(SBT) HilltopCTF - Day Of The Tentacle Write-up.
Hi, how are you… I’m Cristian (aka ElRaroDeNegro) and I’m part of the Security Blue Team Staff.
As you may remember, some time ago we carried out our live flag capture event: “HilltopCTF”, where many challenges of different natures were presented that sought to test your knowledge and above all, provide a fun space where you could continue learning.
Well, I was the developer of the micro event “Day of the Tentacle”, based on the famous game by Lucas Arts (which, in my opinion, is one of the best games in the world xD) “Maniac Mansion 2: The Day of the Tentacle” and which I’ll tell you about in this occasion.
Well, without further ado, let’s go!
THE CHALLENGE
This challenge was classified in the Steganography category “STEGO” and was presented as a “moderately easy” challenge, with a value of 25 points and introduced as follows:
Title: Day of the Tentacle
A short description that reads:
“Oh no, the purple tentacle has drunk from that radioactive water, now the thing inside it made him EVIL.”
Three hints that depending on their cost became more and more specific:
1) “Purple is terrifying, there’s something strange into him.”
2) “Sometimes information is hidden, some other times you make a “dictionary” with what you see.”
3) “It’s dangerous to go alone! Take this: binwalk, cewl.”
(As you can see, the last clue gave you the answer to everything you wanted to do)
And finally, a .zip file that contained the following GIF:
THE SOLUTION
The first thing we must do is unzip the “Tentacles.zip” file. When we do it we will obtain the file “_Tentacles_.gif”, which we will proceed to analyze.
At first sight, we realize that this gif has something interesting inside because while it is playing you can read the message:
“https://en.wikipedia.org/wiki/Day_of_the_Tentacle"
Initially, this doesn’t help us at all, so we have to keep analyzing the file.
Using the “Strings” command to read the file on the command line we realize that at the end of the file there is an intriguing element… A flag?
We realize that this text line tells us that inside this GIF is a hidden file, which we can easily extract using the tool “Binwalk”.
To do this, we type the following command:
binwalk --dd=”.*” _Tentacles_.gif
Once the process is completed, we realize that inside this folder, there is another .zip file, which contains the file “Flag.txt” that we had seen a few moments ago.
Unfortunately, when we try to extract it, we realize that this file is blocked by a password of which we have no clue… Or maybe we do?
Let’s remember that link we found earlier… It can help us with this, not as a password (because it will not be possible to access the zip in this way), but by creating a dictionary through that web address. This is where we’ll use the following command from the “Cewl” tool:
cewl -d 0 -w [dict name] https://en.wikipedia.org/wiki/Day_of_the_Tentacle
Once the tool finishes its execution we have a new dictionary called “dictionary.txt”, which will be full of words obtained from the website provided above, and with which we can perform the decryption of the .zip file.
Using the tool “Fcrackzip” we will perform a dictionary attack:
fcrackzip -u -v -D -p [dict name] [zip file]
And that’s it! Finally, we have obtained the password of our file, now we only have to enter “LucasArts” as a password, and we will be able to obtain the file that contains the flag:
HilltopCTF{Purpl3_1s_Terr1fy1ng}
I hope you liked this explanation and that you never stop learning.
See you next time.
