## Security Advisory

We get a PDF that seems to contain gibberish at first.

Looking closely we see `Blowfish/8`; it is not a product but an encryption algorithm.

Further on we see a suspicious `OFB` mode, one of the modes of operation Blowfish can run in, but we don't have any text to decrypt or any key and IV. Or do we?

The client versions claimed to be vulnerable look like valid hex:
> cf1c1a057d47, 86a9ef0f5a74, 4e6fa75810fc, and 855f3945f731
> 826610fc022a, e726719dc183, b7451dc8f5bf, and 3e3c8ad7bc55

but each is 12 hex characters (6 bytes), not the 8 bytes expected for a Blowfish key and IV.

Searching further we find that the metadata has a suspicious field:

`<xmp:CreatorTool>|64616d6e206d657461646174613b206865726520796f7520676f3a20325a646b4b5474707247646448683333|</xmp:CreatorTool>`

Decoding that from hex gives us:

> damn metadata; here you go: 2ZdkKTtprGddHh33

`2ZdkKTtprGddHh33` is not 8 bytes, but it is 16 bytes. What if we split it in two, use the halves as key and IV, and feed the concatenated hex from the version strings in as the ciphertext in CyberChef?

[Cyberchef](https://gchq.github.io/CyberChef/#recipe=Blowfish_Decrypt(%7B'option':'UTF8','string':'2ZdkKTtp'%7D,%7B'option':'UTF8','string':'rGddHh33'%7D,'OFB','Hex','Raw')&input=Y2YxYzFhMDU3ZDQ3ODZhOWVmMGY1YTc0NGU2ZmE3NTgxMGZjODU1ZjM5NDVmNzMxODI2NjEwZmMwMjJhZTcyNjcxOWRjMTgzYjc0NTFkYzhmNWJmM2UzYzhhZDdiYzU1)

And we have our flag:

Flag: `syskronCTF{you-Just-anaLyzed-your-1st-advisorY}`

Original writeup (https://github.com/QzSG/CTF-Write-Ups/blob/master/Syskron%20Security%20CTF/2020/Thursday.md#security-advisory).