352 lines
12 KiB
Markdown
352 lines
12 KiB
Markdown
---
|
|
title: Scavenger Hunt Solution
|
|
date: 2020-11-25
|
|
tags:
|
|
- ctf
|
|
- wasm
|
|
- steganography
|
|
- stenography
|
|
---
|
|
|
|
# Scavenger Hunt Solution
|
|
|
|
On November 22, I sent a
|
|
[tweet](https://twitter.com/theprincessxena/status/1330532765482311687) that
|
|
contained the following text:
|
|
|
|
```
|
|
#467662 #207768 #7A7A6C #6B2061 #6F6C20 #6D7079
|
|
#7A6120 #616C7A #612E20 #5A6C6C #206F61 #61773A
|
|
#2F2F6A #6C6168 #6A6C68 #752E6A #736269 #2F6462
|
|
#796675 #612E6E #747020 #6D7679 #207476 #796C20
|
|
#70756D #767974 #686170 #76752E
|
|
```
|
|
|
|
This was actually the first part of a scavenger hunt/mini CTF that I had set up
|
|
in order to see who went down the rabbit hole to solve it. I've had nearly a
|
|
dozen people report back to me telling that they solved all of the puzzles and
|
|
nearly all of them said they had a lot of fun. Here's how to solve each of the
|
|
layers of the solution and how I created them.
|
|
|
|
## Layer 1
|
|
|
|
The first layer was that encoded tweet. If you notice, everything in it is
|
|
formatted as HTML color codes. HTML color codes just so happen to be encoded in
|
|
hexadecimal. Looking at the codes you can see `20` come up a lot, which happens
|
|
to be the hex-encoded symbol for the spacebar. So, let's turn this into a
|
|
continuous hex string with `s/#//g` and `s/ //g`:
|
|
|
|
[If you've seen a `%20` in a URL before, that is the URL encoded form of the
|
|
spacebar!](conversation://Mara/hacker)
|
|
|
|
```
|
|
4676622077687A7A6C6B20616F6C206D7079
|
|
7A6120616C7A612E205A6C6C206F6161773A
|
|
2F2F6A6C61686A6C68752E6A7362692F6462
|
|
796675612E6E7470206D7679207476796C20
|
|
70756D76797468617076752E
|
|
```
|
|
|
|
And then turn it into an ASCII string:
|
|
|
|
> Fvb whzzlk aol mpyza alza. Zll oaaw://jlahjlhu.jsbi/dbyfua.ntp mvy tvyl pumvythapvu.
|
|
|
|
[Wait, what? this doesn't look like much of anything...wait, look at the
|
|
`oaaw://`. Could that be `http://`?](conversation://Mara/hmm)
|
|
|
|
Indeed it is my perceptive shark friend! Let's decode the rest of the string
|
|
using the [Caeser Cipher](https://en.wikipedia.org/wiki/Caesar_cipher):
|
|
|
|
> You passed the first test. See http://cetacean.club/wurynt.gmi for more information.
|
|
|
|
Now we're onto something!
|
|
|
|
## Layer 2
|
|
|
|
Opening http://cetacean.club/wurynt.gmi we see the following:
|
|
|
|
> wurynt
|
|
>
|
|
> a father of modern computing, <br />
|
|
> rejected by his kin, <br />
|
|
> for an unintentional sin, <br />
|
|
> creator of a machine to break <br />
|
|
> the cipher that this message is encoded in
|
|
>
|
|
> bq cr di ej kw mt os px uz gh
|
|
>
|
|
> VI 1 1
|
|
> I 17 1
|
|
> III 12 1
|
|
>
|
|
> qghja xmbzc fmqsb vcpzc zosah tmmho whyph lvnjj mpdkf gbsjl tnxqf ktqia mwogp
|
|
> eidny awoxj ggjqz mbrcm tkmyd fogzt sqkga udmbw nmkhp jppqs xerqq gdsle zfxmq
|
|
> yfdfj kuauk nefdc jkwrs cirut wevji pumqt hrxjr sfioj nbcrc nvxny vrphc r
|
|
>
|
|
> Correction for the last bit
|
|
>
|
|
> gilmb egdcr sowab igtyq pbzgv gmlsq udftc mzhqz exbmx zaxth isghc hukhc zlrrk
|
|
> cixhb isokt vftwy rfdyl qenxa nljca kyoej wnbpf uprgc igywv qzuud hrxzw gnhuz
|
|
> kclku hefzk xtdpk tfjzu byfyi sqmel gweou acwsi ptpwv drhor ahcqd kpzde lguqt
|
|
> wutvk nqprx gmiad dfdcm dpiwb twegt hjzdf vbkwa qskmf osjtk tcxle mkbnv iqdbe
|
|
> oejsx lgqc
|
|
|
|
[Hmm, "a father of computing", "rejected by his kin", "an unintentional sin",
|
|
"creator of a machine to break a cipher" could that mean Alan Turing? He made
|
|
something to break the Enigma cipher and was rejected by the British government
|
|
for being gay right?](conversation://Mara/hmm)
|
|
|
|
Indeed. Let's punch these settings into an [online enigma
|
|
machine](https://cryptii.com/pipes/enigma-machine) and see what we get:
|
|
|
|
```
|
|
congr adula tions forfi gurin goutt hisen igmao famys teryy ouhav egott enfar
|
|
thert hanan yonee lseha sbefo rehel pmebr eakfr eefol lowth ewhit erabb ittom
|
|
araht tpyvz vgjiu ztkhf uhvjq roybx dswzz caiaq kgesk hutvx iplwa donio n
|
|
|
|
httpc olons lashs lashw hyvec torze dgamm ajayi ndigo ultra zedfi vetan gokil
|
|
ohalo fineu ltrah alove ctorj ayqui etrho omega yotta betax raysi xdonu tseve
|
|
nsupe rwhyz edzed canad aasia indig oasia twoqu ietki logam maeps ilons uperk
|
|
iloha loult rafou rtang ovect orsev ensix xrayi ndigo place limaw hyasi adelt
|
|
adoto nion
|
|
```
|
|
|
|
And here is where I messed up with this challenge. Enigma doesn't handle
|
|
numbers. It was designed to encode the 26 letters of the Latin alphabet. If you
|
|
look at the last bit of the output you can see `onio n` and `o nion`. This
|
|
points you to a [Tor hidden
|
|
service](https://www.linuxjournal.com/content/tor-hidden-services), but because
|
|
I messed this up the two hints point you at slightly wrong onion addresses (tor
|
|
hidden service addresses usually have numbers in them). Once I realized this, I
|
|
made a correction that just gives away the solution so people could move on to
|
|
the next step.
|
|
|
|
Onwards to
|
|
http://yvzvgjiuz5tkhfuhvjqroybx6d7swzzcaia2qkgeskhu4tv76xiplwad.onion/!
|
|
|
|
## Layer 3
|
|
|
|
Open your [tor browser](https://www.torproject.org/download/) and punch in the
|
|
onion URL. You should get a page that looks like this:
|
|
|
|
![Mara's
|
|
Realm](https://cdn.christine.website/file/christine-static/blog/Screenshot_20201125_101515.png)
|
|
|
|
This shows some confusing combinations of letters and some hexadecimal text.
|
|
We'll get back to the hexadecimal text in a moment, but let's take a closer look
|
|
at the letters. There is a hint here to search the plover dictionary.
|
|
[Plover](http://www.openstenoproject.org/) is a tool that allows hobbyists to
|
|
learn [stenography](https://en.wikipedia.org/wiki/Stenotype) to type at the rate
|
|
of human speech. My moonlander has a layer for typing out stenography strokes,
|
|
so let's enable it and type them out:
|
|
|
|
> Follow the white rabbit
|
|
>
|
|
> Go to/test. w a s m
|
|
|
|
Which we can reinterpret as:
|
|
|
|
> Follow the white rabbit
|
|
>
|
|
> Go to /test.wasm
|
|
|
|
[The joke here is that many people seem to get stenography and steganography
|
|
confused, so that's why there's stenography in this steganography
|
|
challenge!](conversation://Mara/hacker)
|
|
|
|
Going to /test.wasm we get a WebAssembly download. I've uploaded a copy to my
|
|
blog's CDN
|
|
[here](https://cdn.christine.website/file/christine-static/blog/test.wasm).
|
|
|
|
## Layer 4
|
|
|
|
Going back to that hexadecimal text from above, we see that it says this:
|
|
|
|
> go get tulpa.dev/cadey/hlang
|
|
|
|
This points to the source repo of [hlang](https://h.christine.website), which is
|
|
a satirical "programming language" that can only print the letter `h` (or the
|
|
lojbanic h `'` for that sweet sweet internationalisation cred). Something odd
|
|
about hlang is that it uses [WebAssembly](https://webassembly.org/) to execute
|
|
all programs written in it (this helps it reach its "no sandboxing required" and
|
|
"zero* dependencies" goals).
|
|
|
|
Let's decompile this WebAssembly file with
|
|
[`wasm2wat`](https://webassembly.github.io/wabt/doc/wasm2wat.1.html)
|
|
|
|
```console
|
|
$ wasm2wat /data/test.wasm
|
|
<output too big, see https://git.io/Jkyli>
|
|
```
|
|
|
|
Looking at the decompilation we can see that it imports a host function `h.h` as
|
|
the hlang documentation suggests and then constantly calls it a bunch of times:
|
|
|
|
```lisp
|
|
(module
|
|
(type (;0;) (func (param i32)))
|
|
(type (;1;) (func))
|
|
(import "h" "h" (func (;0;) (type 0)))
|
|
(func (;1;) (type 1)
|
|
i32.const 121
|
|
call 0
|
|
i32.const 111
|
|
call 0
|
|
i32.const 117
|
|
call 0
|
|
; ...
|
|
```
|
|
|
|
There's a lot of `32` in the output. `32` is the base 10 version of `0x20`,
|
|
which is the space character in ASCII. Let's try to reformat the numbers to
|
|
ascii characters and see what we get:
|
|
|
|
> you made it, this is the end of the line however. writing all of this up takes
|
|
> a lot of time. if you made it this far, email me@christine.website to get your
|
|
> name entered into the hall of heroes. be well.
|
|
|
|
## How I Implemented This
|
|
|
|
Each layer was designed independently and then I started building them together
|
|
later.
|
|
|
|
One of the first steps was to create the website for Mara's Realm. I started by
|
|
writing out all of the prose into a file called `index.md` and then I ran
|
|
[sw](https://github.com/jroimartin/sw) using [Pandoc](https://pandoc.org/) for
|
|
markdown conversion.
|
|
|
|
Then I created the WebAssembly binary by locally hacking a copy of hlang to
|
|
allow arbitrary strings. I stuck it in the source directory for the website and
|
|
told `sw` to not try and render it as markdown.
|
|
|
|
Once I had the HTML source, I copied it to a machine on my network at
|
|
`/srv/http/marahunt` using this command:
|
|
|
|
```console
|
|
$ rsync \
|
|
-avz \
|
|
site.static/ \
|
|
root@192.168.0.127:/srv/http/marahunt
|
|
```
|
|
|
|
And then I created a tor hidden service using the
|
|
[services.tor.hiddenServices](https://search.nixos.org/options?channel=20.09&from=0&size=30&sort=relevance&query=services.tor.hiddenServices)
|
|
options:
|
|
|
|
```nix
|
|
services.tor = {
|
|
enable = true;
|
|
|
|
hiddenServices = {
|
|
"hunt" = {
|
|
name = "hunt";
|
|
version = 3;
|
|
map = [{
|
|
port = 80;
|
|
toPort = 80;
|
|
}];
|
|
};
|
|
};
|
|
};
|
|
```
|
|
|
|
Once I pushed this config to that server, I grabbed the hostname from
|
|
`/var/lib/tor/onion/hunt/hostname` and set up an nginx virtualhost:
|
|
|
|
```nix
|
|
services.nginx = {
|
|
virtualHosts."yvzvgjiuz5tkhfuhvjqroybx6d7swzzcaia2qkgeskhu4tv76xiplwad.onion" =
|
|
{
|
|
root = "/srv/http/marahunt";
|
|
};
|
|
};
|
|
```
|
|
|
|
And then I pushed the config again and tested it with curl:
|
|
|
|
```console
|
|
$ curl -H "Host: yvzvgjiuz5tkhfuhvjqroybx6d7swzzcaia2qkgeskhu4tv76xiplwad.onion" http://127.0.0.1 | grep title
|
|
% Total % Received % Xferd Average Speed Time Time Time Current
|
|
Dload Upload Total Spent Left Speed
|
|
100 3043 100 3043 0 0 2971k 0 --:--:-- --:--:-- --:--:-- 2971k
|
|
<title>Mara's Realm</title>
|
|
.headerSubtitle { font-size: 0.6em; font-weight: normal; margin-left: 1em; }
|
|
<a href="index.html">Mara's Realm</a> <span class="headerSubtitle">sh0rk in the cloud</span>
|
|
```
|
|
|
|
Once I was satisfied with the HTML, I opened up an enigma encoder and started
|
|
writing out the message congradulating the user for figuring out "this enigma of
|
|
a mystery". I also included the onion URL (with the above mistake) in that
|
|
message.
|
|
|
|
Then I started writing the wurynt page on my
|
|
[gemini](https://gemini.circumlunar.space/) server. wurynt was coined by blindly
|
|
pressing 6 keys on my keyboard. I added a little poem about Alan Turing to give
|
|
a hint that this was an enigma cipher and then copied the Enigma settings on the
|
|
page just in case. It turned out that I was using the default settings for the
|
|
[Cryptee Enigma simulator](https://cryptii.com/pipes/enigma-machine), so this
|
|
was not needed; however it was probably better to include them regardless.
|
|
|
|
This is where I messed up as I mentioned earlier. Once I realized my mistake in
|
|
trying to encode the onion address twice, I decided it would be best to just
|
|
give away the answer on the page, so I added the correct onion URL to the end of
|
|
the enigma message so that it wouldn't break flow for people.
|
|
|
|
The final part was to write and encode the message that I would tweet out. I
|
|
opened a scratch buffer and wrote out the "You passed the first test" line and
|
|
then encoded it using the ceasar cipher and encoded the result of that into hex.
|
|
After a lot of rejiggering and rewriting to make it have a multiple of 3
|
|
characters of text, I reformatted it as HTML color codes and tweeted it without
|
|
context.
|
|
|
|
## Feedback I Got
|
|
|
|
Some of the emails and twitter DM's I got had some useful and amusing feedback.
|
|
Here's some of my favorites:
|
|
|
|
> my favourite part was the opportunity to go down different various rabbit
|
|
> holes (I got to learn about stenography and WASM, which I'd never looked
|
|
> into!)
|
|
|
|
> I want to sleep. It's 2 AM here, but a friend sent me the link an hour ago and
|
|
> I'm a cat, so the curiosity killed me.
|
|
|
|
> That was a fun little game. Thanks for putting it together.
|
|
|
|
> oh *noooo* this is going to nerd snipe me
|
|
|
|
> I'm amused that you left the online enigma emulator on default settings.
|
|
|
|
> I swear to god I'm gonna beach your orca ass
|
|
|
|
## Improvements For Next Time
|
|
|
|
Next time I'd like to try and branch out from just using ascii. I'd like to
|
|
throw other encodings into the game (maybe even have a stage written in EBCDIC
|
|
formatted Esperanto or something crazy like that). I was also considering having
|
|
some public/private key crypto in the mix to stretch people's skillsets.
|
|
|
|
Something I will definitely do next time is make sure that all of the layers are
|
|
solveable. I really messed up with the enigma step and I had to unblock people
|
|
by DMing them the answer. Always make sure your puzzles can be solved.
|
|
|
|
## Hall of Heroes
|
|
|
|
(in no particular order)
|
|
|
|
- Saphire Lattice
|
|
- Open Skies
|
|
- Tramoline
|
|
- AstroSnail
|
|
- Dominika
|
|
- pbardera
|
|
- Max Hollman
|
|
- Vojtěch
|
|
- [object Object]
|
|
- Bytewave
|
|
|
|
Thank you for solving this! I'm happy this turned out so successfully. More to
|
|
come in the future.
|
|
|
|
🙂
|