Wednesday, January 4, 2023

Writeup: The Archive - Hacktoria Contract

Here's my writeup for the Hacktoria Contract "The Archive", which dropped on December 16, 2022, and which I solved on December 28th.

Briefing

Greetings Special Agent K. As you might know, the end of the year is always signified with a massive uptick in cyber attacks. Particularly DDoS and Ransomware attacks are commonplace during this time of the year. It's also the time of the year for agencies worldwide to crack down on the criminal enterprises destroying the downtime of IT personnel everywhere.

Our good friends over at the FBI have done just that. Yesterday morning around 0400 UTC they were able to seize a warehouse full of C2 servers, crypto miners and an entire scam call-center rolled into one.

During this bust, several laptops of key individuals were confiscated. There was however one laptop of which the owner was able to wipe the disk, right as the raid was happening. The FBI was able to recover most of the files, but is left puzzled at several of them.

You might already feel this one coming. One of these archives was sent our way to be investigated. Find out what you can about the file inside the archive. It seems to have been damaged beyond the point of recovery, but the FBI has hopes our best and brightest can uncover something.

As always, Special Agent K. The contract is yours, if you choose to accept.

Materials and Answer Instruction

The password starts with "flag-"

MD5 Checksum for The Archive: 2625ae7c180080e580551347831362d7

----------


And so, with very little to start with as usual, I downloaded the archive file and, after extracting the file psvoxkwo8mm, took a look at it in the terminal, only to find a huge heap of text.


The text doesn't jump out at me as anything in particular at first glance. At this point I'm thinking this is probably a trap of some kind, so I should look elsewhere. Taking stock of what we have so far (the checksum, the filename, and the string of text in the file itself), I take the hash over to https://hashes.com/ and https://www.dcode.fr/cipher-identifier but have no luck playing around with it there. My next move is to try the filename of the archive file instead. Running this through dcode bears fruit rather quickly:

It identifies the filename as text encoded with the Affine Cipher, and decoding it gives Filename8cc. That seems like something useful, but I'm not immediately sure of its meaning. At this point it's time for some strategic googling, which yields nothing.
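To show what dcode's identifier is doing behind the scenes, here is an added example (mine, not the challenge author's or dcode's code) that recovers the Affine key for the filename by exhaustive search. The Affine cipher maps each letter x to (a*x + b) mod 26 with gcd(a, 26) = 1, so there are only 12 * 26 = 312 candidate keys; each candidate decryption is scored against a small constructed wordlist. Non-letters pass through unchanged, which is why the digit in psvoxkwo8mm survives into the decoded name. The wordlist and the scoring heuristic are my assumptions; a real tool would use a full dictionary or n-gram statistics.

```python
"""Brute-force an Affine-cipher token by trying every valid (a, b) key pair.

Added example for this writeup; not the challenge's or dcode's own code.
Decryption is x = a_inv * (y - b) mod 26, where a_inv is the modular
inverse of a (which exists only when gcd(a, 26) == 1).
"""
from math import gcd
from string import ascii_lowercase

ALPHABET = ascii_lowercase
M = len(ALPHABET)  # 26

# Scoring wordlist: constructed for this example (assumption, not from the page).
WORDLIST = ("file", "name", "password", "archive", "flag", "the")


def affine_decrypt(ciphertext: str, a: int, b: int) -> str:
    """Decrypt `ciphertext` with key (a, b); non-letters are left untouched."""
    if gcd(a, M) != 1:
        raise ValueError(f"a={a} is not coprime with {M}; not a valid Affine key")
    a_inv = pow(a, -1, M)  # modular inverse of a (Python 3.8+)
    out = []
    for ch in ciphertext:
        if ch.isalpha():
            y = ALPHABET.index(ch.lower())
            x = (a_inv * (y - b)) % M
            p = ALPHABET[x]
            out.append(p.upper() if ch.isupper() else p)
        else:
            out.append(ch)  # digits and punctuation pass through unchanged
    return "".join(out)


def score(plaintext: str) -> int:
    """Sum the lengths of wordlist hits; crude, but enough for a short token."""
    text = plaintext.lower()
    return sum(len(w) for w in WORDLIST if w in text)


def brute_force(ciphertext: str) -> tuple[int, int, str]:
    """Try all 312 keys and return (a, b, plaintext) for the best-scoring one."""
    best = None
    for a in range(1, M):
        if gcd(a, M) != 1:
            continue  # a without an inverse mod 26 cannot be decrypted
        for b in range(M):
            pt = affine_decrypt(ciphertext, a, b)
            s = score(pt)
            if best is None or s > best[0]:
                best = (s, a, b, pt)
    _, a, b, pt = best
    return a, b, pt


if __name__ == "__main__":
    # The archive's filename from the writeup, decoded by exhaustive key search.
    a, b, pt = brute_force("psvoxkwo8mm")
    print(f"key a={a}, b={b} -> {pt}")
```

Running it on psvoxkwo8mm reports key a=1, b=10 (an Affine key with a=1 is just a Caesar shift) and the plaintext filename8cc, matching what dcode produced. The same search works for any short Affine-encrypted token as long as the wordlist contains something the plaintext is likely to include.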


After a while I figure out it's a URL: filename.cc. When I visit the site I immediately get a download in my browser for a file named "passarch-mf28f2ukn2vh723f2f23", which holds a file "password-the archive", and that seems rather promising! So we open that up and voilà! The flag for our file: flag-****398D#C*$C#)*$V3405hv3j524952


So we head on over to our flag file, use that as the password, and boom! We've got the contract card.
