Forensics

Sad Urara

Points 100

Solves 38

One day, Haru Urara was training for the last race of her life. Urara wanted to look at the notes she had kept about the upcoming competition… but the file could not be opened… so Urara was very sad, because she could not find out what the details of that competition were… Can you help Haru Urara recover the corrupted file?

RIP Haru Urara 🥀

Link: https://drive.google.com/file/d/1mxTzeQj7dSfgpF_OKmGfy_AdwPXxI0bB/view?usp=sharing

Zip Password: 2ce11ac99304ac35ee3731b270bc92d3760cf93eab7b0e420e22a888


In this challenge, we are given a .img file containing a Linux file system. After mounting or extracting the image, we can browse the entire file system. The /home/urara/ directory contains several files and folders; the most interesting is the trophy_case/ folder, which holds many files with the .uma extension. These .uma files have no recognizable content and appear to be encrypted.

To begin our analysis, we can examine a text file found at /home/urara/training_plans/a_letter_from_a_fan.txt, which contains a message from a fan.

To my favorite horse girl, Haru Urara! 

I'll always cheer for you! To help you, I'm sending a secret message! 

44696420796f75206b6e6f77207468617420756d6170796f6e20636f6e7461696e732066696c6520657874656e73696f6e7320666f7220612070726f6772616d6d696e67206c616e67756167653f 

Keep running! 
- Your #1 Fan

The message contains a hex string that, when decoded into plain text, provides an important clue.

>>> bytes.fromhex('44696420796f75206b6e6f77207468617420756d6170796f6e20636f6e7461696e732066696c6520657874656e73696f6e7320666f7220612070726f6772616d6d696e67206c616e67756167653f')
b'Did you know that umapyon contains file extensions for a programming language?'

This clue points us to "umapyon", so the .uma files are most likely produced by it. The umapyon binary is in the /home/urara/training_plans/ folder. Inspecting it shows that it is a Python program packaged into a single executable with PyInstaller, so we can unpack it with the pyinstxtractor.py tool from GitHub and read the recovered Python code to see how the .uma files are written.

From the recovered code, we learn that each .uma file is encrypted with AES in CBC mode using a key and IV hardcoded in the program. Every .uma file also starts with a fixed magic header (the ASCII string UMA_ENCRYPTED) that must be stripped before decryption; what follows the header is the raw CBC ciphertext.

Here is a Python script that can be used to decrypt the .uma file:

from pathlib import Path
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad

key = bytes.fromhex('00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff')
iv  = bytes.fromhex('0102030405060708090a0b0c0d0e0f10')
magic = bytes.fromhex('554d415f454e43525950544544')  # ASCII "UMA_ENCRYPTED"

def decrypt_file(path: Path):
    data = path.read_bytes()
    if not data.startswith(magic):
        return  # not a umapyon-encrypted file

    data = data[len(magic):]  # strip the magic header, leaving raw CBC ciphertext
    if len(data) % AES.block_size:
        return  # truncated or damaged: CBC ciphertext must be a whole number of blocks

    # Decrypt exactly once: a CBC cipher object keeps its chaining state, so a
    # second .decrypt() call on the same object would not re-decrypt the data.
    cipher = AES.new(key, AES.MODE_CBC, iv)
    raw = cipher.decrypt(data)
    try:
        decrypted = unpad(raw, AES.block_size)  # remove PKCS#7 padding
    except ValueError:
        # Padding check failed (unpadded input, or wrong key/IV); keep the raw
        # plaintext so the output can still be inspected by hand.
        decrypted = raw

    out_path = path.with_suffix('.txt')
    out_path.write_bytes(decrypted)

def main():
    base = Path("trophy_case")
    for f in base.rglob("*.uma"):
        decrypt_file(f)

if __name__ == "__main__":
    main()

The flag is found inside the trophy_case/dream_trophy.txt file after the decryption process is complete.

Sad Urara Flag: SCH25{debe654149e5a20c0f117c7a1feb57bf4d684f2b802f7986732e4e5401793b69}