https://nixers.net/showthread.php?tid=2183
This hunt starts with:
Quote:_Wanderers_ of the web hate me.
Crawlers are referred to as the wanderers of the web, and what they usually don't like is being limited in their search by the robots.txt file, which they are supposed to respect. Note that robots.txt is itself a public file: anything written in it, rules or comments, is readable by anyone who fetches it, crawler or not.
Let's see what's in the robots.txt:
Quote:User-Agent: *
Disallow: /member.php?action=register
Allow: /
# 188.166.241.192:65400 - who's dead?
Hmm, there's an intriguing comment in it.
Let's see what's at this IP and port using telnet.
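As an added illustration (this is not part of the original post or the hunt's own material), here is the difference between how a crawler reads that file and how a person reads it. The constructed input is the robots.txt body quoted above; the function names are mine. A crawler library strips comments before it even looks at a rule, so the hint survives only for whoever fetches the file by hand:

```python
import urllib.robotparser

# Constructed input: the robots.txt body quoted in the post, copied verbatim.
ROBOTS_TXT = """User-Agent: *
Disallow: /member.php?action=register
Allow: /
# 188.166.241.192:65400 - who's dead?
"""

def parse_robots(text):
    """Return (rules, comments). `rules` is what a well-behaved crawler acts on;
    `comments` is everything the parser throws away before it even looks at a
    rule, but which anyone fetching the file by hand reads immediately."""
    lines = text.splitlines()
    rules = urllib.robotparser.RobotFileParser()
    rules.parse(lines)  # comments ('#' to end of line) are discarded here
    comments = [line.split("#", 1)[1].strip() for line in lines if "#" in line]
    return rules, comments

def crawler_view(text, base="https://nixers.net", agent="*",
                 paths=("/", "/member.php?action=register", "/cicada/")):
    """Map each path to whether `agent` may fetch it, plus the dropped comments."""
    rules, comments = parse_robots(text)
    return {p: rules.can_fetch(agent, base + p) for p in paths}, comments

if __name__ == "__main__":
    allowed, comments = crawler_view(ROBOTS_TXT)
    for path, ok in allowed.items():
        print(f"{'allow' if ok else 'deny '} {path}")
    print("comments the crawler never sees:", comments)
```

The registration page is the only path a polite crawler skips; everything else, including /cicada/, is fair game, and the comment never reaches the rule engine at all.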
Code:
telnet 188.166.241.192 65400
This returns a big list similar to what the ps command would return (the columns match those of ps aux).
It's also asking who's dead, so let's filter for zombie processes, if there are any, by looking for a Z in the STAT column.
It's easier to do that by using tee to save the output to a file first:
Code:
telnet 188.166.241.192 65400 | tee scavanger
We find the following line:
Quote:nixers 765 0.0 0.0 0 0 ? Z Dec23 0:00 [firegl, look_in_firefox_content]
So let's look at the firefox content processes, where we find this in one of them:
Quote:nixers 11427 0.6 6.7 2642348 375796 ? Sl Dec24 44:03 /usr/lib/firefox/firefox -contentproc -childID 1 -isForBrowser -intPrefs 5:50|6:-[...] nixers_domain_slash_cicada" -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appdir /usr/lib/firefox/browser 11338 true tab
"nixers_domain_slash_cicada", that's intriguing, let's open it:
https://nixers.net/cicada/
There's the ascii art of a cicada, the title says "TXT art and more", and the bottom text:
Code:
vnm
cicada.ni
Am I not alive?
Why am I directed instead of domainating.
There seems to be a typo, "domainating". What does that mean? cicada.ni, TXT...
This all reminds us of domain names. Let's dig or drill it. (There were also some hints about this in newsletter issue 56:
https://newsletter.nixers.net/entries.php#56)
Code:
dig cicada.nixers.net TXT +short
And the server replies:
Code:
"go back, think meta about the txt and its custom representation"
So we should go back to the page and think meta about it, about the txt and its custom representation... apparently.
There's nothing left to do but check the source of the page. There doesn't seem to be anything special other than some CSS and a favicon. In the CSS there's a font called "custom", which looks deliberate.
We need to download it to inspect it locally.
But how do we actually inspect fonts? A text editor doesn't help us with anything here.
(There's another hint in issue 56 of the newsletter.)
The most prominent software for editing fonts is fontforge, so maybe it will show something.
Code:
fontforge custom.ttf
A character suddenly pops up in your face. Inside the dot there's the text: "nixers.net/fix_me_bad".
Interesting. Again, we open that new page; it contains some code, so let's download it locally.
This doesn't look like any language I know; it's close to C though, and it says fixme.
The first lines are:
Code:
/*
* Fixme?
*
* encryption scheme is: "ror2:1;~:1;rol2:2;^2:3";
* encrypted file url: key.asc
* key file: client.key
* passwords: the recurring theme of the hunt
*
*/
There are some files we can already get our hands on so let's download them for now.
You might remember we discussed in the newsletter the weird alternative C syntaxes called digraphs and trigraphs; that is what is used here.
We can compile the code directly, as long as we tell the compiler to honour trigraphs (gcc and clang ignore them in their default GNU modes, so without the flag the ??-sequences would be left as-is):
Code:
cc -trigraphs encrypt.c -o encrypt
Looking at the code the usage is: ./encrypt <file> <encryption scheme>
Code:
./encrypt key.asc "ror2:1;~:1;rol2:2;^2:3" > key.decrypt
A big file is output, containing several certificate and key parts: one says PART1, another PART3, and after those a GPG key block with the comment "Comment: ./img.zip".
Yet another file to download... img.zip is encrypted to that same GPG key.
We import the key and decrypt the file; the passphrase it asks for is the theme of the hunt, "cicada".
The file it outputs, after inspecting the magic bytes (1f 8b), is a gzip-compressed tar archive (tar.gz), despite the .zip name.
Code:
tar -zxvf img.decrypt.zip
We have a new "pkg" directory to play with, and the HELP file in it says:
Quote:Issue 50 will help you analyse the file and Issue 54 for the next step
It's referring to the newsletter:
https://newsletter.nixers.net/entries.php#50
We have an image of a filesystem, so there must be a related part: "More extra content related to the podcast" mentions filesystem recursion in FAT12, and the FS does seem to be FAT12.
Anyway, we mount it (as root, since a loop mount needs it):
Code:
mkdir mnt
mount -o loop REC.IMG mnt
Ohh, there's a 4GB file in there... how did that fit in the small image?
Whatever, it's just trickery: the size the kernel reports comes from the 32-bit size field in the file's directory entry, and nothing forces that field to agree with the number of clusters actually chained to the file in the FAT.
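The hunt's REC.IMG is not reproduced here, so the following is an added example (my code, not part of the original post): it builds a constructed FAT12 image whose single file claims 0xFFFFFFFF bytes while owning one 512-byte cluster, then parses the BPB, root directory and FAT the way a forensic tool would, comparing the claimed size with the cluster chain. The chain walker also stops on a cluster it has already visited, which is the "filesystem recursion" trick the newsletter mentions. Volume geometry and the file name BIG.BIN are my choices.

```python
import struct

# Constructed example, not code from the hunt: build a minimal FAT12 image whose
# one file claims a huge size in its directory entry, then analyse it the way a
# forensic parser would, comparing the claimed size with the cluster chain.

def get12(fat, n):
    """Read FAT12 entry n (12-bit packed, two entries per three bytes)."""
    off = (n * 3) // 2
    val = fat[off] | (fat[off + 1] << 8)
    return (val >> 4) if n & 1 else (val & 0xFFF)

def set12(fat, n, v):
    """Write FAT12 entry n without disturbing its neighbour."""
    off = (n * 3) // 2
    if n & 1:
        fat[off] = (fat[off] & 0x0F) | ((v & 0x0F) << 4)
        fat[off + 1] = (v >> 4) & 0xFF
    else:
        fat[off] = v & 0xFF
        fat[off + 1] = (fat[off + 1] & 0xF0) | ((v >> 8) & 0x0F)

def build_fat12_image(size_field, chain_len=1):
    """Tiny FAT12 volume: 512-byte sectors, 1 sector/cluster, 1 FAT, 16 root
    entries, one file BIG.BIN owning `chain_len` clusters but whose 32-bit
    size field says `size_field` (the hunt's 4 GB trick is size 0xFFFFFFFF)."""
    bps, spc, reserved, nfats, root_entries, spf, total = 512, 1, 1, 1, 16, 1, 64
    boot = bytearray(bps)
    boot[0:3] = b"\xEB\x3C\x90"
    struct.pack_into("<HBHBHHB", boot, 11, bps, spc, reserved, nfats, root_entries, total, 0xF8)
    struct.pack_into("<H", boot, 22, spf)
    boot[510:512] = b"\x55\xAA"
    fat = bytearray(spf * bps)
    set12(fat, 0, 0xFF8)            # media descriptor entry
    set12(fat, 1, 0xFFF)            # reserved entry
    for c in range(2, 2 + chain_len):
        set12(fat, c, c + 1 if c < 1 + chain_len else 0xFFF)  # 0xFFF = end of chain
    entry = bytearray(32)
    entry[0:11] = b"BIG     BIN"
    entry[11] = 0x20                # ATTR_ARCHIVE
    struct.pack_into("<H", entry, 26, 2)           # first cluster
    struct.pack_into("<I", entry, 28, size_field)  # claimed size, unchecked by FAT
    root = bytearray(root_entries * 32)
    root[0:32] = entry
    data = bytes((total - reserved - nfats * spf - root_entries * 32 // bps) * bps)
    return bytes(boot + fat + root + data)

def walk_chain(fat, first):
    """Follow a cluster chain; returns (clusters, looped). A chain that revisits
    a cluster is the 'filesystem recursion' trick mentioned in the newsletter."""
    chain, seen, c = [], set(), first
    while 2 <= c < 0xFF0 and (c * 3) // 2 + 1 < len(fat):
        if c in seen:
            return chain, True
        seen.add(c)
        chain.append(c)
        c = get12(fat, c)
    return chain, False

def root_files(img):
    """Parse the BPB and root directory; for every file report the size the
    directory entry claims next to the bytes its cluster chain really owns."""
    bps, spc, reserved, nfats, root_entries = struct.unpack_from("<HBHBH", img, 11)
    spf = struct.unpack_from("<H", img, 22)[0]
    fat_off = reserved * bps
    fat = img[fat_off:fat_off + spf * bps]
    root_off = fat_off + nfats * spf * bps
    files = []
    for i in range(root_entries):
        e = img[root_off + 32 * i: root_off + 32 * (i + 1)]
        if e[0] == 0x00:                     # end of directory
            break
        if e[0] == 0xE5 or e[11] & 0x08:     # deleted entry or volume label
            continue
        base = e[0:8].decode("ascii").strip()
        ext = e[8:11].decode("ascii").strip()
        first = struct.unpack_from("<H", e, 26)[0]
        chain, looped = walk_chain(fat, first)
        files.append({
            "name": base + ("." + ext if ext else ""),
            "claimed": struct.unpack_from("<I", e, 28)[0],
            "allocated": len(chain) * bps * spc,
            "looped": looped,
        })
    return files

def suspicious(img):
    """Files whose claimed size exceeds their allocation or whose chain loops."""
    return [f for f in root_files(img) if f["claimed"] > f["allocated"] or f["looped"]]

if __name__ == "__main__":
    for f in suspicious(build_fat12_image(0xFFFFFFFF)):
        print(f"{f['name']}: claims {f['claimed']} bytes, owns {f['allocated']}, loop={f['looped']}")
```

A kernel driver or ls will happily report the claimed size; reading past the end of the real chain just returns end-of-file, which is why the "4GB" file is harmless to the image but confusing to the analyst. Comparing the size field against the chain is the check to run on any untrusted FAT image.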
The file is an ELF, maybe it's special.
Code:
objdump -x test_x86_64 | less
In the dynamic section (readelf -d shows the same thing) there is a suspicious line:
Quote:Dynamic Section:
NEEDED libc.so.6
RPATH cWs0MlVKaEhRU2hRUmJFR2RnNXJhM25pay9jZU8rUWpqVjhkVExIZXJSMFB1MXkwS0hzU0dYMGVJSExPei9DaAo=
INIT 0x00000000000005f0
FINI 0x0000000000000834
RPATH, which should be a library search path, is instead a base64 string:
Code:
echo 'cWs0MlVKaEhRU2hRUmJFR2RnNXJhM25pay9jZU8rUWpqVjhkVExIZXJSMFB1MXkwS0hzU0dYMGVJSExPei9DaAo=' | base64 -d
# qk42UJhHQShQRbEGdg5ra3nik/ceO+QjjV8dTLHerR0Pu1y0KHsSGX0eIHLOz/Ch
This is probably the missing piece of the earlier certificate, PART2: the decoded output is a single 64-character line, exactly the width of one line of a PEM body.
Let's join the certificate parts together and check what's inside.
It looks like it's again for the cicada domain:
Code:
openssl x509 -inform PEM -in pub_client.cert -text | less
# Issuer: C=AU, ST=Nix, L=Nixers, O=nixers, OU=cicada
Opening https://cicada.nixers.net/ gives us:
Quote:400 Bad Request
No required SSL certificate was sent
It needs a client certificate to be opened: this 400 page is what nginx serves when client certificate verification is on and the TLS handshake carried no certificate.
We now have the reassembled client certificate (pub_client.cert), the key (client.key), and the recurring password for that key.
Finally, we hand curl the certificate and key (the :cicada suffix is the passphrase for the private key; -k only skips checking the server's own certificate, which is fine here since it's the client side being tested):
Code:
curl -v -k --key client.key --cert pub_client.cert:cicada https://cicada.nixers.net
Quote:Well done
That's it!
Send this code to venam:
cicada_nixers_2018_what_the_hek_why_is_this_a_sentence_I_finished
And this is it, you've done the scavenger hunt!