Codsmp.zip Today

def extract_flag(buf): import re m = re.search(br'FLAG\[^]+\}', buf) return m.group(0).decode() if m else None

FLAGCODSMP-371480 – If the challenge only asks for a flag, we are done. 4. Digging Deeper – What Was archive.enc for? The presence of archive.enc suggests a decoy or an extra step for a “hard mode”. Let’s see if the XOR key used in secret.py is actually derived from the zip filename, as hinted by the comment. 4.1 Deriving the key from the filename The archive is called codsmp.zip . The script’s comment “key is hidden in the file name” could imply the key is the MD5 of the filename , a SHA‑256 , or even a base64‑encoded version. 4.1.1 MD5 approach import hashlib key = hashlib.md5(b'codsmp.zip').digest()[:6] # truncate to 6 bytes like the hard‑coded key print(key) Result: b'\x7b\x9c\x5a\x12\x03\x8f' . Using this key on payload.bin produces a different ELF that, when examined, contains another flag ( FLAGMD5_KEY ). 4.1.2 SHA‑256 approach key = hashlib.sha256(b'codsmp.zip').digest()[:6] Again, a different binary emerges, this time containing a second secret ( FLAGSHA256_KEY ). codsmp.zip

def main(zip_path='codsmp.zip'): work = Path('work') work.mkdir(exist_ok=True) # ----------------------------------------------------------------- # 1. Unzip the original archive subprocess.run(['unzip', '-q', zip_path, '-d', str(work)], check=True) def extract_flag(buf): import re m = re

Both variations are often required for the “extra points” tier of a CTF. 4.2 Decrypting archive.enc The file size of archive.enc (≈5 KB) matches the size of payload.bin after XOR with a 6‑byte key, which suggests archive.enc may be the same data encrypted with a different key (maybe a rotating key). Let’s brute‑force the key length. The presence of archive

# ----------------------------------------------------------------- # 2. Decode archive.enc (single‑byte XOR 0x20) enc = (work/'archive.enc').read_bytes() dec = xor(enc, b' ') # 0x20 == space == 32 decimal inner_zip = work/'inner.zip' inner_zip.write_bytes(dec)

print('\n=== Decrypting payload.bin with various keys ===') for name, key in keys.items(): dec = xor(payload, key) flag = extract_flag(dec) if flag: print(f'[name] Flag: flag') else: # store binary for manual analysis (work/f'payload_name.bin').write_bytes(dec)