Mercury

Challenge:

This ZIP file is hanging out with the stars in the Milky Way! Can you find the flag?

Solution:

I began by inspecting the contents of the provided zip file and it appeared to contain data from Mercurial version control (The .hg directory is where Mercurial stores its metadata, similar to .git for Git. Additionally, Hg is the chemical symbol for Mercury, so a nice clue from the challenge title).

$ unzip -l mercury.zip
Archive:  mercury.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
        0  09-04-2020 19:24   mercury/
        0  09-04-2020 19:24   mercury/.hg/
        0  09-04-2020 19:24   mercury/.hg/cache/
       45  09-04-2020 19:24   mercury/.hg/cache/tags2-visible
       96  09-04-2020 19:24   mercury/.hg/cache/branch2-served
        7  09-04-2020 19:23   mercury/.hg/cache/rbc-names-v1
     1608  09-04-2020 19:24   mercury/.hg/cache/rbc-revs-v1
        0  09-04-2020 19:24   mercury/.hg/wcache/
    68724  09-04-2020 19:24   mercury/.hg/wcache/manifestfulltextcache
        0  09-04-2020 19:23   mercury/.hg/wcache/checkisexec
        0  09-04-2020 19:23   mercury/.hg/wcache/checklink-target
       16  09-04-2020 19:23   mercury/.hg/wcache/checklink
        0  09-04-2020 19:23   mercury/.hg/wcache/checknoexec
        0  09-04-2020 19:24   mercury/.hg/store/
        0  09-04-2020 19:24   mercury/.hg/store/data/
       66  09-04-2020 19:23   mercury/.hg/store/data/_y2_mz_y_tg4_mzdk_m_tg3_n_w_vj_y_tk4_mz_qz_yjcx_y_w_fi_mj_ix_njg_k.i
       66  09-04-2020 19:23   mercury/.hg/store/data/_ym_qy_m_t_ay_zjk3_nz_fh_zj_zi_o_d_y1_z_d_y5_o_d_yw_nj_u4_y_t_a0_n_g_u_k.i
       66  09-04-2020 19:23   mercury/.hg/store/data/_yj_i2_m_ddl_zm_iw_yj_e2_z_w_ew_yzk4_z_t_vh_n2_vk_m_w_e5_o_w_my_n_g_m_k.i
<snip>

Before spending cycles analyzing the Mercurial metadata I tried a quick trick that one should always try early during a CTF challenge:

$ unzip -q mercury.zip

$ grep -rF 'flag{' mercury/.hg/*

Binary file mercury/.hg/store/data/_yz_u1_yz_rk_y_w_e4_o_tgz_nz_zh_nz_ey_n_d_qw_zj_ey_z_d_ji_n2_jl_nj_e_k.i matches

Seeing how a binary file matches the flag format I dumped its strings and grep’d for the flag format.

$ strings mercury/.hg/store/data/_yz_u1_yz_rk_y_w_e4_o_tgz_nz_zh_nz_ey_n_d_qw_zj_ey_z_d_ji_n2_jl_nj_e_k.i | grep -F 'flag{'

uflag{version_control_for_the_solar_system}

I’m not sure if this was the challenge creator’s intended solution, but it was a simple and effective approach.

Published:

Updated:

Leave a comment