Tags: misc zip stego 

# SSCTF 2016 : Chain Rule 200

**Category:** Crypto-Exploit
**Points:** 200
**Solves:** 47
**Description:**

> This challenge has been completed by 47 teams
>
> Description
>
> Try 'start'
>
> Challenge link <http://static.lab.seclover.com/crypto/crypto2-b7486602.zip>

## Write-up

One of the files has the password "start". Inside that file there is a text document with another password (that password cannot be brute-forced). Decrypting the files one by one gives us two zip files, *flag.zip* and *pwd.zip*, and a message telling us to look for flag and pwd.

*flag.zip* is password-protected too. *pwd.zip* is unprotected and contains 6140 text files: one is named *start.txt*, and the others have numerical names. Every file except the last one contains a link to the next one or two files ("next is xxxxxx[ , or yyyyyy]"). Walking through this linked list (using breadth-first search and marking visited files) we visit every file, and in the last one we get a message telling us to pay attention to comments and avoid the blackhole.

The blackhole is an infinite loop, which we fall into if we do not mark visited files. And what comments? There were no comments in the files, except the first and the last one. In the end I found out that most of the txt files in *pwd.zip* had a comment inside the zip archive. These comments were " " or "\t". If we collect all the comments while walking through the graph, and assume that " " == 0 and "\t" == 1, we get a string of bytes in big-endian:

>b"\x01^\xb8\x94k\xe6\nh\xf8e\xcbEIi\x98s\xc7\xad#\xc6*\xb7=\x83U\x95P\xeb\xcd[-\xf8\x86\xf4V\xc7\\#\x9f&9\xd0\xbe\rrE\xd57\xffG\xb6k\xb5[\xe9u.\x1b\xf2\xc2F\xd5\x10q\xf6yt\x02@\xd6\xe6\x0e\x91\xbb\x95\xb3u\x14\x14B\xbc\x1d\xab/\xb1\xbdb\xbe\xca\xe3\xf7\x19\xf7\xce>\x0c\xb4\xcdsK\xb9C\x020\xe1\x0c\x98\xfc\xcd\x8b\x8f\xf6\xdf\x94\x01`\xae\x92\xcc\xfe\x8d\xbd\xb1M\xdcP\xe5\xe1\x17\xb7
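
The walk and comment decoding described above, as an added Python example that is not part of the original write-up. The archive is a small constructed stand-in for *pwd.zip*; the `<number>.txt` naming, the digit-matching link pattern and packing the bits as one big-endian integer are assumptions.

```python
import io
import re
import zipfile
from collections import deque

def build_sample_zip(secret: bytes) -> bytes:
    """Constructed stand-in for pwd.zip: a chain of files, one bit per zip comment."""
    bits = "".join(f"{b:08b}" for b in secret)
    names = ["start.txt"] + [f"{100000 + i}.txt" for i in range(1, len(bits) + 2)]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for i, name in enumerate(names):
            if i == len(names) - 1:
                body = "pay attention to comments and avoid blackhole"
            else:
                body = f"next is {names[i + 1][:-4]}"
                if i % 5 == 3:  # second link points backwards: the "blackhole"
                    body += f" , or {names[i - 2][:-4]}"
            info = zipfile.ZipInfo(name)
            if 0 < i <= len(bits):  # first and last file carry no comment
                info.comment = b"\t" if bits[i - 1] == "1" else b" "
            zf.writestr(info, body)
    return buf.getvalue()

def decode_comments(zip_bytes: bytes, start: str = "start.txt") -> bytes:
    """BFS over the 'next is ...' links, reading each entry's zip comment as a bit."""
    bits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        seen, queue = {start}, deque([start])
        while queue:
            name = queue.popleft()
            comment = zf.getinfo(name).comment  # per-entry comment, not file content
            if comment in (b" ", b"\t"):
                bits.append("1" if comment == b"\t" else "0")
            # Assumed link format: every number in the text names a <number>.txt entry.
            for num in re.findall(r"\d+", zf.read(name).decode()):
                nxt = f"{num}.txt"
                if nxt not in seen:  # marking visited entries avoids the loop
                    seen.add(nxt)
                    queue.append(nxt)
    if not bits:
        return b""
    # Assumption: the bit string is one big-endian integer, zero-padded at the front.
    return int("".join(bits), 2).to_bytes((len(bits) + 7) // 8, "big")

if __name__ == "__main__":
    print(decode_comments(build_sample_zip(b"key!")))
```
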

Original writeup (https://github.com/ctfs/write-ups-2016/tree/master/ssctf-2016/crypto-exploit/chain-rule-200).