Scavenger Hunts Solutions (The making of) - Community & Forums Related Discussions
Hello fellow nixers,
Here are the solutions to past scavenger hunts:
The hunt starts with this:
1. "Luke check the source"
We open the source of nixers.net and we see the following:
2. So let's open the ascii art contest: https://nixers.net/showthread.php?tid=1862
We see there's a spoiler tag with the text:
Check the profile of this contest's winner
"it's missing 10 - hint is the name of this contest"
xero was the winner of this contest. In his profile there used to be, as a signature, a text where each letter was written as its ascii representation number - 10; all you had to do was add 10 back and convert the ascii numbers back to the characters they represent (this is the missing part).
It should output "https://podcast.nixers.net/hidden.html"
(If you still want to play it you can start from here)
3. The page mentions:
Un(image of a zipper) the nixers sticker (the one who won obviously - see thread)
We open the thread, download the winning sticker and unzip it
This outputs another image called cat_in_bin.jpg showing a cat in a bin.
4. We simply open the image with a text editor, or just cat it.
At the end of the image there's a base64.
Which outputs: Go back to the hidden page, HINTS, Same way as this text decode, 4 + 3 + 2 + metadata, Find link
5. There's not much on the page other than the zipper image.
It's a gif so it can contain layers, let's check them with gimp.
Indeed there are some layers with text in them. Let's put it together: YmxpbmQuaHRtb
Now what about this metadata?
In gimp we can go into image > image properties and find a comment: Ao=
Overall that gives us: YmxpbmQuaHRtbAo=, which again is base64 for "blind.html".
Let's open it: https://podcast.nixers.net/blind.html
6. It says it's the last challenge:
Connect THE DOTS :D
With a weird image like that what are we supposed to do?
It's called blind.png but the page says to connect the dots.
This is braille.
It says "cybernetic" which is the last flag.
Mini Scavenger Hunt (June 2017 events):
New Year 2018:
1. The first hint is:
This is a command that returns the ip of the server.
2. When you open http://126.96.36.199 in the browser you are presented with the following text:
Which stands for the format of certificates, so let's get the SSL cert of this page.
The certificate signature doesn't match, it means the certificate has been modified.
You can see there's an added:
3. Let's open that page, we get a bunch of questions:
Using the standard for terminals text (X3.64), show "hello" in bold, in the simplest way?
Using the caret notation, show ESC then arrow up AKA ALT+UP?
The answers are: \e[1mhello and ^[^[[A respectively
After solving it the page prints out a QR code:
Which represents a URL: https://venam.nixers.net/scavang/nice_one_fellow
The page has the following text:
The pixels (what are pixels made of? pixy dust, no?) that are not completely black or white represent an ASCII letter.
And then there's a picture with small colored dots/pixels.
Let's save the picture and try to analyze its pixels.
You can extract the colors programmatically or simply via an image editor with the color extraction tool.
The simplest thing we can do is to add up every r,g,b in the pixel and get the ascii character represented by it.
This gives us: telnet://188.8.131.52:9766
6. After telnetting we're prompted:
We enter anything and it replies with "Wrong credit card number".
This is a credit card checksum for sure, the Luhn checksum.
For example "413668426188716?" has the checksum "0".
We enter it, then:
"This is it, this is almost the end. Now check the end of the related podcast episode, the key is '!!june_love_and_nixers!!'."
7. There was an episode posted for the June events of the podcast, so let's download it. https://github.com/nixers-projects/podca...-05-30.mp3
Simply opening it with a text editor we can see that the mp3 has something concatenated at the end:
Let's decrypt it with the key: gpg --decrypt k.gpg
Seems like it's almost the end:
This is certainly base64,
8. And that's it, the final flag is "1!_1!_J*N3_!_!1".
This was the whole scavenger hunt.
This hunt starts with:
Quote:_Wanderers_ of the web hate me.
Crawlers are referred to as wanderers of the web, what they usually don't like is to be limited in their search by the robots.txt file which they should respect.
Let's see what's in the robots.txt:
Quote:User-Agent: *
Hmm, there's an intriguing comment in it.
Let's see what's at this ip and port using telnet.
This returns a big list similar to what the ps command would return.
It's also asking about who's dead, so let's filter the zombie processes, if there are any, by searching for the Z in the status.
It's easier to do that by using tee to save the output:
We find the following line:
Quote:nixers 765 0.0 0.0 0 0 ? Z Dec23 0:00 [firegl, look_in_firefox_content]
So let's look in the firefox_content, where we find this in one of them:
Quote:nixers 11427 0.6 6.7 2642348 375796 ? Sl Dec24 44:03 /usr/lib/firefox/firefox -contentproc -childID 1 -isForBrowser -intPrefs 5:50|6:-[...] nixers_domain_slash_cicada" -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/firefox/browser 11338 true tab
"nixers_domain_slash_cicada", that's intriguing, let's open it: https://nixers.net/cicada/
There's the ascii art of a cicada, the title says "TXT art and more", and the bottom text:
There seems to be a typo, "domainating", what does that mean, cicada.ni, TXT.
This all reminds us of domain names. Let's dig or drill it. (There also were some hints in the newsletter issue 56 https://newsletter.nixers.net/entries.php#56 about this)
And the server replies:
So we should go back to the page and think meta about it, about the txt and its custom representation...Apparently.
There's nothing else left than to check the source of the page. There doesn't seem to be anything special other than some css and a favicon. In the css there's a font called "custom", that looks deliberate.
We need to download it to inspect it locally.
But how do we actually inspect fonts, the text editor doesn't help us with anything.
(There's another hint in issue 56 of the newsletter)
The most prominent software to edit fonts is fontforge, maybe it will do something.
A character suddenly pops up in your face. Inside the dot there's the text: "nixers.net/fix_me_bad".
Interesting. Again, we open that new page, it contains some code, let's download it locally.
This doesn't look like any language I know, it's close to C though and it says fixme.
The first lines are:
There are some files we can already get our hands on so let's download them for now.
You might remember we've discussed in the newsletter about weird syntaxes in C called digraphs and trigraphs, this is what is used here.
We can compile the code directly:
Looking at the code the usage is: ./encrypt <file> <encryption scheme>
A big file with multiple certificate and key parts is output. One says PART1, another PART3, and after that GPG and a GPG key with the comment "Comment: ./img.zip".
Yet another file to download... It's a file that is protected by the same gpg key.
We import it and decrypt the file, the password it asks for is the theme of the hunt, "cicada".
The file it outputs, after inspection of the magic bytes, is a gzip archive (tar.gz).
We have a new "pkg" directory to play with in which we find:
The HELP says:
Quote:Issue 50 will help you analyse the file and Issue 54 for the next step
It's referring to the newsletter: https://newsletter.nixers.net/entries.php#50
We have an image of a filesystem so there must be a part that's related: "More extra content related to the podcast" mentions filesystem recursion in FAT12 and the FS seems to be FAT12.
Anyway, we mount it.
Ohh, there's a 4GB file in there... how did that fit in the small image...
Whatever, it's just trickery.
The file is an ELF, maybe it's special.
In the dynamic section there is a suspicious line:
RPATH is a base64 string:
This is probably the missing piece of the earlier certificate, the PART2.
Let's join the certificate together and check what's inside.
It looks like it's again for the cicada domain:
Opening https://cicada.nixers.net/ gives us:
Quote:400 Bad Request
It needs a client certificate to be opened.
We have both a private client certificate, a public client certificate, and a key.
And this is it, you've done the scavenger hunt!
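The Luhn step of the telnet challenge, as an added example that is not part of the original post: it validates a number and recovers a single unknown digit, generalised to any position rather than only the trailing check digit. The function names and the `?` placeholder handling are assumptions of this example; the sample number is the one quoted in the post.

```python
def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn check (sum divisible by 10)."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit, counted from the right, is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as adding the two digits of the product
        total += d
    return total % 10 == 0


def complete(pattern: str, unknown: str = "?") -> str:
    """Fill the single unknown digit of `pattern` so the result passes Luhn."""
    if pattern.count(unknown) != 1:
        raise ValueError("expected exactly one unknown digit")
    candidates = (pattern.replace(unknown, str(d)) for d in range(10))
    matches = [c for c in candidates if luhn_valid(c)]
    # Doubling-and-folding maps 0..9 onto 0..9 one to one, so for an otherwise
    # numeric pattern exactly one digit fits, whatever the position.
    if len(matches) != 1:
        raise ValueError("pattern must be digits plus one unknown")
    return matches[0]


if __name__ == "__main__":
    print(complete("413668426188716?"))
```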
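The "base64 at the end of the image" step (and the file concatenated to the mp3) relies on data appended after the real end of a file. As an added example, not part of the original post, this walks the JPEG marker structure to find where the image really ends and decodes whatever follows; the sample bytes are constructed, and `jpeg_end` and `appended_data` are names chosen for this example.

```python
import base64

def jpeg_end(data: bytes) -> int:
    """Walk the JPEG marker structure; return the offset just past the EOI marker."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker, not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                       # EOI: the image ends here
            return pos + 2
        seglen = int.from_bytes(data[pos + 2:pos + 4], "big")
        if seglen < 2:
            raise ValueError(f"bad segment length at offset {pos}")
        pos += 2 + seglen                        # skip the segment, embedded thumbnails included
        if marker != 0xDA:
            continue
        # After SOS comes entropy-coded data: FF00 is a stuffed 0xFF and
        # FFD0..FFD7 are restart markers, neither ends the scan.
        while pos + 2 <= len(data):
            nxt = data[pos + 1]
            if data[pos] == 0xFF and nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
                break                            # real marker: EOI or the next segment
            pos += 1
    raise ValueError("no EOI marker found")

def appended_data(data: bytes):
    """Return (image_end, tail, decoded); decoded is None unless the tail is Base64."""
    end = jpeg_end(data)
    tail = data[end:]
    try:
        decoded = base64.b64decode(tail.strip(), validate=True) if tail.strip() else None
    except ValueError:                           # binascii.Error: tail is not Base64
        decoded = None
    return end, tail, decoded

def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed sample (marker structure only, not a renderable picture).
SAMPLE = (b"\xff\xd8"
          + _segment(0xE1, b"thumb:\xff\xd8\xff\xd9")    # EOI bytes inside a segment
          + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")  # SOS header
          + b"\x12\xff\x00\x34\xff\xd0\x56"              # scan data with FF00 and RST0
          + b"\xff\xd9"                                  # the real EOI
          + base64.b64encode(b"Go back to the hidden page") + b"\n")
```

Searching for the first `FF D9` in the sample stops at offset 16, inside the metadata segment, which is why the segment lengths are followed instead.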
I and III are offline and II has a small part missing.
I love it!
Too bad I wasn't there for most of those hunts.
I'll try my luck with the new one, https://nixers.net/showthread.php?tid=2183. I'm at the second step now.
The hunts look easy when reading the solutions but I bet it's difficult to find what to do next on the quest.
Also, thanks for those.
I've updated this thread with the 2018 new year scavenger hunt solution.