noxCTF DontLookInsideTheBox

Idang1410 of NopSlide

At first we got a nice zip file from the DropBox server. After we opened it, we discovered an unknown file named HashTable... sounds interesting.

So, we can try and open it with 010 to see the headers/magic and discover
the file format. We found out that it's an sqlite3 db.
So let's open it and advance.

When we tried to open the file (I picked the official sqlite3.exe),
we got an error saying that it's not a DB file. Strange.

After some short exploring on the internet, we could see that the headers are wrong indeed,
and instead of sqlite3 at the beginning, it should be SQLite3.

We fixed the header, and now we can read the DB! Great.

Inside we could see three tables: Flags, plain, and hashs.
The Flags table has over 1600000 entries, and all of them looked like the
flag we were looking for.
Each of the other tables had one column named XorMe. Interesting.

The rest of the tables were significantly smaller, with only one entry each.
Hashs' only entry is : 6c7a634e058812fb329863ff42fec497
and Plain's only entry is : JohnE

It seems unwise to xor the two - because one is 16 chars long, and the
second is 5 chars long.
So maybe we need to break the hash, and xor the original value with plain?
Those of you who tried that discovered the hash is not in any common rainbow table,
nor does it break easily with common hash breakers.

But even if we do manage to break it and xor the two values - what would we expect to get?
The flag? We have a full table of those. Maybe an index to the table?
A five-byte value would probably be too large to hold a valid index.

Let's think about another idea.
What if the creator took the MD5 of the flag, and the MD5 of the key (JohnE), xored them,
and saved the result as Hashs' entry? In this scenario, the hash is not meant to be broken at all!
And if we calculate an MD5 hash of the key (da0754b53009704f67fa771ae3a3a036),
and xor it with the given hash, we should theoretically get the MD5(flag).

Now we can use the flags table - let's calculate an md5 hash on each flag,
and compare it with the hash we got.

The python code goes like this :

(go to the original writeup)
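
The search described above, as an added example that is not the author's original script. It runs against a small constructed in-memory database that reuses the table names and the XorMe column from the challenge; the `flag` column name in Flags, the function names, and all sample flags are assumptions made for the example.

```python
import hashlib
import sqlite3

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def xor_hex(a_hex, b_hex):
    # XOR only makes sense on equal-length operands (two 16-byte digests here);
    # this is why XORing the stored hash with the raw 5-byte key was a dead end.
    a, b = bytes.fromhex(a_hex), bytes.fromhex(b_hex)
    if len(a) != len(b):
        raise ValueError("operands must be the same length")
    return bytes(x ^ y for x, y in zip(a, b)).hex()

def recover_flag(conn):
    # stored = MD5(flag) ^ MD5(key), so MD5(flag) = stored ^ MD5(key).
    (stored,) = conn.execute("SELECT XorMe FROM hashs").fetchone()
    (key,) = conn.execute("SELECT XorMe FROM plain").fetchone()
    target = xor_hex(stored, md5_hex(key))
    # No hash cracking needed: hash every candidate and compare.
    for rowid, flag in conn.execute("SELECT rowid, flag FROM Flags"):
        if md5_hex(flag) == target:
            return rowid, flag
    return None

def build_demo_db(n=1000, real_index=777, key="JohnE"):
    # Constructed stand-in for the challenge file, built the way the writeup
    # guesses the author built it. Column name "flag" is an assumption.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Flags (flag TEXT)")
    conn.execute("CREATE TABLE plain (XorMe TEXT)")
    conn.execute("CREATE TABLE hashs (XorMe TEXT)")
    flags = [f"noxCTF{{constructed_{i:04d}}}" for i in range(1, n + 1)]
    conn.executemany("INSERT INTO Flags VALUES (?)", [(f,) for f in flags])
    conn.execute("INSERT INTO plain VALUES (?)", (key,))
    stored = xor_hex(md5_hex(flags[real_index - 1]), md5_hex(key))
    conn.execute("INSERT INTO hashs VALUES (?)", (stored,))
    return conn

if __name__ == "__main__":
    print(recover_flag(build_demo_db()))
```

To run it on the repaired challenge file, pass `sqlite3.connect(...)` on that file to `recover_flag` and adjust the Flags column name to match the real schema.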

Andddd yes! We found the flag at the index of 16000000 - and it's noxCTF{h4shUL1t3}. Nice challenge indeed.