Description

Solution

We’re presented with a file called lockedbox, which turns out to be a Makeself archive.

[ihuomtia@pc alocked_box]$ file lockedbox    
lockedbox: POSIX shell script executable (binary data), self-executable archive, Makeself 2.5.0

We extract its contents with binwalk, as shown below.

[ihuomtia@pc alocked_box]$ binwalk -e lockedbox    
  
DECIMAL       HEXADECIMAL     DESCRIPTION  
--------------------------------------------------------------------------------  
0             0x0             Executable script, shebang: "/bin/sh"  
840           0x348           Unix path: /usr/ucb/echo; then  
875           0x36B           Unix path: /usr/ucb/echo"  
931           0x3A3           Unix path: /usr/xpg4/bin; then
[...]
18176900      0x1155B84       Zlib compressed data, default compression  
18178934      0x1156376       Zlib compressed data, best compression  
18199124      0x115B254       Zlib compressed data, best compression

This gives us a bunch of files. After checking all of them, the most interesting one was 4986, as it contains some useful files.

[ihuomtia@pc alocked_box]$ cd _lockedbox.extracted/  
[ihuomtia@pc _lockedbox.extracted]$ ls  
4986         99AB55.zip   9BF0A0.zip   AE4720.zip   B06ACA.zip   B43FC3.zip                                                           setuptools  
960A85.zip   99F430.zip   9CB636.zip   AEE062.zip   B15A2A.zip   BAF365.zip  
97A000.zip   9A0E19.zip   A1FE83.zip   AFDC3F.zip   B1F3F7.zip  'ǶmÛ¶mÛ¶mÛ¶mܱîØÖ'$'\035''ÛúÇÊK²Jª'$'\302\222''^õ¢'$'\027''gÓ§OW}'  
98DE7A.zip   9AC287.zip   ADBA65.zip   B068F7.zip   B2F078.zip   pip
[ihuomtia@pc _lockedbox.extracted]$ file 4986    
4986: POSIX tar archive

Let’s extract it and see what’s inside.

[ihuomtia@pc _lockedbox.extracted]$ tar xvf 4986    
./.packaged_python/python/bin/2to3  
./.packaged_python/python/bin/2to3-3.11  
./.packaged_python/python/bin/idle3  
./.packaged_python/python/bin/idle3.11
[...]
./.packaged_python/python/share/man/man1/python3.11.1  
./_packaged_startup.sh  
./lockbox.py  

There’s a file named lockbox.py that contains a bunch of fake flags, maybe to confuse anyone who uses grep?

[ihuomtia@pc _lockedbox.extracted]$ cat lockbox.py    
flag0 = 'flag{cfcd208495d565ef66e7dff9f98764da}'  
flag1 = 'flag{c4ca4238a0b923820dcc509a6f75849b}'  
flag2 = 'flag{c81e728d9d4c2f636f067f89cc14862c}'  
flag3 = 'flag{eccbc87e4b5ce2fe28308fd9f2a7baf3}'  
flag4 = 'flag{a87ff679a2f3e71d9181a67b7542122c}'
[...]
flag995 = 'flag{2bcab9d935d219641434683dd9d18a03}'  
flag996 = 'flag{0b8aff0438617c055eb55f0ba5d226fa}'  
flag997 = 'flag{ec5aa0b7846082a2415f0902f0da88f2}'  
flag998 = 'flag{9ab0d88431732957a618d4a469a0d4c3}'  
flag999 = 'flag{b706835de79a2b4e80506f582af3676a}'  
FLAG_PREFIX = "flag{%s}"  
  
print(FLAG_PREFIX % "3a50c5e41a1c3eee6dcddca9e04992e0")

As the source shows, running this Python file will print out the flag.

[ihuomtia@pc _lockedbox.extracted]$ python lockbox.py    
flag{3a50c5e41a1c3eee6dcddca9e04992e0}  

And here’s the flag: flag{3a50c5e41a1c3eee6dcddca9e04992e0}
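
The same value can be read out of lockbox.py without executing a script pulled from an unknown archive. The following is an added example, not part of the original write-up: it parses the source with Python's ast module, resolves what print() would emit, reports never-referenced assignments as decoys, and checks that each decoy is the MD5 of its own index. SAMPLE is constructed from the lines shown above, and the helper names (resolve, analyze, is_counter_md5) are assumptions of this example.

```python
import ast
import hashlib
# Constructed sample: the first five decoys and the closing lines shown above.
SAMPLE = """\
flag0 = 'flag{cfcd208495d565ef66e7dff9f98764da}'
flag1 = 'flag{c4ca4238a0b923820dcc509a6f75849b}'
flag2 = 'flag{c81e728d9d4c2f636f067f89cc14862c}'
flag3 = 'flag{eccbc87e4b5ce2fe28308fd9f2a7baf3}'
flag4 = 'flag{a87ff679a2f3e71d9181a67b7542122c}'
FLAG_PREFIX = "flag{%s}"
print(FLAG_PREFIX % "3a50c5e41a1c3eee6dcddca9e04992e0")
"""

def resolve(node, consts):
    """Fold a string literal, a known name, or `str % str`; None otherwise."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    if isinstance(node, ast.Name):
        return consts.get(node.id)
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod):
        left, right = resolve(node.left, consts), resolve(node.right, consts)
        if isinstance(left, str) and isinstance(right, str):
            try:
                return left % right
            except (TypeError, ValueError):
                pass  # malformed format string: treat as unresolved
    return None

def analyze(source):
    """Parse only (nothing is executed); return (printed strings, decoys)."""
    tree, consts, printed = ast.parse(source), {}, []
    for stmt in tree.body:
        if isinstance(stmt, ast.Assign) and isinstance(stmt.targets[0], ast.Name):
            value = resolve(stmt.value, consts)
            if value is not None:
                consts[stmt.targets[0].id] = value
        elif isinstance(stmt, ast.Expr) and isinstance(stmt.value, ast.Call):
            if getattr(stmt.value.func, "id", None) == "print":
                printed += [v for a in stmt.value.args
                            if (v := resolve(a, consts)) is not None]
    # A decoy is a string constant whose name is never read anywhere.
    loaded = {n.id for n in ast.walk(tree)
              if isinstance(n, ast.Name) and isinstance(n.ctx, ast.Load)}
    return printed, {k: v for k, v in consts.items() if k not in loaded}

def is_counter_md5(name, value):
    """True if flagN holds flag{md5(str(N))}, as the decoys listed above do."""
    digest = hashlib.md5(name[4:].encode()).hexdigest()
    return name[:4] == "flag" and name[4:].isdigit() and value == "flag{%s}" % digest
```

Calling analyze() on the real lockbox.py contents returns the printed flag and the dictionary of unused flagN assignments.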