Skip to content

Latest commit

 

History

History
1634 lines (1212 loc) · 55.9 KB

File metadata and controls

1634 lines (1212 loc) · 55.9 KB

HackyEaster 2017

Overview

Title                                    Difficulty  Flag
---------------------------------------- ---------- -----------------------------
Teaser                                              one do3s not simply s0lve a tea3er 0f hacky easter
Challenge 01: Puzzle This!               Easy       C5LHYOifJSLOnYmKjBmS
Challenge 02: Lots of Dots               Easy       pJ94m6jt3AYbogL2gv9i
Challenge 03: Favourite Letters          Easy       Sf2MF6QPqpTrB7Eh2is7
Challenge 04: Cool Car                   Easy       MuxlR4DSDdQDUeyKhKnT
Challenge 05: Key Strokes                Easy       2MmSpjmlU6NPAhCUVyUP
Challenge 06: Message Ken                Easy       uktVsuNNyPVQarmXTuYU
Challenge 07: Crypto for Rookies         Easy       2owhVG07plVCwLD1Ggmn
Challenge 08: Snd Mny                    Easy       t10fBcKFNKShxwos5g0e
Challenge 09: Microscope                 Easy       rcwuXWsHjUcU7BbOLC18
Challenge 10: An egg or not...           Medium     UALYyPlhy2aYfYpzcJHA
Challenge 11: Tweaked Tweet              Medium
Challenge 12: Once Upon a File           Medium     duRpDmUeN0d71XzeF8ae
Challenge 13: Lost the Thread            Medium
Challenge 14: Shards                     Medium
Challenge 15: P Cap                      Medium
Challenge 16: Pathfinder                 Medium     xdzEPrFsO8jZH0OHLweM
Challenge 17: Monster Party              Medium
Challenge 18: Nitwit's Doormat Key       Medium
Challenge 19: Disco Time                 Hard
Challenge 20: Spaghetti Hash             Hard       ICBXMH6GJqMqYDsjkaCn
Challenge 21: MonKey                     Hard
Challenge 22: Game, Set and Hash         Hard       fl3uB75EGl1sadBNycvx
Challenge 23: Lovely Vase                Hard
Challenge 24: Your Passport, please      Hard  

Teaser

Challenge

  1. Solve the riddles and get a solution fragment from each.
  2. Combine all the fragments in the right manner.
  3. Decode the result to get the final solution string.
  4. Sign-Up on Hacking-Lab, if you don't have an account yet.
  5. Submit your solution in Hacking-Lab HERE.
  6. Wait for April 4, when HackyEaster 2017 starts!

Solutions

Riddle 1

MBD2A !ysaep ,ysaE

Reverse: Easy, peasy! A2DBM

Riddle 2

UGllY2Ugb2YgY2FrZSEgWlhHSUQ=

b64 decode: Piece of cake! ZXGID

Riddle 3

One for free here: 404 - not found!

invisible text on webpage: One for free here: 404 - not found! XIZLS

Riddle 4

eval(function(p,a,c,k,e,d){e=function(c){return c};if(!''.replace(/^/,String)){while(c--){d[c]=k[c]||c}
k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(
new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0(\'1\');',2,2,'alert|VYGY6'.split('|'),0,{}))

run the javascript: VYGY6

Riddle 5

3a3ea00cfc35332cedf6e5e9a32e94da
9d5ed678fe57bcca610140957afab571
f09564c9ca56850d4cd6b3319e541aee
5dbc98dcc983a70728bd082d1a47546e
7fc56270e7a70fa81a5935b72eacbe29

md5: EBQSA

Riddle 6

--- -. . / -- --- .-. . / .... . .-. . ---... / .--- .- --- -- -.--

morse code: ONEMOREHERE: JAOMY

Riddle 7

Hwldp wx, Euxwh! QYAVL

ROT23: Etiam tu, Brute! NVXSI

Riddle 8

84 97 107 101 32 116 104 105 115 58 32 71 89 53 84 70

ascii: Take this: GY5TF

Riddle 9

Just a bit: /2mi4AMj

bit.ly: 5DFME

Riddle 10

No Comment

HTML comment: <!-- A43JN-->

Riddle 11

👻👽👻👻👻👻👽👽👻👽👻👻👽👽👽👽👻👽👻👻👽👽👽👻👻👽👻👻👻👽👽👽👻👽👻👽👻👻👽👻👻👽👻👻👻👻👻👽
👻👽👻👽👻👽👻👻👻👽👻👽👻👻👽👽👻👻👽👻👻👻👻👽👻👻👽👻👻👻👻👻👻👽👻👻👽👽👽👻👻👻👽👽👻👽👻👽👻
👽👻👽👽👻👻👻👻👽👻👻👻👽👽👽👻👽👻👻👽👻👽👽

Binary: CONGRATS! N5XGK

Riddle 12

697c611778601371647d12177e7d060572
3133333731333337313333373133333731

xor the strings together:

a="697c611778601371647d12177e7d060572"
b="3133333731333337313333373133333731"
out=''

for i in range(0,len(a),2):
    c = int(a[i:i+2],16)
    d = int(b[i:i+2],16)

    out += chr(c^d)

print out

xor: XOR IS FUN! ON52C

Riddle 13

URER LBH TB: MJX4E

ROT13: HERE YOU GO: ZWK4R

Riddle 14

89504E470D0A1A0A0000000D494844520000001D0000000708020000007BBCD1A5000000017352474200AECE1CE90
000000467414D410000B18F0BFC6105000000097048597300000EC300000EC301C76FA8640000001874455874536F
667477617265007061696E742E6E657420342E302E36FC8C63DF000001AA4944415428534D513DC8416118BD7E4A1
9180C0665A0582C8C7E22DF20C5480A130629060CF29792C16CB06293C82283C2F0C562540693C94F297F2983FB9D
EBF9BEDB77A673CE7DEE799FF3BE0CFB81C160904824C4098542C1E17098CDE672B90C399D4E9D4EA740208846A39
BCD2693C9300CF3F5079A29168B56ABD5E572B5DBEDDF5C954A85B9D3E944D2EBF5D66AB5DBEDF67EBF5BADD6EBF5
1A8D4676BB1D9F7ABD9EDFEF877FBFDFE3F1782E97BB5EAFF0B1473A9D063F1C0E1A8D86CB1D8FC7D8CBE3F1341A0
DC8C964A2502840FE83CF050987C3642693C96AB54A1C558810B8DC4824321C0E178B85CD66836C369BD80244A7D3
A194DBED7E3C1E8893CBE5E804743A1DEE57964DA552F57A1D64B7DB994C2632095CAE4C260B8542C160502A95AED
7EBC160100804E05F2E97E3F1882054E6F7DDEFF770CEE73378369BA5DCE7F3899B04E1C174BBDD582CF6FD01162F
954AD84EA9542E974B9A108BC5FF7301AD564B2F91CFE729174033BC1BF17EBFCFF87CBEF97C4E7ABBDDEAF57A90D
96C66341A3FA519FE5AD56A35A44824C2D99F71B652A9F0B9ABD5CA62B1604028142612891FA2F7838B729D41E800
00000049454E44AE426082

turned out to be hex representation of png image, convert back:

import binascii

ct = '89504E470D0A1A0A0000000D494844520000001D0000000708020000007BBCD1A5000000017352474200AECE1CE90000000467414D410000B18F0BFC6105000000097048597300000EC300000EC301C76FA8640000001874455874536F667477617265007061696E742E6E657420342E302E36FC8C63DF000001AA4944415428534D513DC8416118BD7E4A19180C0665A0582C8C7E22DF20C5480A130629060CF29792C16CB06293C82283C2F0C562540693C94F297F2983FB9DEBF9BEDB77A673CE7DEE799FF3BE0CFB81C160904824C4098542C1E17098CDE672B90C399D4E9D4EA740208846A39BCD2693C9300CF3F5079A29168B56ABD5E572B5DBEDDF5C954A85B9D3E944D2EBF5D66AB5DBEDF67EBF5BADD6EBF51A8D4676BB1D9F7ABD9EDFEF877FBFDFE3F1782E97BB5EAFF0B1473A9D063F1C0E1A8D86CB1D8FC7D8CBE3F1341A0DC8C964A2502840FE83CF050987C3642693C96AB54A1C558810B8DC4824321C0E178B85CD66836C369BD80244A7D3A194DBED7E3C1E8893CBE5E804743A1DEE57964DA552F57A1D64B7DB994C2632095CAE4C260B8542C160502A95AED7EBC160100804E05F2E97E3F1882054E6F7DDEFF770CEE73378369BA5DCE7F3899B04E1C174BBDD582CF6FD01162F954AD84EA9542E974B9A108BC5FF7301AD564B2F91CFE729174033BC1BF17EBFCFF87CBEF97C4E7ABBDDEAF57A90D96C66341A3FA519FE5AD56A35A44824C2D99F71B652A9F0B9ABD5CA62B1604028142612891FA2F7838B729D41E80000000049454E44AE426082'

with open('teaser.png', 'w+') as fout:
    fout.write(binascii.unhexlify(ct))

PNG image: AGBTC

Riddle 16

FRIDAY THE THIRTEENTH, 4:00 PM
/([FOR]*)([ID]{2})([^N]*)(.)(.*)/g
$2E$44

regex: IDEN4

Riddle 16

<~<+oue+DGm>FD,5.CghC,+E)./+Ws0B9h&:~>

Base85 decode: DFMFZ

Final Solution

We suspect the solution fragments are part of a base32 encoded string, so we try different possible permutations of the fragments which yield valid outputs:

import itertools
import base64
import string

def extend_solution(partialsolution, mychunks):
    ''' try adding different permutations of 4 pieces to current solution, recurse til solution found'''
    for i in itertools.permutations(mychunks, 4):
        t = partialsolution + ''.join(i)
        padded = t +  '=' * (-len(t) % 8)
        oldchunks = mychunks[:]
        try:
            d = base64.b32decode(padded)

            valid = True
            for c in d:
                #if c not in string.printable:
                if not (c.isalnum() or c == ' '):
                    valid = False
                    break

            if valid:
                if len(t) >= 80:
                    print "possible solution: " + d + " (" + t + ")"

                #recursion
                for x in i:
                    mychunks.remove(x)
                extend_solution(partialsolution+''.join(i), mychunks)
        except Exception as e:
            print e
            exit()

        mychunks = oldchunks[:]


chunks= ['A2DBM','ZXGID','XIZLS','VYGY6','EBQSA','JAOMY','NVXSI','GY5TF',
         '5DFME','A43JN','N5XGK','ON52C','ZWK4R','AGBTC','IDEN4','DFMFZ']

print "solving.."
extend_solution('',chunks)

this outputs various possible solutions:

solving..
possible solution:  a tea3s not haeply s1terone do3er 0f sikky earlve (EBQSA5DFMEZXGIDON52CA2DBMVYGY6JAOMYXIZLSN5XGKIDEN4ZWK4RAGBTCA43JNNVXSIDFMFZGY5TF)
possible solution:  a tea3s not haeply s0lveone do3er 0f sikky easter (EBQSA5DFMEZXGIDON52CA2DBMVYGY6JAOMYGY5TFN5XGKIDEN4ZWK4RAGBTCA43JNNVXSIDFMFZXIZLS)
possible solution:  a tea3s not hacky easterone do3er 0f simply s0lve (EBQSA5DFMEZXGIDON52CA2DBMNVXSIDFMFZXIZLSN5XGKIDEN4ZWK4RAGBTCA43JNVYGY6JAOMYGY5TF)
possible solution:  a tea3s not hacky earlveone do3er 0f simply s1ter (EBQSA5DFMEZXGIDON52CA2DBMNVXSIDFMFZGY5TFN5XGKIDEN4ZWK4RAGBTCA43JNVYGY6JAOMYXIZLS)
[..]
possible solution: one do3s not simply s1ter a tea3er 0f hacky earlve (N5XGKIDEN4ZXGIDON52CA43JNVYGY6JAOMYXIZLSEBQSA5DFMEZWK4RAGBTCA2DBMNVXSIDFMFZGY5TF)
possible solution: one do3s not simply s0lve a tea3er 0f hacky easter (N5XGKIDEN4ZXGIDON52CA43JNVYGY6JAOMYGY5TFEBQSA5DFMEZWK4RAGBTCA2DBMNVXSIDFMFZXIZLS)
possible solution: one do3s not sikky easter a tea3er 0f haeply s0lve (N5XGKIDEN4ZXGIDON52CA43JNNVXSIDFMFZXIZLSEBQSA5DFMEZWK4RAGBTCA2DBMVYGY6JAOMYGY5TF)
[..]
possible solution: one do3er 0f sikky earlve a tea3s not haeply s1ter (N5XGKIDEN4ZWK4RAGBTCA43JNNVXSIDFMFZGY5TFEBQSA5DFMEZXGIDON52CA2DBMVYGY6JAOMYXIZLS)

and best one and our solution is:

one do3s not simply s0lve a tea3er 0f hacky easter (N5XGKIDEN4ZXGIDON52CA43JNVYGY6JAOMYGY5TFEBQSA5DFMEZWK4RAGBTCA2DBMNVXSIDFMFZXIZLS)

Flag

one do3s not simply s0lve a tea3er 0f hacky easter

Challenge 01: Puzzle This!

Challenge

An easy one to start with.

Solution

Shuffled, looks like no rotations.

Flag

C5LHYOifJSLOnYmKjBmS

Challenge 02: Lots of Dots

Challenge

The dots in the following image contain a secret message. Can you find it?

Solution

Had a non-colourblind person look at it, he said nothing was there. Split out LSB and bingo:

Pop into the egg-o-matic:

Flag

pJ94m6jt3AYbogL2gv9i

Challenge 03: Favourite Letters

Francesca's favourite letter is s
Riley's favourite letter is o
Ellie's favourite letter is a
Vince's favourite letter is p
Quintain's favourite letter is r
Otto's favourite letter is i
David's favourite letter is p
Tom's favourite letter is l
Paul's favourite letter is e
Ulrich's favourite letter is y
Henry's favourite letter is w
Norman's favourite letter is h
Louis' favourite letter is i
Zane's favourite letter is s
York's favourite letter is c
Bob's favourite letter is h
Meave's favourite letter is s
Ian's favourite letter is o
Sidney's favourite letter is g
George's favourite letter is s
Kitty's favourite letter is d
Wilbert's favourite letter is h
Adam's favourite letter is t
Xander's favourite letter is i
Callum's favourite letter is e
Jack's favourite letter is r

Solution

All names start with different letter and there are 26 of them, so lets take the first letter of the name as a hint for the positioning of the favourite letters:

ABCDEFGHIJKLMNOPQRSTUVWXYZ
thepasswordishieroglyphics

put hieroglyphics into the egg-o-matic to get our egg5

Flag

Sf2MF6QPqpTrB7Eh2is7

Challenge 04: Cool Car

Challenge

(Mobile Challenge)

Borat wants to impress the girls. Can you help him find a cool car for his purpose?

Solution

There is a meter we presumably need to fill, source code from decompiled apk shows:

function setLevel(l) {
  if (l>1000) l=1000;
  $('#level').css('width',(l/4)+'px');
  $('#level').css('background-color', 'rgba(' + Math.round((1000-l)*0.255) + ',' + Math.round(l*0.255) + ',0,1.0)');
  $('#level').text(""+Math.round(l));
}
function requestLevels() {
    window.location.href="ps://sensors";
}
function sensorFeedback(json) {
    var jsonResp = JSON.parse(json);
    setLevel(jsonResp.l);
    if (jsonResp.k) {
        decryptScrambledEggWithKey(jsonResp.k);
        clearInterval(intervalId);
    }
}
var intervalId = setInterval(requestLevels, 2000);

so it checks some sensor level, and looks like this needs to be 1000 to get our egg

hmm, Borat and cars, we find this youtube video https://www.youtube.com/watch?v=yAuu3xOsorQ in which Borat wants a car with a pussy magnet ..hmm, magnets?

I held a fridge magnet to my phone and the meter filled right up to 1000 and gave me the egg

Flag

MuxlR4DSDdQDUeyKhKnT

Challenge 05: Key Strokes

Challenge

esc i c e l a n d esc a y a n k e e space f o x
space esc o f l o w e r up esc $ esc i y esc e esc a
y esc / l a return esc r w esc right right right
right esc x i f r esc e esc X x x : s / c e / a g i
c / return esc down d d esc i m esc Z Z

Solution

Oh my gosh this is VIM! That's awesome :D

Entering the keystrokes as they provide spells out: magicwandfrankfoxy

Flag

2MmSpjmlU6NPAhCUVyUP

Challenge 06: Message to Ken

Challenge

Barbie has written a secret message for her sweetheart Ken. Can you decrypt it?

Fabrgal JaeM Hsa faonah uiff;rnl tf btuxbrffuinhzoroyhitbM Fincta dd

Hint: Shift+Lock+1

Solution
Holy crap this is AWESOME. This relies on you knowing about the barbie typewriters made in the 90s that had a secret code mechanism. http://www.cryptomuseum.com/crypto/mehano/barbie/#e118

So this is key 2 for coding.

norm: abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ 0123456789
   1: torbiudfhgzcvanqyepskx¢1w; RC>GHAPND<VUBLIKJETOYXM2QF 63405789-¨
   2: icolapxstvybjeruknfhqg;dzw >FAUTCYOLVJDZINQKSEHG<.1PB 523406789-
   3: hrnctqlpsxwogiekzaufyd+b;¢ SARYO>QIUX<GFDLJVTHNP1Z3KC 7405689-¨§
   4: sneohkbufd;rxtaywiqpzl%c¢+ E>SPNRKLG1XYCUDV<HOIQ2B4JA 805679-¨§£

'Beloved KenM The secret password is lipglosspartycocktailM Barbie xx'

put the password into the egg-o-matic:

Flag

uktVsuNNyPVQarmXTuYU

Challenge 07: Crypto for Rookies

Challenge

This crypto is not hard to crack.

Solution

Line Cipher Result
1: dancing men cipher BONTBBOK
2: base64 decode BONTEAOK
3: alphabet position BONTEBRK
4: rot13 BANTEBOK
5: pigpen cipher CONTEBOK
6: reversed? BONTEBOA
7: rot23? BOPTEBOK
8: hex: BONYEBOK

  • final solution: changed letters per line? If so: EABRAOCOBAPKNY
  • Update: not working. Maybe I copied them wrong? Or somethnig else? :S
  • Odd one out per position: CAPYBARA

pop this in egg-o-matic and get our egg:

Flag

2owhVG07plVCwLD1Ggmn

Challenge 08: Snd Mny

Challenge

(Mobile Challenge)

Please, I'm begging you!

Solution

find the relevant code in decompiled apk:

public class SndActivity extends Activity {
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        requestWindowFeature(1);
        getWindow().setFlags(AccessibilityNodeInfoCompat.ACTION_NEXT_HTML_ELEMENT, AccessibilityNodeInfoCompat.ACTION_NEXT_HTML_ELEMENT);
        setContentView(C0085R.layout.activity_snd);
        Intent intent = getIntent();
        String action = intent.getAction();
        String type = intent.getType();
        if ("android.intent.action.SEND".equals(action) && type != null && HTTP.PLAIN_TEXT_TYPE.equals(type)) {
            String text = intent.getStringExtra("android.intent.extra.TEXT");
            if (text != null && "c95259de1fd719814daef8f1dc4bd64f9d885ff0".equals(sha1(text.toLowerCase()))) {
                ((TextView) findViewById(C0085R.id.sndTextView)).setText("Thank you!!");
                ImageView image = (ImageView) findViewById(C0085R.id.sndImageView);
                byte[] decodedString = Base64.decode(new StringBuilder(getString(C0085R.string.f16e) + "ROBVi").reverse().toString(), 0);
                image.setImageBitmap(BitmapFactory.decodeByteArray(decodedString, 0, decodedString.length));
            }
        }
    }

[..]

}

c95259de1fd719814daef8f1dc4bd64f9d885ff0 is the SHA-1 hash for the string money

send this string to the app somehow?

ah, we notice there is now a new entry in the share menu to share to the hackyeaster SndActivity app.

we share something random and get the following:

we presumably need to send just the string money downloaded an app called Clipboard Actions which lets you share anything on your clipboard

Flag

t10fBcKFNKShxwos5g0e

Challenge 09: Microscope

Challenge

(Mobile Challenge)

In order to see this easter egg, you have to look closely!

Solution

When we click the button, we see a page with a tiny tiny egg on it

We look at the source for the challenge from the decompiled APK

package ps.hacking.hackyeaster.android;

import android.app.Activity;
import android.os.Bundle;
import android.support.v4.view.accessibility.AccessibilityNodeInfoCompat;
import android.webkit.HttpAuthHandler;
import android.webkit.WebResourceError;
import android.webkit.WebResourceRequest;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class MicroscopeActivity extends Activity {

    /* renamed from: ps.hacking.hackyeaster.android.MicroscopeActivity.1 */
    class C00841 extends WebViewClient {
        C00841() {
        }

        public void onReceivedHttpAuthRequest(WebView view, HttpAuthHandler handler, String host, String realm) {
            handler.proceed("he2017", "egggghunthackinglab");
        }

        public void onReceivedError(WebView view, WebResourceRequest request, WebResourceError error) {
            view.loadDataWithBaseURL(null, "<html>&#128048;</html>", "text/html", "utf-8", null);
        }
    }

    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        requestWindowFeature(1);
        getWindow().setFlags(AccessibilityNodeInfoCompat.ACTION_NEXT_HTML_ELEMENT, AccessibilityNodeInfoCompat.ACTION_NEXT_HTML_ELEMENT);
        setContentView(C0085R.layout.activity_microscope);
        WebView webview = (WebView) findViewById(C0085R.id.microscopeWebView);
        webview.getSettings().setJavaScriptEnabled(true);
        webview.setWebViewClient(new C00841());
        webview.loadUrl("https://hackyeaster.hacking-lab.com/hackyeaster/challenge09_su6z47IoTT7.html".replace('6', '5'));
    }
}

We see the webpage the app opens with the tiny egg on it: https://hackyeaster.hacking-lab.com/hackyeaster/challenge09_su5z47IoTT7.html

We open this page:

<html>
  <head>
    <meta http-equiv="cache-control" content="max-age=0" />
    <meta http-equiv="cache-control" content="no-cache" />
    <meta http-equiv="expires" content="0" />
    <meta http-equiv="expires" content="Tue, 01 Jan 1980 1:00:00 GMT" />
    <meta http-equiv="pragma" content="no-cache" />
  </head>
  <body style="background: url('images/background.jpg') no-repeat center center fixed;  -webkit-background-size: cover; -moz-background-size: cover; -o-background-size: cover; background-size: cover;">
  <table width=100% height=100% border="0">
    <tr>
        <td style="text-align: center; vertical-align: middle;">
          <div style="padding: 20px; width: 180px; height: 180px; position: absolute; left: 50%; top: 50%; margin-top: -110px; margin-left: -110px;">
            <img src="images/challenge/egg09_fs0sYle2SN.png" style="width: 12px; height: 12px;" />
          </div>
        </td>
    </tr>
  </table>
  </body>
</html>

and find the location of the egg image and can view it full-size:

Flag

rcwuXWsHjUcU7BbOLC18

Challenge 10: An egg or not ...

Challenge
... an egg, that's the question!

Are you able to answer this question and find the (real) egg?

(original svg verson here)

Solution
The QR code is made of individual dots. Some are doubled up, I think we remove the doubles.

I stripped out the <use ...> statements and then transformed into a TSV:

data = open('tmp', 'r').read()
q = [x.split('\t') for x in data.split('\n')]
haveSeen = {}

for i in q:
        k = "%s,%s" % (i[0], i[1])
        if k not in haveSeen:
                print """<use x="%s" y="%s" xlink:href="#%s"/>""" % (*i)
        haveSeen[k] = True

(original svg verson here)

Flag

UALYyPlhy2aYfYpzcJHA

Challenge 11: Tweaked Tweet

Challenge

(Mobile Challenge)

Blue little birdie create a fancy message, please tweet it!

Solution

When we click the button, it prepares a tweet for us:

We check the decompiled sources and see the code to generate the tweet:

private void startTweakedTweet() {
    try {
        startActivity(new Intent("android.intent.action.VIEW", Uri.parse("https://twitter.com/intent/tweet?text=%23%EF%BC%A8a%EF%BD%83%EF%BD%8By%CE%95%EF%BD%81ste%EF%BD%92%E2%80%A9201%EF%BC%97%E2%80%A9%E2%85%B0%EF%BD%93%E2%80%80a%E2%80%84l%EF%BD%8F%EF%BD%94%E2%80%80%CE%BFf%E2%80%89%EF%BD%86un%EF%BC%81%E2%80%A8%23%D1%81tf%E2%80%88%23%EF%BD%88%EF%BD%81%CF%B2king-lab")));
    } catch (Exception e) {
        e.printStackTrace();
    }
}

The tweet text:

#HackyΕaster
2017
ⅰs a lot οf fun!
#сtf #haϲking-lab

in hex:

23efbca861efbd83efbd8b79ce95efbd81737465efbd92e280a9323031efbc97e280
a9e285b0efbd93e2808061e280846cefbd8fefbd94e28080cebf66e28089efbd8675
6eefbc81e280a823d1817466e2808823efbd88efbd81cfb26b696e672d6c6162

Flag


Challenge 12: Once Upon a File

Challenge
Once upon a file there was a hidden egg. It's still waiting to be saved by a noble prince or princess.

Solution

Hmm. Zipped file containing a single file, nothing interesting in zipdetails.

[hxr@leda:~/Downloads]$ file file
file: DOS/MBR boot sector, code offset 0x52+2, OEM-ID "NTFS    ", sectors/cluster 8, Media descriptor 0xf8, sectors/track 63, hidden sectors 1, dos < 4.0 BootSector (0x80), FAT (1Y bit by descriptor); NTFS, sectors/track 63, sectors 10239, $MFT start cluster 426, $MFTMirror start cluster 2, bytes/RecordSegment 2^(-1*246), clusters/index block 1, serial number 09850f88350f86a00

Ok, that's interesting.

qemu-system-x86_64 -drive format=raw,file=disk.img

Not sure where to go from here. tcpdump where it's pixieing to? EDIT: apparently this is standard qemu/seabios behaviour. Whoops. No idea. Tried photorec on the disk image with no luck.

next we tried binwalk

$ binwalk -e file

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
36447         0x8E5F          Unix path: /0/1/2/3/4/5/6/7/8/9/:/;/</=/>/?/@/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/[/\/]/^/_/`/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o
184320        0x2D000         Zip archive data, at least v2.0 to extract, compressed size: 439156, uncompressed size: 5242880, name: file
623596        0x983EC         End of Zip archive

$ ls _file.extracted
2D000.zip  file

$ cd _file.extracted  

$ binwalk -e file

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
36447         0x8E5F          Unix path: /0/1/2/3/4/5/6/7/8/9/:/;/</=/>/?/@/A/B/C/D/E/F/G/H/I/J/K/L/M/N/O/P/Q/R/S/T/U/V/W/X/Y/Z/[/\/]/^/_/`/a/b/c/d/e/f/g/h/i/j/k/l/m/n/o
1093632       0x10B000        Microsoft Cabinet archive data, 17834 bytes, 1 file
2832320       0x2B37C0        Microsoft Cabinet archive data, 17834 bytes, 1 file
3116030       0x2F8BFE        Microsoft executable, MS-DOS
3788479       0x39CEBF        mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
3793983       0x39E43F        mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
4477995       0x44542B        mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: SHA-1 hash
5073287       0x4D6987        mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
5075359       0x4D719F        mcrypt 2.2 encrypted data, algorithm: blowfish-448, mode: CBC, keymode: 8bit
5173248       0x4EF000        PNG image, 480 x 480, 8-bit colormap, non-interlaced
5173767       0x4EF207        Zlib compressed data, best compression

$ ls _file.extracted
10B000.cab  2B37C0.cab  4EF207  4EF207.zlib  egg12.png  eg?Z2.png

and there we see we get our egg

Nugget

duRpDmUeN0d71XzeF8ae

Challenge 14: Shards

Challenge
Oh no! What a mess!

Solution
Image reassembly software??

Nugget

Challenge 15: P Cap

Challenge
What about a little P cap?

Solution
Lotsa SMB traffic, looks like a file named R05h4L.jpg is tranferred. Dollars to doughnuts that's an egg.

opened with wireshark, extracted the objects transferred, seems like two versions of that image, and two webpages:

R05h4L.jpg (incomplete)

R05h4L(1).jpg:

perdu.com (html file) (site):

<html>
    <head>
        <title>Vous Etes Perdu ?</title>
    </head>
    <body>
        <h1>Perdu sur l'Internet ?</h1>
        <h2>Pas de panique, on va vous aider</h2>
        <strong><pre>    * <----- vous &ecirc;tes ici</pre></strong>
    </body>
</html>

nothinghere.pl (html file) (site):

--> find login credentials to this site in pcap and log in?

Nugget

Challenge 16: Pathfinder

Challenge
Can you find the right path?

Solution

$ curl -i hackyeaster.hacking-lab.com:9999  
HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Content-Length: 39
Date: Thu, 06 Apr 2017 04:19:00 GMT
Connection: keep-alive

{"Answer":"I only talk to PathFinder!"}

aha, let's pretend we're PathFinder by setting our user-agent as such:

curl hackyeaster.hacking-lab.com:9999 --user-agent 'PathFinder'

{"Answer":"Follow one of the possible paths","paths":[1,3,5,8]}

Ok, looks like we need to find our way in a maze of some sort. After trying many things, it turned out to be url path, let's choose path 1 by adding /1 to url

curl hackyeaster.hacking-lab.com:9999/1 --user-agent 'PathFinder'

{"Answer":"Go on! Follow one of the possible paths","paths":[5]}

we are given new options, so we can now visit /15 etc until we find our flag:

we automate this in a python script:

import requests
import json
import pprint

count = 0

def findpath(current_url, mypaths):
    global count
    for p in mypaths:
        count += 1
        if count %100 == 0:
            print "currently trying: " + current_url
        new_url = current_url+str(p)
        r = s.get(new_url, headers=headers)
        response = json.loads(r.text)

        if response['Answer'] == "You've left the path!":
            print "error"
            exit()

        # recurse
        elif response['Answer'] == "Go on! Follow one of the possible paths":
            findpath(new_url, response['paths'])

        # if other response, we found it maybe?
        elif response['Answer'] != "This leads to nowhere, so turn around!":
            pprint.pprint(response)
            exit()

    # backtrack


url = 'http://hackyeaster.hacking-lab.com:9999/'
headers = {'User-Agent': 'PathFinder'}
s = requests.Session()

# recursively follow path until we get to an ending
r = s.get(url, headers=headers)
response = json.loads(r.text)
findpath(url, response['paths'])

this outputs:

currently trying: http://hackyeaster.hacking-lab.com:9999/153274689269185
currently trying: http://hackyeaster.hacking-lab.com:9999/153274689269385174847196523496
currently trying: http://hackyeaster.hacking-lab.com:9999/1532746892698531748471965239265
currently trying: http://hackyeaster.hacking-lab.com:9999/153284679269315
currently trying: http://hackyeaster.hacking-lab.com:9999/15328467926975148384
currently trying: http://hackyeaster.hacking-lab.com:9999/153284697269175
currently trying: http://hackyeaster.hacking-lab.com:9999/1532846972697154838
currently trying: http://hackyeaster.hacking-lab.com:9999/15329468724937
currently trying: http://hackyeaster.hacking-lab.com:9999/153294687269385
currently trying: http://hackyeaster.hacking-lab.com:9999/1572846932497
currently trying: http://hackyeaster.hacking-lab.com:9999/15728469326931587484
currently trying: http://hackyeaster.hacking-lab.com:9999/157284693269375184348196527926
currently trying: http://hackyeaster.hacking-lab.com:9999/1572846932697
currently trying: http://hackyeaster.hacking-lab.com:9999/157284693269753184843196527
currently trying: http://hackyeaster.hacking-lab.com:9999/15729468326
currently trying: http://hackyeaster.hacking-lab.com:9999/15729468326935817434817652992654
currently trying: http://hackyeaster.hacking-lab.com:9999/15729468326935817434871652949658371282597134673
currently trying: http://hackyeaster.hacking-lab.com:9999/1572946832693581743487165924
currently trying: http://hackyeaster.hacking-lab.com:9999/157294683269358174843176592
currently trying: http://hackyeaster.hacking-lab.com:9999/15729468326935817484371652949658371252897134673164289567

{u'Answer': u'Thanks PathFinder you saved my life by giving me the solution to this sudoku!',
 u'Secret': u'https://hackyeaster.hacking-lab.com/hackyeaster/images/challenge/egg16_UYgXzJqpfc.png',
 u'sudoku': [[0, 0, 0, 2, 0, 4, 6, 0, 0],
             [2, 0, 9, 0, 0, 0, 0, 0, 0],
             [0, 0, 0, 0, 0, 6, 5, 0, 0],
             [0, 0, 6, 5, 0, 0, 7, 1, 0],
             [0, 0, 0, 9, 0, 0, 0, 4, 0],
             [7, 3, 1, 0, 0, 0, 0, 0, 0],
             [0, 7, 0, 0, 3, 0, 0, 0, 8],
             [0, 8, 0, 0, 2, 7, 0, 3, 1],
             [0, 1, 4, 0, 6, 0, 0, 0, 0]],
 u'your_solution': [[1, 5, 7, 2, 9, 4, 6, 8, 3],
                    [2, 6, 9, 3, 5, 8, 1, 7, 4],
                    [8, 4, 3, 7, 1, 6, 5, 2, 9],
                    [4, 9, 6, 5, 8, 3, 7, 1, 2],
                    [5, 2, 8, 9, 7, 1, 3, 4, 6],
                    [7, 3, 1, 6, 4, 2, 8, 9, 5],
                    [9, 7, 2, 1, 3, 5, 4, 6, 8],
                    [6, 8, 5, 4, 2, 7, 9, 3, 1],
                    [3, 1, 4, 8, 6, 9, 2, 5, 7]]}

Aha! we've reached the end and the Secret url give us our egg:

Flag

xdzEPrFsO8jZH0OHLweM

Challenge 18: Nitwit's doormat key

Challenge

Solution

we check the source

<!DOCTYPE html>
<html>
	<head>
		<title>Awesome login by me!</title>
		<meta charset="UTF-8">
        <meta name="viewport" content="width=device-width, initial-scale=1">
		<script src="script.js" type="text/javascript"></script>
		<link rel="stylesheet" href="style.css" type="text/css"/>
	</head>
	<body>
    <div id="container1">
  		<div class="form">
          <input id="uzr" type="text" placeholder="username"/>
          <input id="puzzwerd" placeholder="password" type="password"/>
          <input id="sub" type="button" value="Login!">
        </div>
    </div>
    <div id="container2">
	 <img id="egg" src="../images/egg_gray.png">
    </div>
	<script>
    v06b9e817c4ddcf60fbd82113f8c1f49b = [function(va587d4b34c724ca63a1afcbaeca7f254) {
    return '1407c2b75f43d3691c240e28204533da74ee4054f5f2538e87b69ec590b04de2c2bd190b';
}, function(va587d4b34c724ca63a1afcbaeca7f254) {
    return v16441ef9304a5520d663e6580bf16679.createElement(va587d4b34c724ca63a1afcbaeca7f254);
}, function(va587d4b34c724ca63a1afcbaeca7f254) {
    return va587d4b34c724ca63a1afcbaeca7f254[0].getContext(va587d4b34c724ca63a1afcbaeca7f254[1]);
}, function(va587d4b34c724ca63a1afcbaeca7f254) {
    return va587d4b34c724ca63a1afcbaeca7f254[0].text = va587d4b34c724ca63a1afcbaeca7f254[1];
}, function(va587d4b34c724ca63a1afcbaeca7f254) {
    return null;
}, function(va587d4b34c724ca63a1afcbaeca7f254) {
    '6d363479c97439b921ad2bcba054992d8eda9a0c971df8f80920b84ab4eeae83cae6b76c';
}, function(va587d4b34c724ca63a1afcbaeca7f254) {
    return 'e77a763321d6cf825534ab228e1dfa33e71447c1637dc3b97dcf2d564e2003f67e7c26aa';
}, function(va587d4b34c724ca63a1afcbaeca7f254) {
    va587d4b34c724ca63a1afcbaeca7f254.style.display = 'none';
    return va587d4b34c724ca63a1afcbaeca7f254;
}, function(va587d4b34c724ca63a1afcbaeca7f254) {
    v159851e0e855ec9a87293bada9f49593.onload = va587d4b34c724ca63a1afcbaeca7f254
}, function(va587d4b34c724ca63a1afcbaeca7f254) {
    v159851e0e855ec9a87293bada9f49593.src = va587d4b34c724ca63a1afcbaeca7f254;
}, new Function("va587d4b34c724ca63a1afcbaeca7f254", "return unescape(decodeURIComponent(window.atob(va587d4b34c724ca63a1afcbaeca7f254)))"), function(va587d4b34c724ca63a1afcbaeca7f254) {
    vbe3ae157bcaf01bd49ec5a9b228e92fb = new Function('va587d4b34c724ca63a1afcbaeca7f254', v06b9e817c4ddcf60fbd82113f8c1f49b[10](v21a3d2d3fc5c2c1e1f3a633bd8f16f7e[va587d4b34c724ca63a1afcbaeca7f254]));
    return vbe3ae157bcaf01bd49ec5a9b228e92fb;
}];
v1341746e3d58a8c0d7ce43b877b6beb1 = [0, 255, 0];
v21a3d2d3fc5c2c1e1f3a633bd8f16f7e = ['cmV0dXJuJTIwJ2NhbnZhcyclM0I=', 'cmV0dXJuJTIwJ25vbmUnJTNC', 'cmV0dXJuJTIwJzJkJyUzQg==', 'cmV0dXJuJTIwJ3NjcmlwdCclM0I=', '', 'vd547050f5153d6953e12ea54b398855a', 'v6b31cf3f4c1305942d60342286cd09c5', 'cmV0dXJuJTIwJ2RhdGElM0FpbWFnZSUyRnBuZyUzQmJhc2U2NCUyQyclM0I=', '', 'iVBORw0KGgoAAAANSUhEUgAAAC0AAAAtCAIAAAC1eHXNAAANt0lEQVRYhU2USVMciJGFP6pALCUBYk8tgFi0dUstPST3Grbby0RM9M3hn6CIOc3/82Wix3MYT8f0PEmtllogxCKWZCvWgoIqqPKhbY/z9L2Il3l6L1ueSUZf4E5pzZTlQ6hBWLfErD2N9uRt66o8b90VF3gB6tYUPoJp1A1b8gr0WGPyGjTQAb6N5vAUlKBhreCGVLNHxIqpo2noFDumtSKN4XazhvthB31h9vFzudO6jxbFfbSBh1E3PrIWpKe4Jq+YadFlNnC7VRfXRNn0o6Z4axVwDTXFt9AnN6ySPY1WIGESd8CauUDFTiin6oprjqpy2HGMP6DrEaPJpiia78IzyUlkKdjPJLMndRAxGtEk32WUyYriCd5zViCVPUQz3JFsKUccpeCEKIUrqUu4J/OScizZR+uK++HCl9KMSLwmOqwT3CldlSfhLWziI/lzcyLWrIY1gkbRAK5Au12Fc3yCpswcOpKa0ILOzC2oS09NTZ61S7BgjcGeKKFhsyodyTOmYFq34Ax/Zn2Pq6gJGzCKlu1JtGHGxCqas8dwqzhEL+1XYsbsoxdmCh6KNXNot4oJcQWO5Yo1ClX00h5FN3EfHEEV1WERqnYT+vGeaO2xi9L/yn2mifvEuKnDJfQjfizKZkt0mxRV08BF+NSc4iGpFxfRIrQImZfo1KyJLpgWCzACkzABO+ZIauJHeAuq0hR02ovoPhRmod18BDVRRjdQDUpiWb4v1uFY9OAKum9tiZI0A6doRXqP71od+Mgc4Au4aoyvwKA1Cw37tRlGO/gIFmAAbcGKuGd6zKF0TexC60PxxjTRI6jgbesEqvZNsYjOzWOoyzW5BMPmGpShASVYRE15AY3BEOxBGSalPtjErTAPn8rL5lg00GfwHo9Zdbkd74hlOITfW4UKauCG+Q+4QFX5BLqlTasTNmEP5tCoeWUewCKuoW1YswfsI3MHhqCO2kRdjOJ1XJTKqFP6YM7gKRJehClYhvuwL15aTfM12oDiV6iinIjoMFu4PVlRDju3yDuZQ+QhsRjUI+5n7Cl2I2uRDzLP4YH0IXKbqITbHC8yGkkl4zzzo8hh50nEZMYiMZasKVrND5mPFPOOwcjBiKOIU8h0se8b7lpzyRnugUlx2SzBE3SovAhtpa9kbmR2KY+Jccdi5ElQD0acQ6ETuE1sJw/wVWIEqsqSNUd0Bv3pq8pqxkHyHr4kTsItET86RtOXM7cy74jiH4hdxUB4K3WH2Ml4Qd6XltOkTtKj4lqokPEu83LmNaI74tBZCr2IqNqnGQPpOeVp6kgQ7ofTjD68GhEZ65lVck9BcJI+CIrkTMRm5msURH9Gceybb87gteNY1IOh8GCqI90urYc7k75kPROiTDwgD8hSRDXygLhnLohxuRnUrDPRBotkmC5igZhK3ovWjA9kNXMq8lJwD31PtjvqykcRxXA1o+Xfn2kWzeAX0DCPoAW2xDJqwCnutRqiZE9JK2ZOTOJRax1fSAtQhxvmFlRxB5xKy/ZVcRMSXcCc/SWcwGVYhQMxAfto2G6KJTi1Cu/NY7xteuAefCvtoBfQD5+ZW1CDgj0Kb8ygfMfug12xC0341B7DD8Rr+TLahTY4l8Las7btAfM7OEFrYkOahGEwujBFtGDOUFm0fP5MvVZdtMAT/AJqZggN4HlRQ9O4ZJagKG5Cq1lG52IeOnGvmRLzaNx8kDusXfhYvIcxeIsfwpG1Im6bLrwqzcIvAFMXHXgF7qLWW1YZ96Edsy3VYErutX9EXeYUvxTDUEQ7cBPmAfkDfGGqaB1m8Qx+KxLahUwZSvDe3pPmzZlogTb4UdRMQ26idWiHDjMhXuHCptwnhqEdL8K0KaMyuoAqfILumZuoF8/gNNehan1tTqEi2uV71pLVDiNQgip+Cxf2bXQdn4sndps9D1OohH+FDqGET2AWDq1Nq/iYGE7WIkup1nS/csdxC0rylYxF3C/eZE7DXmoNl8h9okxcEOXg0HEuNzN3QlPEZWiPPCcnQ++CM8dA0kbskmdEb3pE+gDYN6Qb5kxxEm5mFhKtQgG25AmxijpFDXfDAXRKBXRbvBKtMCgVRSs+x9Oi0+4XN6EOD82+OYFlU4dDvAk9cr+8KnqgW26Hd/a+PSgq8Aafm/dwWxTu4WMxAjNmHRahD46lLdMPdVyCI3RhymLTvjCnaFwCWqR28yOaQnNiV4xjoN8aQbL7zKIVpgxjMCcdiyFUMB/gSAzg38IOKlTgIfw3rEg1qwde4g17X3qDr8MybJqGGDadYl8q44K9CJ+YPZg0s9BlavgYAX3yX6AkNVANF8RNacGahDLqxitSyZStJnwwS9Dyh2fP7pgNOMEL8DlaELdMGY9Jm+YFbkr9cBPWoWlm8Ftp2bTLQnvmDA/AVfQaquKOaZPfmQ5pF38M780YeosfiiO0gu+YE7EDK6aJWv7t2bNNaDXz8qfWKn+r2YS9KSrWDOzjdbiBCnIbmsV//zHM4xpMSyVYwkXrJv6zNIXrZhdOYRgVxa59F9VgSH5h3RGzuIaG8IBp/QA1PI3GrCXogC14iquoigt/i7DW8I4t2MKXzYH0E76O6tYUdMAbqKMdvCIG8Z71WPwAJXwTlu2HaAs30ct/CvK43Q+rovgEWpN+5UJGAY8oh52rwUVkBT0NXiVtQZN4FLHgGI74EPGx3R/sEXeDs2DV7ow8cXykqDvrybZiDXcQF+QokZH1zAmpnr4Cp8oLqxA5nbyDk6TQgm6gOVOBQdRhdqQuNA6f2q+hhN/DbXvFdMl/MbfNOryEK3DFNO0usYw+ljdgShoS/wr3YNNsme/NsLUvfY8HpbJYN2viNtoSXTCFCmOwhEtSN+7AbxFm0FSsMnxsduDXcIQCBuC3Yh0X0O9g0PwERzCLZCpWCc/iAbOBj8118UsYxatiCu6jH0y7+Ro9hD27DEfwnVxYhk5RgLtwKJ3CrrD8AS+gbfEAKvau2MQ91r55gEZw1azKy6ImwOeihAfhE7MjjZgFGLcrooQqdidehpR70bE4N1eh3Xok3bdad6EbruHX0okZx73WG1GHbvEcj4gO6yOoS1v2ulgxU6iKN9CXNlBCx7AtPsB9aJgX8GuxY9ZRUzyGsrUsvoBOsYbH4E/iN7BiN0RrAY+jVbwK7fiqeIs3rV8Adgeahd/If4ZpcyE14YnYstdh0r4iXlnr4i6esAbEmujBj80P6IEo2K1oWXoolnG7tYCR/ge+xm/shniEin+M2Ilch3bnU+kNeQb3InszTogt8VH4v2AE7ialzFLkkeM5cU05Fqygo3C341rmsfLE2Z4xFLmfmg/XHYOKveQ4vE7sODuUhAr4YWY52ZVmiBNo3UHH5hCeyoe4Yd2DLtgR7WYcl9CkacUXcIEaMCR67UFTlt7CDWtFHkHH0IQx2ENLcsHcFNvQkEuoYgRrqMcelZbhAg7Nn/AtUfwq1CXXIoFVa0IQ3o48I1qDDnLWcR1KitaMA/m5sxIxFbmeqqU7MsfIUlAn6jAQXs4YCA+gqcgNZyPiiuNq+oiYJ9qCe5HrxHj4csaguBJZhNYlGIVW1Guq+LL1Bo1DCTfRktSNu6X/xH2oaV3It2ER7svfoSr02g1zSy6YJdQpLqEKLpuGuAUVUYUJ3IZG8Y8wgXctxBnsmgYUAp+iNXsJT4s9PAU1OEL7omLvoSL+GLbEDfgXdIRHzVvrtuk1PTAgvrWei135rXkHTWigJtShCs/NBlrHc6Zh3lkl+RCquAjborAKi/aw1IQVdIzquE18gDW4iWbwhvXcKthd4hVeM5twTxzKPXgZdcGE6Dab5itRN2U4hGswj4egF63gK9ADm6JDpDUADfgI3TPF7vhmWDnhuES8Tu+TIerOAlnNDMVuxEnSCQ+J4/B7NBgxnfFDcIm8HupMn4R67FXxy9BP0EjfD42kZ1NtGe/Cpxm9mRfBefDAVDKm5efkLXSQfoOKj75hwjrGXWRVfBWaJQ4j7ybXpCV8Ruwkh3AsH1pXw0uOHugLXjvGgnLEqXmleEwc2AcZ40Rb+idoV4ynr4T6kj1l0RSTqrge8a3zl8n7yLng9xHFP/LNknwavAg+R69NdzIVeRgcEheO1vSEsjtizwlB5mXlbuQCMZMsp5sZw5BJNXwQepTuVPwUcSlzN2OEXI2sRVSJRxlF5Zw5z/iEWFFcIgumN7M4HbrIOI14TBzCfPoKOZxk8Iacyegll0LnsBLxNDiMfGBWk0ZkV2QxmMzogAK0Z05FHiZHkWVnTXqa/EicZq5lPsw4xsdBJfgsYwM3Mt+lHpB7olgI3YXu9GLkAXE1cinVQ/Yk00Ej4m1EGx52DmUsB5eIdxGPM6+k1iNOndeUbyKm03OwmFSgLfWBGAhIDysaGWVlRBxnHgVPzA+Kk8h7qSl4r2wxha/lOj5Hl8wmjKEnckV8BydwYNfsYeiSGvIo7JkZ2Jde4kv4jpg3HfB/8LF0V/SLY/iVXDJDUtNehjCr5lCasPZQE3pMAbbwDWsXitcV7cFKZCOYcVTCXdBi7sF2qofYV143OxFHxB7cSTbCdaItsxZ0WT+R3ZHjwQJxQDQcd0USs0G/3YABclA6Tt/P2MQbih68E2pPL8FVchJavnmmDhhHbfYr6IQxUUFN2LYX4YpYQWAAC/H//PPI/J3wPxj0s/ynlZ8N+sc1kH6GvwKgeIkcWQxJLQAAAABJRU5ErkJggg==', 'cmV0dXJuJTIwdjE2NDQxZWY5MzA0YTU1MjBkNjYzZTY1ODBiZjE2Njc5LmdldEVsZW1lbnRCeUlkKHZhNTg3ZDRiMzRjNzI0Y2E2M2ExYWZjYmFlY2E3ZjI1NCklM0I=', 'cmV0dXJuJTIwZG9jdW1lbnQ=', 'Zm9yKHZiOTMyYjI4NGE0YTdlYTdjZWJlMzc5ZTk3MzlhNjYwZSUzRHYxMzQxNzQ2ZTNkNThhOGMwZDdjZTQzYjg3N2I2YmViMSU1QjIlNUQlM0IlMjB2YjkzMmIyODRhNGE3ZWE3Y2ViZTM3OWU5NzM5YTY2MGUlMjAlM0MlMjB2NGM5NWEyNTliYTJmOWQyZGMwMTBkYzEwMzc5Y2FlZjIuZGF0YS5sZW5ndGglM0IlMjB2YjkzMmIyODRhNGE3ZWE3Y2ViZTM3OWU5NzM5YTY2MGUlMkIlM0Q0KXZhNjI3YjZjOGVlMTAzNDk0NGE4Njc5ODNjNTBlNDlhYSUyQiUzRCh2NGM5NWEyNTliYTJmOWQyZGMwMTBkYzEwMzc5Y2FlZjIuZGF0YSU1QnZiOTMyYjI4NGE0YTdlYTdjZWJlMzc5ZTk3MzlhNjYwZSU1RCElM0R2MTM0MTc0NmUzZDU4YThjMGQ3Y2U0M2I4NzdiNmJlYjElNUIxJTVEKSUzRnY5OGI5NjM0NGQxNzMxNzFlNzAzNzY1ODMzOTI0M2EyYSh2NGM5NWEyNTliYTJmOWQyZGMwMTBkYzEwMzc5Y2FlZjIuZGF0YSU1QnZiOTMyYjI4NGE0YTdlYTdjZWJlMzc5ZTk3MzlhNjYwZSU1RCklM0F2MjFhM2QyZDNmYzVjMmMxZTFmM2E2MzNiZDhmMTZmN2UlNUI0JTVEJTNCJTIwdmE2MjdiNmM4ZWUxMDM0OTQ0YTg2Nzk4M2M1MGU0OWFhJTNEdmE2MjdiNmM4ZWUxMDM0OTQ0YTg2Nzk4M2M1MGU0OWFhLnRyaW0oKSUzQg==', 'cmV0dXJuJTIwbmV3JTIwSW1hZ2UoKSUzQg==', 'cmV0dXJuJTIwU3RyaW5nLmZyb21DaGFyQ29kZSh2YTU4N2Q0YjM0YzcyNGNhNjNhMWFmY2JhZWNhN2YyNTQpJTNC'];
v16441ef9304a5520d663e6580bf16679 = v06b9e817c4ddcf60fbd82113f8c1f49b[11](11)();
v62647b9bbd4174f7dfe26356c2d80254 = new Function('va587d4b34c724ca63a1afcbaeca7f254', v06b9e817c4ddcf60fbd82113f8c1f49b[10](v21a3d2d3fc5c2c1e1f3a633bd8f16f7e[10]));
v159851e0e855ec9a87293bada9f49593 = v06b9e817c4ddcf60fbd82113f8c1f49b[7](v06b9e817c4ddcf60fbd82113f8c1f49b[11](13)());
v06b9e817c4ddcf60fbd82113f8c1f49b[8](function() {
    vf47cdd4c73ada3018bb2235586095298 = v62647b9bbd4174f7dfe26356c2d80254(v21a3d2d3fc5c2c1e1f3a633bd8f16f7e[5]);
    v14b0e537ea8314aa8eff15a14130f2dc = v06b9e817c4ddcf60fbd82113f8c1f49b[1](v06b9e817c4ddcf60fbd82113f8c1f49b[11](0)());
    v14b0e537ea8314aa8eff15a14130f2dc.width = v159851e0e855ec9a87293bada9f49593.width;
    v14b0e537ea8314aa8eff15a14130f2dc.height = v159851e0e855ec9a87293bada9f49593.height;
    v14b0e537ea8314aa8eff15a14130f2dc.style.display = v06b9e817c4ddcf60fbd82113f8c1f49b[11](1)();
    va627b6c8ee1034944a867983c50e49aa = v21a3d2d3fc5c2c1e1f3a633bd8f16f7e[4];
    v22f584e55a18700bb1e819235e9faec2 = v06b9e817c4ddcf60fbd82113f8c1f49b[2]([v14b0e537ea8314aa8eff15a14130f2dc, v06b9e817c4ddcf60fbd82113f8c1f49b[11](2)()]);
    v98b96344d173171e7037658339243a2a = new Function('va587d4b34c724ca63a1afcbaeca7f254', v06b9e817c4ddcf60fbd82113f8c1f49b[10](v21a3d2d3fc5c2c1e1f3a633bd8f16f7e[14]));
    v22f584e55a18700bb1e819235e9faec2.drawImage(v159851e0e855ec9a87293bada9f49593, v1341746e3d58a8c0d7ce43b877b6beb1[0], v1341746e3d58a8c0d7ce43b877b6beb1[0]);
    v4c95a259ba2f9d2dc010dc10379caef2 = v22f584e55a18700bb1e819235e9faec2.getImageData(v1341746e3d58a8c0d7ce43b877b6beb1[0], v1341746e3d58a8c0d7ce43b877b6beb1[0], v14b0e537ea8314aa8eff15a14130f2dc.width, v14b0e537ea8314aa8eff15a14130f2dc.height);
    v312f239ab11ab792bbc638880cef0016 = v06b9e817c4ddcf60fbd82113f8c1f49b[11](12)();
    (new Function(v06b9e817c4ddcf60fbd82113f8c1f49b[10](va627b6c8ee1034944a867983c50e49aa)))();
    vd547050f5153d6953e12ea54b398855a = v06b9e817c4ddcf60fbd82113f8c1f49b[4](v22f584e55a18700bb1e819235e9faec2);
    v159851e0e855ec9a87293bada9f49593 = v06b9e817c4ddcf60fbd82113f8c1f49b[4](vd547050f5153d6953e12ea54b398855a);
    v14b0e537ea8314aa8eff15a14130f2dc = v06b9e817c4ddcf60fbd82113f8c1f49b[4](v14b0e537ea8314aa8eff15a14130f2dc);
    v22f584e55a18700bb1e819235e9faec2 = v06b9e817c4ddcf60fbd82113f8c1f49b[4](v4c95a259ba2f9d2dc010dc10379caef2);
    v4c95a259ba2f9d2dc010dc10379caef2 = v06b9e817c4ddcf60fbd82113f8c1f49b[4](v22f584e55a18700bb1e819235e9faec2);
    vb932b284a4a7ea7cebe379e9739a660e = v06b9e817c4ddcf60fbd82113f8c1f49b[4](v22f584e55a18700bb1e819235e9faec2);
    va627b6c8ee1034944a867983c50e49aa = v06b9e817c4ddcf60fbd82113f8c1f49b[4](v22f584e55a18700bb1e819235e9faec2);
    v0acc8db6e0b9f93a7f5e1fba4e39431f = v06b9e817c4ddcf60fbd82113f8c1f49b[4](v22f584e55a18700bb1e819235e9faec2);
    ve7773f4e18e20899677477e2e500daef = v06b9e817c4ddcf60fbd82113f8c1f49b[4](v22f584e55a18700bb1e819235e9faec2);
    vd547050f5153d6953e12ea54b398855a = v06b9e817c4ddcf60fbd82113f8c1f49b[4](v22f584e55a18700bb1e819235e9faec2);
    v1362f0e27add34a3855900a0346601e2 = v06b9e817c4ddcf60fbd82113f8c1f49b[4](v22f584e55a18700bb1e819235e9faec2);
    v16441ef9304a5520d663e6580bf16679 = v06b9e817c4ddcf60fbd82113f8c1f49b[4](v22f584e55a18700bb1e819235e9faec2);
    v312f239ab11ab792bbc638880cef0016 = v06b9e817c4ddcf60fbd82113f8c1f49b[4](v22f584e55a18700bb1e819235e9faec2);
    v21a3d2d3fc5c2c1e1f3a633bd8f16f7e = v06b9e817c4ddcf60fbd82113f8c1f49b[4](v22f584e55a18700bb1e819235e9faec2);
    v1341746e3d58a8c0d7ce43b877b6beb1 = v06b9e817c4ddcf60fbd82113f8c1f49b[4](v22f584e55a18700bb1e819235e9faec2);
    va587d4b34c724ca63a1afcbaeca7f254 = v06b9e817c4ddcf60fbd82113f8c1f49b[4](v22f584e55a18700bb1e819235e9faec2);
    va587d4b34c724ca63a1afcbaeca7f254 = v06b9e817c4ddcf60fbd82113f8c1f49b[4](vf47cdd4c73ada3018bb2235586095298);
    v06b9e817c4ddcf60fbd82113f8c1f49b = v06b9e817c4ddcf60fbd82113f8c1f49b[4](v22f584e55a18700bb1e819235e9faec2);
});
v312f239ab11ab792bbc638880cef0016 = v06b9e817c4ddcf60fbd82113f8c1f49b[9](v06b9e817c4ddcf60fbd82113f8c1f49b[11](7)() + v21a3d2d3fc5c2c1e1f3a633bd8f16f7e[9]);

	</script>
	</body>
</html>

Let's try to deobfuscate a bit:

my_function_array = [
    //0
    function(my_var) {
        return '1407c2b75f43d3691c240e28204533da74ee4054f5f2538e87b69ec590b04de2c2bd190b';
    },
    //1
    function(my_var) {
        return charlie.createElement(my_var);
    },
    //2
    function(my_var) {
        return my_var[0].getContext(my_var[1]);
    },
    //3
    function(my_var) {
        return my_var[0].text = my_var[1];
    },
    //4
    function(my_var) {
        return null;
    },
    //5
    function(my_var) {
        '6d363479c97439b921ad2bcba054992d8eda9a0c971df8f80920b84ab4eeae83cae6b76c';
    },
    //6
    function(my_var) {
        return 'e77a763321d6cf825534ab228e1dfa33e71447c1637dc3b97dcf2d564e2003f67e7c26aa';
    },
    //7
    function(my_var) {
        my_var.style.display = 'none';
        return my_var;
    },
    //8
    function(my_var) {
        foxtrot.onload = my_var
    },
    //9
    function(my_var) {
        foxtrot.src = my_var;
    },
    //10
    new Function("my_var",
        "return unescape(decodeURIComponent(window.atob(my_var)))"),

    //11
    function(my_var) {
        my_new_function = new Function('my_var',
            my_function_array[10]( my_data_array[my_var] ));
        return my_new_function;
    }
];

my_list = [0, 255, 0];
my_data_array = [
    "return 'canvas';",
    "return 'none';",
    "return '2d';",
    "return 'script';",
    '',
    'tango',
    'v6b31cf3f4c1305942d60342286cd09c5',
    '<png image, see writeupfiles/chall18.png>',
    'return document',
    '<just data? see writeupfiles/chall18_justdata>',
    'return new Image();',
    'return String.fromCharCode(my_var);'
];

charlie = my_function_array[11](11)();
hotel = new Function('my_var', my_function_array[10](my_data_array[10]));
foxtrot = my_function_array[7](my_function_array[11](13)());
my_function_array[8](function() {
    kilo = hotel(my_data_array[5]);
    bravo = my_function_array[1](my_function_array[11](0)());
    bravo.width = foxtrot.width;
    bravo.height = foxtrot.height;
    bravo.style.display = my_function_array[11](1)();

    lima = my_data_array[4];
    alpha = my_function_array[2]([bravo, my_function_array[11](2)()]);
    mike = new Function('my_var', my_function_array[10](my_data_array[14]));
    alpha.drawImage(foxtrot, my_list[0], my_list[0]);
    romeo = alpha.getImageData(my_list[0], my_list[0], bravo.width, bravo.height);
    sierra = my_function_array[11](12)();

    (new Function(my_function_array[10](lima)))();

    tango = my_function_array[4](alpha);
    foxtrot = my_function_array[4](tango);
    bravo = my_function_array[4](bravo);
    alpha = my_function_array[4](romeo);
    romeo = my_function_array[4](alpha);
    uniform = my_function_array[4](alpha);
    lima = my_function_array[4](alpha);

    victor = my_function_array[4](alpha);
    yankee = my_function_array[4](alpha);
    tango = my_function_array[4](alpha);
    zulu = my_function_array[4](alpha);
    charlie = my_function_array[4](alpha);
    sierra = my_function_array[4](alpha);
    my_data_array = my_function_array[4](alpha);
    my_list = my_function_array[4](alpha);
    my_var = my_function_array[4](alpha);
    my_var = my_function_array[4](kilo);
    my_function_array = my_function_array[4](alpha);
});
sierra = my_function_array[9](my_function_array[11](7)() + my_data_array[9]);

Challenge 20: Spaghetti hash

Challenge
Lazy Larry needs to improve the security of his password hashing implementation. He decides to use SHA-512 as a new hashing algorithm in order to be super secure. Unfortunately, the database column for the hash can only hold 128 bit. As Bob is too lazy to extend the column and all the code related to it, he decides to shrink the output of the SHA-512 operation, to 128 bit. For this purpose he picks certain characters from the SHA-512 output for producing the new value.

You got hold of four password hashes, calculated with Bob's new implementation. Can you find the corresponding passwords?

hash 1: 87017a3ffc7bdd5dc5d5c9c348ca21c5
hash 2: ff17891414f7d15aa4719689c44ea039
hash 3: 5b9ea4569ad68b85c7230321ecda3780
hash 4: 6ad211c3f933df6e5569adf21d261637

Lucky you, you know that the following web service is calculating Bob's algorithm. However, the web service only accepts strings of length 4 or less - brute-forcing a password list thus is no option, since the passwords you are looking for are all longer.

https://hackyeaster.hacking-lab.com/hackyeaster/hash?string=abcd

Solution

First we use the web service to determine how the smaller hashes are obtained from the full hashes, next we use a dictionary to test whether the smaller hashes match any of the four we are looking for

import requests
import hashlib

url="https://hackyeaster.hacking-lab.com/hackyeaster/hash?string="

def all_occurrences(s, ch):
    return [i for i, ltr in enumerate(s) if ltr == ch]

# first, determine where each character in new hashes came from in original
# by looking at multiple ones
pairs = []
for c in "abcde":
    m = hashlib.sha512()
    m.update(c)
    r = requests.get(url+c)
    pairs.append([m.hexdigest(), r.text])

origins = []
for i in range(0, len(pairs[0][1])):
    #print "pos: "+str(i)
    possibilities = []
    for j in range(0, len(pairs)):
        n = all_occurrences(pairs[j][0], pairs[j][1][i])
        #print n
        if possibilities == []:
            possibilities = set(n)
        else:
            possibilities = possibilities.intersection(n)
    origins += list(possibilities)

print "\nOrigin of each position in small hash:"
print origins
# [65, 17, 115, 31, 45, 11, 67, 92, 0, 7, 123, 37, 5, 22, 87, 124, 25, 89, 38, 61, 90, 109, 63, 28, 102, 12, 47, 59, 110, 86, 24, 18]

def get_mini_hash(pt, positions):
    m = hashlib.sha512()
    m.update(pt)
    longhash = m.hexdigest()
    smallhash = ''
    for i in positions:
        smallhash += longhash[i]

    return smallhash


# now we know how smaller hashes are derived from larger ones, try word from
# a dictionary to see which match hashes we are looking for
targets = ['87017a3ffc7bdd5dc5d5c9c348ca21c5',
           'ff17891414f7d15aa4719689c44ea039',
           '5b9ea4569ad68b85c7230321ecda3780',
           '6ad211c3f933df6e5569adf21d261637']

found = 0
with open('wordlist.txt') as f:
    while found < 4:
        w = f.readline().strip()
        smallh = get_mini_hash(w, origins)
        if smallh in targets:
            print "\nFound!"
            print w
            print smallh
            found += 1

This outputs the following solutions:

Origin of each position in small hash:
[65, 17, 115, 31, 45, 11, 67, 92, 0, 7, 123, 37, 5, 22, 87, 124, 25, 89, 38, 61, 90, 109, 63, 28, 102, 12, 47, 59, 110, 86, 24, 18]

Found!
12345678
6ad211c3f933df6e5569adf21d261637

Found!
benchmark
5b9ea4569ad68b85c7230321ecda3780

Found!
Cleveland
ff17891414f7d15aa4719689c44ea039

Found!
Prodigy
87017a3ffc7bdd5dc5d5c9c348ca21c5

we fill these four solutions into the egg-o-matic to get our egg:

Flag

ICBXMH6GJqMqYDsjkaCn

Challenge 22: Game, Set, and Hash

Challenge

Can you beat the tennis master?

hackyeaster.hacking-lab.com:8888

Solution

We connect to the service and see the following:

$ nc hackyeaster.hacking-lab.com 8888

Ready for the game?
y
Let's go!
5cc3f82838ba7260203e4590ce03d00e1663d41f6a5167144f5c95d6be2166a0
y
Wrong! Point for me.
----------------------
Player > 0 0
Master   0 15
----------------------
75fba329cb6ee8907a1f009b69353d8c0e9a8228b25a1095c7976efc1eaa259d
k
Wrong! Point for me.
----------------------
Player > 0 0
Master   0 30
----------------------
ed968e840d10d2d313a870bc131a4e2c311d7ad09bdf32b3418147221f51a6e2
h
Wrong! Point for me.
----------------------
Player > 0 0
Master   0 40
----------------------
1a8d9de9490302d2d234f9c92bc2c854910ebf70c5eae016b86f03427fef03b7
h
Wrong! Point for me.
----------------------
Player   0 0
Master > 1 0
----------------------
4ac2ffdb1428fe6572cb751b5b4b861563dc15978e7b140a7f5212cf69ccd35e
h
Wrong! Point for me.
----------------------
Player   0 0
Master > 1 15
----------------------
5867183bb6a671e056f39df1b528221c66b7d7cd999e6660537f95fc95f8487d

..looks like we're playing hash tennis :)

They all appear to be hashes of the same length, and using crackstation we find that:

5cc3f82838ba7260203e4590ce03d00e1663d41f6a5167144f5c95d6be2166a0	sha256	office
75fba329cb6ee8907a1f009b69353d8c0e9a8228b25a1095c7976efc1eaa259d	sha256	enjoy
ed968e840d10d2d313a870bc131a4e2c311d7ad09bdf32b3418147221f51a6e2	sha256	aaaaa
1a8d9de9490302d2d234f9c92bc2c854910ebf70c5eae016b86f03427fef03b7	sha256	blazer
4ac2ffdb1428fe6572cb751b5b4b861563dc15978e7b140a7f5212cf69ccd35e	sha256	sharapova
5867183bb6a671e056f39df1b528221c66b7d7cd999e6660537f95fc95f8487d	sha256	m080617

ok, so they're SHA-256 hashes, and they look to be mostly strings commonly found on wordlists ..this shouldn't be too bad.

To speed this process up, we use this python implementation of crackstation's hash lookup tables https://github.com/moloch--/hashlookup.

We use a wordlist (hashkiller), index it, sort the index:

$ git clone git clone [email protected]:moloch--/hashlookup.git

$ cd hashlookup

# we used hashkiller's list as wordlist.txt here
$ ./createidx.py -a sha2-256 -w wordlist.txt

[*] Creating Secure Hashing Algorithm 2 (256 bit) index ...
[*] Reading wordlist.txt ...
[*] Completed index file hashkiller.com-sha2-256.idx
[$] All Done.

$ make

$ ./sortidx -r 2048 wordlist-sha2-256.idx
Sorting file hashkiller.com-sha2-256.idx ...

# let's test one
$ ./LookupTable.py -a sha2-256 -i wordlist-sha2-256.idx -w wordlist.txt -c 5cc3f82838ba7260203e4590ce03d00e1663d41f6a5167144f5c95d6be2166a0

		*** Results ***

0)  5cc3f82838ba7260203e4590ce03d00e1663d41f6a5167144f5c95d6be2166a0 -> office
[*] Total lookup time: 0.000882
[$] Cracked 1 of 1 (100.00%)

awesome, this works, and is fast, let's use it to play some tennis:

import telnetlib
import hashlib
import sys
sys.path.append('hashlookup')
from LookupTable import LookupTable

server = "hackyeaster.hacking-lab.com"
port = 8888

# start the match
tn = telnetlib.Telnet(server, port)
print tn.read_until("Ready for the game?")
tn.write("y\n" )
print tn.read_until("Let's go!\n")


l = LookupTable('sha2-256', 'wordlist-sha2-256.idx', 'wordlist.txt')

# play the game
while True:
    # get it
    h = tn.read_until('\n').strip()
    print "h: "+h

    # crack it
    t = l.get_all([h])
    t = str(t[h])

    # return it
    print "Sending answer: " + t
    tn.write(t+"\n" )

    # print scoreboard
    print tn.read_until("----------------------")
    print tn.read_until("----------------------")
    print tn.read_until('\n')

we run this and win the game!

$ python chall22_tennis.py
Ready for the game?

Let's go!

h: a1bd1312d23002be258c9bb4642bbea77580353869a8ee8844e6940b7e0278b7
Sending answer: qweasd
Correct! Point for you.
----------------------

Player > 0 15
Master   0 0
----------------------


h: 1f8b6d5a89242a0984816601b1a527ed239e16e213182481301d2706f4396703
Sending answer: 4444444
Correct! Point for you.
----------------------

Player > 0 30
Master   0 0
----------------------


h: c90d569a30a14c7da4fcd1347792813a87d982c995f8376411d361289f161e09
Sending answer: None
Wrong! Point for me.
----------------------

Player > 0 30
Master   0 15
----------------------


h: f527721c54550e8a0a7aac8da3116976e0b8f3083d67b614d169e15f3df1a76a
Sending answer: estefania
Correct! Point for you.
----------------------

Player > 0 40
Master   0 15
----------------------


[..]

h: c9bf553d456365516965e2977ec01d38ae7d30d57fae2c99aee02bea6f61ec32
Sending answer: teamo2.
Correct! Point for you.
----------------------

Player   6 6 5 30
Master > 0 0 0 0
----------------------


h: 08a5c5fd12ecee53f4217d0b44369537c27389f7a75711028f5a1ad94845cccf
Sending answer: bangfist
Correct! Point for you.
----------------------

Player   6 6 5 40
Master > 0 0 0 0
----------------------


h: 62fff1a28571a19d7a3126cbf190bc33e9115511d2ee4d6d5e8111410f0e93be
Sending answer: tre2ike
Correct! Point for you.
----------------------

Player > 6 6 6
Master   0 0 0
----------------------


h: You win! Solution is: !stan-the_marth0n$m4n

we put the string !stan-the_marth0n$m4n into the egg-o-matic to get our egg:

Flag

fl3uB75EGl1sadBNycvx

Dec X: Title

Challenge
Solution
Nugget

HV16-