
Deflation Gangster

subzcuber

Author: @Kkevsterrr

Like American Gangster, but for other stuff.


We are given gangster.zip which on unzipping gives us

├── important_docs
    └── important_docs.lnk

important_docs.lnk is a Windows shortcut file whose contents look like this:

<\
  powershell.exe h -g C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe?..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -c 
  "$name = \"important_docs\";
   $file = (get-childitem -Pa $Env:USERPROFILE -Re -Inc *$name.zip).fullname;
   $bytes= [System.IO.File]::ReadAllBytes($file);
   $size = (0..($bytes.Length - 4) | Where-Object {$bytes[$_] -eq 0x55 -and $bytes[$_+1] -eq 0x55 -and $bytes[$_+2] -eq 0x55 -and $bytes[$_+3] -eq 0x55 })[0] + 4;
   $length=53;
   $chunk=$bytes[$size..($size+$length-1)];
   $out = \"$Env:TEMP\$name.txt\";
   [System.IO.File]::WriteAllBytes($out,$chunk);
   Invoke-Item $out";
   C:\Program Files (x86)\Google\Chrome\Application\chrome.exe%ProgramFiles(x86)%\Google\Chrome\Application\chrome.exe%ProgramFiles(x86)%\Google\Chrome\Application\chrome.exe"
>
  1. linking to powershell
  2. zipping the /important_docs folder into important_docs.zip
  3. in the zipped file it looks for the 4-byte sequence 0x55 0x55 0x55 0x55
  4. it extracts the 53 bytes immediately after that sequence into /tmp/important_docs.txt
  5. opens the new file in an editor
  6. opens Google Chrome 3 times

Looking at this makes one suspicious of gangster.zip itself. The description hints that the zip is smuggling something in (I haven’t actually watched the movie, I just read the Wikipedia article to look for hints).

Presumably the 53-byte sequence is being smuggled in by gangster.zip, so to check I ran strings on it:

❯ strings gangster.zip | tail -n 5
M{^x
;DEFGZmxhZ3thZjExNTBmMDdmOTAwODcyZTE2MmUyMzBkMGVmOGY5NH0K
important_docs/PK
Z.EOH
important_docs/important_docs.lnkPK

That’s a suspiciously large string. Here we go:

echo "ZmxhZ3thZjExNTBmMDdmOTAwODcyZTE2MmUyMzBkMGVmOGY5NH0K" | base64 -d
flag{af1150f07f900872e162e230d0ef8f94}

and it happens to be right after a 4-byte sequence of consecutive characters, DEFG.


Octoberfest7/zip_smuggling was used to make this challenge. I might steal the idea someday.
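The two halves of the writeup fit together: the shortcut carves 53 bytes after a 0x55 0x55 0x55 0x55 marker, and strings shows that chunk living inside the zip, between the file records and the central directory. The script below is an added example (not code from the challenge, from the writeup, or from the zip_smuggling tool) that does both jobs from the defender's side: it walks the zip's local file headers and reports any bytes that no record or central directory accounts for, and it reproduces the shortcut's marker-then-53-bytes extraction to see what was hidden. The archive it analyses is constructed in the script (one stand-in entry plus a hidden blob, with a made-up flag), and it assumes, as the arithmetic suggests, that the 53 bytes are a 52-character base64 string followed by a newline (a 39-byte flag plus newline encodes to exactly 52 characters).

```python
import base64
import io
import struct
import zipfile

# Values taken from the .lnk's PowerShell: a 4-byte 0x55 marker, then 53 bytes of payload.
MARKER = b"\x55\x55\x55\x55"
CHUNK_LEN = 53

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"

# Constructed sample secret, 39 bytes, deliberately NOT the real challenge flag.
SAMPLE_SECRET = b"flag{deadbeefdeadbeefdeadbeefdeadbeef}\n"


def build_smuggled_zip(secret):
    """Construct a sample archive (not the challenge's gangster.zip). With a secret,
    MARKER + base64(secret) + newline is spliced in between the local file records
    and the central directory, which is where the writeup's strings output shows it.
    With secret=None the archive is left clean, for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # fixed timestamp so the sample is byte-for-byte reproducible
        info = zipfile.ZipInfo("important_docs/important_docs.lnk",
                               date_time=(2025, 5, 23, 0, 0, 0))
        zf.writestr(info, b"L\x00\x00\x00 constructed stand-in, not a real shortcut")
    data = buf.getvalue()
    if secret is None:
        return data
    eocd = data.rfind(EOCD_SIG)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    hidden = MARKER + base64.b64encode(secret) + b"\n"
    patched = bytearray(data[:cd_offset] + hidden + data[cd_offset:])
    # the EOCD record moved by len(hidden); repoint its central-directory offset field
    struct.pack_into("<I", patched, eocd + len(hidden) + 16, cd_offset + len(hidden))
    return bytes(patched)


def find_slack(blob):
    """Walk the local file records from offset 0 and return (start, end, bytes) for
    the region between the last record and the central directory. A clean archive
    yields an empty region; a zip_smuggling-style archive does not."""
    pos = 0
    while blob.startswith(LOCAL_SIG, pos):
        (_ver, flags, _method, _time, _date, _crc,
         comp_size, _uncomp, name_len, extra_len) = struct.unpack_from("<HHHHHIIIHH", blob, pos + 4)
        if flags & 0x08:
            # sizes live in a trailing data descriptor; this simple walker does not follow those
            raise ValueError("data descriptor in use; take sizes from the central directory instead")
        pos += 30 + name_len + extra_len + comp_size
    eocd = blob.rfind(EOCD_SIG)
    cd_offset = struct.unpack_from("<I", blob, eocd + 16)[0]
    if not blob.startswith(CENTRAL_SIG, cd_offset):
        raise ValueError("central directory offset does not point at a central header")
    return pos, cd_offset, blob[pos:cd_offset]


def carve_after_marker(blob, marker=MARKER, length=CHUNK_LEN):
    """Reproduce the shortcut's extraction step: first marker hit, then `length` bytes."""
    idx = blob.find(marker)
    if idx < 0:
        return None
    start = idx + len(marker)
    return blob[start:start + length]


def decode_chunk(chunk):
    """The carved chunk is assumed to be base64 text plus a newline: strip and decode."""
    return base64.b64decode(chunk.strip(), validate=True)


def analyse(blob):
    """Summarise one archive: still a valid zip, where the slack is, what it carves to."""
    start, end, slack = find_slack(blob)
    chunk = carve_after_marker(blob)
    decoded = None
    if chunk:
        try:
            decoded = decode_chunk(chunk)
        except ValueError:          # binascii.Error is a ValueError: not base64 after all
            decoded = None
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        valid = zf.testzip() is None
    return {"archive_valid": valid, "slack_range": (start, end),
            "slack_len": len(slack), "carved": chunk, "decoded": decoded}


if __name__ == "__main__":
    for label, blob in (("clean", build_smuggled_zip(None)),
                        ("smuggled", build_smuggled_zip(SAMPLE_SECRET))):
        print(label, analyse(blob))
```

The point worth noticing is that the smuggled archive still passes testzip(): every tool that reads a zip starts from the central directory and never looks at bytes nothing points to, which is why a plain unzip, and a casual look at the file listing, reveal nothing. Comparing the end of the last local record with the central directory offset is a cheap check that catches this whole family of tricks, whatever marker the dropper happens to search for.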
