HTB-Misc Walkthrough

This document contains walkthroughs of the challenges in the HackTheBox Challenges: Misc category.

Since Misc challenges are not Cryptography challenges, don’t use cryptography methods to solve them.

Challenge Solved Status

| Title | Difficulty | Status |
|---|---|---|
| 0ld is g0ld | Easy | Solved |
| Art | Easy | Solved |
| Blackhole | Easy | Solved |
| Eternal Loop | Easy | Solved |
| fs0ciety | Easy | Solved |
| Inferno | Easy | Solved |
| Longbottom’s Locker | Easy | Solved |
| misDIRection | Easy | Solved |

Walkthrough

0ld is g0ld

Unzip the file and you have an encrypted PDF. Crack its password with pdfcrack and a dictionary:

pdfcrack -w /usr/share/wordlists/rockyou.txt 0ld\ is\ g0ld.pdf # kali-linux

=> jumanji69

Open the PDF and you find the following at the bottom:

.-. .---- .--. ... .- -- ..- ...-- .-.. -- ----- .-. ... ...--

Seems to be morse code.

=> R1PSAMU3LM0RS3

Art

The image is a program written in Piet, an esoteric programming language. Use any online tool to execute the image.

Blackhole

By executing

file hawking

we see that this is a jpeg file. So add the corresponding extension.

mv hawking hawking.jpeg

Now you need steghide, a tool for hiding data inside a larger carrier file such as an image.

apt-get install steghide
steghide info hawking.jpeg

It turns out that you need a password. Just try the filename “hawking” and it works. A txt file is embedded in the image. Now, extract it.

steghide extract -sf hawking.jpeg # then type in the password

You now see a file flag.txt. Its content looks Base64-encoded. Decode it once and the result is Base64 again, so decode it a second time. Then you see

Efqbtqz Iuxxumy Tmiwuzs ime mz Qzsxuet ftqadqfuomx btkeuouef, oaeyaxasuef, mzp mgftad, ita ime pudqofad ar dqeqmdot mf ftq Oqzfdq
rad Ftqadqfuomx Oaeyaxask mf ftq Gzuhqdeufk ar Omyndupsq mf ftq fuyq ar tue pqmft. Tq ime ftq Xgomeumz Bdarqeead ar Ymftqymfuoe
mf ftq Gzuhqdeufk ar Omyndupsq nqfiqqz 1979 mzp 2009. Tmiwuzs motuqhqp oayyqdoumx egooqee iuft eqhqdmx iadwe ar babgxmd eouqzoq
uz ituot tq pueogeeqe tue aiz ftqaduqe mzp oaeyaxask uz sqzqdmx. Tue naaw M Nduqr Tuefadk ar Fuyq mbbqmdqp az ftq Ndufuet Egzpmk
Fuyqe nqef-eqxxqd xuef rad m dqoadp-ndqmwuzs 237 iqqwe. Tmiwuzs ime m rqxxai ar ftq Dakmx Eaouqfk, m xurqfuyq yqynqd ar ftq
Bazfuruomx Mompqyk ar Eouqzoqe, mzp m dqoubuqzf ar ftq Bdqeupqzfumx Yqpmx ar Rdqqpay, ftq tustqef ouhuxumz mimdp uz ftq Gzufqp
Efmfqe. Uz 2002, Tmiwuzs ime dmzwqp zgynqd 25 uz ftq NNO'e baxx ar ftq 100 Sdqmfqef Ndufaze.
TFN{Z3hqD_x3F_fT3_n4eFmDp5_S3f_K0g_p0iZ}

This seems to be a simple substitution cipher. Use any tool you like to decrypt it. You have

Stephen William Hawking was an English theoretical physicist, cosmologist, and author, who was director of research at the Centre
for Theoretical Cosmology at the University of Cambridge at the time of his death. He was the Lucasian Professor of Mathematics
at the University of Cambridge between 1979 and 2009. Hawking achieved commercial success with several works of popular science
in which he discusses his own theories and cosmology in general. His book A Brief History of Time appeared on the British Sunday
Times best-seller list for a record-breaking 237 weeks. Hawking was a fellow of the Royal Society, a lifetime member of the
Pontifical Academy of Sciences, and a recipient of the Presidential Medal of Freedom, the highest civilian award in the United
States. In 2002, Hawking was ranked number 25 in the BBC's poll of the 100 Greatest Britons.
HTB{N3veR_l3T_tH3_b4sTaRd5_G3t_Y0u_d0wN}

See the flag?
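The decoding chain above, as an added example that is not part of the original walkthrough: it peels Base64 layers until the data stops decoding to printable text, then recovers the letter shift by looking for the known flag prefix. The function names and the `HTB{` crib are assumptions; the ciphertext line is the one shown above, re-wrapped in Base64 as constructed input.

```python
import base64
import binascii
import string

# Flag line of the ciphertext shown above (taken from the page).
CIPHERTEXT = "TFN{Z3hqD_x3F_fT3_n4eFmDp5_S3f_K0g_p0iZ}"


def peel_base64(data: bytes, max_layers: int = 10):
    """Strip Base64 layers while each layer decodes to printable ASCII."""
    layers = 0
    while layers < max_layers:
        try:
            decoded = base64.b64decode(data.strip(), validate=True)
            text = decoded.decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            break  # not Base64, or decodes to binary: stop peeling
        if not text or any(c not in string.printable for c in text):
            break
        data, layers = decoded, layers + 1
    return data, layers


def shift_text(text: str, shift: int) -> str:
    """Rotate ASCII letters by `shift`, keeping case; everything else passes through."""
    out = []
    for ch in text:
        if ch in string.ascii_letters:
            base = ord("A") if ch.isupper() else ord("a")
            ch = chr((ord(ch) - base + shift) % 26 + base)
        out.append(ch)
    return "".join(out)


def shift_from_crib(ciphertext: str, crib: str = "HTB{"):
    """Return the first shift under which the known flag prefix appears, else None."""
    for shift in range(26):
        if crib in shift_text(ciphertext, shift):
            return shift
    return None


if __name__ == "__main__":
    # Constructed input: the page's ciphertext line wrapped in two Base64 layers.
    wrapped = base64.b64encode(base64.b64encode(CIPHERTEXT.encode()))
    inner, layers = peel_base64(wrapped)
    shift = shift_from_crib(inner.decode())
    print(layers, shift, shift_text(inner.decode(), shift))
```

Digits and punctuation are left untouched, which is why the leetspeak in the flag survives the shift.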

Eternal Loop

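The logic is:

Each outer archive is encrypted with the file name (without the extension) of the archive inside it. For example, 37366.zip contains 5900.zip and is encrypted with the key 5900.

Running unzip -t <filename> shows the name of the file inside.

import subprocess

filename = '37366'
while True:
    # Without a password, 'unzip -t' reports the encrypted member as "skipping: <name>".
    rst = subprocess.run(['unzip', '-t', filename], stdout=subprocess.PIPE)
    listing = rst.stdout.decode(errors='replace')
    parts = listing.partition('skipping:')[2].split()
    inner = parts[0] if parts else ''
    if not inner.endswith('.zip'):
        break  # innermost archive reached: its member is not another .zip
    key = inner[:-len('.zip')]
    print(filename, ":", key)
    # The inner file name (without .zip) is the password of the outer archive.
    subprocess.run(['unzip', '-P', key, filename], stdout=subprocess.PIPE)
    # Move the inner archive over the outer one so the loop can reuse `filename`.
    subprocess.run(['mv', key + '.zip', filename + '.zip'], stdout=subprocess.PIPE)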

Then use the “rockme.txt” and fcrackzip to break the password

=> letmeinplease

After unzipping it, you have a sqlite3 database file. You can use any editor to open it and search the keyword “HTB” and get the result!

fs0ciety

Use the kali-linux zip file cracking tool fcrackzip to crack the file. The dictionary is rockyou.txt.

fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt fsociety.zip

=> password justdoit

The file inside is “sshcreds_datacenter.txt”. Its content is

MDExMDEwMDEgMDExMDAxMTAgMDEwMTExMTEgMDExMTEwMDEgMDAxMTAwMDAgMDExMTAxMDEgMDEwMTExMTEgMDExMDAwMTEgMDEwMDAwMDAgMDExMDExMTAgMDEwMTExM
TEgMDAxMDAxMDAgMDExMDExMDEgMDAxMTAwMTEgMDExMDExMDAgMDExMDExMDAgMDEwMTExMTEgMDExMTAxMTEgMDExMDEwMDAgMDEwMDAwMDAgMDExMTAxMDAgMDEwMT
ExMTEgMDExMTAxMDAgMDExMDEwMDAgMDAxMTAwMTEgMDEwMTExMTEgMDExMTAwMTAgMDAxMTAwMDAgMDExMDAwMTEgMDExMDEwMTEgMDEwMTExMTEgMDExMDEwMDEgMDE
xMTAwMTEgMDEwMTExMTEgMDExMDAwMTEgMDAxMTAwMDAgMDAxMTAwMDAgMDExMDEwMTEgMDExMDEwMDEgMDExMDExMTAgMDExMDAxMTE=

This looks like Base64. Decoding it gives

01101001 01100110 01011111 01111001 00110000 01110101 01011111 01100011 01000000 01101110 01011111 00100100 01101101 00110011
01101100 01101100 01011111 01110111 01101000 01000000 01110100 01011111 01110100 01101000 00110011 01011111 01110010 00110000
01100011 01101011 01011111 01101001 01110011 01011111 01100011 00110000 00110000 01101011 01101001 01101110 01100111

Convert each 8-bit group to its ASCII character and we capture the flag.

cipher = "01101001 01100110 01011111 01111001 00110000 01110101 01011111 01100011 01000000 01101110 01011111 00100100 01101101 00110011 01101100 01101100 01011111 01110111 01101000 01000000 01110100 01011111 01110100 01101000 00110011 01011111 01110010 00110000 01100011 01101011 01011111 01101001 01110011 01011111 01100011 00110000 00110000 01101011 01101001 01101110 01100111"

cipher = cipher.split(" ")

plaintext = [chr(int(c, 2)) for c in cipher]
plaintext = "".join(plaintext)
print(plaintext)

Inferno

The content of inferno.txt seems to be Base64-encoded.

import base64
with open('inferno.txt', 'r') as file:
    cipher = file.read()
    data = base64.b64decode(cipher)
print(data)

However, the decoded result still looks encrypted. After googling inferno, we found another esoteric programming language: Malbolge.

Run the decoded text through an online Malbolge interpreter and you get the flag.

Longbottom’s Locker

In the source code of the webpage, we find the following code:

<script>
    document.getElementById('neville-locker-form').addEventListener('submit', function(e) {
        e.preventDefault();

        var passphrase = document.getElementById('passwd').value,
            encryptedMsg = '4cce4470203e10b395ab1787a22553a5b2503d42a965da813676d929cc16f76cU2FsdGVkX19FvUyhqWoQKHXNLBL64g8acK4UQoP6XZQ/n4MRL3rgQj8TJ/3r8Awtxte2V9s+RLfQHJOHGwYtctqRa/H2BetmxjwGG+LYKUWC8Z6WBoYbecwtATCOuwewnp+VKBzsWLme+3BZyRgKEA==',
            encryptedHMAC = encryptedMsg.substring(0, 64),
            encryptedHTML = encryptedMsg.substring(64),
            decryptedHMAC = CryptoJS.HmacSHA256(encryptedHTML, CryptoJS.SHA256(passphrase).toString()).toString();

        if (decryptedHMAC !== encryptedHMAC) {
            alert('Bad passphrase!');
            return;
        }

        var plainHTML = CryptoJS.AES.decrypt(encryptedHTML, passphrase).toString(CryptoJS.enc.Utf8);

        document.write(plainHTML);
        document.close();
    });
</script>

However, HMAC is pretty secure, and so are SHA256 and AES. Brute-forcing the password is extreeeeeeeemly painful. Don’t do that. Now, calm down and try another way.

Let’s have another look at the jpg file by running “binwalk” on it:

binwalk socute.jpg

We find that this file has some zip files embedded. We can simply change the extension from .jpg to .zip and unzip it. We now have the file “donotshare”, but its content seems to make no sense. After googling, we figure out that it is a banner file. The following Python code displays the banner.

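import pickle

# The file is a Python pickle, so it has to be opened in binary mode.
# pickle.load() executes whatever the file instructs; load files like this only in a throwaway VM.
with open('donotshare', 'rb') as f:
    o = pickle.load(f)

# Each line is a list of (character, repeat count) pairs.
outstr = ''
for line in o:
    for char, n in line:
        outstr += char * n
    outstr += '\n'
print(outstr)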

=> key is Gu1d0-v4N-R055Um

Type in the key to the webpage, you will see the flag.
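Because “donotshare” is a downloaded pickle, a safer way to read it is an unpickler that refuses every global lookup. The following is an added example, not code from the original walkthrough; the class and function names, the 200-character run limit and the sample banner are assumptions constructed for illustration.

```python
import io
import pickle


class DataOnlyUnpickler(pickle.Unpickler):
    """Unpickler that accepts plain containers and scalars but no globals."""

    def find_class(self, module, name):
        # Every GLOBAL/STACK_GLOBAL opcode ends up here. That is how a pickle
        # names something to import, so refuse all such lookups.
        raise pickle.UnpicklingError(f"blocked global {module}.{name}")


def load_banner(raw: bytes):
    """Load run-length banner rows: a list of lists of (char, count) pairs."""
    rows = DataOnlyUnpickler(io.BytesIO(raw), encoding="latin1").load()
    for row in rows:
        for char, count in row:
            # Reject anything that is not a short run of one string.
            if not (isinstance(char, str) and isinstance(count, int)
                    and 0 <= count <= 200):
                raise ValueError(f"unexpected banner cell: {(char, count)!r}")
    return rows


def render(rows) -> str:
    """Expand each (char, count) pair and join the rows into the banner text."""
    return "\n".join("".join(char * count for char, count in row) for row in rows)


if __name__ == "__main__":
    # Constructed sample in the same shape as the banner data described above.
    sample = pickle.dumps([[(" ", 2), ("#", 3)], [("#", 1), (" ", 3), ("#", 1)]],
                          protocol=2)
    print(render(load_banner(sample)))
```

The banner data consists only of lists, tuples, strings and integers, so it loads without any global lookup, while a pickle that references any importable object is rejected before it can run.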

misDIRection

DO NOT USE CASE-INSENSITIVE SYSTEM!!!!

PLEASE USE LINUX!!!

DON’T USE WINDOWS / MACOS!!!!!!!!

I HAVE WASTED HUUUUGE AMOUNT OF TIME HERE!!!

After unzipping, you get a folder whose name starts with “.”, so it is hidden; that’s why you see nothing. If you look inside, there is something interesting.

By using the “tree” command, you now have a much clearer view of the folder structure.

So, maybe the filename under the folder is the char location, and the folder name is the char.

Turn this piece of information into a dictionary. (Of course, you can come up with some smarter way.)

word_dic = {'0':[6], '1':[22, 30], '2':[34], '5':[16], '9':[36], 'B':[23], 'C':[4], 'D': [26], 'E':[14], 'F':[19, 2, 27], 'N':[11, 25, 31, 33], 'p':[32], 'S':[1], 's':[24], 'U':[9], 'u':[20, 28], 'V':[35], 'X':[17, 21, 29], 'x':[15], 'd':[13], 'e':[5], 'j':[10, 12], 'J':[8], 'R':[3, 7], 'z':[18]}

flag_length = 0
for key in word_dic.keys():
    flag_length = max(flag_length, max(word_dic[key]))

flag = [""]*(flag_length+1)

for key in word_dic.keys():
    for loc in word_dic[key]:
        flag[loc] = key
rst = "".join(flag)
print(rst)

The result is not the flag yet. Decode it with Base64.

import base64

print(base64.b64decode(rst))
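One way to avoid both the hand-built dictionary and the case-insensitive file system problem is to read the folder and file names straight from the archive listing without extracting anything. This is an added example, not part of the original walkthrough; the `.secret/<char>/<position>` layout, the function names and the sample archive are assumptions constructed for illustration.

```python
import base64
import io
import zipfile
from collections import defaultdict


def build_sample_archive(secret: bytes) -> bytes:
    """Constructed sample: one folder per Base64 character, one empty file per 1-based position."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for pos, ch in enumerate(base64.b64encode(secret).decode(), start=1):
            zf.writestr(f".secret/{ch}/{pos}", b"")
    return buf.getvalue()


def positions_from_archive(zip_bytes: bytes) -> dict:
    """Map each folder name (the character) to the positions named by its files."""
    table = defaultdict(list)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            parts = name.rstrip("/").split("/")
            # Expect <root>/<char>/<position>; skip directory entries and anything else.
            if len(parts) == 3 and len(parts[1]) == 1 and parts[2].isdigit():
                table[parts[1]].append(int(parts[2]))
    return dict(table)


def case_collisions(table: dict) -> list:
    """Folder names that would merge into one on a case-insensitive file system."""
    seen = defaultdict(set)
    for ch in table:
        seen[ch.lower()].add(ch)
    return sorted("".join(sorted(v)) for v in seen.values() if len(v) > 1)


def assemble(table: dict) -> str:
    """Place each character at its positions; fail on duplicates or gaps."""
    slots = {}
    for ch, locs in table.items():
        for loc in locs:
            if loc in slots:
                raise ValueError(f"position {loc} claimed by {slots[loc]!r} and {ch!r}")
            slots[loc] = ch
    missing = [i for i in range(1, max(slots) + 1) if i not in slots]
    if missing:
        raise ValueError(f"missing positions: {missing}")
    return "".join(slots[i] for i in sorted(slots))
```

Calling `case_collisions()` on the table shows which folder pairs (for example `G` and `g`) an extraction on Windows or macOS would have merged, and `assemble()` output goes to `base64.b64decode()` as in the last step above.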