https://nixers.net/showthread.php?tid=1909
The hunt starts with this:
1. "Luke check the source"
We open the source of nixers.net and we see the following:
2. So let's open the ascii art contest: https://nixers.net/showthread.php?tid=1862
We see there's a spoiler tag with the text:
(Scavenger Hunt)
Check the profile of this contest's winner
"it's missing 10 - hint is the name of this contest"

xero was the winner of this contest, in his profile there used to be as signature a text where each letter has its ascii representation number - 10, all you had to do was add 10 back and revert the ascii number to their representation (this is the missing part).
It should output "https://podcast.nixers.net/hidden.html"
(If you still want to play it you can start from here)
3. The page mentions:
Un(image of a zipper) the nixers sticker (the one who won obviously - see thread)
We open the thread, download the winning sticker and unzip it
This outputs another image called cat_in_bin.jpg showing a cat in a bin.
4. We simply open the image with a text editor, or just cat it.
At the end of the image there's a base64.
Which outputs: Go back to the hidden page, HINTS, Same way as this text decode, 4 + 3 + 2 + metadata, Find link
5. There's not much on the page other than the zipper image.
It's a gif so it can contain layers, let's check them with gimp.
Indeed there's some layers with text in them. Let's put it together: YmxpbmQuaHRtb
Now what about this metadata?
In gimp we can go into image > image properties and find a comment: Ao=
Overall that gives us: YmxpbmQuaHRtbAo=, which again is base64 for "blind.html".
Let's open it: https://podcast.nixers.net/blind.html
6. It says it's the last challenge:

Connect THE DOTS :D

With a weird image like that what are we supposed to do?
It's called blind.png but the page says to connect the dots.
This is braille.

It says "cybernetic" which is the last flag.

1. The first hint is:
This is a command that returns the ip of the server.
2. When you open http://178.62.236.80 in the browser you are presented with the following text:
Which stands for the format of certificates, so let's get the SSL cert of this page.
Using openssl:
The certificate signature doesn't match, it means the certificate has been modified.
You can see there's an added:
3. Let's open that page, we get a bunch of questions:
Using the standard for terminals text (X3.64), show "hello" in bold, in the simplest way?
Using the caret notation, show ESC then arrow up AKA ALT+UP?
The answers are: \e[1mhello and ^[^[[A respectively
4.
After solving it the page prints out a QR code:

Which represent a URL: https://venam.nixers.net/scavang/nice_one_fellow
5.
The page has the following text:

The pixels (what are pixels made of? pixy dust, no?) that are not completely black or white represent an ASCII letter.

And then there's a picture with small colored dots/pixels.
Let's save the picture and try to analyze the pixels it.
You can extract the colors programatically or simply via an image editor with the color extraction tool.

The simplest thing we can do is to add up every r,g,b in the pixel and get the ascii character represented by it.
This gives us: telnet://188.166.241.192:9766

6. After telneting we're prompted:
We enter anything and it replies with "Wrong credit card number".
This is a credit card checksum for sure, the Luhn checksum.
For example "413668426188716?" has the checksum "0".
We enter it, then:
"This is it, this is almost the end. Now check the end of the related podcast episode, the key is '!!june_love_and_nixers!!'."

7. There was an episode posted for the June events of the podcast, so let's download it. https://github.com/nixers-projects/podcast/blob/master/nixers-podcast-2017-05-30.mp3
Simply opening it with a text editor we can see that the mp3 has something concatenated at the end:
Let's decrypt it with the key: gpg --decrypt k.gpg

Seems like it's almost the end:

This is certainly base64,
8. And that's it, the final flag is "1!_1!_J*N3_!_!1".

This was the whole scavenger hunt.

https://nixers.net/showthread.php?tid=2183
This hunt starts with:

Quote:_Wanderers_ of the web hate me.

Crawlers are referred to as wanderers of the web, what they usually don't like is to be limited in their search by the robots.txt file which they should respect.

Let's see what's in the robots.txt:

Quote:User-Agent: *
Disallow: /member.php?action=register
Allow: /
# 188.166.241.192:65400 - who's dead?

Hmm, there an intriguing comment in it.
Let's see what's at this ip and port using telnet.

This returns a big list similar to what the ps command would return.

It's also asking about who's dead, so let's filter the zombie processes if there's any by searching for the Z in the status.
It's easier to do that by using tee to save the output:

We find the following line:

Quote:nixers 765 0.0 0.0 0 0 ? Z Dec23 0:00 [firegl, look_in_firefox_content]

So let's look in the firefox_content, where we find this in one of them:

Quote:nixers 11427 0.6 6.7 2642348 375796 ? Sl Dec24 44:03 /usr/lib/firefox/firefox -contentproc -childID 1 -isForBrowser -intPrefs 5:50|6:-[...] nixers_domain_slash_cicada" -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/firefox/browser 11338 true tab

"nixers_domain_slash_cicada", that's intriguing, let's open it: https://nixers.net/cicada/

There's the ascii art of a cicada, the title says "TXT art and more", and the bottom text:
There's seems to be a typo, "domainating", what does that mean, cicada.ni, TXT.
This all reminds us of domain names. Let's dig or drill it. (There also were some hints in the newsletter issue 56 https://newsletter.nixers.net/entries.php#56 about this)


And the server replies:

So we should go back to the page and think meta about it, about the txt and its custom representation...Apparently.

There's nothing else left than to check the source of the page. There doesn't seem to be anything special other than some css and a favicon. In the css there's a font called "custom", that looks deliberate.

We need to download it to inspect it locally.

But how do we actually inspect fonts, the text editor doesn't help us with anything.
(There's another hint in issue 56 of the newsletter)

The most prominent software to edit font is fontforge, maybe it will do something.

A character suddenly pops up in your face. Inside the dot there's the text: "nixers.net/fix_me_bad".

Interesting. Again, we open that new page, it contains some code, let's download it locally.

This doesn't look like any language I know, it's close to C though and it says fixme.
The first lines are:

There are some files we can already get our hands on so let's download them for now.

You might remember we've discussed in the newsletter about weird syntaxes in C called digraphs and trigraphs, this is what is used here.
We can compile the code directly:

Looking at the code the usage is: ./encrypt <file> <encryption scheme>

A big file with multiple certificates and keys part is outputed. One say PART1, another PART3, after that GPG and a GPG key with as comment "Comment: ./img.zip".

Yet another file to download... It's a file that is protected by the same gpg key.
We import it and decrypt the file, the password it asks for is the them of the hunt, "cicada".

The file it outputs, after inspection of the magic bytes, is a gzip archive (tar.gz).
We have a new "pkg" directory to play with in which we find:

The HELP says:

Quote:Issue 50 will help you analyse the file and Issue 54 for the next step

It's referring to the newsletter: https://newsletter.nixers.net/entries.php#50
We have an image of a filesystem so there must be a part that's related: "More extra content related to the podcast" mentions filesystem recursion in FAT12 and the FS seems to be FAT12.

Anyway, we mount it.
Ohh, there's a 4GB file in there... how did that fit in the small image...
Whatever, it's just trickery.
The file is an ELF, maybe it's special.

In the dynamic section there is a suspicious line:

Quote:Dynamic Section:
NEEDED libc.so.6
RPATH cWs0MlVKaEhRU2hRUmJFR2RnNXJhM25pay9jZU8rUWpqVjhkVExIZXJSMFB1MXkwS0hzU0dYMGVJSExPei9DaAo=
INIT 0x00000000000005f0
FINI 0x0000000000000834

RPATH is a base64 string:
This is probably the missing piece of the earlier certificate, the PART2.
let's join the certificate together and check what's inside.
It looks like it's again for the cicada domain:
Opening https://cicada.nixers.net/ gives us:

Quote:400 Bad Request
No required SSL certificate was sent

It needs a client certificate to be opened.
We have both a private client certificate, a public client certificate, and a key.

Finally:

Quote:Well done

That's it!

Send this code to venam:
cicada_nixers_2018_what_the_hek_why_is_this_a_sentence_I_finished

And this is it, you've done the scavenger hunt!

Scavenger hunt of June 2018
https://nixers.net/showthread.php?tid=2206

This hunt is less of a hunt and more of a linear quiz-like game.

It starts here:

https://venam.nixers.net/scavenger_hunt_2018_june/
Simply click the <START>

---

Question 1:

"More and more CLI are using ANSI colors by default, a website proposed a solution to this via an environment variable.
What is it?"

This was mentioned in issue 71 of the newsletter in the entry "Everything is color". The answer is $NO_COLOR or NO_COLOR.

---

Linter:

You are presented with a c99 code and asked to compile it using gcc and the most annoying warnings you can come up with.

After compiling it using ` -std=c99 -Wall -Wextra -pedantic ` you get the following:


The thing that pops out are the upper case letters. If we join them we obtain:
RFC_NAME_NUMBER

This is the challenge solution.

---

Rfc:

The question is " Give the RFC dedicated to naming machines. ", which was in "Naming a new machine" issue 69. The RFC number is 1178.

---

Special text:

It's a page that says the text is special, plus a hint " thieves and 0s ".

"Are you having fun this scavenger hunt?"

There's something hidden in this text, it's clear when you paste it in vim for example, there are zero width characters in it. To get the hidden text you have to use the tool presented in "Keeping thieves away" of issue 69.

You'll get back: "Github:scavjunixers", which is the solution

---

User:

There's not much here, you should use the hint of the previous hunt to continue.
Go on Github and clone on your machine the only repo of the user scavjunixers.


There's a hint that in this repo there's a shell script made using makeself.io

So it should be a compressed directory in a script, let's execute it and get that, not much else to do here.

You get back the directory "username_step" which contains "first.mp3" and "hint.sh".

The hint says "metadata, zip, not-really-meta".

We inspect the ID3 tags for the mp3 file, there's an image in it.
You have to extract the image from the mp3.

Next step is zip. That image is concatenated with a zip, executing unzip image.png does the trick and greets you with a new file "9999.mp3"

Now for the "not-really-meta". call up the "strings" utility on your unix machine for this file to find a base64 encoded value, and you'll know the final answer.

---

QR code:

This page only has a Qr code. The hint is pretty clear " Do literally what it says! ".
So we scan it and it tells us to give it its weight.
Weight of what?
Let's dig the newsletter.

There's an interesting entry called "File physical weight" in 12 accompanied by an implementation code.
We run it, get back the weight of the image and that's it, voilà.

---

Email:

There are two inputs, one for email and the other for the final answer.
The hint says " Only the ASCII version of the text is required for the answer. "

Alright, we put our email and see what happens.

We receive an email with this text:


It seems to be base64 at first sight, so let's try that.
It still comes back as garbled but there's some readable bits in it "This is wrapper in a format loved by gpg,openssl and other encryption tools".

There have been a bunch of entries in the newsletter about those tool and the format they use, so let's remind ourselves "Let's play with encoding and formats" in 71 for example.

The format used for certificates and gpg key is the ASN1 format, openssl and asn1dump can help.


Alright, so there are 3 strings in here, one seems to have been dumped as hex the others are readable. The first one says UCS4, which is a unicode format. This is what the hex dump is in.

Let's try to decode it then, UCS4 is close enough to UTF-32 so a website like https://www.branah.com/unicode-converter should do.

That's what we get back "qᵫsti? four & five ?e neꋏ", oh that's unicode but the first hint said we needed only ascii back. So here we go to the next question.

---

Q4 & 5:

Those ones are straight forward:
" An extended attribute used to avoid destroying information that is already there while still allowed editing. "
and
" The gcc flag that wraps together the generation of a PGO. "

The answers are "a" or "+a" and "-fprofile-generate"

---

gaufres:

Also straight forward:
"gopher://188.166.241.192/"

Simply visit the gopher website using a client that supports the gopher protocol. it's the default page with an extra special entry, which is where the answer is.

---

jargon:

" The name of jargon file representing a period in which beginners get extremely obsessed with programming. "

The answer is "larval stage"

---

File type:

This is the last challenge.

There's a file with the extension "sfp"
That's a Spline Font Database file, a file used in fontforge.

Once opened in fontforge it becomes obvious that certain characters have something special, they are highlighted in red. They are the "n" "i" "x" "e" "r" "s" letters. They contain comments that together form the last solution.

---

Congratz!

Scavenger hunt of June 2019

https://nixers.net/showthread.php?tid=2275

This is probably the most advanced/hard scavenger hunt I've posted thus far.

The prerequisite are a good font and openssl.

The hunt starts like this, there's an irc chat log: http://venam.nixers.net/irc_chat.log with some conversation between two persons about facts, some links to snopes.com

This step is about stegano so it may not be obvious what need to be done.

"You should get an IP and a port, dots and the colon included. Example: 127.0.0.1:12345"

You should get an IP:PORT as the answer. It's using a system based on the snopes fact system, the scale as numbers:

https://www.snopes.com/fact-check-ratings/

You can read them from left to right, top to bottom, the last two beeing
dot and colon. You should have the following:

---

@ 188.166.241.192:9777

"Great you were quIcker than i expected hypnophantomweb., i thouGht you'd
be slow As hek with this stegano one. i've place the files you wanted at
this location: `https://venam.nixers.net/hypnophantomweb/dedup/deduplication_step4.tar.gz`, have fun, i've updated the code
we're using for the secret chat. it's compressed using the deduplication
method that z3Bra created. next time we'll have to use another method,
something not so public like stegano. i've been thinking of using emojis
maYbe or someThing of that sort. gEt on the chatS LatEr so that wE can
discuss. waiTing FOR your reply. ps: the password for the deduplicated
access is right here within this text, another sort of obvious visual
stegano, use the ascii as bytes if necessary. signed COMMANDERPETRIFY."

So you should take the file found at the link:
https://venam.nixers.net/hypnophantomweb/dedup/deduplication_step4.tar.gz

And deduplicate it using z3bra's deduplication software: https://git.2f30.org/dedup/log.html

This requires a password/key and knowing the name of the file.
The file is appropriately called "backup" or `deduplication_of_backup_tar_file`

In the chat, following the hint is quite obvious, take the uppercase letters. You'll get "GIGABYTESLEETFORCOMMANDERPETRIFY". The key required for decryption must be exactly 32bytes which is what we got. Insert it in the key file and deduplicate.

---

The result of the deduplication is a git repository. A perl script along with a patch.
There's also a hidden .hint file with the following content:

Quote:You should do the reverse of what is done in the example encryption.
Netcat is a fine tool but maybe don't pipe it directly... Maybe there's a throttling mechanism in place.

The readme has the host and the port:
HOST:188.166.241.192
PORT:65300

In the log history there's the IV & Key.

One of the previous versions has the IP+PORT hardcoded.
188.166.241.192:65300
Key = 'WeirdSchemeUnprotectedAss'

for now simply output the content of the nc 188.166.241.192 65300 to a file.


And then stack up all the crypto in the perl script and do the reverse:


It'll output:

Quote:Message from CommanderPetrify: https://venam.nixers.net/hypnophantomweb/secret_variable/step7.mp3 ... The IP: 188.166.241.192

---

The audio file says the following:

"Hello hypnophantomweb. I've set up one of those time keeping server. You got
to query it for the secret underscore variable. That'll lead you closer
to me."

The emphasis is on the time keeping server, an NTP server found at the IP specified.

The trick here is that NTP server allow you to query variables from them, we have to query the "secret_variable", literally:


This outputs a link to an image:
https://venam.nixers.net/hypnophantomweb/ntp_result/step9.gif

---

This is a simple multilayer image/gif. Open it with any image editor and you'll see the hidden message:

https://github.com/scavjunixers/encoding_proto

---

The gh repository contains a certain custom encoding protocol specifications.

You'll have to read carefully the specifications and split the bytes in the proto, you should get the following:


Take that encypted message from the binary and put it in a file alone, then execute:

openssl aes-128-cbc -K '097890FFDEADBEEF00001337DEADDEAD' -e -pbkdf2 -iv '13371337133713371337133713371337' -d

This outputs:

ven㏂.nⅸe₨.net/hyp№p㏊?o㎽eb/dc㉝cf㊵㏄9563⑲92ded㊳bd㊲84d64.p㏋

---

ven㏂.nⅸe₨.net/hyp№p㏊?o㎽eb/dc㉝cf㊵㏄9563⑲92ded㊳bd㊲84d64.p㏋

You won't be able to see this message properly if you don't have a good unicode font.

Swap the characters for ascii ones and you'll have the url:

venam.nixers.net/hypnophantomweb/dc33cf40cc95631992ded38bd3784d64.php

---

There's a page at: https://venam.nixers.net/hypnophantomweb/dc33cf40cc95631992ded38bd3784d64.php asking to insert the email.

After clicking you'll soon receive an email with some information saying the step should be in the xb7 header.

Quote:Here are the info in the mail:
TLS PSK @ 188.166.241.192:9971
The key is somewhere in this mail

It's in the header. You'll really need a mail client that doesn't mangle them.



Take the xb7 header, put it in a file, cat it, and you'll see it's some ascii art.

"Sc4vJune2019Bytes"

---

Now it's time to try the psk

Running at:
188.166.241.192:9971
The key is:
Sc4vJune2019Bytes

openssl s_client -psk "`echo -n 'Sc4vJune2019Bytes' | xxd -p`" -host 127.0.0.1 -port 9971

And you'll get the final token.

I know this was extensive!