Tags: python
Rating: 3.0
# EASYCTF - Zipperoni
> I've created a dastardly chain of zip files. Now you'll never find my flag!
> The first file is begin.zip, with password coolkarni.
Based on the instruction we can `unzip` begin.zip with `coolkarni` and we have the following files:
* filename.txt : name of the next zip file
* hash.txt
* pattern.txt : pattern of the password for the next file.
The goal is quite clear, we have to unzip all the file and bruteforce the password based on the pattern.
The pattern wasn't very understandable , at first I thought you had to guess the "_" when it fact this character was a part of the password.
> Hint: You need to guess the password of the next zip file. However, the underscores in the pattern appear in the same positions as they do in the actual password, so you don't need to guess them. For example, the first pattern is __0_0_, which means that you need to guess the 3rd and 5th characters.
With this hint we can start cracking the passwords. Let's start by generating our wordlist with mp64.
mp64 uses the following masks in order to generate a custom wordlist:
* `?l = abcdefghijklmnopqrstuvwxyz`
* `?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ`
* `?d = 0123456789`
* `?s = !"#$%&'()*+,-./:;<=>?@[\]^_{|}~`
* `?a = ?l?u?d?s`
* `?b = 0x00 - 0xff`
With theses masks in mind we can parse the pattern to match our expectations, and then give the wordlists to `fcrackzip`
```
pattern = pattern.replace("A","?u")
pattern = pattern.replace("a","?l")
pattern = pattern.replace("0","?d")
```
The final script took around 10min to find the passwords and extracts the 100 zip files.
```
#!/usr/bin/python
# -*- coding: utf-8 -*-
import sys, subprocess, re
def command(cmd,arg):
proc = subprocess.Popen([cmd, arg], stdout=subprocess.PIPE, shell=True)
(out, err) = proc.communicate()
return out
if __name__ == "__main__":
d = 'list_mp64'
zippy = "begin.zip"
pattern = ""
n_zip = 100
# 1st password
gen_pattern = command("echo 'coolkarni' > list_mp64", "")
for i in range(n_zip):
fcrackzip_cmd = command("fcrackzip -v -D -p "+ d +" "+str(zippy)+" -u","")
print "[CRACK ZIP ] fcrackzip -v -D -p "+ d +" "+str(zippy)+" -u"
if "FOUND" in fcrackzip_cmd:
passwd = fcrackzip_cmd.split(' ')[-1].strip()
print "[FOUND "+str(i)+"] unzip -o -P " +passwd+ " ./"+str(zippy)
command("unzip -o -P " +passwd+ " ./"+str(zippy),"")
# open dir and zippy = cat filename
with open("pattern.txt", 'r') as f:
pattern = f.read()
pattern = pattern.strip()
pattern = pattern.replace("A","?u")
pattern = pattern.replace("a","?l")
pattern = pattern.replace("0","?d")
print "[NEW PATTERN] ", pattern, ": mp64 '"+pattern+"' > list_mp64"
gen_pattern = command("mp64 '"+pattern+"' > list_mp64", "")
with open("filename.txt", 'r') as f:
zippy = f.read()
zippy = zippy.replace('zip_files/','').strip()
print "[ZIP ] ", zippy, "\n"
else:
with open('flag.txt', 'r') as f:
print f.read();
```
So we don't make use of `hash.txt` file.
If we use `hash.txt`, cracking time will be around 1 minute.