Scavenger Hunts Solutions (The making of) - Community & Forums Related Discussions

Users browsing this thread: 1 Guest(s)
Hello fellow nixers,
Here are the solutions to past scavenger hunts:

The hunt starts with this:
1. "Luke check the source"
We open the source of and we see the following:

     h t t p : /  / n i x e r s . n e t

▀▀▀▀██▄ ▀▀▀▀▀ ▀▀▀ ███  ▀▀▀██▄ ▀▀▀▀██▄  ▀▀▀██▄
░░░ ███  ░░░  ░░░ ███ ░░░ ███ ░░░ ███ ░░░ ███
▒▒▒ ███  ▒▒▒  ▒▒▒ ███ ▒▒▒     ▒▒▒ ███ ▒▒▒    
▓▓▓ ███  ▓▓▓  ▀▓▓▄██▀ ▓▓▓▄▄   ▓▓▓▄██▀ ▀▓▓▄▄▄  
███ ███  ███  ███ ███ ███     ███ ███     ███
███ ███  ███  ███ ███ ███     ███ ███     ███
███ ███  ███  ███ ███ ███     ███ ███     ███
███ ███  ███  ███ ███ ███ ███ ███ ███ ███ ███
███ ███  ███  ███ ███ ███ ███ ███ ███ ███ ███
███ ███  ███  ███ ███ ███ ███ ███ ███ ███ ███
███ ███  ███  ███ ███ ███ ███ ███ ███ ███ ███
▀▀▀ ▀▀▀ ▀▀▀▀▀ ▀▀▀ ▀▀▀  ▀▀▀▀▀  ▀▀▀ ▀▀▀  ▀▀▀▀▀  

Check the thread of the first ascii art contest we had!
2. So let's open the ascii art contest:
We see there's a spoiler tag with the text:
(Scavenger Hunt)
Check the profile of this contest's winner
"it's missing 10 - hint is the name of this contest"

xero was the winner of this contest, in his profile there used to be as signature a text where each letter has its ascii representation number - 10, all you had to do was add 10 back and revert the ascii number to their representation (this is the missing part).
It should output ""
(If you still want to play it you can start from here)
3. The page mentions:
Un(image of a zipper) the nixers sticker (the one who won obviously - see thread)
We open the thread, download the winning sticker and unzip it
wget ''
unzip nixers_sticker.png
This outputs another image called cat_in_bin.jpg showing a cat in a bin.
4. We simply open the image with a text editor, or just cat it.
At the end of the image there's a base64.
echo 'R28gYmFjayB0byB0aGUgaGlkZGVuIHBhZ2UsIEhJTlRTLCBTYW1lIHdheSBhcyB0aGlzIHRleHQgZGVjb2RlLCA0ICsgMyArIDIgKyBtZXRhZGF0YSwgRmluZCBsaW5rCg==' | base64 -d
Which outputs: Go back to the hidden page, HINTS, Same way as this text decode, 4 + 3 + 2 + metadata, Find link
5. There's not much on the page other than the zipper image.
wget ''
It's a gif so it can contain layers, let's check them with gimp.
Indeed there's some layers with text in them. Let's put it together: YmxpbmQuaHRtb
Now what about this metadata?
In gimp we can go into image > image properties and find a comment: Ao=
Overall that gives us: YmxpbmQuaHRtbAo=, which again is base64 for "blind.html".
Let's open it:
6. It says it's the last challenge:

Connect THE DOTS :D
[Image: blind.png]
With a weird image like that what are we supposed to do?
It's called blind.png but the page says to connect the dots.
This is braille.

It says "cybernetic" which is the last flag.
Mini Scavenger Hunt (June 2017 events):
1. The first hint is:
This is a command that returns the ip of the server.
Code: has address
2. When you open in the browser you are presented with the following text:
Which stands for the format of certificates, so let's get the SSL cert of this page.
Using openssl:
openssl s_client -showcerts -servername -connect </dev/null | openssl x509 -text
The certificate signature doesn't match, it means the certificate has been modified.
You can see there's an added:
3. Let's open that page, we get a bunch of questions:
Using the standard for terminals text (X3.64), show "hello" in bold, in the simplest way?
Using the caret notation, show ESC then arrow up AKA ALT+UP?
The answers are: \e[1mhello and ^[^[[A respectively
After solving it the page prints out a QR code:
[Image: qr_scav_hunt.png]
Which represent a URL:
The page has the following text:

The pixels (what are pixels made of? pixy dust, no?) that are not completely black or white represent an ASCII letter.

And then there's a picture with small colored dots/pixels.
Let's save the picture and try to analyze the pixels it.
You can extract the colors programatically or simply via an image editor with the color extraction tool.

The simplest thing we can do is to add up every r,g,b in the pixel and get the ascii character represented by it.
#! perl -slw
use strict;
use GD;

my $img = GD::Image->new( $ARGV[ 0 ] );
my( $w, $h ) = $img->getBounds;
for (my $i =0; $i < $h; $i++) {
    for (my $j = 0; $j < $w; $j++) {
        my ($r,$g,$b) =  $img->rgb( $img->getPixel( $j, $i ) );
        next if ( ($r == 0 and $g == 0 and $b == 0) || ($r == 255 and $g == 255 and $b == 255));
        my $sum = $r+$g+$b;
        print chr($sum);
This gives us: telnet://

6. After telneting we're prompted:
We enter anything and it replies with "Wrong credit card number".
This is a credit card checksum for sure, the Luhn checksum.
For example "413668426188716?" has the checksum "0".
We enter it, then:
"This is it, this is almost the end. Now check the end of the related podcast episode, the key is '!!june_love_and_nixers!!'."

7. There was an episode posted for the June events of the podcast, so let's download it.
Simply opening it with a text editor we can see that the mp3 has something concatenated at the end:

Let's decrypt it with the key: gpg --decrypt k.gpg

Seems like it's almost the end:
Well done!
I hope you had fun with this mini-scavenger hunt.
Pm me anywhere with this key to be able to proclaim yourself a winner:


This is certainly base64,
echo 'MSFfMSFfSipOM18hXyExCg==' | base64 -d

8. And that's it, the final flag is "1!_1!_J*N3_!_!1".

This was the whole scavenger hunt.
New Year 2018:
This hunt starts with:
Quote:_Wanderers_ of the web hate me.

Crawlers are referred to as wanderers of the web, what they usually don't like is to be limited in their search by the robots.txt file which they should respect.

Let's see what's in the robots.txt:
Quote:User-Agent: *
Disallow: /member.php?action=register
Allow: /
# - who's dead?
Hmm, there an intriguing comment in it.
Let's see what's at this ip and port using telnet.

telnet 65400
This returns a big list similar to what the ps command would return.

It's also asking about who's dead, so let's filter the zombie processes if there's any by searching for the Z in the status.
It's easier to do that by using tee to save the output:
telnet 65400 | tee scavanger

We find the following line:
Quote:nixers 765 0.0 0.0 0 0 ? Z Dec23 0:00 [firegl, look_in_firefox_content]
So let's look in the firefox_content, where we find this in one of them:
Quote:nixers 11427 0.6 6.7 2642348 375796 ? Sl Dec24 44:03 /usr/lib/firefox/firefox -contentproc -childID 1 -isForBrowser -intPrefs 5:50|6:-[...] nixers_domain_slash_cicada" -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/firefox/browser 11338 true tab

"nixers_domain_slash_cicada", that's intriguing, let's open it:

There's the ascii art of a cicada, the title says "TXT art and more", and the bottom text:
                              Am I not alive?                                
                 Why am I directed instead of domainating.
There's seems to be a typo, "domainating", what does that mean,, TXT.
This all reminds us of domain names. Let's dig or drill it. (There also were some hints in the newsletter issue 56 about this)

dig TXT +short

And the server replies:
"go back, think meta about the txt and its custom representation"

So we should go back to the page and think meta about it, about the txt and its custom representation...Apparently.

There's nothing else left than to check the source of the page. There doesn't seem to be anything special other than some css and a favicon. In the css there's a font called "custom", that looks deliberate.

We need to download it to inspect it locally.

But how do we actually inspect fonts, the text editor doesn't help us with anything.
(There's another hint in issue 56 of the newsletter)

The most prominent software to edit font is fontforge, maybe it will do something.
fontforge custom.ttf

A character suddenly pops up in your face. Inside the dot there's the text: "".

Interesting. Again, we open that new page, it contains some code, let's download it locally.

This doesn't look like any language I know, it's close to C though and it says fixme.
The first lines are:
* Fixme?
* encryption scheme is: "ror2:1;~:1;rol2:2;^2:3";
* encrypted file url: key.asc
* key file: client.key
* passwords: the recurring theme of the hunt

There are some files we can already get our hands on so let's download them for now.

You might remember we've discussed in the newsletter about weird syntaxes in C called digraphs and trigraphs, this is what is used here.
We can compile the code directly:
cc encrypt.c --trigraph -o encrypt

Looking at the code the usage is: ./encrypt <file> <encryption scheme>
./encrypt key.asc "ror2:1;~:1;rol2:2;^2:3" > key.decrypt

A big file with multiple certificates and keys part is outputed. One say PART1, another PART3, after that GPG and a GPG key with as comment "Comment: ./".

Yet another file to download... It's a file that is protected by the same gpg key.
We import it and decrypt the file, the password it asks for is the them of the hunt, "cicada".

The file it outputs, after inspection of the magic bytes, is a gzip archive (tar.gz).
tar -zxvf
We have a new "pkg" directory to play with in which we find:

The HELP says:
Quote:Issue 50 will help you analyse the file and Issue 54 for the next step

It's referring to the newsletter:
We have an image of a filesystem so there must be a part that's related: "More extra content related to the podcast" mentions filesystem recursion in FAT12 and the FS seems to be FAT12.

Anyway, we mount it.
mkdir mnt
mount -o loop REC.IMG mnt
Ohh, there's a 4GB file in there... how did that fit in the small image...
Whatever, it's just trickery.
The file is an ELF, maybe it's special.

objdump -x test_x86_64 | less
In the dynamic section there is a suspicious line:
Quote:Dynamic Section:
INIT 0x00000000000005f0
FINI 0x0000000000000834

RPATH is a base64 string:
echo 'cWs0MlVKaEhRU2hRUmJFR2RnNXJhM25pay9jZU8rUWpqVjhkVExIZXJSMFB1MXkwS0hzU0dYMGVJSExPei9DaAo=' | base64 -d
# qk42UJhHQShQRbEGdg5ra3nik/ceO+QjjV8dTLHerR0Pu1y0KHsSGX0eIHLOz/Ch
This is probably the missing piece of the earlier certificate, the PART2.
let's join the certificate together and check what's inside.
It looks like it's again for the cicada domain:
openssl x509 -inform PEM -in pub_client.cert -text | less
#        Issuer: C=AU, ST=Nix, L=Nixers, O=nixers, OU=cicada
Opening gives us:
Quote:400 Bad Request
No required SSL certificate was sent
It needs a client certificate to be opened.
We have both a private client certificate, a public client certificate, and a key.

curl -v -k --key client.key --cert pub_client.cert:cicada

Quote:Well done

That's it!

Send this code to venam:

And this is it, you've done the scavenger hunt!

Scavenger hunt of June 2018
Scavenger hunt of June 2018

This hunt is less of a hunt and more of a linear quiz-like game.

It starts here:
Simply click the <START>

Question 1:

"More and more CLI are using ANSI colors by default, a website proposed a solution to this via an environment variable.
What is it?"

This was mentioned in issue 71 of the newsletter in the entry "Everything is color". The answer is $NO_COLOR or NO_COLOR.


You are presented with a c99 code and asked to compile it using gcc and the most annoying warnings you can come up with.

After compiling it using ` -std=c99 -Wall -Wextra -pedantic ` you get the following:

t.c: In function ‘main’:
t.c:30:7: error: unused variable ‘Run’ [-Werror=unused-variable]
  int *Run = p;
t.c:14:26: error: unused parameter ‘Fast’ [-Werror=unused-parameter]
int main(int nope, char *Fast[], char **Chips)
t.c:14:41: error: unused parameter ‘Chips’ [-Werror=unused-parameter]
int main(int nope, char *Fast[], char **Chips)
t.c: At top level:
t.c:11:14: error: ‘_NAME_NUMBER’ defined but not used [-Werror=unused-variable]
static char *_NAME_NUMBER = "Memory alloc test";
cc1: all warnings being treated as errors

The thing that pops out are the upper case letters. If we join them we obtain:

This is the challenge solution.


The question is " Give the RFC dedicated to naming machines. ", which was in "Naming a new machine" issue 69. The RFC number is 1178.

Special text:

It's a page that says the text is special, plus a hint " thieves and 0s ".

"Are you having fun this scavenger hunt?"

There's something hidden in this text, it's clear when you paste it in vim for example, there are zero width characters in it. To get the hidden text you have to use the tool presented in "Keeping thieves away" of issue 69.

You'll get back: "Github:scavjunixers", which is the solution


There's not much here, you should use the hint of the previous hunt to continue.
Go on Github and clone on your machine the only repo of the user scavjunixers.

git clone ''

There's a hint that in this repo there's a shell script made using

So it should be a compressed directory in a script, let's execute it and get that, not much else to do here.

You get back the directory "username_step" which contains "first.mp3" and "".

The hint says "metadata, zip, not-really-meta".

We inspect the ID3 tags for the mp3 file, there's an image in it.
You have to extract the image from the mp3.

Next step is zip. That image is concatenated with a zip, executing unzip image.png does the trick and greets you with a new file "9999.mp3"

Now for the "not-really-meta". call up the "strings" utility on your unix machine for this file to find a base64 encoded value, and you'll know the final answer.

QR code:

This page only has a Qr code. The hint is pretty clear " Do literally what it says! ".
So we scan it and it tells us to give it its weight.
Weight of what?
Let's dig the newsletter.

There's an interesting entry called "File physical weight" in 12 accompanied by an implementation code.
We run it, get back the weight of the image and that's it, voilà.


There are two inputs, one for email and the other for the final answer.
The hint says " Only the ASCII version of the text is required for the answer. "

Alright, we put our email and see what happens.

We receive an email with this text:

Scavenger Hunt - What encoding is this?


It seems to be base64 at first sight, so let's try that.
It still comes back as garbled but there's some readable bits in it "This is wrapper in a format loved by gpg,openssl and other encryption tools".

There have been a bunch of entries in the newsletter about those tool and the format they use, so let's remind ourselves "Let's play with encoding and formats" in 71 for example.

The format used for certificates and gpg key is the ASN1 format, openssl and asn1dump can help.

> openssl asn1parse -inform PEM -in t.pem                                             <
    0:d=0  hl=3 l= 183 cons: appl [ 7 ]        
    3:d=1  hl=2 l=   1 prim: INTEGER           :07
    6:d=1  hl=2 l=   4 prim: OCTET STRING      :UCS4
   12:d=1  hl=3 l= 171 cons: SEQUENCE          
   15:d=2  hl=2 l=  92 prim: OCTET STRING      [HEX DUMP]:0000007100001D6B0000FB06000000690001F51B00000020000000660000006F00000075000000720000002000000026000000200000FB010000007600000065000000200001F70700000065000000200000006E000000650000A2CF
  109:d=2  hl=2 l=  75 prim: OCTET STRING      :This is wrapper in a format loved by gpg,openssl and other encryption tools

Alright, so there are 3 strings in here, one seems to have been dumped as hex the others are readable. The first one says UCS4, which is a unicode format. This is what the hex dump is in.

Let's try to decode it then, UCS4 is close enough to UTF-32 so a website like should do.

That's what we get back "qᵫsti? four & five ?e neꋏ", oh that's unicode but the first hint said we needed only ascii back. So here we go to the next question.

Q4 & 5:

Those ones are straight forward:
" An extended attribute used to avoid destroying information that is already there while still allowed editing. "
" The gcc flag that wraps together the generation of a PGO. "

The answers are "a" or "+a" and "-fprofile-generate"


Also straight forward:

Simply visit the gopher website using a client that supports the gopher protocol. it's the default page with an extra special entry, which is where the answer is.


" The name of jargon file representing a period in which beginners get extremely obsessed with programming. "

The answer is "larval stage"

File type:

This is the last challenge.

There's a file with the extension "sfp"
That's a Spline Font Database file, a file used in fontforge.

Once opened in fontforge it becomes obvious that certain characters have something special, they are highlighted in red. They are the "n" "i" "x" "e" "r" "s" letters. They contain comments that together form the last solution.


Scavenger hunt of June 2019
Scavenger hunt of June 2019

This is probably the most advanced/hard scavenger hunt I've posted thus far.

The prerequisite are a good font and openssl.

The hunt starts like this, there's an irc chat log: with some conversation between two persons about facts, some links to

This step is about stegano so it may not be obvious what need to be done.

"You should get an IP and a port, dots and the colon included. Example:"

You should get an IP:PORT as the answer. It's using a system based on the snopes fact system, the scale as numbers:

You can read them from left to right, top to bottom, the last two beeing
dot and colon. You should have the following:

0. True
1. Mostly True
2. Mixture
3. Mostly False
4. False
5. Unproven
6. Outdated
7. Miscaptioned
8. Correct Attribution
9. Misattributed
10. Scam (.)
11. Legend (:)



"Great you were quIcker than i expected hypnophantomweb., i thouGht you'd
be slow As hek with this stegano one. i've place the files you wanted at
this location: ``, have fun, i've updated the code
we're using for the secret chat. it's compressed using the deduplication
method that z3Bra created. next time we'll have to use another method,
something not so public like stegano. i've been thinking of using emojis
maYbe or someThing of that sort. gEt on the chatS LatEr so that wE can
discuss. waiTing FOR your reply. ps: the password for the deduplicated
access is right here within this text, another sort of obvious visual
stegano, use the ascii as bytes if necessary. signed COMMANDERPETRIFY."

So you should take the file found at the link:

And deduplicate it using z3bra's deduplication software:

This requires a password/key and knowing the name of the file.
The file is appropriately called "backup" or `deduplication_of_backup_tar_file`

In the chat, following the hint is quite obvious, take the uppercase letters. You'll get "GIGABYTESLEETFORCOMMANDERPETRIFY". The key required for decryption must be exactly 32bytes which is what we got. Insert it in the key file and deduplicate.

The result of the deduplication is a git repository. A perl script along with a patch.
There's also a hidden .hint file with the following content:

Quote:You should do the reverse of what is done in the example encryption.
Netcat is a fine tool but maybe don't pipe it directly... Maybe there's a throttling mechanism in place.

The readme has the host and the port:

In the log history there's the IV & Key.

One of the previous versions has the IP+PORT hardcoded.
Key = 'WeirdSchemeUnprotectedAss'

for now simply output the content of the nc 65300 to a file.


And then stack up all the crypto in the perl script and do the reverse:

cat tt2 | openssl aes-256-cbc -a -d -iv 'A7870A63120DE984A7870A63120DE984' -K 'CD3E456D64FA6BAAE6355A8B952DA2E8CD3E456D64FA6BAAE6355A8B952DA2E8' | openssl cast5-cbc -a -d -iv 'A7870A63120DE984' -K 'CD3E456D64FA6BAAE6355A8B952DA2E8' | openssl rc4 -d -k 'WeirdSchemeUnprotectedAss' -a -S '4DAD277806AD473F' | openssl aes-128-cbc -d -k 'WeirdSchemeUnprotectedAss' -a -p

It'll output:

Quote:Message from CommanderPetrify: ... The IP:

The audio file says the following:

"Hello hypnophantomweb. I've set up one of those time keeping server. You got
to query it for the secret underscore variable. That'll lead you closer
to me."

The emphasis is on the time keeping server, an NTP server found at the IP specified.

The trick here is that NTP server allow you to query variables from them, we have to query the "secret_variable", literally:

ntpq -n -c 'rv 0 secret_variable'

This outputs a link to an image:

This is a simple multilayer image/gif. Open it with any image editor and you'll see the hidden message:

The gh repository contains a certain custom encoding protocol specifications.

You'll have to read carefully the specifications and split the bytes in the proto, you should get the following:

81 97                # tag + length of wrapper
    82 01 02     # algorith = AES
    83 01 04     # text encoding = UCS4
    84 2D        # tag + length of wrapper for parameters
        80 01 10   # block size = 16
        81 01 01   # padding = yes
        82 10 13371337133713371337133713371337 # the IV
        83 10 097890FFDEADBEEF00001337DEADDEAD # the key
        84 01 01 # default derivation
    85 60   15dae6264763692f3a01daf27b1d408199945b2f8b45ff82cdd19160acfa9bba77e42ac14f6fb4cfdb3fd580459c91d5afd7cdabe46653a9d3b876ae72c9e495d521ec8d9fe288a249908c10ec86f2ab4a60b8b263cd67e315474e4e64d74d94   # the encrypted message

Take that encypted message from the binary and put it in a file alone, then execute:

openssl aes-128-cbc -K '097890FFDEADBEEF00001337DEADDEAD' -e -pbkdf2 -iv '13371337133713371337133713371337' -d

This outputs:



You won't be able to see this message properly if you don't have a good unicode font.

Swap the characters for ascii ones and you'll have the url:

There's a page at: asking to insert the email.

After clicking you'll soon receive an email with some information saying the step should be in the xb7 header.

Quote:Here are the info in the mail:
The key is somewhere in this mail

It's in the header. You'll really need a mail client that doesn't mangle them.

Take the xb7 header, put it in a file, cat it, and you'll see it's some ascii art.


Now it's time to try the psk

Running at:
The key is:

openssl s_client -psk "`echo -n 'Sc4vJune2019Bytes' | xxd -p`" -host -port 9971

And you'll get the final token.

I know this was extensive!

I and III are offline and II has a small part missing.
I love it!
Too bad I wasn't there for most of those hunts.
I'll try my luck with the new one ,I'm at the second step now.
The hunts look easy when reading the solutions but I bet it's difficult to find what to do next on the quest.

Also, Thanks for those.
I've updated this thread with the 2018 new year scavenger hunt solution.
The solution to the "Scavenger hunt of June 2018" has been added for those who wants to cheat. This hunt will stay online for a long while, so don't open the spoiler alert if you want to play it someday.
Long time nixers
i will share {this,these} step{,s} from the original that are still online:
I've posted the solution for the scavenger hunt of June 2019. This was a hard one, maybe you'll enjoy reading the solution.