Category: Crypto, Stego
Points: 150
Description:
Flag is hidden in file, find it!
Hint: Numerical representation can be useful.
Let’s see what the provided file could be:
$ file mask_e50b38fc9ba38378c444bd93518e886f
mask_e50b38fc9ba38378c444bd93518e886f: xz compressed data
So, we extract the file using the built-in xz or unxz commands:
xz -dc < mask_e50b38fc9ba38378c444bd93518e886f > mask
unxz < mask_e50b38fc9ba38378c444bd93518e886f > mask
Alternatively, extract the provided file using p7zip:
7z x mask_e50b38fc9ba38378c444bd93518e886f
Let’s find out what the extracted file is:
$ file mask
mask: data
Okay, it’s just a bunch of seemingly random, binary data. Let’s use the hint to try to make sense of it, and convert the byte stream into a number. First we use hexdump and xxd to view the hexadecimal representation of the file, but nothing really stands out. Let’s represent the file as a decimal number. Since the file is quite big, we write a Python script for this:
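import binascii

# Read the whole file and interpret its bytes as one big-endian integer.
with open('mask', 'rb') as f:
    byte_stream = f.read()
number = int(binascii.hexlify(byte_stream), 16)

# Write the integer out in decimal, without a trailing newline.
with open('big-ass-int.txt', 'w') as number_file:
    number_file.write(str(number))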
After running this script, big-ass-int.txt contains the number, which consists of 674,209 digits:
$ wc -c big-ass-int.txt
674209 big-ass-int.txt
The number starts with the following digits:
$ head -c 40 big-ass-int.txt
1415926535890932384626433832095028841971
Those look like the fractional-part digits of π! Let’s get the fractional-part digits of π and compare them to this number to see if there’s a difference.
This page lists the first million digits of π, which is more than enough for our experiment (we only need 674,209 fractional-part digits). After removing the leading 3. and whitespace we end up with this file named pi.txt.
Let’s write a Python script diff.py to get the digits from the real π that are different in the big-ass-int.txt file, and format the resulting number in hex.
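#!/usr/bin/env python
# coding=utf-8
# Collect the digits of the real π at every position where big-ass-int.txt differs.
with open('pi.txt', 'r') as f:
    real_pi = f.read()
with open('big-ass-int.txt', 'r') as f:
    big_ass_int = f.read()
result = ''
for i in range(0, len(big_ass_int)):
    if big_ass_int[i] != real_pi[i]:
        result += real_pi[i]
# Print the collected digits, read as one decimal number, in hex.
print('%x' % int(result))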
Let’s treat the hexadecimal output of the script as a byte stream and save the result as a file named diff.bin.
$ python diff.py > diff
$ xxd -r -p diff > diff.bin
$ file diff.bin
diff.bin: xz compressed data
Aha, apparently this is another xz archive! Let’s extract it using any of the above-mentioned techniques:
$ unxz < diff.bin > extracted
$ file extracted
extracted: PDF document, version 1.5
Opening the extracted file in a PDF viewer reveals the flag: ASIS_d45491d1ad0b63ae05b0f0238d0c48e8.
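The recovery steps above folded into one Python 3 function and run on a tiny constructed sample, as an added example that is not part of the original write-up. The names `PI_100`, `hide` and `recover` are chosen here; `hide` is an assumed construction (the challenge's real generator is not known) and exists only to produce sample input.

```python
# Added example: names and sample values are constructed, not taken from the challenge.
# First 100 fractional digits of pi, used as the reference stream.
PI_100 = ("1415926535897932384626433832795028841971"
          "693993751058209749445923078164062862089986280348253421170679")

def _to_bytes(n: int) -> bytes:
    """Minimal big-endian encoding of a non-negative integer."""
    return n.to_bytes((n.bit_length() + 7) // 8, "big")

def hide(payload: bytes, reference: str) -> bytes:
    """Build a sample 'mask' (assumed construction, for test input only).

    The payload is read as a decimal number; each of its digits is matched to the
    next equal digit in the reference, and that reference digit is overwritten.
    """
    digits = list(reference)
    pos = 0
    for d in str(int.from_bytes(payload, "big")):
        pos = reference.index(d, pos)          # ValueError if the reference is too short
        digits[pos] = str((int(d) + 1) % 10)   # any digit other than d would do
        pos += 1
    return _to_bytes(int("".join(digits)))

def recover(mask: bytes, reference: str) -> bytes:
    """Both scripts from the write-up in one pass: bytes -> decimal -> diff -> bytes."""
    decimal = str(int.from_bytes(mask, "big"))
    if len(decimal) > len(reference):
        raise ValueError("reference has fewer digits than the mask")
    # Keep the reference digit wherever the mask digit disagrees with it.
    changed = "".join(r for m, r in zip(decimal, reference) if m != r)
    return _to_bytes(int(changed)) if changed else b""

if __name__ == "__main__":
    sample = hide(b"\xfd7z", PI_100)           # first three bytes of the xz magic
    print(str(int.from_bytes(sample, "big"))[:40])
    print(recover(sample, PI_100))
```

On the real challenge, `recover(open('mask', 'rb').read(), open('pi.txt').read().strip())` would yield the bytes that the write-up saves as diff.bin.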