$ telnet hoge.com 110
Trying 127.0.1.1...
Connected to hoge.com.
Escape character is '^]'.
+OK Dovecot ready.
USER hoge
+OK
PASS hogehoge
OK LOGGED IN.
If you see this response, the login succeeded.
$ telnet hoge.com 110
Trying 127.0.1.1...
Connected to hoge.com.
Escape character is '^]'.
+OK Dovecot ready.
USER hoge
+OK
PASS hogehoge
-ERR [AUTH] Authentication failed.
~/pkcrack-1.2.2/src/$ pkcrack -C ./unzip.zip -c backnumber08.txt -P backnumber08.zip -p backnumber08.txt -d unzip_1.zip
Files read. Starting stage 1 on Mon Dec 7 14:35:35 2015
Generating 1st generation of possible key2_5299 values...done.
Found 4194304 possible key2-values.
Now we're trying to reduce these...
Lowest number: 984 values at offset 970
Lowest number: 932 values at offset 969
Lowest number: 931 values at offset 967
Lowest number: 911 values at offset 966
Lowest number: 906 values at offset 965
Lowest number: 904 values at offset 959
Lowest number: 896 values at offset 955
Lowest number: 826 values at offset 954
Lowest number: 784 values at offset 606
Lowest number: 753 values at offset 206
Done. Left with 753 possible Values. bestOffset is 206.
Stage 1 completed. Starting stage 2 on Mon Dec 7 14:35:46 2015
Ta-daaaaa! key0=270293cd, key1=b1496a17, key2=8fd0945a
Probabilistic test succeeded for 5098 bytes.
Ta-daaaaa! key0=270293cd, key1=b1496a17, key2=8fd0945a
Probabilistic test succeeded for 5098 bytes.
Stage 2 completed. Starting zipdecrypt on Mon Dec 7 14:36:14 2015
Decrypting backnumber08.txt (5315a01322ab296c211eecba)... OK!
Decrypting backnumber09.txt (83e6640cbec32aeaf10ed1ba)... OK!
Decrypting flag (34e4d2ab7fe1e2421808bab2)... OK!
Finished on Mon Dec 7 14:36:14 2015
This produces unzip_1.zip, an unencrypted copy of the archive.
$ unzip unzip_1.zip
Archive: unzip_1.zip
replace backnumber08.txt? [y]es, [n]o, [A]ll, [N]one, [r]ename: y
inflating: backnumber08.txt
inflating: backnumber09.txt
inflating: flag
$ ls
backnumber08.zip
unzip.zip
backnumber08.txt
backnumber09.txt
flag
unzip_1.zip
$ file flag
flag: Microsoft Word 2007+
$ cd binwalk-2.0.0.tar/binwalk-2.0.0
binwalk-2.0.0.tar/binwalk-2.0.0 $ ./configure
binwalk-2.0.0.tar/binwalk-2.0.0 $ make
binwalk-2.0.0.tar/binwalk-2.0.0 $ sudo make install
This installs it, and it can then be run as binwalk.
Analyzing MrFusion.gpjb with binwalk gives:
$ binwalk MrFusion.gif
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 GIF image data, version "89a", 1280 x 720
6943 0x1B1F PNG image, 1280 x 720, 8-bit colormap, interlaced
7194 0x1C1A Zlib compressed data, compressed, uncompressed size >= 922950
9727 0x25FF JPEG image data, JFIF standard 1.01
26632 0x6808 PC bitmap, Windows 3.x format, 1280 x 720 x 24
2791486 0x2A983E GIF image data, version "89a", 1280 x 720
2794240 0x2AA300 PNG image, 1280 x 720, 8-bit colormap, interlaced
2794491 0x2AA3FB Zlib compressed data, compressed, uncompressed size >= 922950
2796217 0x2AAAB9 JPEG image data, JFIF standard 1.01
2813627 0x2AEEBB PC bitmap, Windows 3.x format, 1280 x 720 x 24
5578481 0x551EF1 GIF image data, version "89a", 1280 x 720
5580896 0x552860 PNG image, 1280 x 720, 8-bit colormap, interlaced
5581147 0x55295B Zlib compressed data, compressed, uncompressed size >= 922950
5583378 0x553212 JPEG image data, JFIF standard 1.01
5601221 0x5577C5 PC bitmap, Windows 3.x format, 1280 x 720 x 24
8366075 0x7FA7FB GIF image data, version "89a", 1280 x 720
8368830 0x7FB2BE PNG image, 1280 x 720, 8-bit colormap, interlaced
8369081 0x7FB3B9 Zlib compressed data, compressed, uncompressed size >= 922950
8371932 0x7FBEDC JPEG image data, JFIF standard 1.01
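As shown, binwalk lists each embedded file format it recognizes.
(Zlib is the compression method used inside PNG, so the Zlib entries can be ignored.)
The formats repeat in the order gif → png → jpeg → bmp → gif → png → ...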
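# coding: UTF-8
# Offsets from the binwalk output (the last value marks the end of the final segment)
a = [0,6943,9727,26632,2791486,2794240,2796217,2813627,5578481,5580896,5583378,5601221,8366075,8368830,8371932,8388384]
# File extensions, in the order the formats repeat
b = ['gif','png','jpg','bmp']
# Open the input file and write out each segment in turn
with open("MrFusion.gif", "rb") as f:
    for x in range(len(a)-1):
        # Segment x runs from a[x] up to, but not including, a[x + 1]
        with open('result{:02d}.{}'.format(x, b[x % 4]), 'wb') as out:
            out.write(f.read(a[x + 1] - a[x]))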
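Added example (not part of the original write-up): the script above splits at offsets copied by hand from the binwalk output, while the code below derives the split points from the file signatures and uses the size declared in each BMP header to skip magic bytes that are really pixel data. The function names and the bytes returned by sample_blob() are constructed for illustration.

```python
import struct

# Magic bytes of the four formats binwalk reported in MrFusion.gif.
SIGNATURES = [(b"GIF87a", "gif"), (b"GIF89a", "gif"),
              (b"\x89PNG\r\n\x1a\n", "png"), (b"\xff\xd8\xff", "jpg"),
              (b"BM", "bmp")]

def bmp_size(blob, off):
    """Return bfSize if the BITMAPFILEHEADER at off looks valid, else None."""
    if off + 14 > len(blob):
        return None
    size, res1, res2, data_off = struct.unpack_from("<IHHI", blob, off + 2)
    # "BM" is too short to trust: reserved fields must be 0, offset inside file.
    return size if res1 == 0 and res2 == 0 and 14 <= data_off < size else None

def find_embedded(blob):
    """Return sorted (offset, ext) pairs, one per embedded file start."""
    hits = []
    for magic, ext in SIGNATURES:
        pos = blob.find(magic)
        while pos != -1:
            hits.append((pos, ext))
            pos = blob.find(magic, pos + 1)
    kept, skip_until = [], 0
    for off, ext in sorted(hits):
        if off < skip_until:
            continue  # magic bytes that are really BMP pixel data
        if ext == "bmp":
            size = bmp_size(blob, off)
            if size is None:
                continue
            skip_until = off + size
        kept.append((off, ext))
    return kept

def carve(blob):
    """Split blob at every hit; each segment runs to the next hit or EOF."""
    hits = find_embedded(blob)
    ends = [off for off, _ in hits[1:]] + [len(blob)]
    return [(off, ext, blob[off:end]) for (off, ext), end in zip(hits, ends)]

def sample_blob():
    """Constructed input: tiny stand-ins in the page's gif/png/jpg/bmp order."""
    gif = b"GIF89a" + b"\x00" * 10
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8
    jpg = b"\xff\xd8\xff\xe0JFIF" + b"\x00" * 4
    pixels = b"GIF89a\xff\xd8\xff" + b"\x00" * 5  # decoy magics in pixel data
    bmp = b"BM" + struct.pack("<IHHI", 14 + len(pixels), 0, 0, 14) + pixels
    return gif + png + jpg + bmp + gif
```

Signature matches inside compressed PNG or JPEG data are not filtered here, so compare the carved offsets against the binwalk listing before trusting them.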