## The Keymaker

The main idea is to find the flag using some forensics and crypto concepts.

#### Step-1:

After we download `The-Keymaker.jpg`, we open it to check whether the flag is visible in the image.

<img src="The-Keymaker.jpg">

#### Step-2:

I tried simple techniques and easily found the answer when we send the command:

`strings The-Keymaker.jpg`

And I got this as output:

```
JFIF
CTFlearn{TheKeymakerIsK00l}
b3BlbnNzbCBlbmMgLWQgLWFlcy0yNTYtY2JjIC1pdiBTT0YwIC1LIFNPUyAtaW4gZmxhZy5lbmMg
LW91dCBmbGFnIC1iYXNlNjQKCml2IGRvZXMgbm90IGluY2x1ZGUgdGhlIG1hcmtlciBvciBsZW5n
dGggb2YgU09GMAoKa2V5IGRvZXMgbm90IGluY2x1ZGUgdGhlIFMwUyBtYXJrZXIKCg==
CmmtaSHhAsK9pLMepyFDl37UTXQT0CMltZk7+4Kaa1svo5vqb6JuczUqQGFJYiycY
```

#### Step-4:

We try the flag from the output and it is incorrect. The part that follows it looks like Base64 encoding:

```
b3BlbnNzbCBlbmMgLWQgLWFlcy0yNTYtY2JjIC1pdiBTT0YwIC1LIFNPUyAtaW4gZmxhZy5lbmMg
LW91dCBmbGFnIC1iYXNlNjQKCml2IGRvZXMgbm90IGluY2x1ZGUgdGhlIG1hcmtlciBvciBsZW5n
dGggb2YgU09GMAoKa2V5IGRvZXMgbm90IGluY2x1ZGUgdGhlIFMwUyBtYXJrZXIKCg==
```

When we decode it online, we get the following:

```
openssl enc -d -aes-256-cbc -iv SOF0 -K SOS -in flag.enc -out flag -base64

iv does not include the marker or length of SOF0

key does not include the S0S marker
```

#### Step-5:

This is a hint: the flag is encrypted with AES-256-CBC, so we need to find the 128 bits of the _iv_ and the 256 bits of the _key_ to decrypt it and find the flag.

#### Step-6:

Opening the image in a hex editor, we find SOF0 at the marker `0xff` `0xc0`; the length of SOF0 is `0x00` `0x11`.

If you are not familiar with the marker identifiers of a JPEG image, refer to:

http://vip.sugovica.hu/Sardi/kepnezo/JPEG%20File%20Layout%20and%20Format.htm

Then, the _iv_ is: `0800be00c803011100021101031101ff`

#### Step-7:

We find SOS at the marker `0xff` `0xda`; the _key_ is:

`000c03010002110311003f00f9766bfc44beda8f3f5c031b92cb0e92d6bdc952`

#### Step-8:

We still have the comment left from the `strings` output; this is the encoded flag:

`mmtaSHhAsK9pLMepyFDl37UTXQT0CMltZk7+4Kaa1svo5vqb6JuczUqQGFJYiycY`

#### Step-9:

According to the command, we need to create an input file `flag.enc` that contains the above comment.

So, finally, the contents of `flag.enc` become: `mmtaSHhAsK9pLMepyFDl37UTXQT0CMltZk7+4Kaa1svo5vqb6JuczUqQGFJYiycY`

#### Step-10:

Following the command we decoded from Base64 earlier, we run:

`openssl enc -d -aes-256-cbc -iv 0800be00c803011100021101031101ff -K 000c03010002110311003f00f9766bfc44beda8f3f5c031b92cb0e92d6bdc952 -in flag.enc -out flag -base64`

#### Step-11:

This creates a file `flag` in the same directory, and we can read its contents with `cat flag`.

#### Step-12:

Finally the flag becomes:

`CTFlearn{Ne0.TheMatrix}`
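
The marker walk from Steps 6 to 8 can be scripted instead of read from a hex editor. The following Python parser is an added example, not part of the original write-up: `SAMPLE` is a constructed byte stream built from the SOF0 and SOS bytes quoted above with a placeholder comment, and the function names are hypothetical.

```python
import struct

# Constructed sample, not the challenge file: SOI, COM, SOF0, SOS, scan bytes, EOI.
# The SOF0 and SOS bytes are the ones quoted in the write-up; the comment is a placeholder.
SAMPLE = bytes.fromhex(
    "ffd8"
    "fffe0009" + b"comment".hex() +
    "ffc00011" "0800be00c803011100021101031101"
    "ffda" "000c03010002110311003f00"
    "f9766bfc44beda8f3f5c031b92cb0e92d6bdc952"
    "ffd9"
)

def walk_segments(data):
    """Yield (marker, payload_offset, payload_length) for each segment through SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker, not a JPEG")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # counts its own 2 bytes
        yield marker, pos + 4, length - 2
        if marker == 0xDA:  # SOS: entropy-coded data follows, no more length fields
            return
        pos += 2 + length

def extract_material(data):
    """Return (iv, key, comment) following the rules given in the decoded hint."""
    iv = key = comment = None
    for marker, off, size in walk_segments(data):
        if marker == 0xC0:    # SOF0: skip marker and length, take 16 bytes
            iv = data[off:off + 16]
        elif marker == 0xDA:  # SOS: skip only the marker, take 32 bytes
            key = data[off - 2:off + 30]
        elif marker == 0xFE:  # COM: the payload is the Base64 text for flag.enc
            comment = data[off:off + size]
    return iv, key, comment

def openssl_command(iv, key):
    """Build the decryption command from the hint with the extracted values."""
    return (f"openssl enc -d -aes-256-cbc -iv {iv.hex()} -K {key.hex()} "
            "-in flag.enc -out flag -base64")

if __name__ == "__main__":
    iv, key, comment = extract_material(SAMPLE)
    print(comment.decode())
    print(openssl_command(iv, key))
```

The SOF0 length `0x0011` covers only 15 payload bytes, so the 16-byte _iv_ ends with the `0xff` of whatever marker follows; the sample places SOS there.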