STACK the Flags 2020
Introduction
This was a jeopardy style Capture-the-Flag organised by GovTech’s Cyber Security Group (CSG) which consisted of 11 challenges across domains like OSINT, Web, Mobile, Reverse Engineering and even Social Engineering. I participated with some friends with the goal of learning new techniques and we were definitely impressed by the creativity and quality of the challenges. It was a great experience for us and we would like to thank the admins and organisers for this fun event! (There were some technical issues with Dropbox and trolls made by some participants but the admins were quick to make clarifications and find the imposters👍)
As this was my team’s second CTF ever, we didn’t solve everything but we’re glad that we have improved and are slowly getting better💪 We hope that this write-up will help others who happen to be facing a similar problem and are searching for possible solutions. The following was one of the challenges we managed to solve:
Find the leaking bucket! (Cloud Challenge)
In this challenge we were given a website and a hint to use words related to the company’s business to find out the open S3 bucket.
Our first thought was to try the words “smartcity” and “cybersecurity” from the word cloud because they were the most obvious and related to the company “Safe Online Technologies”. Going into this link, we got this:
Our next thought was to create a text file of possible 2-word combinations for the link using the words on the website, and we did this using a simple for-loop. We had a list of at least 500 combinations and were almost going to click through every link, but thankfully we found a tool called S3Scanner which takes in S3 bucket names and checks if they are open. The setup instructions were clear and we managed to get it up to process our file. Running the command python ./s3scanner.py names.txt, which logs out the process, we got this:
We found 4 open S3 buckets in total (intelligent-intelligent, steve-jobs, mobile-cybersecurity and think-innovation) and each link had a file inside. At this point there was an announcement that the following were troll buckets🤦♀️
That left us with “http://think-innovation-s4fet3ch.s3.amazonaws.com/” and going there showed the following:
We retrieved the secret file by appending “/secret-files.zip” to the end of the link. Yes! Could it be the flag? We tried to open the file but were prompted to enter a password.
Cracking password protected ZIP
As password-protected ZIP files are vulnerable to brute-force and dictionary attacks, our first instinct was to run fcrackzip, a ZIP password-cracking tool, against a list of possible passwords. A tutorial on how to use it can be found here. This was the command we used:
fcrackzip -b -D -p rockyou.txt -u secret-files.zip
The parameter -b refers to a brute-force attack, -D -p refers to a dictionary attack using the given password file (we used rockyou.txt, a set of compromised passwords commonly used for dictionary attacks), and -u tells fcrackzip to verify each candidate password by running unzip, which weeds out false positives.
Alas, it was unbroken…
Our next thought was to get more information about the file; perhaps the password would be hidden in its metadata. We used binwalk, which is often used to analyse a given binary image for embedded files, and saw that secret-files.zip contained two files. Using the command binwalk secret-files.zip we got this:
Oh there’s the flag! We also noticed that we had a copy of one of the files which was the indemnity form and wondered if the password was contained in it. We then went to the CTF event site and downloaded it but scanning through we found nothing suspicious. Yet there must be some reason why the file was inside…
Eureka!
After being depressed over our failed brute-force attack and intensive Googling, we came across a possible solution called the Known Plaintext Attack which is when an attacker knows some of the plaintext contents (in this case, the indemnity form) of an encrypted file and can launch an attack to get the key.
One caveat of this method is that the unencrypted plaintext must be compressed using the same method as the encrypted file. By simply using the UNIX zip utility to compress the unencrypted file, we found that the final file sizes of both versions were identical, so we could safely assume that the compression method was correct.
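The size comparison above can be done without round-tripping through the zip command, and it is also the check a defender would run to learn whether an archive's entries are exposed to this attack at all. The following is an added example, not pkcrack's code and not the author's commands: it reads the entry's central-directory record (which is never encrypted), checks that the entry uses legacy ZipCrypto rather than AES, compares the CRC-32 of the candidate plaintext with the stored CRC, and deflates the plaintext at every zlib level to find one whose output size matches the stored compressed size. It goes beyond the write-up in two ways: it accounts for the 12-byte encryption header that ZipCrypto prepends to the compressed data, and it tries all compression levels instead of assuming the default. Python's zipfile cannot write encrypted archives, so the sample archive built here is a constructed, unencrypted stand-in for secret-files.zip; the encrypted branch is exercised only on a real file.

```python
import io
import zipfile
import zlib

ENCRYPTED_FLAG = 0x0001   # general-purpose bit 0: entry is encrypted
AES_METHOD = 99           # compression-method value reserved for WinZip AES
ZIPCRYPTO_HEADER = 12     # bytes of encryption header prepended to ZipCrypto data


def entry_fields(zip_bytes, member):
    """Return the central-directory fields of `member` that the precondition
    check depends on. Works on encrypted archives too, since the central
    directory is stored in the clear."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        info = zf.getinfo(member)
    return {
        "encrypted": bool(info.flag_bits & ENCRYPTED_FLAG),
        "aes": info.compress_type == AES_METHOD,
        "method": info.compress_type,
        "compress_size": info.compress_size,
        "crc": info.CRC,
    }


def deflate_levels_matching(plaintext, target_size):
    """Deflate `plaintext` as a raw stream (the form ZIP stores) at every zlib
    level and return the levels whose output is exactly `target_size` bytes."""
    hits = []
    for level in range(10):
        comp = zlib.compressobj(level, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
        if len(comp.compress(plaintext) + comp.flush()) == target_size:
            hits.append(level)
    return hits


def assess_known_plaintext(zip_bytes, member, plaintext):
    """Report whether `plaintext` is a plausible exact copy of `member`'s
    pre-compression content, and whether the entry uses legacy ZipCrypto."""
    f = entry_fields(zip_bytes, member)
    zipcrypto = f["encrypted"] and not f["aes"]
    # The stored compressed size of a ZipCrypto entry includes the 12-byte
    # encryption header, so remove it before comparing with local deflate.
    payload = f["compress_size"] - (ZIPCRYPTO_HEADER if zipcrypto else 0)
    if f["method"] == zipfile.ZIP_DEFLATED:
        levels = deflate_levels_matching(plaintext, payload)
        size_ok = bool(levels)
    elif f["method"] == zipfile.ZIP_STORED:
        levels = []
        size_ok = len(plaintext) == payload
    else:
        levels = []
        size_ok = False
    return {
        **f,
        "zipcrypto": zipcrypto,
        "crc_matches": (zlib.crc32(plaintext) & 0xFFFFFFFF) == f["crc"],
        "size_matches": size_ok,
        "deflate_levels": levels,
    }


# Constructed sample plaintext standing in for the indemnity form.
SAMPLE_PLAINTEXT = b"INDEMNITY FORM - constructed sample text for this example.\n" * 40


def build_sample_zip(plaintext=SAMPLE_PLAINTEXT):
    """Build an in-memory, unencrypted archive (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("indemnity-form.txt", plaintext)
    return buf.getvalue()


if __name__ == "__main__":
    report = assess_known_plaintext(build_sample_zip(), "indemnity-form.txt", SAMPLE_PLAINTEXT)
    for key, value in report.items():
        print(f"{key:16} {value}")
```

A report with zipcrypto true, crc_matches true and a non-empty deflate_levels list means the archive relies on the legacy cipher and a copy of one member is available in the clear, which is exactly the situation that makes the attack feasible; the fix on the defensive side is to stop relying on ZipCrypto for anything sensitive. A CRC match with no matching level usually means the plaintext is right but was compressed by a different deflate implementation or level, which is the caveat described above.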
We then used pkcrack (more information on how to run it can be found here) and ran the following command:
After running the command, the cracked file was created and we could open the flag.txt. Were we finally done (please no more games😭)?
Conclusion
Yes, opening the file we got our long awaited flag 🏁 : govtech-csg{EnCrYpT!0n_D0e$_NoT_M3@n_Y0u_aR3_s4f3}!
If you read till this point, I applaud your tenacity and hope you enjoyed the write-up and learnt more about cracking ZIPs 😊 A big thank you again to the organising team for this interesting challenge and my team for spending the weekend hacking together🙆♀️!