OtterCTF Writeup Misc Recuse 150

Misc

Recuse 150

Found this nested zip in Morty's PC. what is it that he is hiding?

We are given a.zip. Extracting it yields H.zip. The archives are nested layer inside layer, so I extracted them recursively.

while [ "$(find . -type f -name '*.zip' | wc -l)" -gt 0 ]; do find . -type f -name '*.zip' -exec unzip -- '{}' \; -exec rm -- '{}' \;; done
 

Archive: ./a.zip
extracting: H.zip
Archive: ./H.zip
inflating: R.zip
Archive: ./R.zip
inflating: 0.zip
Archive: ./0.zip
inflating: c.zip
Archive: ./c.zip
extracting: H.zip
Archive: ./H.zip
inflating: M.zip
Archive: ./M.zip
inflating: 6.zip
Archive: ./6.zip
extracting: L.zip
Archive: ./L.zip
inflating: y.zip
Archive: ./y.zip
extracting: 9.zip
Archive: ./9.zip
inflating: 3.zip
Archive: ./3.zip
inflating: d.zip
Archive: ./d.zip
inflating: 3.zip
Archive: ./3.zip
inflating: c.zip
Archive: ./c.zip
inflating: u.zip
Archive: ./u.zip
extracting: Z.zip
Archive: ./Z.zip
inflating: X.zip
Archive: ./X.zip
inflating: h.zip
Archive: ./h.zip
extracting: v.zip
Archive: ./v.zip
inflating: d.zip
Archive: ./d.zip
inflating: G.zip
Archive: ./G.zip
inflating: l.zip
Archive: ./l.zip
extracting: j.zip
Archive: ./j.zip
inflating: Y.zip
Archive: ./Y.zip
extracting: W.zip
Archive: ./W.zip
inflating: 5.zip
Archive: ./5.zip
extracting: p.zip
Archive: ./p.zip
inflating: b.zip
Archive: ./b.zip
inflating: W.zip
Archive: ./W.zip
extracting: F.zip
Archive: ./F.zip
inflating: s.zip
Archive: ./s.zip
inflating: c.zip
Archive: ./c.zip
inflating: 2.zip
Archive: ./2.zip
extracting: Z.zip
Archive: ./Z.zip
inflating: v.zip
Archive: ./v.zip
inflating: c.zip
Archive: ./c.zip
extracting: n.zip
Archive: ./n.zip
inflating: N.zip
Archive: ./N.zip
extracting: h.zip
Archive: ./h.zip
inflating: b.zip
Archive: ./b.zip
extracting: G.zip
Archive: ./G.zip
inflating: U.zip
Archive: ./U.zip
extracting: u.zip
Archive: ./u.zip
inflating: b.zip
Archive: ./b.zip
extracting: m.zip
Archive: ./m.zip
inflating: V.zip
Archive: ./V.zip
extracting: 0.zip
Archive: ./0.zip
inflating: L.zip
Archive: ./L.zip
extracting: 3.zip
Archive: ./3.zip
inflating: N.zip
Archive: ./N.zip
extracting: h.zip
Archive: ./h.zip
inflating: b.zip
Archive: ./b.zip
extracting: G.zip
Archive: ./G.zip
inflating: U.zip
Archive: ./U.zip
extracting: v.zip
Archive: ./v.zip
inflating: M.zip
Archive: ./M.zip
extracting: z.zip
Archive: ./z.zip
inflating: k.zip
Archive: ./k.zip
extracting: z.zip
Archive: ./z.zip
inflating: N.zip
Archive: ./N.zip
extracting: T.zip
Archive: ./T.zip
inflating: M.zip
Archive: ./M.zip
extracting: t.zip
Archive: ./t.zip
inflating: M.zip
Archive: ./M.zip
extracting: i.zip
Archive: ./i.zip
inflating: 1.zip
Archive: ./1.zip
extracting: m.zip
Archive: ./m.zip
inflating: Z.zip
Archive: ./Z.zip
extracting: W.zip
Archive: ./W.zip
inflating: 1.zip
Archive: ./1.zip
extracting: h.zip
Archive: ./h.zip
inflating: b.zip
Archive: ./b.zip
extracting: G.zip
Archive: ./G.zip
inflating: U.zip
Archive: ./U.zip
extracting: t.zip
Archive: ./t.zip
inflating: c.zip
Archive: ./c.zip
extracting: 2.zip
Archive: ./2.zip
inflating: 1.zip
Archive: ./1.zip
extracting: h.zip
Archive: ./h.zip
inflating: b.zip
Archive: ./b.zip
extracting: G.zip
Archive: ./G.zip
inflating: w.zip
Archive: ./w.zip
extracting: t.zip
Archive: ./t.zip
inflating: Y.zip
Archive: ./Y.zip
extracting: 2.zip
Archive: ./2.zip
inflating: x.zip
Archive: ./x.zip
extracting: h.zip
Archive: ./h.zip
inflating: d.zip
Archive: ./d.zip
extracting: y.zip
Archive: ./y.zip
inflating: 1.zip
Archive: ./1.zip
extracting: B.zip
Archive: ./B.zip
inflating: c.zip
Archive: ./c.zip
extracting: 2.zip
Archive: ./2.zip
inflating: l.zip
Archive: ./l.zip
extracting: h.zip
Archive: ./h.zip
inflating: b.zip
Archive: ./b.zip
extracting: i.zip
Archive: ./i.zip
inflating: 1.zip
Archive: ./1.zip
extracting: v.zip
Archive: ./v.zip
inflating: d.zip
Archive: ./d.zip
extracting: H.zip
Archive: ./H.zip
inflating: R.zip
Archive: ./R.zip
extracting: l.zip
Archive: ./l.zip
inflating: c.zip
Archive: ./c.zip
extracting: n.zip
Archive: ./n.zip
inflating: M.zip
Archive: ./M.zip
extracting: u.zip
Archive: ./u.zip
inflating: Y.zip
Archive: ./Y.zip
extracting: X.zip
Archive: ./X.zip
inflating: N.zip
Archive: ./N.zip
inflating: w.zip
Archive: ./w.zip

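The last archive to come out, w.zip, was password-protected and could not be extracted.

So I grepped the names of the zip files that had come out and tidied them up, which gave the following string.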

aHR0cHM6Ly93d3cuZXhvdGljYW5pbWFsc2ZvcnNhbGUubmV0L3NhbGUvMzkzNTMtMi1mZW1hbGUtc21hbGwtY2xhdy1Bc2lhbi1vdHRlcnMuYXNw

It is probably Base64-encoded, so I decoded it.

~ ᐅ echo 'aHR0cHM6Ly93d3cuZXhvdGljYW5pbWFsc2ZvcnNhbGUubmV0L3NhbGUvMzkzNTMtMi1mZW1hbGUtc21hbGwtY2xhdy1Bc2lhbi1vdHRlcnMuYXNw' | base64 -d
https://www.exoticanimalsforsale.net/sale/39353-2-female-small-claw-Asian-otters.asp%
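The same recovery can be done in memory without writing each layer to disk. The following Python sketch is an added example, not part of the original writeup: it peels a single-member nested archive, records each layer name, stops at an encrypted member or a depth cap, and Base64-decodes the joined names. The function names, the caps, and the sample archive are assumptions constructed for illustration.

```python
import base64
import io
import zipfile

MAX_DEPTH = 500            # assumed cap on nesting depth
MAX_MEMBER_SIZE = 1 << 20  # assumed cap on declared member size (1 MiB)

def build_nested(letters, payload_name, payload):
    """Constructed sample: one archive per letter, innermost holds the payload."""
    data, member = payload, payload_name
    for letter in reversed(letters):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(member, data)
        data, member = buf.getvalue(), letter + ".zip"
    return data

def walk_nested(data, outer_name, max_depth=MAX_DEPTH):
    """Peel single-member archives in memory; return (names, stop_reason, last_member)."""
    names = [outer_name]
    for _ in range(max_depth):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
            if len(infos) != 1:
                return names, "unexpected member count", None
            info = infos[0]
            if info.flag_bits & 0x1:  # general-purpose bit 0: member is encrypted
                return names, "encrypted", info.filename
            if not info.filename.endswith(".zip"):
                return names, "payload", info.filename
            if info.file_size > MAX_MEMBER_SIZE:
                return names, "member too large", info.filename
            names.append(info.filename[:-len(".zip")])
            data = zf.read(info)
    return names, "depth limit", None

def decode_names(names):
    """Join the layer names and Base64-decode them, restoring stripped padding."""
    joined = "".join(names)
    return base64.b64decode(joined + "=" * (-len(joined) % 4))

if __name__ == "__main__":
    sample = build_nested("b3R0ZXI", "note.txt", b"constructed payload")
    names, reason, last = walk_nested(sample, "b")
    print("".join(names), reason, last, decode_names(names))
```

The depth and size caps matter whenever nested archives come from an untrusted source, since the shell loop above runs until no zip files remain.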

Accessing the URL displays the following web page.

[Screenshot of the web page]

It seems to be a service where you can make friends by exchanging emails?

An email address could be found in the User Review.

http://www.birple.com/users.asp?id=Brking1991@gmail.com&sid=175

Brking1991@gmail.com

This email address was the password for w.zip, and extracting it gave the FLAG.

~/Desktop/ReCurse ᐅ cat EmailMeThis.txt
flag{Recursion_1S_T3rribl3_AnD_1_H4t3_My_L1F3!!}