Scavenger Hunts Solutions (The making of) - Community & Forums Related Discussions
Users browsing this thread: 1 Guest(s)
|
|||
Hello fellow nixers,
Here are the solutions to past scavenger hunts: II:
https://nixers.net/showthread.php?tid=1909 The hunt starts with this: 1. "Luke check the source" We open the source of nixers.net and we see the following: Code: <!-- We see there's a spoiler tag with the text: (Scavenger Hunt) Check the profile of this contest's winner "it's missing 10 - hint is the name of this contest" xero was the winner of this contest, in his profile there used to be as signature a text where each letter has its ascii representation number - 10, all you had to do was add 10 back and revert the ascii number to their representation (this is the missing part). It should output "https://podcast.nixers.net/hidden.html" (If you still want to play it you can start from here) 3. The page mentions: Un(image of a zipper) the nixers sticker (the one who won obviously - see thread) We open the thread, download the winning sticker and unzip it Code: wget 'https://nixers.net/images/banners/nixers_sticker.png' 4. We simply open the image with a text editor, or just cat it. At the end of the image there's a base64. Code: echo 'R28gYmFjayB0byB0aGUgaGlkZGVuIHBhZ2UsIEhJTlRTLCBTYW1lIHdheSBhcyB0aGlzIHRleHQgZGVjb2RlLCA0ICsgMyArIDIgKyBtZXRhZGF0YSwgRmluZCBsaW5rCg==' | base64 -d 5. There's not much on the page other than the zipper image. Code: wget 'https://podcast.nixers.net/zipper.gif' Indeed there's some layers with text in them. Let's put it together: YmxpbmQuaHRtb Now what about this metadata? In gimp we can go into image > image properties and find a comment: Ao= Overall that gives us: YmxpbmQuaHRtbAo=, which again is base64 for "blind.html". Let's open it: https://podcast.nixers.net/blind.html 6. It says it's the last challenge: Connect THE DOTS :D With a weird image like that what are we supposed to do? It's called blind.png but the page says to connect the dots. This is braille. It says "cybernetic" which is the last flag. http://z3bra.org/hunt/ Mini Scavenger Hunt (June 2017 events):
1. The first hint is: Code: host nixers.net Code: nixers.net has address 178.62.236.80 Code: x509 Using openssl: Code: openssl s_client -showcerts -servername 178.62.236.80 -connect 178.62.236.80:443 </dev/null | openssl x509 -text You can see there's an added: Code: venam.nixers.net/scavang/historys Using the standard for terminals text (X3.64), show "hello" in bold, in the simplest way? Using the caret notation, show ESC then arrow up AKA ALT+UP? The answers are: \e[1mhello and ^[^[[A respectively 4. After solving it the page prints out a QR code: Which represent a URL: https://venam.nixers.net/scavang/nice_one_fellow 5. The page has the following text: The pixels (what are pixels made of? pixy dust, no?) that are not completely black or white represent an ASCII letter. And then there's a picture with small colored dots/pixels. Let's save the picture and try to analyze the pixels it. You can extract the colors programatically or simply via an image editor with the color extraction tool. The simplest thing we can do is to add up every r,g,b in the pixel and get the ascii character represented by it. Code: #! perl -slw 6. After telneting we're prompted: Code: 454040506720134? This is a credit card checksum for sure, the Luhn checksum. For example "413668426188716?" has the checksum "0". We enter it, then: "This is it, this is almost the end. Now check the end of the related podcast episode, the key is '!!june_love_and_nixers!!'." 7. There was an episode posted for the June events of the podcast, so let's download it. https://github.com/nixers-projects/podca...-05-30.mp3 Simply opening it with a text editor we can see that the mp3 has something concatenated at the end: Code: -----BEGIN PGP MESSAGE----- Seems like it's almost the end: Code: Well done! This is certainly base64, Code: echo 'MSFfMSFfSipOM18hXyExCg==' | base64 -d 8. And that's it, the final flag is "1!_1!_J*N3_!_!1". This was the whole scavenger hunt.
https://nixers.net/showthread.php?tid=2183 This hunt starts with: Quote:_Wanderers_ of the web hate me. Crawlers are referred to as wanderers of the web, what they usually don't like is to be limited in their search by the robots.txt file which they should respect. Let's see what's in the robots.txt: Quote:User-Agent: *Hmm, there an intriguing comment in it. Let's see what's at this ip and port using telnet. Code: telnet 188.166.241.192 65400 It's also asking about who's dead, so let's filter the zombie processes if there's any by searching for the Z in the status. It's easier to do that by using tee to save the output: Code: telnet 188.166.241.192 65400 | tee scavanger We find the following line: Quote:nixers 765 0.0 0.0 0 0 ? Z Dec23 0:00 [firegl, look_in_firefox_content]So let's look in the firefox_content, where we find this in one of them: Quote:nixers 11427 0.6 6.7 2642348 375796 ? Sl Dec24 44:03 /usr/lib/firefox/firefox -contentproc -childID 1 -isForBrowser -intPrefs 5:50|6:-[...] nixers_domain_slash_cicada" -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/firefox/browser 11338 true tab "nixers_domain_slash_cicada", that's intriguing, let's open it: https://nixers.net/cicada/ There's the ascii art of a cicada, the title says "TXT art and more", and the bottom text: Code: vnm This all reminds us of domain names. Let's dig or drill it. (There also were some hints in the newsletter issue 56 https://newsletter.nixers.net/entries.php#56 about this) Code: dig cicada.nixers.net TXT +short And the server replies: Code: "go back, think meta about the txt and its custom representation" So we should go back to the page and think meta about it, about the txt and its custom representation...Apparently. There's nothing else left than to check the source of the page. There doesn't seem to be anything special other than some css and a favicon. In the css there's a font called "custom", that looks deliberate. We need to download it to inspect it locally. But how do we actually inspect fonts, the text editor doesn't help us with anything. (There's another hint in issue 56 of the newsletter) The most prominent software to edit font is fontforge, maybe it will do something. Code: fontforge custom.ttf A character suddenly pops up in your face. Inside the dot there's the text: "nixers.net/fix_me_bad". Interesting. Again, we open that new page, it contains some code, let's download it locally. This doesn't look like any language I know, it's close to C though and it says fixme. The first lines are: Code: /* There are some files we can already get our hands on so let's download them for now. You might remember we've discussed in the newsletter about weird syntaxes in C called digraphs and trigraphs, this is what is used here. We can compile the code directly: Code: cc encrypt.c --trigraph -o encrypt Looking at the code the usage is: ./encrypt <file> <encryption scheme> Code: ./encrypt key.asc "ror2:1;~:1;rol2:2;^2:3" > key.decrypt A big file with multiple certificates and keys part is outputed. One say PART1, another PART3, after that GPG and a GPG key with as comment "Comment: ./img.zip". Yet another file to download... It's a file that is protected by the same gpg key. We import it and decrypt the file, the password it asks for is the them of the hunt, "cicada". The file it outputs, after inspection of the magic bytes, is a gzip archive (tar.gz). Code: tar -zxvf img.decrypt.zip Code: HELP The HELP says: Quote:Issue 50 will help you analyse the file and Issue 54 for the next step It's referring to the newsletter: https://newsletter.nixers.net/entries.php#50 We have an image of a filesystem so there must be a part that's related: "More extra content related to the podcast" mentions filesystem recursion in FAT12 and the FS seems to be FAT12. Anyway, we mount it. Code: mkdir mnt Whatever, it's just trickery. The file is an ELF, maybe it's special. Code: objdump -x test_x86_64 | less Quote:Dynamic Section: RPATH is a base64 string: Code: echo 'cWs0MlVKaEhRU2hRUmJFR2RnNXJhM25pay9jZU8rUWpqVjhkVExIZXJSMFB1MXkwS0hzU0dYMGVJSExPei9DaAo=' | base64 -d let's join the certificate together and check what's inside. It looks like it's again for the cicada domain: Code: openssl x509 -inform PEM -in pub_client.cert -text | less Quote:400 Bad RequestIt needs a client certificate to be opened. We have both a private client certificate, a public client certificate, and a key. Finally: Code: curl -v -k --key client.key --cert pub_client.cert:cicada https://cicada.nixers.net Quote:Well done And this is it, you've done the scavenger hunt! Scavenger hunt of June 2018
Scavenger hunt of June 2018 https://nixers.net/showthread.php?tid=2206 This hunt is less of a hunt and more of a linear quiz-like game. It starts here: https://venam.nixers.net/scavenger_hunt_2018_june/ Simply click the <START> Question 1: "More and more CLI are using ANSI colors by default, a website proposed a solution to this via an environment variable. What is it?" This was mentioned in issue 71 of the newsletter in the entry "Everything is color". The answer is $NO_COLOR or NO_COLOR. Linter: You are presented with a c99 code and asked to compile it using gcc and the most annoying warnings you can come up with. After compiling it using ` -std=c99 -Wall -Wextra -pedantic ` you get the following: Code: t.c: In function ‘main’: The thing that pops out are the upper case letters. If we join them we obtain: RFC_NAME_NUMBER This is the challenge solution. Rfc: The question is " Give the RFC dedicated to naming machines. ", which was in "Naming a new machine" issue 69. The RFC number is 1178. Special text: It's a page that says the text is special, plus a hint " thieves and 0s ". "Are you having fun this scavenger hunt?" There's something hidden in this text, it's clear when you paste it in vim for example, there are zero width characters in it. To get the hidden text you have to use the tool presented in "Keeping thieves away" of issue 69. You'll get back: "Github:scavjunixers", which is the solution User: There's not much here, you should use the hint of the previous hunt to continue. Go on Github and clone on your machine the only repo of the user scavjunixers. Code: git clone 'https://github.com/scavjunixers/make_me_happy' There's a hint that in this repo there's a shell script made using makeself.io So it should be a compressed directory in a script, let's execute it and get that, not much else to do here. You get back the directory "username_step" which contains "first.mp3" and "hint.sh". The hint says "metadata, zip, not-really-meta". We inspect the ID3 tags for the mp3 file, there's an image in it. You have to extract the image from the mp3. Next step is zip. That image is concatenated with a zip, executing unzip image.png does the trick and greets you with a new file "9999.mp3" Now for the "not-really-meta". call up the "strings" utility on your unix machine for this file to find a base64 encoded value, and you'll know the final answer. QR code: This page only has a Qr code. The hint is pretty clear " Do literally what it says! ". So we scan it and it tells us to give it its weight. Weight of what? Let's dig the newsletter. There's an interesting entry called "File physical weight" in 12 accompanied by an implementation code. We run it, get back the weight of the image and that's it, voilà. Email: There are two inputs, one for email and the other for the final answer. The hint says " Only the ASCII version of the text is required for the answer. " Alright, we put our email and see what happens. We receive an email with this text: Code: Scavenger Hunt - What encoding is this? It seems to be base64 at first sight, so let's try that. It still comes back as garbled but there's some readable bits in it "This is wrapper in a format loved by gpg,openssl and other encryption tools". There have been a bunch of entries in the newsletter about those tool and the format they use, so let's remind ourselves "Let's play with encoding and formats" in 71 for example. The format used for certificates and gpg key is the ASN1 format, openssl and asn1dump can help. Code: > openssl asn1parse -inform PEM -in t.pem < Alright, so there are 3 strings in here, one seems to have been dumped as hex the others are readable. The first one says UCS4, which is a unicode format. This is what the hex dump is in. Let's try to decode it then, UCS4 is close enough to UTF-32 so a website like https://www.branah.com/unicode-converter should do. That's what we get back "qᵫsti? four & five ?e neꋏ", oh that's unicode but the first hint said we needed only ascii back. So here we go to the next question. Q4 & 5: Those ones are straight forward: " An extended attribute used to avoid destroying information that is already there while still allowed editing. " and " The gcc flag that wraps together the generation of a PGO. " The answers are "a" or "+a" and "-fprofile-generate" gaufres: Also straight forward: "gopher://188.166.241.192/" Simply visit the gopher website using a client that supports the gopher protocol. it's the default page with an extra special entry, which is where the answer is. jargon: " The name of jargon file representing a period in which beginners get extremely obsessed with programming. " The answer is "larval stage" File type: This is the last challenge. There's a file with the extension "sfp" That's a Spline Font Database file, a file used in fontforge. Once opened in fontforge it becomes obvious that certain characters have something special, they are highlighted in red. They are the "n" "i" "x" "e" "r" "s" letters. They contain comments that together form the last solution. Congratz! Scavenger hunt of June 2019
Scavenger hunt of June 2019 https://nixers.net/showthread.php?tid=2275 This is probably the most advanced/hard scavenger hunt I've posted thus far. The prerequisite are a good font and openssl. The hunt starts like this, there's an irc chat log: http://venam.nixers.net/irc_chat.log with some conversation between two persons about facts, some links to snopes.com This step is about stegano so it may not be obvious what need to be done. "You should get an IP and a port, dots and the colon included. Example: 127.0.0.1:12345" You should get an IP:PORT as the answer. It's using a system based on the snopes fact system, the scale as numbers: https://www.snopes.com/fact-check-ratings/ You can read them from left to right, top to bottom, the last two beeing dot and colon. You should have the following: Code: 0. True @ 188.166.241.192:9777 "Great you were quIcker than i expected hypnophantomweb., i thouGht you'd be slow As hek with this stegano one. i've place the files you wanted at this location: `https://venam.nixers.net/hypnophantomweb/dedup/deduplication_step4.tar.gz`, have fun, i've updated the code we're using for the secret chat. it's compressed using the deduplication method that z3Bra created. next time we'll have to use another method, something not so public like stegano. i've been thinking of using emojis maYbe or someThing of that sort. gEt on the chatS LatEr so that wE can discuss. waiTing FOR your reply. ps: the password for the deduplicated access is right here within this text, another sort of obvious visual stegano, use the ascii as bytes if necessary. signed COMMANDERPETRIFY." So you should take the file found at the link: https://venam.nixers.net/hypnophantomweb...ep4.tar.gz And deduplicate it using z3bra's deduplication software: https://git.2f30.org/dedup/log.html This requires a password/key and knowing the name of the file. The file is appropriately called "backup" or `deduplication_of_backup_tar_file` In the chat, following the hint is quite obvious, take the uppercase letters. You'll get "GIGABYTESLEETFORCOMMANDERPETRIFY". The key required for decryption must be exactly 32bytes which is what we got. Insert it in the key file and deduplicate. The result of the deduplication is a git repository. A perl script along with a patch. There's also a hidden .hint file with the following content: Quote:You should do the reverse of what is done in the example encryption. The readme has the host and the port: HOST:188.166.241.192 PORT:65300 In the log history there's the IV & Key. One of the previous versions has the IP+PORT hardcoded. 188.166.241.192:65300 Key = 'WeirdSchemeUnprotectedAss' for now simply output the content of the nc 188.166.241.192 65300 to a file. Code: uRdMPxDwKFLS0v59Of7pvNhOmlt+Z5wQvRsrYIjEJj8E1HB5NlAvwm4aQe70mNnX And then stack up all the crypto in the perl script and do the reverse: Code: cat tt2 | openssl aes-256-cbc -a -d -iv 'A7870A63120DE984A7870A63120DE984' -K 'CD3E456D64FA6BAAE6355A8B952DA2E8CD3E456D64FA6BAAE6355A8B952DA2E8' | openssl cast5-cbc -a -d -iv 'A7870A63120DE984' -K 'CD3E456D64FA6BAAE6355A8B952DA2E8' | openssl rc4 -d -k 'WeirdSchemeUnprotectedAss' -a -S '4DAD277806AD473F' | openssl aes-128-cbc -d -k 'WeirdSchemeUnprotectedAss' -a -p It'll output: Quote:Message from CommanderPetrify: https://venam.nixers.net/hypnophantomweb.../step7.mp3 ... The IP: 188.166.241.192 The audio file says the following: "Hello hypnophantomweb. I've set up one of those time keeping server. You got to query it for the secret underscore variable. That'll lead you closer to me." The emphasis is on the time keeping server, an NTP server found at the IP specified. The trick here is that NTP server allow you to query variables from them, we have to query the "secret_variable", literally: Code: ntpq -n -c 'rv 0 secret_variable' psychology.wtf This outputs a link to an image: https://venam.nixers.net/hypnophantomweb.../step9.gif This is a simple multilayer image/gif. Open it with any image editor and you'll see the hidden message: https://github.com/scavjunixers/encoding_proto The gh repository contains a certain custom encoding protocol specifications. You'll have to read carefully the specifications and split the bytes in the proto, you should get the following: Code: 81 97 # tag + length of wrapper Take that encypted message from the binary and put it in a file alone, then execute: openssl aes-128-cbc -K '097890FFDEADBEEF00001337DEADDEAD' -e -pbkdf2 -iv '13371337133713371337133713371337' -d This outputs: ven㏂.nⅸe₨.net/hyp№p㏊?o㎽eb/dc㉝cf㊵㏄9563⑲92ded㊳bd㊲84d64.p㏋ ven㏂.nⅸe₨.net/hyp№p㏊?o㎽eb/dc㉝cf㊵㏄9563⑲92ded㊳bd㊲84d64.p㏋ You won't be able to see this message properly if you don't have a good unicode font. Swap the characters for ascii ones and you'll have the url: venam.nixers.net/hypnophantomweb/dc33cf40cc95631992ded38bd3784d64.php There's a page at: https://venam.nixers.net/hypnophantomweb...784d64.php asking to insert the email. After clicking you'll soon receive an email with some information saying the step should be in the xb7 header. Quote:Here are the info in the mail: It's in the header. You'll really need a mail client that doesn't mangle them. Take the xb7 header, put it in a file, cat it, and you'll see it's some ascii art. "Sc4vJune2019Bytes" Now it's time to try the psk Running at: 188.166.241.192:9971 The key is: Sc4vJune2019Bytes openssl s_client -psk "`echo -n 'Sc4vJune2019Bytes' | xxd -p`" -host 127.0.0.1 -port 9971 And you'll get the final token. I know this was extensive! I and III are offline and II has a small part missing. |
|||
|
Messages In This Thread |
Scavenger Hunts Solutions (The making of) - by venam - 03-01-2018, 01:58 AM
RE: Scavenger Hunts Solutions (The making of) - by resk - 03-01-2018, 05:50 AM
RE: Scavenger Hunts Solutions (The making of) - by venam - 05-02-2018, 03:25 AM
RE: Scavenger Hunts Solutions (The making of) - by venam - 27-06-2018, 07:44 AM
RE: Scavenger Hunts Solutions (The making of) - by xero - 16-08-2018, 11:06 AM
RE: Scavenger Hunts Solutions (The making of) - by venam - 18-07-2019, 02:13 PM
|