backdoorCTF 2014 WriteUp

To find the flag in this task we needed to decode the given hexstring

1f8b08089c452c530003737465703900edd85b6ec3300c44d1ffae86dcffe61ac7e1437403e42b1a171745d02a946c890713383537f3c7cb3c7e8e37ec7c99d7fb39cbe3afaa5bac89f1735e5c3597bf263e571ef52ab549d6d759bb5eed2de6d7c56bf76d3f6de47d76ac8e9567c9bdefb0d7dbe16c3d67ded997bbb71eae3d8d7db8d796d6fed7fda317f808fb5ceaf848f9b48ee1a3e833ebf868f9901f6d9f59c747cb87fca8faacfbc1079fbbf8ccfa469f1ce323999f4b1d9f6b7d8f4f1e161ff2732b1ff2a3eda3911f7cb47d78bed6f6213fef7c667da3cfa58e0ff9c1071f7cf0f986cface3830f3e1f7fffb9d4f1c147dd67d6f7f8f43ee0d37d34f29387c547d6a7c6f828faf48ee1e335191f611ff283cf673e35c647d1a7770c1f2d9fb33ff8a8fa909f3bf8cc3a3e5a3ee447d9a7c6f8a8f9f8da157c14ff7f80cf1f3e1af9895ee0a3e973cec147d5270f8b8fa40fcf07da3ed10b7ca6cfacefcc8f8d3a3e2af9e1f3ed9d8f467ef2b0f8e8e6071f599fe8053e9a3ee4e7063e39c647d287fce0830f3effd327f6808fa6cfd2317cb47c7a1ff0d1f3213fda3ee447db87fc68fbb4fbe123e8e36b57f0499f59df989fd6317ce4f2137bc067f1d1c8cfd99f65ddebe0a976fcfef9059996b432616b0000

in a cascade of different methods.For the decoding of hexstrings and binary strings we wrote two python scripts

#!/usr/bin/env python
import sys
if len(sys.argv) != 3:
	print "Usage: "+sys.argv[0]+" &lt;input-file&gt; &lt;output-file&gt;"

input=str(sys.argv[1])
output=str(sys.argv[2])
infile=open(input,"r")
data=infile.read()

i=0
f=open(output,"wb")
while i+1 &lt; len(data):
	f.write(chr(int(data[i:i+2],16)))
	i+=2

#!/usr/bin/env python
import sys
if len(sys.argv) != 3:
	print "Usage: "+sys.argv[0]+" &lt;input-file&gt; &lt;output-file&gt;"

input=str(sys.argv[1])
output=str(sys.argv[2])
infile=open(input,"r")
data=infile.read()

i=0
f=open(output,"wb")
while i+7 &lt; len(data):
	f.write(chr(int(data[i:i+8],2)))
	i+=8

Afterwards all we had to do was parsing the data in the following order

./decode_hex.py task task_d16
mv task_d16 task_d16.gz
gzip -d task_d16.gz
./decode_bin.py task_d16 task_d16_d2
cat task_d16_d2 | base64 -d &gt; task_d16_d2_b64
cat task_d16_d2_b64 | grep -e "[0-9]\{2\}" -o | tr -d "\n"&gt; task_d16_d2_b64_grep
./decode_hex.py task_d16_d2_b64_grep task_d16_d2_b64_grep_d16
cat task_d16_d2_b64_grep_d16 | tr -d "%" &gt; task_d16_d2_b64_grep_d16_tr
./decode_hex.py task_d16_d2_b64_grep_d16_tr task_d16_d2_b64_grep_d16_tr_d16
./decode_hex.py task_d16_d2_b64_grep_d16_tr_d16 task_d16_d2_b64_grep_d16_tr_d16_d16

The last text file contained this:
uggc://cnfgr.hohagh.pbz/7130554/

which is rot13 of this link:
http://paste.ubuntu.com/7130554/

Here we found the flag:
5d3144233c46404dba4afc766601b997

backdoorCTF 2014 WriteUp - crypto200