk1ok3wfRPMl5YAAV/DwDzAIAERyH3wAAsVVGNBAIs4H

This looks like a base64 string, however, with base64 encoding, the = character is used as padding and should only show up at the end of a base64 string, if at all. So let’s try and reverse the string. I wrote a quick Python script for this, and write the result to a file.

from base64 import b64decode

# Read the file
with open('Challenge.txt', 'rb') as f:
    data = f.read().strip()

# Reverse the string
data = data[::-1]

# Decode
data = b64decode(data)

# Write to a file
with open('b64_decode.raw', 'wb') as f:
    f.write(data)

Now let’s see what kind of file the resulting base64 is.

$ file b64_decode.txt 
b64_decode.txt: gzip compressed data, last modified: Mon Jul 23 03:05:55 2018, from Unix

Ok, looks like a gzip. Let’s extract it!

$ mv b64_decode.txt b64_decode.gz
$ gzip -d b64_decode.gz
$ file b64_decode 
b64_decode: ASCII text

So it’s ASCII, maybe it’s the flag!

$ cat b64_decode 
466c61677b6577373332386866386573676839663233677d0a

Hmm, looks like hex encoding. I just run a simple one-liner in the Python interpreter to decode this.

>>> '466c61677b6577373332386866386573676839663233677d0a'.decode('hex')
'Flag{ew7328hf8esgh9f23g}\n'

Flag

Flag{ew7328hf8esgh9f23g}