Scavenger Hunts Solutions (The making of)

Scavenger Hunts Solutions (The making of) - Community & Forums Related Discussions

venam | 03-01-2018, 01:58 AM | #1

Hello fellow nixers,
Here are the solutions to past scavenger hunts:

II:

https://nixers.net/showthread.php?tid=1909
The hunt starts with this:
1. "Luke check the source"
We open the source of nixers.net and we see the following:

Code:
<!--

     h t t p : /  / n i x e r s . n e t

 ▀▀▀▀██▄ ▀▀▀▀▀ ▀▀▀ ███  ▀▀▀██▄ ▀▀▀▀██▄  ▀▀▀██▄ 

 ░░░ ███  ░░░  ░░░ ███ ░░░ ███ ░░░ ███ ░░░ ███ 

 ▒▒▒ ███  ▒▒▒  ▒▒▒ ███ ▒▒▒     ▒▒▒ ███ ▒▒▒     

 ▓▓▓ ███  ▓▓▓  ▀▓▓▄██▀ ▓▓▓▄▄   ▓▓▓▄██▀ ▀▓▓▄▄▄  

 ███ ███  ███  ███ ███ ███     ███ ███     ███ 

 ███ ███  ███  ███ ███ ███     ███ ███     ███ 

 ███ ███  ███  ███ ███ ███     ███ ███     ███ 

 ███ ███  ███  ███ ███ ███ ███ ███ ███ ███ ███ 

 ███ ███  ███  ███ ███ ███ ███ ███ ███ ███ ███ 

 ███ ███  ███  ███ ███ ███ ███ ███ ███ ███ ███ 

 ███ ███  ███  ███ ███ ███ ███ ███ ███ ███ ███ 

 ▀▀▀ ▀▀▀ ▀▀▀▀▀ ▀▀▀ ▀▀▀  ▀▀▀▀▀  ▀▀▀ ▀▀▀  ▀▀▀▀▀  

   i r c . u n i x . c h a t  #  n i x e r s  

Check the thread of the first ascii art contest we had!

-->

2. So let's open the ascii art contest: https://nixers.net/showthread.php?tid=1862
We see there's a spoiler tag with the text:
(Scavenger Hunt)
Check the profile of this contest's winner
"it's missing 10 - hint is the name of this contest"

xero was the winner of this contest, in his profile there used to be as signature a text where each letter has its ascii representation number - 10, all you had to do was add 10 back and revert the ascii number to their representation (this is the missing part).
It should output "https://podcast.nixers.net/hidden.html"
(If you still want to play it you can start from here)
3. The page mentions:
Un(image of a zipper) the nixers sticker (the one who won obviously - see thread)
We open the thread, download the winning sticker and unzip it

Code:
wget 'https://nixers.net/images/banners/nixers_sticker.png'

unzip nixers_sticker.png

This outputs another image called cat_in_bin.jpg showing a cat in a bin.
4. We simply open the image with a text editor, or just cat it.
At the end of the image there's a base64.

Code:
echo 'R28gYmFjayB0byB0aGUgaGlkZGVuIHBhZ2UsIEhJTlRTLCBTYW1lIHdheSBhcyB0aGlzIHRleHQgZGVjb2RlLCA0ICsgMyArIDIgKyBtZXRhZGF0YSwgRmluZCBsaW5rCg==' | base64 -d

Which outputs: Go back to the hidden page, HINTS, Same way as this text decode, 4 + 3 + 2 + metadata, Find link
5. There's not much on the page other than the zipper image.

Code:
wget 'https://podcast.nixers.net/zipper.gif'

It's a gif so it can contain layers, let's check them with gimp.
Indeed there's some layers with text in them. Let's put it together: YmxpbmQuaHRtb
Now what about this metadata?
In gimp we can go into image > image properties and find a comment: Ao=
Overall that gives us: YmxpbmQuaHRtbAo=, which again is base64 for "blind.html".
Let's open it: https://podcast.nixers.net/blind.html
6. It says it's the last challenge:

Connect THE DOTS :D

With a weird image like that what are we supposed to do?
It's called blind.png but the page says to connect the dots.
This is braille.

It says "cybernetic" which is the last flag.

III:
http://z3bra.org/hunt/
Mini Scavenger Hunt (June 2017 events):

1. The first hint is:

Code:
host nixers.net

This is a command that returns the ip of the server.

Code:
nixers.net has address 178.62.236.80

2. When you open http://178.62.236.80 in the browser you are presented with the following text:

Code:
x509

Which stands for the format of certificates, so let's get the SSL cert of this page.
Using openssl:

Code:
openssl s_client -showcerts -servername 178.62.236.80 -connect 178.62.236.80:443 </dev/null | openssl x509 -text

The certificate signature doesn't match, it means the certificate has been modified.
You can see there's an added:

Code:
venam.nixers.net/scavang/historys

3. Let's open that page, we get a bunch of questions:
Using the standard for terminals text (X3.64), show "hello" in bold, in the simplest way?
Using the caret notation, show ESC then arrow up AKA ALT+UP?
The answers are: \e[1mhello and ^[^[[A respectively
4.
After solving it the page prints out a QR code:

Which represent a URL: https://venam.nixers.net/scavang/nice_one_fellow
5.
The page has the following text:

The pixels (what are pixels made of? pixy dust, no?) that are not completely black or white represent an ASCII letter.

And then there's a picture with small colored dots/pixels.
Let's save the picture and try to analyze the pixels it.
You can extract the colors programatically or simply via an image editor with the color extraction tool.

The simplest thing we can do is to add up every r,g,b in the pixel and get the ascii character represented by it.

Code:
#! perl -slw

use strict;

use GD;

my $img = GD::Image->new( $ARGV[ 0 ] );

my( $w, $h ) = $img->getBounds;

for (my $i =0; $i < $h; $i++) {

    for (my $j = 0; $j < $w; $j++) {

        my ($r,$g,$b) =  $img->rgb( $img->getPixel( $j, $i ) );

        next if ( ($r == 0 and $g == 0 and $b == 0) || ($r == 255 and $g == 255 and $b == 255));

        my $sum = $r+$g+$b;

        print chr($sum);

    }

}

This gives us: telnet://188.166.241.192:9766

6. After telneting we're prompted:

Code:
454040506720134?

We enter anything and it replies with "Wrong credit card number".
This is a credit card checksum for sure, the Luhn checksum.
For example "413668426188716?" has the checksum "0".
We enter it, then:
"This is it, this is almost the end. Now check the end of the related podcast episode, the key is '!!june_love_and_nixers!!'."

7. There was an episode posted for the June events of the podcast, so let's download it. https://github.com/nixers-projects/podca...-05-30.mp3
Simply opening it with a text editor we can see that the mp3 has something concatenated at the end:

Code:
-----BEGIN PGP MESSAGE-----

jA0EBwMCDpuGjs8stoPO0r4BVuxG7gYz8jk8AuYHVIHB0MG7D7KsOJF8VY19azU8

D0r5H7hWjWHNyMKfaqmvuKoIPJ388j9xXF9HBjd/G07jHy8cmtsnVw8ko5gXMwUM

JIbuIT0GCH4rasawX23WQ93Q7eT+yJ5p27gxdQDmn1wZhPbKO86M+EmAMv0W0Wjc

0pcH35p6010p7JaTqxFEq3CR205NXCenm4G81OPUThgyg7H+0qUsIiZ70VKcW0RT

FBzhOxbsluPNzJo1HM/s

=1vrX

-----END PGP MESSAGE-----

Let's decrypt it with the key: gpg --decrypt k.gpg

Seems like it's almost the end:

Code:
Well done!

I hope you had fun with this mini-scavenger hunt.

Pm me anywhere with this key to be able to proclaim yourself a winner:

MSFfMSFfSipOM18hXyExCg==

This is certainly base64,

Code:
echo 'MSFfMSFfSipOM18hXyExCg==' | base64 -d

8. And that's it, the final flag is "1!_1!_J*N3_!_!1".

This was the whole scavenger hunt.

New Year 2018:

https://nixers.net/showthread.php?tid=2183
This hunt starts with:

Quote:_Wanderers_ of the web hate me.

Crawlers are referred to as wanderers of the web, what they usually don't like is to be limited in their search by the robots.txt file which they should respect.

Let's see what's in the robots.txt:

Quote:User-Agent: *
Disallow: /member.php?action=register
Allow: /
# 188.166.241.192:65400 - who's dead?

Hmm, there an intriguing comment in it.
Let's see what's at this ip and port using telnet.

Code:
telnet 188.166.241.192 65400

This returns a big list similar to what the ps command would return.

It's also asking about who's dead, so let's filter the zombie processes if there's any by searching for the Z in the status.
It's easier to do that by using tee to save the output:

Code:
telnet 188.166.241.192 65400 | tee scavanger

We find the following line:

Quote:nixers 765 0.0 0.0 0 0 ? Z Dec23 0:00 [firegl, look_in_firefox_content]

So let's look in the firefox_content, where we find this in one of them:

Quote:nixers 11427 0.6 6.7 2642348 375796 ? Sl Dec24 44:03 /usr/lib/firefox/firefox -contentproc -childID 1 -isForBrowser -intPrefs 5:50|6:-[...] nixers_domain_slash_cicada" -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/firefox/browser 11338 true tab

"nixers_domain_slash_cicada", that's intriguing, let's open it: https://nixers.net/cicada/

There's the ascii art of a cicada, the title says "TXT art and more", and the bottom text:

Code:
vnm                                      

                                  cicada.ni                                   

                              Am I not alive?                                 

                 Why am I directed instead of domainating.

There's seems to be a typo, "domainating", what does that mean, cicada.ni, TXT.
This all reminds us of domain names. Let's dig or drill it. (There also were some hints in the newsletter issue 56 https://newsletter.nixers.net/entries.php#56 about this)

Code:
dig cicada.nixers.net TXT +short

And the server replies:

Code:
"go back, think meta about the txt and its custom representation"

So we should go back to the page and think meta about it, about the txt and its custom representation...Apparently.

There's nothing else left than to check the source of the page. There doesn't seem to be anything special other than some css and a favicon. In the css there's a font called "custom", that looks deliberate.

We need to download it to inspect it locally.

But how do we actually inspect fonts, the text editor doesn't help us with anything.
(There's another hint in issue 56 of the newsletter)

The most prominent software to edit font is fontforge, maybe it will do something.

Code:
fontforge custom.ttf

A character suddenly pops up in your face. Inside the dot there's the text: "nixers.net/fix_me_bad".

Interesting. Again, we open that new page, it contains some code, let's download it locally.

This doesn't look like any language I know, it's close to C though and it says fixme.
The first lines are:

Code:
/*

 * Fixme?

 *

 * encryption scheme is: "ror2:1;~:1;rol2:2;^2:3";

 * encrypted file url: key.asc

 * key file: client.key

 * passwords: the recurring theme of the hunt

 *

 */

There are some files we can already get our hands on so let's download them for now.

You might remember we've discussed in the newsletter about weird syntaxes in C called digraphs and trigraphs, this is what is used here.
We can compile the code directly:

Code:
cc encrypt.c --trigraph -o encrypt

Looking at the code the usage is: ./encrypt <file> <encryption scheme>

Code:
./encrypt key.asc "ror2:1;~:1;rol2:2;^2:3" > key.decrypt

A big file with multiple certificates and keys part is outputed. One say PART1, another PART3, after that GPG and a GPG key with as comment "Comment: ./img.zip".

Yet another file to download... It's a file that is protected by the same gpg key.
We import it and decrypt the file, the password it asks for is the them of the hunt, "cicada".

The file it outputs, after inspection of the magic bytes, is a gzip archive (tar.gz).

Code:
tar -zxvf img.decrypt.zip

We have a new "pkg" directory to play with in which we find:

Code:
HELP

REC.IMG

The HELP says:

Quote:Issue 50 will help you analyse the file and Issue 54 for the next step

It's referring to the newsletter: https://newsletter.nixers.net/entries.php#50
We have an image of a filesystem so there must be a part that's related: "More extra content related to the podcast" mentions filesystem recursion in FAT12 and the FS seems to be FAT12.

Anyway, we mount it.

Code:
mkdir mnt

mount -o loop REC.IMG mnt

Ohh, there's a 4GB file in there... how did that fit in the small image...
Whatever, it's just trickery.
The file is an ELF, maybe it's special.

Code:
objdump -x test_x86_64 | less

In the dynamic section there is a suspicious line:

Quote:Dynamic Section:
NEEDED libc.so.6
RPATH cWs0MlVKaEhRU2hRUmJFR2RnNXJhM25pay9jZU8rUWpqVjhkVExIZXJSMFB1MXkwS0hzU0dYMGVJSExPei9DaAo=
INIT 0x00000000000005f0
FINI 0x0000000000000834

RPATH is a base64 string:

Code:
echo 'cWs0MlVKaEhRU2hRUmJFR2RnNXJhM25pay9jZU8rUWpqVjhkVExIZXJSMFB1MXkwS0hzU0dYMGVJSExPei9DaAo=' | base64 -d

# qk42UJhHQShQRbEGdg5ra3nik/ceO+QjjV8dTLHerR0Pu1y0KHsSGX0eIHLOz/Ch

This is probably the missing piece of the earlier certificate, the PART2.
let's join the certificate together and check what's inside.
It looks like it's again for the cicada domain:

Code:
openssl x509 -inform PEM -in pub_client.cert -text | less

#        Issuer: C=AU, ST=Nix, L=Nixers, O=nixers, OU=cicada

Opening https://cicada.nixers.net/ gives us:

Quote:400 Bad Request
No required SSL certificate was sent

It needs a client certificate to be opened.
We have both a private client certificate, a public client certificate, and a key.

Finally:

Code:
curl -v -k --key client.key --cert pub_client.cert:cicada https://cicada.nixers.net

Quote:Well done

That's it!

Send this code to venam:
cicada_nixers_2018_what_the_hek_why_is_this_a_sentence_I_finished

And this is it, you've done the scavenger hunt!

I and III are offline and II has a small part missing.

resk | 03-01-2018, 05:50 AM | #2

I love it!
Too bad I wasn't there for most of those hunts.
I'll try my luck with the new one https://nixers.net/showthread.php?tid=2183 ,I'm at the second step now.
The hunts look easy when reading the solutions but I bet it's difficult to find what to do next on the quest.

Also, Thanks for those.

venam | 05-02-2018, 03:25 AM | #3

I've updated this thread with the 2018 new year scavenger hunt solution.

View a Printable Version

Subscribe to this thread

Members | Stats | Night Mode | Help