/ forensic

RC3CTF - Breaking News (FORENSIC300)

Dans ce challenge nous avons une archive Forensics-300.tar-gz.

Dans un terminal:

$ tar -xvf Forensics-300.tar.gz
Chapter0.zip
Chapter1.zip
Chapter10.zip
Chapter11.zip
Chapter12.zip
Chapter13.zip
Chapter14.zip
Chapter15.zip
Chapter16.zip
Chapter17.zip
Chapter18.zip
Chapter19.zip
Chapter2.zip
Chapter3.zip
Chapter4.zip
Chapter5.zip
Chapter6.zip
Chapter7.zip
Chapter8.zip
Chapter9.zip
$ for i in $(seq 0 19); do strings Chapter$i.zip; done
GINg
Chapter0.txtUT	
L+^=
<U<i%[
GINg
Chapter0.txtUT
Chapter1.txtUT	
D{N1
!Rk\
^hE3n
Chapter1.txtUT
GIKZo=f
Chapter2.txtUT	
GIKZo=f
Chapter2.txtUT
Chapter3.txtUT	
Chapter3.txtUT
Chapter4.txtUT	
Chapter4.txtUT
UkMK
Chapter5.txtUT	
\DjX
pZzU
NR!R9
K4r>&
Chapter5.txtUT
Chapter6.txtUT	
Chapter6.txtUT
Chapter7.txtUT	
Chapter7.txtUT
Chapter8.txtUT	
Chapter8.txtUT
Chapter9.txtUT	
K)VH,JU(
Chapter9.txtUT
My0yMAo=
Chapter10.txtUT	
Chapter10.txtUT
MTYtRFUK
Chapter11.txtUT	
;X c
`s;	
(yCc
_/_PK
Chapter11.txtUT
Chapter12.txtUT	
Wow, these Queebloid folks do not fool around.
Chapter12.txtUT
Chapter13.txtUT	
H,Q/V(
,Q(NM
Chapter13.txtUT
Chapter14.txtUT	
0gZ+
?6(U
Chapter14.txtUT
Chapter15.txtUT	
Y*mO
.Xt]
3oc$M8e
Chapter15.txtUT
S1lGCg==
Chapter16.txtUT	
2VD%
Chapter16.txtUT
Chapter17.txtUT	
6[in
Chapter17.txtUT
Chapter18.txtUT	
,QH,(HM,*V(
Chapter18.txtUT
QkxTCg==
Chapter19.txtUT	
*Cut to black*
Chapter19.txtUT

Après avoir fait un strings sur les fichiers zip on constate la présence des chaines suivantes codées en base64:

UkMK - My0yMAo= - MTYtRFUK - S1lGCg== - QkxTCg==

En decodant les chaines unes pas unes nous retrouvons le flag: RC3-2016-DUKYFBLS.