$ xxd archive.enc | head 00000000: 6e 33 3c 3d 6c 6e 3c 3d 6e 33 3c 3d 6c 6e 3d 2c n3<=ln<=n3<=ln=, ... Those bytes look like ASCII after a simple XOR with 0x20 (space):
$ unzip codsmp.zip -d workdir Now we have a working directory:
# Extract inner.zip inner_dir = work/'inner' inner_dir.mkdir(exist_ok=True) subprocess.run(['unzip', '-q', str(inner_zip), '-d', str(inner_dir)], check=True) codsmp.zip
workdir/ ├─ README.txt ├─ payload.bin ├─ secret.py └─ archive.enc 2.1 README.txt Welcome to the CODSMP challenge!
Both variations are often required for the “extra points” tier of a CTF. 4.2 Decrypting archive.enc The file size of archive.enc (≈5 KB) matches the size of payload.bin after XOR with a 6‑byte key, which suggests archive.enc may be the same data encrypted with a different key (maybe a rotating key). Let’s brute‑force the key length. $ xxd archive
0x00001152 <.rodata>: 1152: 46 4c 41 47 7b 43 4f .byte 0x46,0x4c,0x41,0x47,0x7b,0x43,0x4f 1159: 44 53 4d 50 2d 33 37 .byte 0x44,0x53,0x4d,0x50,0x2d,0x33,0x37 1160: 31 34 38 30 7d 00 00 .byte 0x31,0x34,0x38,0x30,0x7d,0x00,0x00 The string at 0x1152 is:
$ objdump -d payload_decrypted.bin | less The binary is small (≈2 KB). Scanning the disassembly reveals a : Scanning the disassembly reveals a : if __name__
if __name__ == '__main__': main() Running it prints all four flags (the MD5/SHA‑256 ones will appear only if those derived binaries indeed contain a flag string). Adjust the extract_flag regex if the flag format differs. | Step | Tool / Command | What we learned | |------|----------------|-----------------| | 1️⃣ | file , unzip -l | Archive is not password‑protected; contains payload.bin , secret.py , archive.enc . | | 2️⃣ | Read `README