Tags: grabbag
Rating:
# Journey to the Center of the File (Grab Bag 100)
We're given a file to download. Let's have a look at it.
```
$ file flag
flag: bzip2 compressed data, block size = 400k
```
Alright, it's bzip2. Easy enough.
```
$ bzip2 -d flag
bzip2: Can't guess original name for flag -- using flag.out
$ file flag.out
flag.out: Zip archive data, at least v2.0 to extract
```
Alright. Now we have a zip. Again, nothing special.
```
$ unzip flag.out
Archive: flag.out
inflating: flag
$ file flag
flag: bzip2 compressed data, block size = 400k
```
bzip2, again.
```
$ bzip2 -f -d flag
bzip2: Can't guess original name for flag -- using flag.out
$ file flag.out
flag.out: ASCII text, with very long lines, with no line terminators
```
(`-f` just forces bzip2 to overwrite the old flag.out file)
ASCII text. Let's see here...
```
$ head -c 1000 flag.out
QlpoNDFBWSZTWRvYPKcA8azfgAQAAAj/4D////A////wY+fbZ7m3s1t5O1vaR73333Lru3zu9733313d9LvTq+9uetvuvnuvWe7Vd7s7Zt7d5rN283t59uXSvdnd913u9XZ2Pm69uu93vd9u+93XvZd28vO+299q3b3evLyrfW7b6d32c6vXOnne7fX1zt3Q+qs9fffd9vd7prG+175tvfdb2+t1eXe1Xvu3tdt3m6WzbV3fbe+7vr3bnvPvhvvbz425XXt676+7y+rrfe13ve7lb742+rc+qbKvcbiPux7271677a+Xe9ltvt3t5vbp9d4ynrrvefLcPb6PnHeztqe31ufR1723bol313Pevu33z55629b2d7jn3sfPe73r5fS1HLe93d957tauj7t99297cVbXdi7l1ffb7xe+93vvve++0+2q+r7fb11vXz17bOpb273u3Znu7q2S72e9tu73tK8+3dNxeldp3299H33e+33vdTz1717pe3jr6+++9988vszp9Ht4R95lfe7d7d97rvLe1t0yPl93e+fPT17ufF0b27z7e+vrtqvDWe9vNs7ZvPjudj6+6+5t9uvu3nvt7vodX2+53du772au9tdvetu9vXawL0bSx577jffdvpz7zvvXOffbe9vsejb13Cz3V1Z92d773fbezeuq6+Y87e9u3r17Td53udu2y3t63e3fXzq776p99Oc+q9XvLt7db7zvr6a30Z3tvZZet7vb33fW3u7fe23ur3u53u9PbN7PR0vWq2ruxt3NrfX3d49313d33Z41t1bA9sez07mVvrV5h7n3buu+t9a9a+29u76feddt7o9bvr0+99ve43t7fdo+9vveR0W20xm7vPB189k97u93e9fcl9Mvbb65bOnTl33e7b1OpVLtj68+99e9r27k1fe4nsu9rtqNsfLlfeb6e33dvspT6O+9vffeded3tdq6Pe6vs9eur3Xvvq2tXe1HfbfWs7u+XNvf
```
Looks like base64 encoded data. That's easy enough to handle.
```
$ base64 -d flag.out > base64-decoded
$ file base64-decoded
base64-decoded: bzip2 compressed data, block size = 400k
```
I think we're starting to see a pattern...
This file is essentially just wrapped in a bunch of layers, like an onion. There are three main things we're dealing with here: bzip2, gzip, zip, and base64. It would be tremendously impractical for us to do it by hand, so we can make a program to do it for us.
This is a super inelegant and choppy Python script I wrote to handle this. This isn't representative of my Python skills, but under a time limit, elegance becomes secondary.
```python
#!/usr/bin/env python3
import os
import time
from subprocess import *
def getType(fName):
return os.popen("file %s" % fName).read().split(":")[1].split()[0]
def bz(fName):
os.popen("bzip2 -f -d %s" % fName)
return fName + ".out"
def zp(fName):
return os.popen("unzip -o %s" % fName).readlines()[1].split(":")[1].strip("\n").lstrip().rstrip()
def ac(fName):
process = Popen("base64 --decode %s > tmp" % fName, shell=True, stdout=PIPE, stderr=PIPE)
out, err = process.communicate()
if b"invalid" in err:
print("We finally got it!")
exit()
else:
os.popen("mv tmp %s" % fName )
return fName
def gz(fName):
os.popen("mv %s %s.gz; gzip -d -f %s.gz" % (fName, fName, fName) )
return fName
def main():
fName = "flag"
tDone = False
while not tDone:
fType = getType(fName)
print(fName, fType)
if fType == "bzip2":
fName = bz(fName)
elif fType == "Zip":
fName = zp(fName)
elif fType == "ASCII":
fName = ac(fName)
elif fType == "gzip":
fName = gz(fName)
time.sleep(5)
if __name__ == "__main__":
main()
```
After letting it run, it'll let you know when all the layers have been peeled, and the flag is availble for you.
![](https://raw.githubusercontent.com/shawnduong/ctf-writeups/master/2019-MITRE-STEM/images/Journey.png)