{"id":461,"date":"2018-05-22T06:12:12","date_gmt":"2018-05-22T06:12:12","guid":{"rendered":"https:\/\/devel0pment.de\/?p=461"},"modified":"2018-05-22T06:12:12","modified_gmt":"2018-05-22T06:12:12","slug":"hacky-easter-2018-writeup","status":"publish","type":"post","link":"https:\/\/devel0pment.de\/?p=461","title":{"rendered":"Hacky Easter 2018 writeup"},"content":{"rendered":"<style>\n  .spanFlag {\n    color:#0000ff;\n    font-weight:bold;\n  }\n<\/style>\n<table>\n<tr>\n<td width=\"75\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/logo.png\" alt=\"\" width=\"64\" height=\"64\" class=\"alignnone size-full wp-image-472\" \/><\/td>\n<td>\nAs every year <a href=\"https:\/\/www.hacking-lab.com\/index.html\" rel=\"noopener\" target=\"_blank\">hacking-lab.com<\/a> carried out the annual <b>Hacky Easter<\/b> event with 27 challenges. I could not spend as much time as I would have liked to on solving the challenges, but after all I managed to collect 25 of the 27 eggs and focused on this writeup.\n<\/td>\n<\/tr>\n<\/table>\n<table style=\"display:table-cell;vertical-align:top;\">\n<tr>\n<td width=\"75\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/flag_easy.png\" alt=\"\" width=\"480\" height=\"480\" class=\"alignnone size-full wp-image-463\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/flag_easy.png 480w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/flag_easy-150x150.png 150w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/flag_easy-300x300.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/flag_easy-100x100.png 100w\" sizes=\"(max-width: 480px) 100vw, 480px\" \/><\/td>\n<td><span style=\"font-size:larger; font-weight:bold; color:#54AF79; text-shadow:1px 1px #000000;\">Easy<\/span><\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\">\n<a href=\"https:\/\/devel0pment.de\/?p=461#chlg01\"><b>01<\/b> Prison 
Break<\/a><br \/>\n<a href=\"https:\/\/devel0pment.de\/?p=461#chlg02\"><b>02<\/b> Babylon<\/a><br \/>\n<a href=\"https:\/\/devel0pment.de\/?p=461#chlg03\"><b>03<\/b> Pony Coder<\/a><br \/>\n<a href=\"https:\/\/devel0pment.de\/?p=461#chlg04\"><b>04<\/b> Memeory<\/a><br \/>\n<a href=\"https:\/\/devel0pment.de\/?p=461#chlg05\"><b>05<\/b> Sloppy &#038; Paste (mobile)<\/a><br \/>\n<a href=\"https:\/\/devel0pment.de\/?p=461#chlg06\"><b>06<\/b> Cooking for Hackers<\/a><br \/>\n<a href=\"https:\/\/devel0pment.de\/?p=461#chlg07\"><b>07<\/b> Jigsaw<\/a><br \/>\n<a href=\"https:\/\/devel0pment.de\/?p=461#chlg08\"><b>08<\/b> Disco Egg<\/a><br \/>\n<a href=\"https:\/\/devel0pment.de\/?p=461#chlg09\"><b>09<\/b> Dial Trial (mobile)<\/a>\n<\/td>\n<\/tr>\n<tr>\n<td><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/flag_medium.png\" alt=\"\" width=\"480\" height=\"480\" class=\"alignnone size-full wp-image-467\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/flag_medium.png 480w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/flag_medium-150x150.png 150w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/flag_medium-300x300.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/flag_medium-100x100.png 100w\" sizes=\"(max-width: 480px) 100vw, 480px\" \/><\/td>\n<td><span style=\"font-size:larger; font-weight:bold; color:#9CAF54; text-shadow:1px 1px #000000;\">Medium<\/span><\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\">\n<a href=\"https:\/\/devel0pment.de\/?p=461#chlg10\"><b>10<\/b> Level Two<\/a><br \/>\n<a href=\"https:\/\/devel0pment.de\/?p=461#chlg11\"><b>11<\/b> De Egg you must <span style=\"font-size:smaller;\">(not solved)<\/span><\/a><br \/>\n<a href=\"https:\/\/devel0pment.de\/?p=461#chlg12\"><b>12<\/b> Patience (mobile)<\/a><br \/>\n<a href=\"https:\/\/devel0pment.de\/?p=461#chlg13\"><b>13<\/b> Sagittarius&#8230;<\/a><br \/>\n<a 
href=\"https:\/\/devel0pment.de\/?p=461#chlg14\"><b>14<\/b> Same same&#8230;<\/a><br \/>\n<a href=\"https:\/\/devel0pment.de\/?p=461#chlg15\"><b>15<\/b> Manila greetings<\/a><br \/>\n<a href=\"https:\/\/devel0pment.de\/?p=461#chlg16\"><b>16<\/b> git cloak &#8211;hard<\/a><br \/>\n<a href=\"https:\/\/devel0pment.de\/?p=461#chlg17\"><b>17<\/b> Space Invaders<\/a><br \/>\n<a href=\"https:\/\/devel0pment.de\/?p=461#chlg18\"><b>18<\/b> Egg Factory<\/a>\n<\/td>\n<\/tr>\n<tr>\n<td><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/flag_hard.png\" alt=\"\" width=\"480\" height=\"480\" class=\"alignnone size-full wp-image-466\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/flag_hard.png 480w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/flag_hard-150x150.png 150w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/flag_hard-300x300.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/flag_hard-100x100.png 100w\" sizes=\"(max-width: 480px) 100vw, 480px\" \/><\/td>\n<td><span style=\"font-size:larger; font-weight:bold; color:#AF5458; text-shadow:1px 1px #000000;\">Hard<\/span><\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\">\n<a href=\"https:\/\/devel0pment.de\/?p=461#chlg19\"><b>19<\/b> Virtual Hen<\/a><br \/>\n<a href=\"https:\/\/devel0pment.de\/?p=461#chlg20\"><b>20<\/b> Artist: No Name Yet <span style=\"font-size:smaller;\">(not solved)<\/span><\/a><br \/>\n<a href=\"https:\/\/devel0pment.de\/?p=461#chlg21\"><b>21<\/b> Hot Dog<\/a><br \/>\n<a href=\"https:\/\/devel0pment.de\/?p=461#chlg22\"><b>22<\/b> Block Jane<\/a><br \/>\n<a href=\"https:\/\/devel0pment.de\/?p=461#chlg23\"><b>23<\/b> Rapbid Learning<\/a><br \/>\n<a href=\"https:\/\/devel0pment.de\/?p=461#chlg24\"><b>24<\/b> ELF<\/a>\n<\/td>\n<\/tr>\n<tr>\n<td><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/flag_hidden.png\" alt=\"\" width=\"480\" height=\"480\" 
class=\"alignnone size-full wp-image-469\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/flag_hidden.png 480w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/flag_hidden-150x150.png 150w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/flag_hidden-300x300.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/flag_hidden-100x100.png 100w\" sizes=\"(max-width: 480px) 100vw, 480px\" \/><\/td>\n<td><span style=\"font-size:larger; font-weight:bold; color:#5481AF; text-shadow:1px 1px #000000;\">Hidden<\/span><\/td>\n<\/tr>\n<tr>\n<td colspan=\"2\">\n<a href=\"https:\/\/devel0pment.de\/?p=461#chlg25\"><b>25<\/b> Hidden Egg #1<\/a><br \/>\n<a href=\"https:\/\/devel0pment.de\/?p=461#chlg26\"><b>26<\/b> Hidden Egg #2<\/a><br \/>\n<a href=\"https:\/\/devel0pment.de\/?p=461#chlg27\"><b>27<\/b> Hidden Egg #3<\/a>\n<\/td>\n<\/tr>\n<\/table>\n<p><!--more--><\/p>\n<h1 id=\"chlg01\">01 &#8211; Prison Break<\/h1>\n<p>The encryption method is taken from the television serial Prison Break (see <a href=\"http:\/\/www.wonderlandblog.com\/wonderland\/2006\/08\/prison_break_se.html\" target=\"_blank\" rel=\"noopener\">here<\/a>).<\/p>\n<p>The prefix of the phone numbers (555) can be ignored. The other digits determine which key on a cellphone-keyboard should be pressed and the dots on the origami determine how often the key should be pressed:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg01_01-300x270.png\" alt=\"\" width=\"200\" class=\"alignnone size-medium wp-image-478\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg01_01-300x270.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg01_01.png 386w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/p>\n<p>Example:<\/p>\n<pre>\r\nPhone Number: 7\r\nDots on Origami: ... (3)\r\n--&gt; Pressing the key 7 three times: R\r\n\r\nPhone Number: 2\r\nDots on Origami: .. 
(2)\r\n--&gt; Pressing the key 2 two times: B\r\n<\/pre>\n<p>By combining the phone numbers and the dots on the origami this way the message can be decoded:<\/p>\n<pre>\r\nLink\r\n----\r\nPhone Numbers:\t7  7   4   7    6  6  3\r\nOrigami:\t. ... ... .... ... .. ..\r\n\t\t1  3   3   4    3  2  2\r\nPlaintext:\tP  R   I   S    O  N  E\r\n\r\nSara\r\n----\r\nPhone Numbers:\t 7   4   7   5   4  6  4\r\nOrigami:\t... ... .... .. ... .. .\r\n\t\t 3   3   4   2   3  2  1\r\nPlaintext:\t R   I   S   K   I  N  G\r\n<\/pre>\n<p>The password is <code><span class=\"spanFlag\">PRISONERISKING<\/span><\/code>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg01_02-300x300.png\" alt=\"\" width=\"300\" height=\"300\" class=\"alignnone size-medium wp-image-479\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg01_02-300x300.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg01_02-150x150.png 150w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg01_02-100x100.png 100w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg01_02.png 480w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/p>\n<h1 id=\"chlg02\">02 &#8211; Babylon<\/h1>\n<p>The hint <i>walls and shelves<\/i> refers to the Library of Babel (see <a href=\"https:\/\/libraryofbabel.info\/\" target=\"_blank\" rel=\"noopener\">here<\/a>).<\/p>\n<p>The library can be browsed (see <a href=\"https:\/\/libraryofbabel.info\/browse.cgi\" target=\"_blank\" rel=\"noopener\">here<\/a>) by entering:<\/p>\n<ul>\n<li>a hex name (the challenge&#8217;s attachment: babylon.txt)<\/li>\n<li>a wall (the first digit: 4)<\/li>\n<li>a shelf (the second digit: 4)<\/li>\n<li>a volume (the third digit: 28)<\/li>\n<li>a page (the fourth digit: 355)<\/li>\n<\/ul>\n<p>The page contains the following text:<\/p>\n<pre>the super secret hackyeaster password is checkthedatayo<\/pre>\n<p><img decoding=\"async\" 
src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg02_01.png\" alt=\"\" width=\"639\" class=\"alignnone size-full wp-image-483\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg02_01.png 939w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg02_01-300x199.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg02_01-768x510.png 768w\" sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/p>\n<p>The password is <code><span class=\"spanFlag\">checkthedatayo<\/span><\/code>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg02_02-300x300.png\" alt=\"\" width=\"300\" height=\"300\" class=\"alignnone size-medium wp-image-484\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg02_02-300x300.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg02_02-150x150.png 150w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg02_02-100x100.png 100w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg02_02.png 480w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/p>\n<h1 id=\"chlg03\">03 &#8211; Pony Coder<\/h1>\n<p>The title <i>Pony Coder<\/i> refers to the <i>Punycode<\/i> specified in RFC 3492 (see here: <a href=\"https:\/\/www.ietf.org\/rfc\/rfc3492.txt\" target=\"_blank\" rel=\"noopener\">RFC 3492<\/a>, <a href=\"https:\/\/en.wikipedia.org\/wiki\/Punycode\" target=\"_blank\" rel=\"noopener\">wikipedia<\/a>). 
Punycode is used to encode Unicode characters as ASCII characters in order to use them as DNS names.<\/p>\n<p>When decoding the provided string <code>gn tn-gha87be4e<\/code> with an online-decoder like <a href=\"https:\/\/www.punycoder.com\/\" target=\"_blank\" rel=\"noopener\">www.punycoder.com<\/a> we need to prefix the string with <code>xn--<\/code>:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg03_01.png\" alt=\"\" width=\"633\" class=\"alignnone size-full wp-image-485\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg03_01.png 933w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg03_01-289x300.png 289w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg03_01-768x798.png 768w\" sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/p>\n<p>The password is <code><span class=\"spanFlag\">gin tonic<\/span><\/code>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg03_02-300x300.png\" alt=\"\" width=\"300\" height=\"300\" class=\"alignnone size-medium wp-image-486\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg03_02-300x300.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg03_02-150x150.png 150w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg03_02-100x100.png 100w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg03_02.png 480w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/p>\n<h1 id=\"chlg04\">04 &#8211; Memeory<\/h1>\n<p>A single memeory card is represented by a <i>figure<\/i>-element:<\/p>\n<pre class=\"brush: xml; gutter: false; title: ; notranslate\" title=\"\">\r\n&lt;figure id=&quot;legespiel_card_0&quot;&gt;\r\n  &lt;a href=&quot;#card_0&quot;&gt;\r\n    &lt;img class=&quot;boxFront&quot; src=&quot;.\/lib\/1.jpg&quot; \/&gt;\r\n    &lt;img 
class=&quot;boxWhite&quot; src=&quot;.\/lib\/shadow_card.png&quot; \/&gt;\r\n    &lt;img class=&quot;boxBack&quot; src=&quot;.\/lib\/back.jpg&quot;  \/&gt;\r\n  &lt;\/a&gt;\r\n  &lt;img class=&quot;boxStretch&quot; src=&quot;.\/lib\/shim.gif&quot; \/&gt;\r\n&lt;\/figure&gt;\r\n<\/pre>\n<p>Two adjacent cards have the same picture and thus belong together:<\/p>\n<pre>\r\nlegespiel_card_0 &lt;--&gt; legespiel_card_1\r\nlegespiel_card_2 &lt;--&gt; legespiel_card_3\r\nlegespiel_card_4 &lt;--&gt; legespiel_card_5\r\n...\r\n<\/pre>\n<p>This means that we just have to click the cards in the order of their id (0,1,2,3,4,5&#8230;). We can simply emulate these clicks by running javascript code in the console-window of our browser (<i>F12<\/i>):<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg04_01.png\" alt=\"\" width=\"667\" class=\"alignnone size-full wp-image-487\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg04_01.png 967w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg04_01-300x266.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg04_01-768x682.png 768w\" sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/p>\n<pre>\r\nfor (var i = 0; i &lt; 100; i++) $(\"#legespiel_card_\"+i+\" a\").click();\r\n<\/pre>\n<p>This single line clicks one card after the other finally yielding the egg:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg04_02.png\" alt=\"\" width=\"667\" class=\"alignnone size-full wp-image-488\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg04_02.png 967w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg04_02-300x266.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg04_02-768x682.png 768w\" sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 
1071px) 543px, 580px\" \/><\/p>\n<h1 id=\"chlg05\">05 &#8211; Sloppy &#038; Paste (mobile)<\/h1>\n<p>When trying to copy the base64-string displayed in the app, another base64-string is loaded in the clipboard. Decoding this string yields a locked egg:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg5# echo &quot;iVBORw0KGgoAAAANSUhEUgAAAeAAAAHgCAMAAABKCk6nAAACQ1BM...pKUAAAAASUVORK5CYII=&quot; | base64 -d &gt; egg05_locked.png\r\n<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg05_01-300x300.png\" alt=\"\" width=\"300\" height=\"300\" class=\"alignnone size-medium wp-image-489\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg05_01-300x300.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg05_01-150x150.png 150w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg05_01-100x100.png 100w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg05_01.png 480w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/p>\n<p>I used the <a href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.gmail.heagoo.apkeditor&#038;hl=de\" target=\"_blank\" rel=\"noopener\">APK Editor<\/a> app to extract the challenge&#8217;s html-file from the hacky easter app:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg05_02.png\" alt=\"\" width=\"280\" class=\"alignnone size-full wp-image-490\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg05_02.png 1080w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg05_02-191x300.png 191w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg05_02-768x1207.png 768w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg05_02-651x1024.png 651w\" sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 
1071px) 543px, 580px\" \/><\/p>\n<p>The html-file contains the actual base64-string being displayed:<\/p>\n<pre class=\"brush: xml; gutter: false; title: ; notranslate\" title=\"\">\r\n...\r\n&lt;p&gt;The egg is right here. Just copy it!&lt;\/p&gt;\r\n&lt;p&gt;&lt;button onclick=&quot;doClip();&quot;&gt;Copy to Clipboard&lt;\/button&gt;&lt;\/p&gt;\r\n&lt;textarea id=&quot;area&quot; style=&quot;width:100%; height: 240px; word-break: break-all;&quot;&gt; iVBORw0KGgoAAAANSUhEUgAAAeAAAAHgCAMAAABKCk6nAAACQ1BM...BwAAAABJRU5ErkJggg==&lt;\/textarea&gt;\r\n...\r\n<\/pre>\n<p>Decoding this string&#8230;<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg5# echo &quot;iVBORw0KGgoAAAANSUhEUgAAAeAAAAHgCAMAAABKCk6nAAACQ1BM...BwAAAABJRU5ErkJggg==&quot; | base64 -d &gt; egg05.png\r\n<\/pre>\n<p>&#8230;yields the actual egg:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg05_03-300x300.png\" alt=\"\" width=\"300\" height=\"300\" class=\"alignnone size-medium wp-image-491\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg05_03-300x300.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg05_03-150x150.png 150w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg05_03-100x100.png 100w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg05_03.png 480w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/p>\n<h1 id=\"chlg06\">06 &#8211; Cooking for Hackers<\/h1>\n<p>The ingredients seem to be base64-encoded:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nusr@host:~$ echo &quot;c2FsdA==&quot; | base64 -d\r\nsalt\r\n\r\nusr@host:~$ echo &quot;b2ls&quot; | base64 -d\r\noil\r\n\r\nusr@host:~$ echo &quot;dDd3Mmc=&quot; | base64 -d\r\nt7w2g\r\n\r\nusr@host:~$ echo &quot;bnRkby4=&quot; | base64 -d\r\nntdo.\r\n\r\nusr@host:~$ echo 
&quot;b25pb24=&quot; | base64 -d\r\nonion\r\n<\/pre>\n<p>Because of the <code>.onion<\/code> at the end, we can assume that this is a Tor hidden service address, which can for example be accessed using the <a href=\"https:\/\/www.torproject.org\/projects\/torbrowser.html.en\" target=\"_blank\" rel=\"noopener\">Tor Browser<\/a>. The complete address is simply the concatenation of all ingredients: <code>saltoilt7w2gntdo.onion<\/code>.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg06_01.png\" alt=\"\" width=\"636\" class=\"alignnone size-full wp-image-492\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg06_01.png 736w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg06_01-300x243.png 300w\" sizes=\"(max-width: 736px) 100vw, 736px\" \/><\/p>\n<h1 id=\"chlg07\">07 &#8211; Jigsaw<\/h1>\n<p>I started by writing a python-script, which extracts all single tiles from the provided image and saves each tile to its own file:<\/p>\n<pre class=\"brush: python; first-line: 0; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg7# cat egg7.py\r\n#!\/usr\/bin\/env python\r\n# Python 2 script (integer division is relied upon below)\r\n\r\nimport Image\r\n\r\nimg = Image.open(&quot;jigsaw.png&quot;)\r\npix = img.load()\r\n\r\n# one blank 40x40 tile per grid position (1280\/40 = 32 columns, 720\/40 = 18 rows)\r\nimg_arr = &#x5B;]\r\npix_arr = &#x5B;]\r\nfor i in range(1280\/40):\r\n  img_arr.append(&#x5B;])\r\n  pix_arr.append(&#x5B;])\r\n  for j in range(720\/40):\r\n    img_arr&#x5B;i].append(Image.new(&quot;RGB&quot;, (40, 40), &quot;white&quot;))\r\n    pix_arr&#x5B;i].append(img_arr&#x5B;i]&#x5B;j].load())\r\n\r\n# copy every pixel of the source image into the tile it belongs to\r\nfor w in range(img.size&#x5B;0]):\r\n  for h in range(img.size&#x5B;1]):\r\n    pix_arr&#x5B;w\/40]&#x5B;h\/40]&#x5B;w%40,h%40] = pix&#x5B;w,h]\r\n\r\n# write each tile to its own file, named by column and row\r\nfor i in range(1280\/40):\r\n  for j in range(720\/40):\r\n    img_arr&#x5B;i]&#x5B;j].save(&quot;title_&quot;+str(i)+&quot;_&quot;+str(j)+&quot;.png&quot;)\r\n<\/pre>\n<p>Next I wrote another python-script, which generates an html-page containing\n
all image-tiles:<\/p>\n<pre class=\"brush: python; first-line: 0; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg7# cat gen_html.py\r\n# emit a 32x18 grid of img elements; jigsaw.js fills them and handles the clicks\r\nprint(&quot;&lt;html&gt;&quot;)\r\nprint(&quot;&lt;style&gt;.sel { border:1px solid red; }&lt;\/style&gt;&quot;)\r\nprint(&quot;&lt;body&gt;&quot;)\r\nprint(&quot;&lt;table&gt;&quot;)\r\nfor i in range(18):\r\n  print(&quot;&lt;tr&gt;&quot;),\r\n  for j in range(32):\r\n    print(&quot;&lt;td&gt;&lt;img id=\\&quot;img&quot;+str(j)+&quot;_&quot;+str(i)+&quot;\\&quot; onclick=\\&quot;clicked(this)\\&quot;\/&gt;&lt;\/td&gt;&quot;)\r\n  print(&quot;&lt;\/tr&gt;&quot;)\r\nprint(&quot;&lt;\/table&gt;&quot;)\r\nprint(&quot;&lt;script src=\\&quot;jigsaw.js\\&quot;&gt;&lt;\/script&gt;&quot;)\r\nprint(&quot;&lt;\/body&gt;&quot;)\r\nprint(&quot;&lt;\/html&gt;&quot;)\r\n<\/pre>\n<p>The html-page includes the following javascript:<\/p>\n<pre class=\"brush: jscript; first-line: 0; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg7# cat jigsaw.js\r\n\/\/ load tile (i, j) into the img element at column i, row j\r\nfor (var i = 0; i &lt; 32; i++) {\r\n  for (var j = 0; j &lt; 18; j++) {\r\n    document.getElementById(&quot;img&quot;+i+&quot;_&quot;+j).src = &quot;title_&quot;+i+&quot;_&quot;+j+&quot;.png&quot;;\r\n  }\r\n}\r\n\r\n\/\/ the currently selected tile (null if none)\r\nvar sel = null;\r\n\r\nfunction clicked(elem) {\r\n  if (sel == null) {\r\n    \/\/ first click: remember and highlight the tile\r\n    sel = elem;\r\n    sel.classList.add(&quot;sel&quot;);\r\n  }\r\n  else {\r\n    \/\/ second click: swap the images of the two tiles and clear the selection\r\n    sel.classList.remove(&quot;sel&quot;);\r\n    var tmp = sel.src;\r\n    sel.src = elem.src;\r\n    elem.src = tmp;\r\n    sel = null;\r\n  }\r\n}\r\n<\/pre>\n<p>The javascript highlights the tile which has been clicked (<code>classList.add(\"sel\")<\/code>; the clicked element is a plain DOM element, so jQuery&#8217;s <code>addClass<\/code> is not available on it) and swaps its image with the next tile being clicked.<\/p>\n<p>This way I puzzled the image until the password became visible:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg07_01.png\" alt=\"\" width=\"700\" class=\"alignnone size-full wp-image-493\"\n
srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg07_01.png 1600w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg07_01-300x169.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg07_01-768x432.png 768w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg07_01-1024x576.png 1024w\" sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/p>\n<p>The password is <code><span class=\"spanFlag\">goodsheepdontalwayswearwhite<\/span><\/code>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg07_02-300x300.png\" alt=\"\" width=\"300\" height=\"300\" class=\"alignnone size-medium wp-image-494\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg07_02-300x300.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg07_02-150x150.png 150w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg07_02-100x100.png 100w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg07_02.png 480w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/p>\n<h1 id=\"chlg08\">08 &#8211; Disco Egg<\/h1>\n<p>The provided website displays the egg with a blinking background and each pixel of the qrcode continuously changing colors:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg08_01.png\" alt=\"\" width=\"682\" class=\"alignnone size-full wp-image-495\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg08_01.png 782w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg08_01-300x252.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg08_01-768x646.png 768w\" sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/p>\n<p>I started by saving the website offline in order to change the 
html-code.<\/p>\n<p>Each pixel of the qrcode is represented by a cell (<code>td<\/code> element) within a <code>table<\/code>:<\/p>\n<pre class=\"brush: xml; gutter: false; title: ; notranslate\" title=\"\">\r\n&lt;td class=&quot;cyan black green darkgreen blue orange red darkgrey brown&quot; style=&quot;background-color: rgb(251, 89, 3);&quot;&gt;&lt;\/td&gt;...\r\n<\/pre>\n<p>Each cell either has the class <code>black<\/code> or <code>white<\/code>, which equals the actual pixel-color of the qrcode.<\/p>\n<p>The qrcode can be displayed by making three changes in the html-file:<\/p>\n<p><u>1. Remove initial background-color<\/u><\/p>\n<p>The initial color of each cell is set by the <code>style<\/code> defined in the <code>td<\/code> element. By removing all occurrences of <code>background-color<\/code> there is no initial color.<\/p>\n<p>Before:<\/p>\n<pre class=\"brush: xml; gutter: false; title: ; notranslate\" title=\"\">\r\n&lt;td class=&quot;cyan black green darkgreen blue orange red darkgrey brown&quot; style=&quot;background-color: rgb(251, 89, 3);&quot;&gt;&lt;\/td&gt;\r\n<\/pre>\n<p>After change:<\/p>\n<pre class=\"brush: xml; gutter: false; title: ; notranslate\" title=\"\">\r\n&lt;td class=&quot;cyan black green darkgreen blue orange red darkgrey brown&quot; style=&quot;: rgb(251, 89, 3);&quot;&gt;&lt;\/td&gt;\r\n<\/pre>\n<p>(The css within the style attribute is not valid anymore, but we don&#8217;t care for now.)<\/p>\n<p><u>2. Comment out javascript<\/u><\/p>\n<p>The colors are changed via javascript. We don&#8217;t want the colors to be changed.<\/p>\n<p>Before:<\/p>\n<pre class=\"brush: xml; gutter: false; title: ; notranslate\" title=\"\">\r\n&lt;script src=&quot;.\/Disco Egg_files\/jquery-1.12.4.js.Download&quot;&gt;&lt;\/script&gt;\r\n&lt;script src=&quot;.\/Disco Egg_files\/jquery-ui.js.Download&quot;&gt;&lt;\/script&gt;\r\n&lt;script&gt;bgcolors = &#x5B; &quot;#1FB714&quot;, &quot;#FBF305&quot;, &quot;#006412&quot;, ... 
&lt;\/script&gt;\r\n<\/pre>\n<p>After change:<\/p>\n<pre class=\"brush: xml; gutter: false; title: ; notranslate\" title=\"\">\r\n&lt;!--\r\n&lt;script src=&quot;.\/Disco Egg_files\/jquery-1.12.4.js.Download&quot;&gt;&lt;\/script&gt;\r\n&lt;script src=&quot;.\/Disco Egg_files\/jquery-ui.js.Download&quot;&gt;&lt;\/script&gt;\r\n&lt;script&gt;bgcolors = &#x5B; &quot;#1FB714&quot;, &quot;#FBF305&quot;, &quot;#006412&quot;, ... &lt;\/script&gt;\r\n--&gt;\r\n<\/pre>\n<p><u>3. Add color to class black<\/u><\/p>\n<p>Finally, only the cells which have the class <code>black<\/code> should be colored. We can achieve this by adding the <code>background-color<\/code> property within the css definition.<\/p>\n<p>Before:<\/p>\n<pre class=\"brush: xml; gutter: false; title: ; notranslate\" title=\"\">\r\n.black, .white, .green, ...\r\n<\/pre>\n<p>After change:<\/p>\n<pre class=\"brush: xml; gutter: false; title: ; notranslate\" title=\"\">\r\n.black {background-color:#000000; } .white, .green, ...\r\n<\/pre>\n<p>After hitting F5 in order to reload the page we get the qrcode:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg08_02-238x300.png\" alt=\"\" width=\"238\" height=\"300\" class=\"alignnone size-medium wp-image-496\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg08_02-238x300.png 238w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg08_02.png 374w\" sizes=\"(max-width: 238px) 100vw, 238px\" \/><\/p>\n<h1 id=\"chlg09\">09 &#8211; Dial Trial (mobile)<\/h1>\n<p>When pushing the <code>Dial!<\/code> button in the app, the sound of a phone dialing is played.<\/p>\n<p>Like in <a href=\"https:\/\/devel0pment.de\/?p=461#chlg05\">challenge 05<\/a> I used the <a href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.gmail.heagoo.apkeditor&#038;hl=de\" target=\"_blank\" rel=\"noopener\">APK Editor<\/a> app to extract the mp3-file <code>res\/raw\/dial.mp3<\/code>\n
from the hacky easter app:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg09_01.png\" alt=\"\" width=\"280\" class=\"alignnone size-full wp-image-497\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg09_01.png 1080w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg09_01-193x300.png 193w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg09_01-768x1195.png 768w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg09_01-658x1024.png 658w\" sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/p>\n<p>The dialing sound is called <i>Dual-tone multi-frequency signaling (DTMF)<\/i> (see <a href=\"https:\/\/en.wikipedia.org\/wiki\/Dual-tone_multi-frequency_signaling\" target=\"_blank\" rel=\"noopener\">wikipedia<\/a>) and can for example be decoded <a href=\"http:\/\/dialabc.com\/sound\/detect\/\" target=\"_blank\" rel=\"noopener\">here<\/a>.<\/p>\n<p>The sound is decoded to the following digits:<\/p>\n<pre>\r\n4*7#2*6#1*2#2*5#2*3#3*6#2*6#2*6#3*6#2*5#3*4#1*2\r\n<\/pre>\n<p>Similar to <a href=\"https:\/\/devel0pment.de\/?p=461#chlg01\">challenge 01<\/a> the numbers determine which key (second digit) on a cellphone should be pressed and how often (first digit):<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg01_01-300x270.png\" alt=\"\" width=\"200\" class=\"alignnone size-medium wp-image-478\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg01_01-300x270.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg01_01.png 386w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/p>\n<p>This results in the following password:<\/p>\n<pre>\r\n4*7#2*6#1*2#2*5#2*3#3*6#2*6#2*6#3*6#2*5#3*4#1*2\r\nS   N   A   K   E   O   N   N   O   K   I   A\r\n<\/pre>\n<p>The password is <code><span 
class=\"spanFlag\">snakeonnokia<\/span><\/code>.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg09_02-810x1024.png\" alt=\"\" width=\"325\" class=\"alignnone size-large wp-image-498\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg09_02-810x1024.png 810w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg09_02-237x300.png 237w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg09_02-768x971.png 768w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg09_02.png 1022w\" sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/p>\n<h1 id=\"chlg10\">10 &#8211; Level Two<\/h1>\n<p>My solution is quite lame, because I did not actually play the game. I rather extracted the game files using <a href=\"https:\/\/github.com\/luxrck\/rgssad\" target=\"_blank\" rel=\"noopener\">rgssad<\/a>:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg10# git clone https:\/\/github.com\/luxrck\/rgssad\r\nCloning into 'rgssad'...\r\nremote: Counting objects: 46, done.\r\nremote: Compressing objects: 100% (19\/19), done.\r\nremote: Total 46 (delta 15), reused 46 (delta 15), pack-reused 0\r\nUnpacking objects: 100% (46\/46), done.\r\n<\/pre>\n<p><code>cargo<\/code> is required to install <code>rgssad<\/code>:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg10# cd rgssad\/\r\nroot@kali:~\/Documents\/he18\/egg10\/rgssad# apt-get install cargo\r\nReading package lists... Done\r\nBuilding dependency tree\r\nReading state information... 
Done\r\nThe following additional packages will be installed:\r\n  libgit2-26 libstd-rust-1.24 libstd-rust-dev rust-gdb rustc\r\n  ...\r\n<\/pre>\n<p>After installing <code>cargo<\/code>, <code>rgssad<\/code> can be installed:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg10\/rgssad# cargo install\r\n  Installing rgssad v0.1.3 (file:\/\/\/root\/Documents\/he18\/egg10\/rgssad)\r\n    Updating registry `https:\/\/github.com\/rust-lang\/crates.io-index`\r\n Downloading regex v1.0.0\r\n Downloading utf8-ranges v1.0.0\r\n Downloading aho-corasick v0.6.4\r\n ...\r\n<\/pre>\n<p>Now the game files can be extracted from the file <code>Game.rgss3a<\/code> (this file is created when installing the game on Windows):<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg10# mkdir out\r\nroot@kali:~\/Documents\/he18\/egg10# rgssad unpack Game.rgss3a out\/ .\r\nExtracting: Data\/System.rvdata2\r\nExtracting: Data\/Map009.rvdata2\r\nExtracting: Data\/Tilesets.rvdata2\r\nExtracting: Data\/Animations.rvdata2\r\nExtracting: Data\/Map015.rvdata2\r\nExtracting: Data\/Armors.rvdata2\r\nExtracting: Data\/Map006.rvdata2\r\n...\r\n<\/pre>\n<p>Let&#8217;s search for relevant information within the extracted files:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg10# cd out\r\nroot@kali:~\/Documents\/he18\/egg10\/out# grep -r &quot;password&quot;\r\nBinary file Data\/Map024.rvdata2 matches\r\nroot@kali:~\/Documents\/he18\/egg10\/out# strings Data\/Map024.rvdata2 | less\r\n...\r\nI&quot;9puts &quot;&#x5B;!] Delete this in production: PW is 13371337&quot;\r\n...\r\nI&quot;)7034353577307264355f3406033b5749114c\r\n...\r\n<\/pre>\n<p>The password <code>13371337<\/code> is not the right one yet. 
But there is a hex-encoded ASCII string equal to the password for the teaser-challenge.<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg10\/out# python\r\n&gt;&gt;&gt; s = &quot;7034353577307264355f3406033b5749114c&quot;\r\n&gt;&gt;&gt; s.decode(&quot;hex&quot;)\r\n'p455w0rd5_4\\x06\\x03;WI\\x11L'\r\n<\/pre>\n<p>This also does not seem right yet. Let&#8217;s browse through all values like this (beginning with <code>I\"<\/code>):<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg10\/out# cd Data\r\nroot@kali:~\/Documents\/he18\/egg10\/out\/Data# strings -f * | grep 'I&quot;' | less\r\n...\r\nItems.rvdata2: I&quot;+7034353577307264355f3472335f6330306c\r\n...\r\nMap014.rvdata2: I&quot;)7034353577307264355f052d066b15035433\r\n...\r\nMap015.rvdata2: I&quot;)70343535773072105d6c6b05032d0f546f4c\r\n...\r\nMap024.rvdata2: I&quot;)7034353577307264355f3406033b5749114c\r\n...\r\n<\/pre>\n<p>Including the last value, which we have already discovered, there are 4 hex-encoded ASCII strings:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg10\/out\/Data# python\r\n&gt;&gt;&gt; s1 = &quot;7034353577307264355f3472335f6330306c&quot;\r\n&gt;&gt;&gt; s2 = &quot;7034353577307264355f052d066b15035433&quot;\r\n&gt;&gt;&gt; s3 = &quot;70343535773072105d6c6b05032d0f546f4c&quot;\r\n&gt;&gt;&gt; s4 = &quot;7034353577307264355f3406033b5749114c&quot;\r\n&gt;&gt;&gt; s1.decode(&quot;hex&quot;)\r\n'p455w0rd5_4r3_c00l'\r\n&gt;&gt;&gt; s2.decode(&quot;hex&quot;)\r\n'p455w0rd5_\\x05-\\x06k\\x15\\x03T3'\r\n&gt;&gt;&gt; s3.decode(&quot;hex&quot;)\r\n'p455w0r\\x10]lk\\x05\\x03-\\x0fToL'\r\n&gt;&gt;&gt; s4.decode(&quot;hex&quot;)\r\n'p455w0rd5_4\\x06\\x03;WI\\x11L'\r\n<\/pre>\n<p>The first string is a valid ASCII string: <code>p455w0rd5_4r3_c00l<\/code>. 
The three other values contain non-ASCII characters but begin with the same characters as the first string.<\/p>\n<p>After trying different things, I figured out that each of the three other strings is supposed to be XORed with the first string. Since the shared prefix XORs to zero bytes, which <code>hex()<\/code> drops as leading zeros, only the differing tail of each string survives the decoding (the <code>&#x5B;2:-1]<\/code> slice strips the <code>0x<\/code> prefix and the Python 2 <code>L<\/code> suffix):<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\n&gt;&gt;&gt; s1 = 0x7034353577307264355f3472335f6330306c\r\n&gt;&gt;&gt; s2 = 0x7034353577307264355f052d066b15035433\r\n&gt;&gt;&gt; s3 = 0x70343535773072105d6c6b05032d0f546f4c\r\n&gt;&gt;&gt; s4 = 0x7034353577307264355f3406033b5749114c\r\n&gt;&gt;&gt; hex(s1^s2)&#x5B;2:-1].decode(&quot;hex&quot;)\r\n'1_54v3d_'\r\n&gt;&gt;&gt; hex(s1^s3)&#x5B;2:-1].decode(&quot;hex&quot;)\r\n'th3_w0rld_ '\r\n&gt;&gt;&gt; hex(s1^s4)&#x5B;2:-1].decode(&quot;hex&quot;)\r\n't0d4y! '\r\n<\/pre>\n<p>That&#8217;s it. The password is <code><span class=\"spanFlag\">1_54v3d_th3_w0rld_t0d4y!<\/span><\/code>:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg10_01-300x300.png\" alt=\"\" width=\"300\" height=\"300\" class=\"alignnone size-medium wp-image-509\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg10_01-300x300.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg10_01-150x150.png 150w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg10_01-100x100.png 100w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg10_01.png 480w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/p>\n<h1 id=\"chlg11\">11 &#8211; De Egg you must<\/h1>\n<p>Unfortunately I could not spend as much time as I would have needed to solve this challenge. 
Nevertheless, here is what I got so far:<\/p>\n<p>The provided zip-archive <code>basket.zip<\/code> contains 6 files (egg1 &#8211; egg6) and is password-protected:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg11# unzip -l basket.zip\r\nArchive:  basket.zip\r\n  Length      Date    Time    Name\r\n---------  ---------- -----   ----\r\n  1433600  2018-02-09 03:57   egg1\r\n  1433600  2018-02-09 03:57   egg2\r\n  1433600  2018-02-09 03:57   egg3\r\n  1433600  2018-02-09 03:57   egg4\r\n  1433600  2018-02-09 03:57   egg5\r\n   384584  2018-02-09 03:57   egg6\r\n---------                     -------\r\n  7552584                     6 files\r\n\r\nroot@kali:~\/Documents\/he18\/egg11# unzip basket.zip\r\nArchive:  basket.zip\r\n&#x5B;basket.zip] egg1 password:\r\n<\/pre>\n<p>The password can be cracked using <code>fcrackzip<\/code> in dictionary mode (<code>-D<\/code>, with <code>-u<\/code> verifying each candidate via <code>unzip<\/code>) and a wordlist like <code>rockyou.txt<\/code>:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg11# fcrackzip -u -D -p \/usr\/share\/wordlists\/rockyou.txt basket.zip\r\n\r\n\r\nPASSWORD FOUND!!!!: pw == thumper\r\n<\/pre>\n<p>Now the files can be extracted:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg11\/a# unzip basket.zip\r\nArchive:  basket.zip\r\n&#x5B;basket.zip] egg1 password: (thumper)\r\n  inflating: egg1\r\n  inflating: egg2\r\n  inflating: egg3\r\n  inflating: egg4\r\n  inflating: egg5\r\n  inflating: egg6\r\n<\/pre>\n<p>The first file <code>egg1<\/code> seems to be an m4v-file:<\/p>\n<pre class=\"brush: bash; gutter: false; highlight: [2]; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg11\/a# file *\r\nbasket.zip: Zip archive data, at least v2.0 to extract\r\negg1:       ISO Media, Apple iTunes Video (.M4V) Video\r\negg2:       data\r\negg3:       data\r\negg4:       data\r\negg5:       
data\r\negg6:       data\r\n<\/pre>\n<p>After searching through the other files, I recognized that all files seem to be part of the m4v-file:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg11\/a# cat egg* &gt; total.m4v\r\n<\/pre>\n<p>This file is a valid movie which can be played. The movie has also been posted on <a href=\"https:\/\/twitter.com\/HackyEaster\/status\/981605532556546051\" target=\"_blank\" rel=\"noopener\">twitter<\/a>.<\/p>\n<p>I recognized that there are 14926 bytes at the end of the file (in this case part of the original file <code>egg6<\/code>), which do not belong to the actual movie:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg11# tail -c 14926 total.m4v | hexdump -C | head -n30\r\n00000000  26 29 28 24 23 5e 40 2a  23 5e 28 00 76 af b1 b8  |&amp;)($#^@*#^(.v...|\r\n00000010  f2 f5 e5 f5 ff ff ff f2  b6 b7 bb ad ff ff fe 1f  |................|\r\n00000020  ff ff fe 1f f7 fc ff ff  ff b5 f5 b1 58 ff ff fd  |............X...|\r\n00000030  02 af b3 ab ba ff ff ff  cc c6 c9 cc c6 c9 d0 d0  |................|\r\n00000040  d0 cc c7 c9 cb c8 c9 cc  c8 c9 ca c8 c8 cc c7 c9  |................|\r\n00000050  cb c9 c8 ca c9 c8 cb c9  c9 ca c8 c8 cc c7 ca c6  |................|\r\n00000060  c6 c6 cb c8 c8 ca c9 c9  cb c9 c9 c8 c7 c5 c8 c8  |................|\r\n00000070  c4 cb c8 c8 cc c8 c9 cc  c7 ca cc c8 c9 cb c8 c9  |................|\r\n00000080  cb c8 c8 cb c9 c9 cb ca  c9 cb c8 c8 cb c8 c9 cb  |................|\r\n00000090  c8 c8 ca c8 c7 ca c8 c7  cb c8 c8 ca c9 c8 cb ca  |................|\r\n000000a0  ca cb c8 c8 ca c9 c7 c9  c9 c9 00 05 04 06 1b 17  |................|\r\n000000b0  00 00 00 cc c5 c9 cc c9  c5 63 50 ab ca ca ca 39  |.........cP....9|\r\n000000c0  48 84 ce cb c7 d1 ce c9  0e 0e 0d a2 a0 9d 38 37  |H.............87|\r\n000000d0  36 10 10 0f 2c 2b 2a 21  21 20 b4 b1 ae ad aa a7  
|6...,+*!! ......|\r\n...\r\n<\/pre>\n<p>My assumption is that this is an encrypted image, but I did not figure it out in time.<\/p>\n<h1 id=\"chlg12\">12 &#8211; Patience (mobile)<\/h1>\n<p>I used the <a href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.gmail.heagoo.apkeditor&#038;hl=de\" target=\"_blank\" rel=\"noopener\">APK Editor<\/a> app to edit the challenge html-file <code>challenge12.html<\/code> &#8230;<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg12_01.png\" alt=\"\" width=\"280\" class=\"alignnone size-full wp-image-510\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg12_01.png 1080w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg12_01-191x300.png 191w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg12_01-768x1203.png 768w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg12_01-654x1024.png 654w\" sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/p>\n<p>&#8230; and added an output for the hash, which is calculated 100000 times before being used as the image name of the egg:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg12_02.png\" alt=\"\" width=\"280\" class=\"alignnone size-full wp-image-511\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg12_02.png 1080w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg12_02-175x300.png 175w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg12_02-768x1314.png 768w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg12_02-598x1024.png 598w\" sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/p>\n<p>The first hash, which is calculated with the start value <code>genesis<\/code> and the count <code>100000<\/code>, is 
<code>deff00cf98ca4019d94ccfe99a5c35c81b39c917<\/code>:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg12_03.png\" alt=\"\" width=\"280\" class=\"alignnone size-full wp-image-512\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg12_03.png 1080w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg12_03-187x300.png 187w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg12_03-768x1230.png 768w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg12_03-639x1024.png 639w\" sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/p>\n<p>Since the hash is 160 bits (= 20 bytes) long, it is probably <i>sha1<\/i>. Thus I tried a few candidate inputs for the hash calculation:<\/p>\n<pre class=\"brush: bash; gutter: false; highlight: [6]; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg12# echo -n &quot;genesis&quot; | sha1sum\r\nfe10566e2adeece8faf585a8fbd5db896e4a60f7  -\r\nroot@kali:~\/Documents\/he18\/egg12# echo -n &quot;genesis,100000&quot; | sha1sum\r\n45b76c441161c736e3d81154ede7addfa2a91dd5  -\r\nroot@kali:~\/Documents\/he18\/egg12# echo -n &quot;genesis100000&quot; | sha1sum\r\ndeff00cf98ca4019d94ccfe99a5c35c81b39c917  -\r\n<\/pre>\n<p>The last one is a hit. 
The hash input is the previous hash concatenated with the current count value.<\/p>\n<p>I wrote the following python-script to calculate the final hash, which is the image name of the egg:<\/p>\n<pre class=\"brush: python; first-line: 0; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg12# cat egg12.py\r\n#!\/usr\/bin\/env python\r\n\r\nimport hashlib\r\n\r\nc = 100000\r\nh = &quot;genesis&quot;\r\n\r\n# each round hashes the previous hex digest followed by the current count\r\n# (Python 2: hashlib accepts the str directly)\r\nwhile c &gt; 0:\r\n  m = hashlib.sha1()\r\n  m.update(h+str(c))\r\n  h = m.hexdigest()\r\n  c -= 1\r\n\r\nprint(&quot;https:\/\/hackyeaster.hacking-lab.com\/hackyeaster\/images\/eggs\/&quot; + h + &quot;.png&quot;)\r\n<\/pre>\n<p>Running the script &#8230;<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg12# .\/egg12.py\r\nhttps:\/\/hackyeaster.hacking-lab.com\/hackyeaster\/images\/eggs\/dd6f1596ab39b463ebecc2158e3a0a2ceed76ec8.png\r\n<\/pre>\n<p>&#8230; yields the egg:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg12_04-300x300.png\" alt=\"\" width=\"300\" height=\"300\" class=\"alignnone size-medium wp-image-513\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg12_04-300x300.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg12_04-150x150.png 150w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg12_04-100x100.png 100w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg12_04.png 480w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/p>\n<h1 id=\"chlg13\">13 &#8211; Sagittarius&#8230;<\/h1>\n<p>The provided file <code>pila.kmz<\/code> is a <i>Keyhole Markup Language Zipped<\/i> file, which contains some coordinates and five images:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg13# file pila.kmz\r\npila.kmz: Zip archive data, at least v2.0 to 
extract\r\nroot@kali:~\/Documents\/he18\/egg13# unzip pila.kmz\r\nArchive:  pila.kmz\r\n  inflating: pila.kml\r\n  inflating: star_b_20.png\r\n  inflating: star_w_20.png\r\n  inflating: star_ya_20.png\r\n  inflating: star_yb_20.png\r\n  inflating: star_yc_20.png\r\nroot@kali:~\/Documents\/he18\/egg13# cat pila.kml\r\n&lt;kml xmlns=&quot;http:\/\/www.opengis.net\/kml\/2.2&quot; hint=&quot;target=sky&quot;&gt;&lt;Document&gt;\r\n&lt;Style id=&quot;b20&quot;&gt;&lt;IconStyle&gt;&lt;scale&gt;1&lt;\/scale&gt;&lt;Icon&gt;&lt;href&gt;star_b_20.png&lt;\/href&gt;&lt;\/Icon&gt;&lt;\/IconStyle&gt;&lt;\/Style&gt;\r\n&lt;Style id=&quot;b15&quot;&gt;&lt;IconStyle&gt;&lt;scale&gt;0.75&lt;\/scale&gt;&lt;Icon&gt;&lt;href&gt;star_b_20.png&lt;\/href&gt;&lt;\/Icon&gt;&lt;\/IconStyle&gt;&lt;\/Style&gt;\r\n&lt;Style id=&quot;b10&quot;&gt;&lt;IconStyle&gt;&lt;scale&gt;0.5&lt;\/scale&gt;&lt;Icon&gt;&lt;href&gt;star_b_20.png&lt;\/href&gt;&lt;\/Icon&gt;&lt;\/IconStyle&gt;&lt;\/Style&gt;\r\n&lt;Style id=&quot;w20&quot;&gt;&lt;IconStyle&gt;&lt;scale&gt;1&lt;\/scale&gt;&lt;Icon&gt;&lt;href&gt;star_w_20.png&lt;\/href&gt;&lt;\/Icon&gt;&lt;\/IconStyle&gt;&lt;\/Style&gt;\r\n...\r\n&lt;Placemark&gt;\r\n&lt;styleUrl&gt;#yc10&lt;\/styleUrl&gt;&lt;Point&gt;&lt;coordinates&gt;120.70710678118655,-44.792893218813454,0&lt;\/coordinates&gt;&lt;\/Point&gt;\r\n&lt;\/Placemark&gt;\r\n\r\n&lt;Placemark&gt;\r\n&lt;styleUrl&gt;#b10&lt;\/styleUrl&gt;&lt;Point&gt;&lt;coordinates&gt;120.67572462851734,-44.762845859799256,0&lt;\/coordinates&gt;&lt;\/Point&gt;\r\n&lt;\/Placemark&gt;\r\n                        \r\n&lt;Placemark&gt;\r\n&lt;styleUrl&gt;#yc20&lt;\/styleUrl&gt;&lt;Point&gt;&lt;coordinates&gt;120.64018439966448,-44.73177872040262,0&lt;\/coordinates&gt;&lt;\/Point&gt;\r\n&lt;\/Placemark&gt;\r\n...\r\n<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg13_01-300x65.png\" alt=\"\" width=\"300\" height=\"65\" class=\"alignnone size-medium 
wp-image-514\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg13_01-300x65.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg13_01.png 473w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/p>\n<p>The kmz-file represents coordinates in the sky and can be viewed using <i>Google Earth<\/i>:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg13_02-1024x633.png\" alt=\"\" width=\"525\" height=\"325\" class=\"alignnone size-large wp-image-515\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg13_02-1024x633.png 1024w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg13_02-300x186.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg13_02-768x475.png 768w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg13_02.png 1101w\" sizes=\"(max-width: 525px) 100vw, 525px\" \/><\/p>\n<p>After changing the icon for the coordinates, we can see that the coordinates look similar to a qrcode:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg13_03.png\" alt=\"\" width=\"665\" class=\"alignnone size-full wp-image-516\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg13_03.png 765w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg13_03-300x198.png 300w\" sizes=\"(max-width: 706px) 89vw, (max-width: 767px) 82vw, 740px\" \/><\/p>\n<p>The coordinates are actually located on circles but appear distorted when viewed in <i>Google Earth<\/i>. The coordinates seem to be located on 13 different circles. 
This means that we are looking for a 25&#215;25 qrcode:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg13_04-1024x442.png\" alt=\"\" width=\"525\" height=\"227\" class=\"alignnone size-large wp-image-517\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg13_04-1024x442.png 1024w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg13_04-300x129.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg13_04-768x331.png 768w\" sizes=\"(max-width: 525px) 100vw, 525px\" \/><\/p>\n<p>The coordinates located on the circles must be transformed to the appropriate squares in order to form a valid qrcode:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg13_05-1024x433.png\" alt=\"\" width=\"525\" height=\"222\" class=\"alignnone size-large wp-image-518\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg13_05-1024x433.png 1024w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg13_05-300x127.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg13_05-768x324.png 768w\" sizes=\"(max-width: 525px) 100vw, 525px\" \/><\/p>\n<p>I started by determining which radius each of the 13 circles has using the following python-script:<\/p>\n<pre class=\"brush: python; first-line: 0; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg13# cat radius.py\r\n#!\/usr\/bin\/python\r\n\r\nimport math\r\nfrom PIL import Image\r\n\r\nf = open(&quot;pila.kml&quot;, &quot;r&quot;)\r\n\r\ntagOpen = &quot;&lt;coordinates&gt;&quot;\r\ntagClose = &quot;&lt;\/coordinates&gt;&quot;\r\ncoords = &#x5B;]\r\nmax_x = 0.0\r\nmin_x = 10000.0\r\nmax_y = -1000.0\r\nmin_y = 0.0\r\ncenter_x = 0.0\r\ncenter_y = 0.0\r\n\r\n# parse coordinates and determine min\/max coordinate\r\nfor l in f:\r\n  if (tagOpen in l):\r\n    coord = 
&#x5B;float(x) for x in l&#x5B;l.index(tagOpen)+len(tagOpen):l.index(tagClose)].split(&quot;,&quot;)]\r\n    coords.append(coord)\r\n    if (coord&#x5B;0] &gt; max_x): max_x = coord&#x5B;0]\r\n    if (coord&#x5B;0] &lt; min_x): min_x = coord&#x5B;0]\r\n    if (coord&#x5B;1] &gt; max_y): max_y = coord&#x5B;1]\r\n    if (coord&#x5B;1] &lt; min_y): min_y = coord&#x5B;1]\r\n\r\ncenter_x = min_x + (max_x - min_x) \/ 2\r\ncenter_y = min_y + (max_y - min_y) \/ 2\r\n\r\nprint(max_x)\r\nprint(min_x)\r\nprint(max_y)\r\nprint(min_y)\r\nprint(&quot;&quot;)\r\nprint(center_x)\r\nprint(center_y)\r\n\r\nme = &#x5B;]\r\n\r\n# collect the distinct (rounded) distances from the center\r\nfor coord in coords:\r\n  u = coord&#x5B;0] - center_x\r\n  v = coord&#x5B;1] - center_y\r\n  d = math.degrees(math.atan2(u,v))\r\n  r = float(round(math.sqrt(u**2+v**2),2))\r\n  if (r not in me): me.append(r)\r\n\r\nprint(me)\r\nprint(len(me))\r\n<\/pre>\n<p>I rounded the radius to two decimals:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg13# .\/radius.py\r\n121.0\r\n119.0\r\n-44.5034542418\r\n-46.5\r\n\r\n120.0\r\n-45.5017271209\r\n&#x5B;1.0, 0.92, 0.83, 0.84, 0.75, 0.67, 0.58, 0.59, 0.5, 0.42, 0.33, 0.34, 0.25, 0.17, 0.08, 0.66, 0.91]\r\n17\r\n<\/pre>\n<p>17 different radius values have been found, but there are only 13 circles. There are four pairs which differ only in the last decimal. Each pair can be treated as lying on the same circle:<\/p>\n<ul>\n<li>0.84 \/ 0.83<\/li>\n<li>0.59 \/ 0.58<\/li>\n<li>0.67 \/ 0.66<\/li>\n<li>0.34 \/ 0.33<\/li>\n<\/ul>\n<p>Based on this I wrote a python-script which transforms the coordinates on the circles to a valid qrcode. 
The script does:<\/p>\n<ol>\n<li>calculate the radius and degree of a coordinate<\/li>\n<li>determine on which of the 13 circles\/squares the coordinate is located based on the radius<\/li>\n<li>determine the concrete x\/y-square-value of the coordinate based on the degree<\/li>\n<\/ol>\n<p>The following image shows an example:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg13_06.png\" alt=\"\" width=\"884\" class=\"alignnone size-full wp-image-519\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg13_06.png 2084w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg13_06-300x96.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg13_06-768x245.png 768w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg13_06-1024x326.png 1024w\" sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/p>\n<p>The python-script:<\/p>\n<pre class=\"brush: python; first-line: 0; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg13# cat transform.py\r\n#!\/usr\/bin\/env python\r\n\r\nfrom __future__ import division, print_function\r\nimport math\r\nfrom PIL import Image\r\n\r\ndef getRdIdx(r):\r\n  r = float(round(r,2))\r\n  if (r == 1.0): return 0\r\n  elif (r &lt;= 0.92 and r &gt;= 0.91): return 1\r\n  elif (r &lt;= 0.84 and r &gt;= 0.83): return 2\r\n  elif (r == 0.75): return 3\r\n  elif (r &lt;= 0.67 and r &gt;= 0.66): return 4\r\n  elif (r &lt;= 0.59 and r &gt;= 0.58): return 5\r\n  elif (r == 0.5): return 6\r\n  elif (r == 0.42): return 7\r\n  elif (r &lt;= 0.34 and r &gt;= 0.33): return 8\r\n  elif (r == 0.25): return 9\r\n  elif (r == 0.17): return 10\r\n  elif (r == 0.08): return 11\r\n  else: return 12\r\n\r\n\r\n# y,x = 0..24\r\n# center = (12,12)\r\ndef degreeBlocks(y, x):\r\n  y_tmp = 12 - y\r\n  x_tmp = x - 12\r\n  return math.degrees(math.atan2(x_tmp, y_tmp))\r\n\r\n\r\n\r\ndef 
getDiff(a1, a2):\r\n  r = (a2-a1) % 360.0\r\n  if r &gt;= 180.0: r -= 360.0\r\n  return abs(r)\r\n\r\n\r\n\r\nf = open(&quot;pila.kml&quot;, &quot;r&quot;)\r\n\r\ntagOpen = &quot;&lt;coordinates&gt;&quot;\r\ntagClose = &quot;&lt;\/coordinates&gt;&quot;\r\ncoords = &#x5B;]\r\nmax_x = 0.0\r\nmin_x = 10000.0\r\nmax_y = -1000.0\r\nmin_y = 0.0\r\ncenter_x = 0.0\r\ncenter_y = 0.0\r\n\r\nfor l in f:\r\n  if (tagOpen in l):\r\n    coord = &#x5B;float(x) for x in l&#x5B;l.index(tagOpen)+len(tagOpen):l.index(tagClose)].split(&quot;,&quot;)]\r\n    coords.append(coord)\r\n    if (coord&#x5B;0] &gt; max_x): max_x = coord&#x5B;0]\r\n    if (coord&#x5B;0] &lt; min_x): min_x = coord&#x5B;0]\r\n    if (coord&#x5B;1] &gt; max_y): max_y = coord&#x5B;1]\r\n    if (coord&#x5B;1] &lt; min_y): min_y = coord&#x5B;1]\r\n\r\ncenter_x = min_x + (max_x - min_x) \/ 2\r\ncenter_y = min_y + (max_y - min_y) \/ 2\r\n\r\nme = {}\r\nfor i in range(13):\r\n  me&#x5B;i] = 0\r\n\r\nbestAll = &#x5B;]\r\n\r\nfor coord in coords:\r\n  u = center_x - coord&#x5B;0]\r\n  v = -1*(center_y - coord&#x5B;1])\r\n  d = math.degrees(math.atan2(u,v))\r\n  r = math.sqrt(u**2+v**2)\r\n  rd_idx = getRdIdx(r)\r\n  me&#x5B;rd_idx] += 1\r\n\r\n  best_degree_diff = 360\r\n  best = None\r\n\r\n  for y in range(25):\r\n    for x in range(25):\r\n      if ((y&gt;=rd_idx and y&lt;=24-rd_idx and x&gt;=rd_idx and x&lt;=24-rd_idx) and (y == rd_idx or y == (24-rd_idx) or x == rd_idx or x == (24-rd_idx))):\r\n        degree_blocks = degreeBlocks(y,x)\r\n        diff = getDiff(d, degree_blocks)\r\n        if (diff &lt; best_degree_diff):\r\n          best_degree_diff = diff\r\n          best = (y,x)\r\n\r\n  bestAll.append(best)\r\n\r\n\r\nim = Image.new(&quot;RGB&quot;, (25,25), &quot;white&quot;)\r\npix = im.load()\r\n\r\nfor y in range(25):\r\n  for x in range(25):\r\n    if ((y,x) in bestAll):\r\n      pix&#x5B;x,y] = (0,0,0)\r\n\r\nim.save(&quot;out.png&quot;)\r\n<\/pre>\n<p>Running the script &#8230;<\/p>\n<pre class=\"brush: 
bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg13# .\/transform.py\r\n<\/pre>\n<p>&#8230; generates the qrcode:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg13_07.png\" alt=\"\" width=\"200\" height=\"200\" class=\"alignnone size-full wp-image-520\" \/><\/p>\n<h1 id=\"chlg14\">14 &#8211; Same same&#8230;<\/h1>\n<p>The provided file <code>upload.php.txt<\/code> contains the source-code of the challenge-website (<code>http:\/\/whale.hacking-lab.com:4444<\/code>):<\/p>\n<pre class=\"brush: php; highlight: [18]; title: ; notranslate\" title=\"\">\r\n&lt;?php\r\nrequire __DIR__ . &quot;\/vendor\/autoload.php&quot;; \/\/ QR decoder library from https:\/\/github.com\/khanamiryan\/php-qrcode-detector-decoder\r\n\r\ntry {\r\n    $qrcode1 = new QrReader($_FILES&#x5B;&quot;file1&quot;]&#x5B;&quot;tmp_name&quot;]);\r\n    $answer1 = $qrcode1-&gt;text();\r\n} catch(Exception $e) {\r\n    exit(&quot;Error while reading the first QR.&quot;);\r\n}\r\n\r\ntry {\r\n    $qrcode2 = new QrReader($_FILES&#x5B;&quot;file2&quot;]&#x5B;&quot;tmp_name&quot;]);\r\n    $answer2 = $qrcode2-&gt;text(); \r\n} catch(Exception $e) {\r\n    exit(&quot;Error while reading the second QR.&quot;);\r\n}\r\n\r\nif(($answer1 == &quot;Hackvent&quot; &amp;&amp; $answer2 == &quot;Hacky Easter&quot; or $answer1 == &quot;Hacky Easter&quot; &amp;&amp; $answer2 == &quot;Hackvent&quot;) &amp;&amp; sha1_file($_FILES&#x5B;&quot;file1&quot;]&#x5B;&quot;tmp_name&quot;]) == sha1_file($_FILES&#x5B;&quot;file2&quot;]&#x5B;&quot;tmp_name&quot;])) {\r\n    &#x5B;SURPRISE]\r\n}\r\nelse {\r\n    echo &quot;:-(&quot;;\r\n}\r\n?&gt;\r\n<\/pre>\n<p>The website expects two files to be uploaded:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg14_01.png\" alt=\"\" width=\"597\" class=\"alignnone size-full wp-image-521\" 
srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg14_01.png 797w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg14_01-300x293.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg14_01-768x751.png 768w\" sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/p>\n<p>The uploaded files are treated as images containing a qrcode. The parsed strings of the qrcodes are stored in <code>$answer1<\/code> and <code>$answer2<\/code>. In order to fulfill the crucial comparison on line 18 and get the egg, the two qrcodes must contain the strings <code>Hackvent<\/code> and <code>Hacky Easter<\/code> (one each, in either order). Also, the sha1 hash of both files must be the same, so we need two different files that collide under SHA-1.<\/p>\n<p>The qrcode images can be generated using <code>qrencode<\/code>:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nusr@host:~\/pdf$ qrencode &quot;Hackvent&quot; -o qr1.png\r\nusr@host:~\/pdf$ qrencode &quot;Hacky Easter&quot; -o qr2.png\r\n<\/pre>\n<p>Of course the sha1 hashes of these images are not the same:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nusr@host:~\/pdf$ sha1sum qr1.png \r\n1b7a5b35b69d924a7203e740e4b364e3fcbf6fb9  qr1.png\r\nusr@host:~\/pdf$ sha1sum qr2.png \r\na95574beb9b4ffd4f67c2d4aeb53f0b8c95f55c8  qr2.png\r\n<\/pre>\n<p>On GitHub there is a python-script (<a href=\"https:\/\/github.com\/nneonneo\/sha1collider\" target=\"_blank\" rel=\"noopener\">sha1collider<\/a>) which uses the SHAttered pdf prologue from <a href=\"https:\/\/shattered.io\/\" target=\"_blank\" rel=\"noopener\">https:\/\/shattered.io\/<\/a> to generate two pdf files with the same sha1 hash.<\/p>\n<p>We start by converting the png files to pdf:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nusr@host:~\/pdf$ convert qr1.png qr1.pdf\r\nusr@host:~\/pdf$ convert qr2.png qr2.pdf\r\n<\/pre>\n<p>Git clone 
<i>sha1collider<\/i>:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nusr@host:~\/pdf$ git clone https:\/\/github.com\/nneonneo\/sha1collider\r\nKlone nach 'sha1collider' ...\r\nremote: Counting objects: 18, done.\r\nremote: Total 18 (delta 0), reused 0 (delta 0), pack-reused 18\r\nEntpacke Objekte: 100% (18\/18), Fertig.\r\n<\/pre>\n<p>And run the script on both pdf files:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nusr@host:~\/pdf$ .\/sha1collider\/collide.py --progressive qr1.pdf qr2.pdf \r\n&#x5B;12:39:08] INFO: rendering file 1...\r\nGPL Ghostscript 9.21 (2017-03-16)\r\nCopyright (C) 2017 Artifex Software, Inc.  All rights reserved.\r\nThis software comes with NO WARRANTY: see the file PUBLIC for details.\r\nProcessing pages 1 through 1.\r\nPage 1\r\n&#x5B;12:39:08] INFO: rendering file 2...\r\n...\r\n363x363 RGB Targa image\r\nIndependent JPEG Group's CJPEG, version 9b  17-Jan-2016\r\nCopyright (C) 2016, Thomas G. 
Lane, Guido Vollbeding\r\n363x363 RGB Targa image\r\n&#x5B;12:39:08] INFO: producing final PDFs\r\n<\/pre>\n<p>Note: as stated on GitHub, the script should be called with the option <code>--progressive<\/code>.<\/p>\n<p>The sha1 hash of both files is now the same:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nusr@host:~\/pdf$ sha1sum out-*\r\nbdece875ca36c6505b0728cbeca7495db1a30246  out-qr1.pdf\r\nbdece875ca36c6505b0728cbeca7495db1a30246  out-qr2.pdf\r\n<\/pre>\n<p>After uploading the files we get the egg:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg14_02.png\" alt=\"\" width=\"597\" class=\"alignnone size-full wp-image-522\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg14_02.png 797w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg14_02-150x150.png 150w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg14_02-300x298.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg14_02-768x763.png 768w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg14_02-100x100.png 100w\" sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/p>\n<h1 id=\"chlg15\">15 &#8211; Manila greetings<\/h1>\n<p>The provided file <code>deck<\/code> contains a list of playing cards:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg15# cat deck\r\nd8\r\ns3\r\nd7\r\nd3\r\nc2\r\ns5\r\nda\r\nc6\r\ns7\r\nd6\r\njr\r\n...\r\n<\/pre>\n<p>The secret message <code>GTIFL RVLEJ TAVEY ULDJO KCCOK P<\/code> seems to be encrypted somehow using the deck of cards.<\/p>\n<p>When googling for encryption methods based on playing cards, I stumbled upon the following: <a href=\"https:\/\/www.schneier.com\/academic\/solitaire\/\" target=\"_blank\" rel=\"noopener\">The Solitaire Encryption 
Algorithm<\/a>.<\/p>\n<p>The article describes in detail how the cryptosystem code-named <i>Pontifex<\/i> from Neal Stephenson&#8217;s novel <i>Cryptonomicon<\/i> works. Within the novel the characters <i>Enoch Root<\/i> and <i>Randy Waterhouse<\/i> (mentioned in the challenge) communicate using this cryptosystem.<\/p>\n<p>I followed the description in the article and wrote a python-script to decode the message (see comments in code):<\/p>\n<pre class=\"brush: python; first-line: 0; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg15# cat solitaire.py\r\n#!\/usr\/bin\/env python\r\n\r\ndeck = &#x5B;]\r\n\r\ndef cardToNum(card):\r\n  # ordering:\r\n  #    1..13 : clubs A,2,3,...,9,10,J,Q,K\r\n  #   14..26 : diamonds A,2,3,...,9,10,J,Q,K\r\n  #   27..39 : hearts A,2,3,...,9,10,J,Q,K\r\n  #   40..52 : spades A,2,3,...,9,10,J,Q,K\r\n  #   53..54 : joker A, joker B\r\n  if (card == &quot;jr&quot;): return 53\r\n  if (card == &quot;jb&quot;): return 54\r\n  arr_clr = {&quot;c&quot;:0,&quot;d&quot;:1,&quot;h&quot;:2,&quot;s&quot;:3}\r\n  arr_val = {&quot;a&quot;:1,&quot;2&quot;:2,&quot;3&quot;:3,&quot;4&quot;:4,&quot;5&quot;:5,&quot;6&quot;:6,&quot;7&quot;:7,&quot;8&quot;:8,&quot;9&quot;:9,&quot;10&quot;:10,&quot;j&quot;:11,&quot;q&quot;:12,&quot;k&quot;:13}\r\n  clr = card&#x5B;0]\r\n  val = card&#x5B;1:]\r\n  return arr_clr&#x5B;clr]*13 + arr_val&#x5B;val]\r\n\r\n\r\ndef streamChar():\r\n  global deck\r\n  # step 1: Find the A joker\r\n  for i in range(len(deck)):\r\n    if (deck&#x5B;i] == 53):\r\n      if (i == len(deck)-1):\r\n        deck = deck&#x5B;0:1] + &#x5B;53] + deck&#x5B;1:len(deck)-1]\r\n        break\r\n      else:\r\n        tmp = deck&#x5B;i]\r\n        deck&#x5B;i] = deck&#x5B;i+1]\r\n        deck&#x5B;i+1] = tmp\r\n        break\r\n\r\n  # step 2: Find the B joker\r\n  for i in range(len(deck)):\r\n    if (deck&#x5B;i] == 54):\r\n      if (i == len(deck)-1):\r\n        deck = deck&#x5B;0:2] + &#x5B;54] + 
deck&#x5B;2:len(deck)-1]\r\n        break\r\n      elif (i == len(deck)-2):\r\n        deck = deck&#x5B;0:1] + &#x5B;54] + deck&#x5B;1:len(deck)-2] + &#x5B;deck&#x5B;len(deck)-1]]\r\n        break\r\n      else:\r\n        deck = deck&#x5B;:i] + deck&#x5B;i+1:i+3] + &#x5B;54] + deck&#x5B;i+3:]\r\n        break\r\n\r\n  # step 3: Perform a triple cut\r\n  a = -1\r\n  b = -1\r\n  for i in range(len(deck)):\r\n    if (deck&#x5B;i] == 53 or deck&#x5B;i]== 54):\r\n      if (a &lt; 0): a = i\r\n      else:\r\n        b = i\r\n        break\r\n  deck = deck&#x5B;b+1:] + deck&#x5B;a:b+1] + deck&#x5B;:a]\r\n\r\n  # step 4: Perform a count cut\r\n  bottom = deck&#x5B;len(deck)-1]\r\n  if (bottom &lt;= 52): deck = deck&#x5B;bottom:-1] + deck&#x5B;:bottom] + &#x5B;bottom]\r\n\r\n\r\n  # step 5: Find the output card\r\n  top = deck&#x5B;0]\r\n  if (top == 54): top = 53\r\n  top = deck&#x5B;top]\r\n\r\n  if (top &lt;= 52): return top%26\r\n  return streamChar()\r\n\r\n\r\n# key = secret deck\r\nf = open(&quot;deck&quot;)\r\nfor card in f: deck.append(cardToNum(card.strip()))\r\n\r\nencrypted = &quot;GTIFLRVLEJTAVEYULDJOKCCOKP&quot;\r\ndecrypted = &quot;&quot;\r\n\r\nfor c in encrypted:\r\n  decr = ord(c)-65\r\n  decr -= streamChar()\r\n  decr = decr % 26\r\n  decr = chr(decr+65)\r\n  decrypted += decr\r\n\r\nprint(decrypted)\r\n<\/pre>\n<p>Running the script yields the password:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg15# .\/solitaire.py\r\nTHEPASSWORDISCRYPTONOMICON\r\n<\/pre>\n<p>The password is <code><span class=\"spanFlag\">CRYPTONOMICON<\/span><\/code>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg15_01-300x300.png\" alt=\"\" width=\"300\" height=\"300\" class=\"alignnone size-medium wp-image-523\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg15_01-300x300.png 300w, 
https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg15_01-150x150.png 150w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg15_01-100x100.png 100w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg15_01.png 480w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/p>\n<h1 id=\"chlg16\">16 &#8211; git cloak --hard<\/h1>\n<p>The provided zip archive <code>repo.zip<\/code> contains a few images and a <code>.git<\/code> folder:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg16# unzip repo.zip\r\nArchive:  repo.zip\r\n   creating: .git\/\r\n   creating: .git\/branches\/\r\n extracting: .git\/COMMIT_EDITMSG\r\n  inflating: .git\/config\r\n  inflating: .git\/description\r\n extracting: .git\/HEAD\r\n   creating: .git\/hooks\/\r\n  inflating: .git\/hooks\/applypatch-msg.sample\r\n  inflating: .git\/hooks\/commit-msg.sample\r\n...\r\nroot@kali:~\/Documents\/he18\/egg16# ls -al\r\ntotal 3432\r\ndrwxr-xr-x 3 root root    4096 May  7 08:58 .\r\ndrwxr-xr-x 4 root root    4096 May  7 08:58 ..\r\n-rwxrwx--- 1 root root  131816 Jan 23 05:43 01.jpg\r\n-rwxrwx--- 1 root root   14089 Jan 23 05:43 02.png\r\n-rwxrwx--- 1 root root   46846 Jan 23 05:43 03.jpg\r\n-rwxrwx--- 1 root root   44226 Jan 23 05:43 05.jpg\r\n-rwxrwx--- 1 root root   40417 Jan 23 05:43 06.jpg\r\n-rwxrwx--- 1 root root  348680 Jan 23 05:43 07.png\r\n-rwxrwx--- 1 root root    9260 Jan 23 05:43 08.png\r\n-rwxrwx--- 1 root root   35368 Jan 23 05:43 09.jpg\r\n-rwxrwx--- 1 root root   30336 Jan 23 05:43 10.jpg\r\n-rwxrwx--- 1 root root  282284 Jan 23 05:43 11.png\r\ndrwxrwx--- 8 root root    4096 Jan 23 05:43 .git\r\n-rw-r--r-- 1 root root 2497086 May  7 08:58 repo.zip\r\n<\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg16_01.png\" alt=\"\" width=\"545\" class=\"alignnone size-full wp-image-524\" 
srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg16_01.png 645w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg16_01-300x93.png 300w\" sizes=\"(max-width: 645px) 100vw, 645px\" \/><\/p>\n<p>The egg in <code>02.png<\/code> is not yet what we are looking for. When browsing through the different revisions with git, another egg can be found:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg16_02-300x300.png\" alt=\"\" width=\"300\" height=\"300\" class=\"alignnone size-medium wp-image-525\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg16_02-300x300.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg16_02-150x150.png 150w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg16_02-100x100.png 100w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg16_02.png 480w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/p>\n<p>This is also not yet what we are looking for. 
When I did not find any other files browsing the different versions, I thought that if there is another egg, it must be stored in <code>.\/git\/objects<\/code>:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg16# find .git\/objects -type f\r\n.git\/objects\/b9\/e860f47fe6990cbda4ac5bb3d2829d2191f1eb\r\n.git\/objects\/b9\/820d55ce59799992648672a5a43fff4effd56b\r\n.git\/objects\/22\/8b603ed45ddaf1b1d3fe502e168fa2508ee5ed\r\n.git\/objects\/38\/39c14d2863fd850794661677352305ea798eb6\r\n.git\/objects\/bc\/83275bcea7da814743f1c478cb3a8771e0f1ac\r\n.git\/objects\/9a\/29769663d029f1b3ad83fec7e7f19ca1cf8e78\r\n.git\/objects\/04\/93a710296b7a684a46eed377029f7077622768\r\n.git\/objects\/d0\/c6562ce74c54358445fc3b6cc0584e32057ad5\r\n.git\/objects\/c5\/9568e4b945199366ad7ea486efbda76a07887c\r\n.git\/objects\/e7\/237971df563c82e85eb74a50ca41a218dc85ed\r\n.git\/objects\/17\/9ec0d76ecdc903ac12c4f3971efefbfb02aacb\r\n.git\/objects\/9d\/69bfb2dc3b3fd28389c7f709c3656e5c78c8c4\r\n.git\/objects\/9d\/7c9b5a1c8773ea48caac90d05401679b0a8897\r\n.git\/objects\/be\/98f627fa5d3251be77bbb7a64f5a34b6baf709\r\n.git\/objects\/24\/5735e32ed8174bdabe9655f00f1deb4ebaa3ad\r\n.git\/objects\/d7\/995a259ff0dfa28da06618d06e78b346738a6b\r\n.git\/objects\/db\/ab6618f6dc00a18b4195fb1bec5353c51b256f\r\n.git\/objects\/da\/cecafa877bd2346bd3a2c0a8a4026418491ccd\r\n.git\/objects\/34\/41837df545268c05da59d6d280a62a21343680\r\n.git\/objects\/8d\/9faa7ebaac3b61cc29cc309d11b923e9bcd5ab\r\n.git\/objects\/f7\/d946ebee06ee65e422530355c08ff2f06d456b\r\n.git\/objects\/57\/a17c1a44414c5973a7d967f2ca07eccf530ff4\r\n.git\/objects\/5e\/5e98caaa4ed1f6edee5aced3ff0b92457d6549\r\n.git\/objects\/03\/ed59cca1ea7ea0922d6fcbdb98c52931a8d3b0\r\n.git\/objects\/0e\/45662a541fee91d4652c5ba57300276eb7fa29\r\n.git\/objects\/69\/ee0b67f2701bc83cd64eec1e01c045c8a53bd3\r\n.git\/objects\/74\/1583e168e0723aef4ca0253f875a1f50144567\r\n.git\/objects\/6f\/5568ed00eb893db286164
97f18749efd4bfd89\r\n<\/pre>\n<p>So I started using <code>git cat-file<\/code> to extract each of these files and see what is in there:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg16# git cat-file -p 3839c14d2863fd850794661677352305ea798eb6 &gt; ..\/tmp\r\nroot@kali:~\/Documents\/he18\/egg16# file ..\/tmp\r\n..\/tmp: ASCII text\r\nroot@kali:~\/Documents\/he18\/egg16# cat ..\/tmp\r\ntree bc83275bcea7da814743f1c478cb3a8771e0f1ac\r\nparent 228b603ed45ddaf1b1d3fe502e168fa2508ee5ed\r\nauthor PS &lt;ps@hacking-lab.com&gt; 1516704195 -0500\r\ncommitter PS &lt;ps@hacking-lab.com&gt; 1516704195 -0500\r\n\r\nmore funny images added\r\n\r\nroot@kali:~\/Documents\/he18\/egg16# git cat-file -p 9a29769663d029f1b3ad83fec7e7f19ca1cf8e78 &gt; ..\/tmp\r\nroot@kali:~\/Documents\/he18\/egg16# file ..\/tmp\r\n..\/tmp: ASCII text\r\nroot@kali:~\/Documents\/he18\/egg16# cat ..\/tmp\r\ntree 5e5e98caaa4ed1f6edee5aced3ff0b92457d6549\r\nparent 3839c14d2863fd850794661677352305ea798eb6\r\nauthor PS &lt;ps@hacking-lab.com&gt; 1516704195 -0500\r\ncommitter PS &lt;ps@hacking-lab.com&gt; 1516704195 -0500\r\n\r\nbranch created\r\n\r\n...\r\n<\/pre>\n<p>Only text so far &#8230;<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg16# git cat-file -p 0493a710296b7a684a46eed377029f7077622768 &gt; ..\/tmp\r\nroot@kali:~\/Documents\/he18\/egg16# file ..\/tmp\r\n..\/tmp: PNG image data, 480 x 480, 8-bit\/color RGBA, non-interlaced\r\n<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg16_03-300x300.png\" alt=\"\" width=\"300\" height=\"300\" class=\"alignnone size-medium wp-image-526\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg16_03-300x300.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg16_03-150x150.png 150w, 
https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg16_03-100x100.png 100w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg16_03.png 480w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/p>\n<p>Not yet what we are looking for.<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg16# git cat-file -p d0c6562ce74c54358445fc3b6cc0584e32057ad5 &gt; ..\/tmp\r\nroot@kali:~\/Documents\/he18\/egg16# file ..\/tmp\r\n..\/tmp: PNG image data, 480 x 480, 8-bit\/color RGBA, non-interlaced\r\n<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg16_04-300x218.jpg\" alt=\"\" width=\"300\" height=\"218\" class=\"alignnone size-medium wp-image-527\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg16_04-300x218.jpg 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg16_04.jpg 454w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/p>\n<p>Keep on going &#8230;<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg16# git cat-file -p dbab6618f6dc00a18b4195fb1bec5353c51b256f &gt; ..\/tmp\r\nroot@kali:~\/Documents\/he18\/egg16# file ..\/tmp\r\n..\/tmp: PNG image data, 480 x 480, 8-bit colormap, non-interlaced\r\n<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg16_05-300x300.png\" alt=\"\" width=\"300\" height=\"300\" class=\"alignnone size-medium wp-image-528\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg16_05-300x300.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg16_05-150x150.png 150w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg16_05-100x100.png 100w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg16_05.png 480w\" sizes=\"(max-width: 300px) 
100vw, 300px\" \/><\/p>\n<p>There it is! \ud83d\ude42<\/p>\n<h1 id=\"chlg17\">17 &#8211; Space Invaders<\/h1>\n<p>The challenge provides a text file <code>invaders_msg.txt<\/code> containing Unicode-encoded smileys:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg17_01.png\" alt=\"\" width=\"618\" class=\"alignnone size-full wp-image-529\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg17_01.png 918w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg17_01-300x58.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg17_01-768x148.png 768w\" sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/p>\n<p>Also, there is a hint that the message encoded in the text file has been created using <a href=\"https:\/\/codemoji.org\" target=\"_blank\" rel=\"noopener\">codemoji.org<\/a>.<\/p>\n<p>On the website, a message can be entered and encrypted by selecting one of a few hundred smileys as the key. 
The ciphertext is a series of smileys, just like the provided <code>invaders_msg.txt<\/code>.<\/p>\n<p>I was a little bit lucky solving this challenge: before actually trying to understand the encryption mechanism, I encrypted the text <code>abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789<\/code> with a few different smileys, looking for the smileys that appear in the provided ciphertext.<\/p>\n<p>As there are a few pixel invaders on the image of the challenge, I also tried the following smiley and noticed the smileys from the encrypted message on the right side:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg17_02.png\" alt=\"\" width=\"675\" class=\"alignnone size-full wp-image-530\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg17_02.png 1375w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg17_02-300x195.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg17_02-768x498.png 768w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg17_02-1024x664.png 1024w\" sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/p>\n<p>Since the mapping from characters to smileys is one-to-one, the only thing left to do was to see which smiley corresponds to which character:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg17_03.png\" alt=\"\" width=\"344\" height=\"66\" class=\"alignnone size-full wp-image-531\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg17_03.png 344w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg17_03-300x58.png 300w\" sizes=\"(max-width: 344px) 100vw, 344px\" \/><\/p>\n<p>The password is <code><span class=\"spanFlag\">invad3rsmustd13<\/span><\/code>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" 
src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg17_04-300x300.png\" alt=\"\" width=\"300\" height=\"300\" class=\"alignnone size-medium wp-image-532\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg17_04-300x300.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg17_04-150x150.png 150w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg17_04-100x100.png 100w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg17_04.png 480w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/p>\n<h1 id=\"chlg18\">18 &#8211; Egg Factory<\/h1>\n<p>The provided file <code>A.8xp<\/code> is a program for the TI-83+ Graphing Calculator:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg18# file A.8xp\r\nA.8xp: TI-83+ Graphing Calculator (program)\r\n<\/pre>\n<p>I used a <a href=\"https:\/\/www.cemetech.net\/programs\/index.php?mode=file&#038;id=291\" target=\"_blank\" rel=\"noopener\">TI-83+ program (.8xp) Interpreter<\/a> to disassemble the file:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg18_01.png\" alt=\"\" width=\"427\" class=\"alignnone size-full wp-image-533\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg18_01.png 827w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg18_01-300x240.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg18_01-768x614.png 768w\" sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/p>\n<p>The program seems to ask for a username and a password. 
But the interesting part is at the end of the output:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nClrDraw:AxesOff:expr(Str5)*0.01-&gt;A:Line(-1.7067137809187278*A,1.1201413427561837*A,-1.6042402826855124*A,0.7667844522968198*A):Line(-4.54,2.17,-4.08,2.57):Line(-1.441696113074205*A,0.9081272084805653*A,-1.2720848056537102*A,0.7526501766784451*A):Line(-3.6,2.13,-3.36,3.35):Circle(-1.96,2.67,0.5):Line(-0.56,3.41,-0.48,1.77):Line(-0.16961130742049468*A,0.6254416961130742*A,0.13427561837455831*A,0.8586572438162544*A):Line(0.38,2.43,1,2):Line(0.35335689045936397*A,0.7067137809187279*A,0.3886925795053004*A,1.1413427561837455*A):Line(0.5653710247349824*A,0.7455830388692579*A,1.1307420494699647*A,0.724381625441696*A):Line(1.2932862190812722*A,0.7526501766784451*A,1.2650176678445229*A,1.0848056537102473*A):Line(3.58,3.07,4.66,2.21)...\r\n<\/pre>\n<p>Obviously some lines and a circle are drawn here. Some of the coordinates are multiplied with the variable <code>A<\/code>, which has been initialized with <code>Str5*0.01<\/code> (<code>expr(Str5)*0.01->A<\/code>). 
<code>Str5<\/code> seems to be the entered password:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\n...\r\nDisp &quot;ENTER PASSWORD&quot;\r\nInput &quot;&quot;,Str5\r\n...\r\n<\/pre>\n<p>I decided to adapt the program for javascript in order to draw the lines and try different values for the value <code>A<\/code>:<\/p>\n<pre class=\"brush: xml; gutter: false; title: ; notranslate\" title=\"\">\r\n&lt;html&gt;\r\n\r\n&lt;body&gt;\r\n\r\n&lt;canvas id=&quot;myCanvas&quot; width=&quot;300&quot; height=&quot;150&quot; style=&quot;border:1px solid #d3d3d3;&quot;&gt;&lt;\/canvas&gt;\r\n\r\n&lt;script&gt;\r\n\r\nfunction toPixel(x, min) {\r\n  var r = x;\r\n  if (min) r = -r;\r\n  r = (r + 14)*8;\r\n  return r;\r\n}\r\n\r\nvar A = 280 * 0.01;\r\n\r\nvar arr = &#x5B;\r\n&#x5B;-1.7067137809187278*A,1.1201413427561837*A,-1.6042402826855124*A,0.7667844522968198*A],\r\n&#x5B;-4.54,2.17,-4.08,2.57],\r\n&#x5B;-1.441696113074205*A,0.9081272084805653*A,-1.2720848056537102*A,0.7526501766784451*A],\r\n&#x5B;-3.6,2.13,-3.36,3.35],\r\n&#x5B;-0.56,3.41,-0.48,1.77],\r\n&#x5B;-0.16961130742049468*A,0.6254416961130742*A,0.13427561837455831*A,0.8586572438162544*A],\r\n&#x5B;0.38,2.43,1,2],\r\n&#x5B;0.35335689045936397*A,0.7067137809187279*A,0.3886925795053004*A,1.1413427561837455*A],\r\n&#x5B;0.5653710247349824*A,0.7455830388692579*A,1.1307420494699647*A,0.724381625441696*A],\r\n&#x5B;1.2932862190812722*A,0.7526501766784451*A,1.2650176678445229*A,1.0848056537102473*A],\r\n&#x5B;3.58,3.07,4.66,2.21],\r\n&#x5B;1.646643109540636*A,0.7420494699646644*A,1.7102473498233215*A,1.049469964664311*A],\r\n&#x5B;5.28,2.75,5.82,3.13],\r\n&#x5B;2.056537102473498*A,1.106007067137809*A,2.035335689045936*A,0.7879858657243816*A],\r\n&#x5B;7.12,3.17,6.28,2.85],\r\n&#x5B;2.219081272084806*A,1.0070671378091873*A,2.204946996466431*A,0.8091872791519434*A],\r\n&#x5B;6.24,2.29,7.18,2.15],\r\n&#x5B;9.5,3.69,8.3,3.61],\r\n&#x5B;2.932862190812721*A,1.2756183745583038*A,2.904593639
575972*A,1.0353356890459364*A],\r\n&#x5B;8.22,2.93,9,3],\r\n&#x5B;8.22,2.93,8.12,2.15],\r\n&#x5B;2.869257950530035*A,0.7597173144876325*A,3.095406360424028*A,0.773851590106007*A],\r\n&#x5B;9.74,2.11,11.34,2.13],\r\n&#x5B;11.98,3.81,12,3],\r\n&#x5B;4.240282685512367*A,1.0600706713780919*A,4.240282685512367*A,0.7067137809187279*A],\r\n&#x5B;4.240282685512367*A,1.0600706713780919*A,4.515901060070671*A,1.0636042402826855*A],\r\n&#x5B;12.76,3.75,12.78,3.01],\r\n&#x5B;12.78,3.01,12.78,2.07],\r\n&#x5B;13.36,2.13,13.68,3.79],\r\n&#x5B;13.68,3.79,14.6,2.19],\r\n&#x5B;4.7773851590106*A,1.0141342756183747*A,4.946996466431095*A,1.0600706713780919*A],\r\n&#x5B;5.300353356890459*A,0.7067137809187279*A,5.795053003533568*A,1.226148409893993*A],\r\n&#x5B;15,3.81,16.4,2.07],\r\n];\r\n\r\nvar c=document.getElementById(&quot;myCanvas&quot;);\r\nvar ctx=c.getContext(&quot;2d&quot;);\r\nctx.beginPath();\r\nfor (var i = 0; i &lt; arr.length; i++) {\r\n  console.log(toPixel(arr&#x5B;i]&#x5B;0]));\r\n  ctx.moveTo(toPixel(arr&#x5B;i]&#x5B;0]),toPixel(arr&#x5B;i]&#x5B;1], true));\r\n  ctx.lineTo(toPixel(arr&#x5B;i]&#x5B;2]),toPixel(arr&#x5B;i]&#x5B;3], true));\r\n}\r\nctx.stroke();\r\n\r\nctx.beginPath();\r\nctx.arc(toPixel(-1.96), toPixel(2.67, true), 6, 0, 2 * Math.PI);\r\nctx.stroke();\r\n&lt;\/script&gt;\r\n&lt;\/body&gt;\r\n&lt;\/html&gt;\r\n<\/pre>\n<p>It turned out to be quite easy, because the value for <code>A<\/code> can be adjusted gradually until a clear text is visible:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg18_02.png\" alt=\"\" width=\"393\" class=\"alignnone size-full wp-image-534\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg18_02.png 793w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg18_02-300x232.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg18_02-768x593.png 768w\" sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, 
(max-width: 1071px) 543px, 580px\" \/><\/p>\n<p>The password is <code><span class=\"spanFlag\">WOW_N1CE_HAX<\/span><\/code>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg18_03-300x300.png\" alt=\"\" width=\"300\" height=\"300\" class=\"alignnone size-medium wp-image-535\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg18_03-300x300.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg18_03-150x150.png 150w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg18_03-100x100.png 100w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg18_03.png 480w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/p>\n<h1 id=\"chlg19\">19 &#8211; Virtual Hen<\/h1>\n<p>The provided file is an ELF 64-bit binary, which is not stripped, so the symbol names are still available:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg19# file create_egg\r\ncreate_egg: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter \/lib64\/ld-linux-x86-64.so.2, for GNU\/Linux 3.2.0, BuildID&#x5B;sha1]=ffe41b0a0fccc1f712e981f592ad454e929a681a, not stripped\r\n<\/pre>\n<p>When the program is run, it prompts for a password:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg19# .\/create_egg\r\nEnter password: test\r\n<\/pre>\n<p>After the password is entered, the program terminates without any further output. 
Within the program&#8217;s directory a new file called <code>egg<\/code> is created:<\/p>\n<pre class=\"brush: bash; gutter: false; highlight: [6]; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg19# ls -al\r\ntotal 52\r\ndrwxr-xr-x 2 root root  4096 May  7 06:45 .\r\ndrwxr-xr-x 5 root root  4096 May  7 06:45 ..\r\n-rwxr-xr-x 1 root root 25032 May  7 06:45 create_egg\r\n-rw-r--r-- 1 root root 15624 May  7 06:45 egg\r\n<\/pre>\n<p>The file does not seem to be in a valid format:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg19# file egg\r\negg: data\r\nroot@kali:~\/Documents\/he18\/egg19# hexdump -C egg | head\r\n00000000  2c 4a 6e fb 0d 98 6e ee  00 d3 28 0f 32 23 7c 63  |,Jn...n...(.2#|c|\r\n00000010  01 1e 69 ef 67 5a de 6c  a3 b8 ca 71 6f b2 bd 29  |..i.gZ.l...qo..)|\r\n00000020  51 d3 84 2f d4 e8 01 24  4f fd 89 9b 24 bc 3a 3b  |Q..\/...$O...$.:;|\r\n00000030  ee 14 65 a1 22 ba b9 a7  8d 70 6d a7 91 b4 9e 04  |..e.&quot;....pm.....|\r\n00000040  cf ca 39 39 0f 03 d0 f5  4a 80 36 7a 9b c8 40 b4  |..99....J.6z..@.|\r\n00000050  8a 3c 00 ff 3a 5a c5 08  76 60 9a a6 55 0b 91 73  |.&lt;..:Z..v`..U..s|\r\n00000060  77 79 f3 e7 50 3f b9 59  33 ee 28 a5 80 27 50 62  |wy..P?.Y3.(..'Pb|\r\n00000070  bd 3e a4 52 fd e9 54 cf  3a 4d 0c 81 f9 da 10 20  |.&gt;.R..T.:M..... |\r\n00000080  5d 25 15 51 be 34 bb 9f  45 cd e2 ce b8 68 47 cf  |]%.Q.4..E....hG.|\r\n00000090  cd d5 44 e8 5e 15 d2 9c  a6 0b fa de 97 0a 2b 01  |..D.^.........+.|\r\n<\/pre>\n<p>Let&#8217;s start reversing the binary using <code>r2<\/code>:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg19\/bla# r2 -A create_egg\r\n&#x5B;x] Analyze all flags starting with sym. 
and entry0 (aa)\r\n&#x5B;x] Analyze len bytes of instructions for references (aar)\r\n&#x5B;x] Analyze function calls (aac)\r\n&#x5B;x] Use -AA or aaaa to perform additional experimental analysis.\r\n&#x5B;x] Constructing a function name for fcn.* and sym.func.* functions (aan)\r\n&#x5B;0x00400820]&gt;\r\n<\/pre>\n<p>List all functions:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\n&#x5B;0x00400820]&gt; afl\r\n0x00400000    3 73   -&gt; 75   sym.imp.__libc_start_main\r\n0x004005f8    3 23           sym._init\r\n0x00400620    2 16   -&gt; 32   sym.imp.fclose\r\n0x00400630    2 16   -&gt; 48   sym.imp.__stack_chk_fail\r\n0x00400640    2 16   -&gt; 48   sym.imp.memcpy\r\n0x00400650    2 16   -&gt; 48   sym.imp.malloc\r\n0x00400660    2 16   -&gt; 48   sym.imp.__printf_chk\r\n0x00400670    2 16   -&gt; 48   sym.imp.fopen\r\n0x00400680    2 16   -&gt; 48   sym.imp.getline\r\n0x00400690    2 16   -&gt; 48   sym.imp.fwrite\r\n0x004006a0   13 381          main\r\n0x00400820    1 43           entry0\r\n0x00400850    3 35           sym.deregister_tm_clones\r\n0x00400880    3 53           sym.register_tm_clones\r\n0x004008c0    3 34   -&gt; 29   sym.__do_global_dtors_aux\r\n0x004008f0    1 7            entry1.init\r\n0x00400900    3 97           sym.d\r\n0x00400970    4 101          sym.__libc_csu_init\r\n0x004009e0    1 2            sym.__libc_csu_fini\r\n0x004009e4    1 9            sym._fini\r\n<\/pre>\n<p>Disassemble the <code>main<\/code> function:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\n&#x5B;0x00400820]&gt; pdf @ main\r\n            ;-- section_end..plt:\r\n            ;-- section..text:\r\n            ;-- main:\r\n\/ (fcn) main 381\r\n|   main ();\r\n|           ; var int local_8h @ rsp+0x8\r\n|           ; var int local_10h @ rsp+0x10\r\n|           ; var int local_14h @ rsp+0x14\r\n|           ; var int local_18h @ rsp+0x18\r\n|           ; var int local_1ch @ rsp+0x1c\r\n|           
; var int local_28h @ rsp+0x28\r\n|              ; DATA XREF from 0x0040083d (entry0)\r\n|           0x004006a0      4154           push r12                    ; section 13 va=0x004006a0 pa=0x000006a0 sz=834 vsz=834 rwx=--r-x .text\r\n|           0x004006a2      55             push rbp\r\n|           0x004006a3      bf083d0000     mov edi, 0x3d08\r\n|           0x004006a8      53             push rbx\r\n|           0x004006a9      4883ec30       sub rsp, 0x30               ; '0'\r\n...\r\n<\/pre>\n<p>Before the password is read, the content which is later written in the file <code>egg<\/code> is copied using <code>memcpy<\/code>. This content is stored in <code>obj.c<\/code>: <\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\n...\r\n|           0x004006c2      ba083d0000     mov edx, 0x3d08\r\n|           0x004006c7      be200a4000     mov esi, obj.c              ; 0x400a20\r\n|           0x004006cc      4889c7         mov rdi, rax\r\n|           0x004006cf      4989c4         mov r12, rax\r\n|           0x004006d2      e869ffffff     call sym.imp.memcpy         ; void *memcpy(void *s1, const void *s2, size_t n)\r\n...\r\n&#x5B;0x00400820]&gt; px @ obj.c\r\n- offset -   0 1  2 3  4 5  6 7  8 9  A B  C D  E F  0123456789ABCDEF\r\n0x00400a20  50cb b5d5 6483 4ffe e791 fc42 3fb9 118e  P...d.O....B?...\r\n0x00400a30  6c0a 5c98 12c8 f4b9 0acd b1eb ea80 2757  l.\\...........'W\r\n0x00400a40  5092 c5b5 af6c fea2 565b 428e 7b22 a1f5  P....l..V&#x5B;B.{&quot;..\r\n0x00400a50  b8c6 9077 03e3 0d65 6655 8c94 5254 2f8e  ...w...efU..RT\/.\r\n0x00400a60  0031 284a b249 1257 122e 70b3 1b0a 233a  .1(J.I.W..p...#:\r\n0x00400a70  113d 6cd0 e389 b3aa 37ed f67c e7d2 070a  .=l.....7..|....\r\n0x00400a80  1f7a 2108 e19b 1448 2fac ffa4 998b a1c1  .z!....H\/.......\r\n...\r\n<\/pre>\n<p>The password is read using the function <code>getline<\/code>:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\n...\r\n|           
0x00400708      e873ffffff     call sym.imp.getline\r\n...\r\n<\/pre>\n<p>Only the first 8 characters of the password are processed. Each of these characters is ANDed with <code>0xffffffdf<\/code> and ORed with <code>0x40<\/code>:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\n|       |   0x0040071c      48c744240808.  mov qword &#x5B;local_8h], 8\r\n|       |      ; JMP XREF from 0x0040080d (main)\r\n|      .--&gt; 0x00400725      31d2           xor edx, edx\r\n|      :|   0x00400727      660f1f840000.  nop word &#x5B;rax + rax]\r\n|      :|      ; JMP XREF from 0x0040074e (main)\r\n|     .---&gt; 0x00400730      488b0c24       mov rcx, qword &#x5B;rsp]\r\n|     ::|   0x00400734      4801d1         add rcx, rdx                ; '('\r\n|     ::|   0x00400737      4883c201       add rdx, 1\r\n|     ::|   0x0040073b      0fb601         movzx eax, byte &#x5B;rcx]\r\n|     ::|   0x0040073e      83e0df         and eax, 0xffffffdf\r\n|     ::|   0x00400741      83c840         or eax, 0x40                ; '@'\r\n|     ::|   0x00400744      8801           mov byte &#x5B;rcx], al\r\n|     ::|   0x00400746      488b4c2408     mov rcx, qword &#x5B;local_8h]   ; &#x5B;0x8:8]=-1 ; 8\r\n|     ::|   0x0040074b      4839d1         cmp rcx, rdx\r\n|     `===&lt; 0x0040074e      77e0           ja 0x400730\r\n<\/pre>\n<p>This means that the third most significant bit (bit 5, <code>0x20<\/code>) is always cleared and the second most significant bit (bit 6, <code>0x40<\/code>) is always set:<\/p>\n<pre>\r\n            01234567\r\ncharacter = ????????\r\n        AND 11<span style=\"color:#ff0000;\">0<\/span>11111 (0xdf)\r\n        OR  0<span style=\"color:#ff0000;\">1<\/span>000000 (0x40)\r\n        -------------------\r\n            ?<span style=\"color:#ff0000;\">10<\/span>?????\r\n<\/pre>\n<p>Since the password is probably ASCII, which means that the MSB (bit 7) is 0, only 5 bits of each character remain unknown; every converted byte therefore lies in the range <code>0x40<\/code> to <code>0x5f<\/code>.<\/p>\n<p>By single-stepping through the <code>main<\/code> function using <code>gdb<\/code> we can see that 8 characters of the password are 
processed, even if the password actually entered is shorter:<\/p>\n<pre class=\"brush: bash; gutter: false; highlight: [11]; title: ; notranslate\" title=\"\">\r\n&#x5B;-------------------------------------code-------------------------------------]\r\n   0x400741 &lt;main+161&gt;: or     eax,0x40\r\n   0x400744 &lt;main+164&gt;: mov    BYTE PTR &#x5B;rcx],al\r\n   0x400746 &lt;main+166&gt;: mov    rcx,QWORD PTR &#x5B;rsp+0x8]\r\n=&gt; 0x40074b &lt;main+171&gt;: cmp    rcx,rdx\r\n   0x40074e &lt;main+174&gt;: ja     0x400730 &lt;main+144&gt;\r\n   0x400750 &lt;main+176&gt;: mov    rsi,QWORD PTR &#x5B;rsp]\r\n   0x400754 &lt;main+180&gt;: xor    edx,edx\r\n   0x400756 &lt;main+182&gt;: lea    rbp,&#x5B;r12+0x3d08]\r\n&#x5B;------------------------------------stack-------------------------------------]\r\n0000| 0x7fffffffe470 --&gt; 0x60a380 (&quot;TESTJ@@@&quot;)\r\n0008| 0x7fffffffe478 --&gt; 0x8\r\n0016| 0x7fffffffe480 --&gt; 0x7ffff7de70e0 (&lt;_dl_fini&gt;:    push   rbp)\r\n0024| 0x7fffffffe488 --&gt; 0x0\r\n0032| 0x7fffffffe490 --&gt; 0x400970 (&lt;__libc_csu_init&gt;:   push   r15)\r\n0040| 0x7fffffffe498 --&gt; 0xca0b6a3337f88000\r\n0048| 0x7fffffffe4a0 --&gt; 0x0\r\n0056| 0x7fffffffe4a8 --&gt; 0x400970 (&lt;__libc_csu_init&gt;:   push   r15)\r\n&#x5B;------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\n0x000000000040074b in main ()\r\ngdb-peda$\r\n<\/pre>\n<p>I entered <code>test<\/code> as the password, which is converted to <code>TESTJ@@@<\/code> because of the newline at the end of the input (<code>0x0a & 0xdf | 0x40 = 0x4a ('J')<\/code>) and the following three zero-bytes (<code>0x00 & 0xdf | 0x40 = 0x40 ('@')<\/code>).<\/p>\n<p>The 8 converted characters are appended to the password, resulting in 16 bytes in total:<\/p>\n<pre class=\"brush: bash; gutter: false; highlight: [4,13]; title: ; notranslate\" 
title=\"\">\r\n&#x5B;-------------------------------------code-------------------------------------]\r\n   0x40078e &lt;main+238&gt;: div    rcx\r\n   0x400791 &lt;main+241&gt;: mov    eax,DWORD PTR &#x5B;rsi+rdx*1]\r\n   0x400794 &lt;main+244&gt;: mov    DWORD PTR &#x5B;rsp+0x1c],eax\r\n=&gt; 0x400798 &lt;main+248&gt;: nop    DWORD PTR &#x5B;rax+rax*1+0x0]\r\n   0x4007a0 &lt;main+256&gt;: lea    rsi,&#x5B;rsp+0x10]\r\n   0x4007a5 &lt;main+261&gt;: mov    rdi,rbx\r\n   0x4007a8 &lt;main+264&gt;: add    rbx,0x8\r\n   0x4007ac &lt;main+268&gt;: call   0x400900 &lt;d&gt;\r\n&#x5B;------------------------------------stack-------------------------------------]\r\n0000| 0x7fffffffe470 --&gt; 0x60a380 (&quot;TESTJ@@@&quot;)\r\n0008| 0x7fffffffe478 --&gt; 0x8\r\n0016| 0x7fffffffe480 (&quot;TESTJ@@@TESTJ@@@p\\t@&quot;)\r\n0024| 0x7fffffffe488 (&quot;TESTJ@@@p\\t@&quot;)\r\n0032| 0x7fffffffe490 --&gt; 0x400970 (&lt;__libc_csu_init&gt;:   push   r15)\r\n0040| 0x7fffffffe498 --&gt; 0x828407aaaa32e100\r\n0048| 0x7fffffffe4a0 --&gt; 0x0\r\n0056| 0x7fffffffe4a8 --&gt; 0x400970 (&lt;__libc_csu_init&gt;:   push   r15)\r\n&#x5B;------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\n0x0000000000400798 in main ()\r\ngdb-peda$\r\n<\/pre>\n<p>In this case the converted password is <code>TESTJ@@@TESTJ@@@<\/code>.<\/p>\n<p>Next, the function <code>d<\/code> is called with the converted password and the first block of the encrypted content from <code>obj.c<\/code> as arguments:<\/p>\n<pre class=\"brush: bash; gutter: false; highlight: [5,11,12]; title: ; notranslate\" title=\"\">\r\n&#x5B;-------------------------------------code-------------------------------------]\r\n   0x4007a0 &lt;main+256&gt;: lea    rsi,&#x5B;rsp+0x10]\r\n   0x4007a5 &lt;main+261&gt;: mov    rdi,rbx\r\n   0x4007a8 &lt;main+264&gt;: add    rbx,0x8\r\n=&gt; 0x4007ac &lt;main+268&gt;: call   0x400900 &lt;d&gt;\r\n   0x4007b1 &lt;main+273&gt;: 
cmp    rbx,rbp\r\n   0x4007b4 &lt;main+276&gt;: jne    0x4007a0 &lt;main+256&gt;\r\n   0x4007b6 &lt;main+278&gt;: mov    esi,0x400a15\r\n   0x4007bb &lt;main+283&gt;: mov    edi,0x400a17\r\nGuessed arguments:\r\narg&#x5B;0]: 0x606260 --&gt; 0xfe4f8364d5b5cb50\r\narg&#x5B;1]: 0x7fffffffe480 (&quot;TESTJ@@@TESTJ@@@p\\t@&quot;)\r\narg&#x5B;2]: 0x4\r\n&#x5B;------------------------------------stack-------------------------------------]\r\n0000| 0x7fffffffe470 --&gt; 0x60a380 (&quot;TESTJ@@@&quot;)\r\n0008| 0x7fffffffe478 --&gt; 0x8\r\n0016| 0x7fffffffe480 (&quot;TESTJ@@@TESTJ@@@p\\t@&quot;)\r\n0024| 0x7fffffffe488 (&quot;TESTJ@@@p\\t@&quot;)\r\n0032| 0x7fffffffe490 --&gt; 0x400970 (&lt;__libc_csu_init&gt;:   push   r15)\r\n0040| 0x7fffffffe498 --&gt; 0x828407aaaa32e100\r\n0048| 0x7fffffffe4a0 --&gt; 0x0\r\n0056| 0x7fffffffe4a8 --&gt; 0x400970 (&lt;__libc_csu_init&gt;:   push   r15)\r\n&#x5B;------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\n0x00000000004007ac in main ()\r\ngdb-peda$\r\n<\/pre>\n<p>I started by reversing the function in C-like pseudocode:<\/p>\n<pre class=\"brush: python; title: ; notranslate\" title=\"\">\r\nfunction d(data, copied_pwd_new) {\r\n\r\n  \/\/ one 64-bit block of ciphertext: v0 = ecx, v1 = edx\r\n  ecx = &#x5B;data];\r\n  edx = &#x5B;data+4];\r\n  \/\/ the 16-byte key as four 32-bit words\r\n  r11d = &#x5B;copied_pwd_new];\r\n  r10d = &#x5B;copied_pwd_new+4];\r\n  r9d = &#x5B;copied_pwd_new+8];\r\n  r8d = &#x5B;copied_pwd_new+0xc];\r\n  \r\n  esi = 0xc6ef3720;\r\n _400920:\r\n  eax = ((ecx&lt;&lt;4)+r9d) ^ ((ecx&gt;&gt;5)+r8d);\r\n  ebx = ecx+esi;\r\n  eax ^= ebx;\r\n  edx -= eax;\r\n  \r\n  eax = ((edx&lt;&lt;4)+r11d) ^ ((edx&gt;&gt;5)+r10d);\r\n  ebx = edx+esi;\r\n  eax ^= ebx;\r\n  ecx -= eax;\r\n  \r\n  \/\/ adding 0x61c88647 is the same as subtracting 0x9e3779b9 mod 2^32;\r\n  \/\/ esi reaches 0 after 32 rounds\r\n  esi += 0x61c88647;\r\n  \r\n  if(esi != 0) jmp 400920;\r\n  &#x5B;data] = ecx;\r\n  &#x5B;data+4] = edx;\r\n}\r\n<\/pre>\n<p>Googling for the constant <code>0xc6ef3720<\/code> I figured out that the algorithm is a modified version of the <a 
href=\"https:\/\/en.wikipedia.org\/wiki\/Tiny_Encryption_Algorithm\" target=\"_blank\" rel=\"noopener\">Tiny Encryption Algorithm (TEA)<\/a>.<\/p>\n<p>The algorithm uses a 128-bit (=16 byte) key (4*4 bytes in <code>r8d-r11d<\/code>). Bruteforcing a 128-bit key would not be an option. But we know that the key is the converted password we found. This password is limited to 8 characters with 5 unknown bits each. This results in the total amount of <code>2^(5*8) = 2^40 = 1.099.511.627.776<\/code> possible passwords. Still a lot of passwords, but bruteforcing this is definitely an option.<\/p>\n<p>Before we can start to bruteforce the password, we need to know what we are actually looking for. Since the <code>egg<\/code> file, which is created by the program, is probably an image, I decided to look for a valid PNG-header &#8230;<\/p>\n<pre>\r\nPNG-header\r\n89 50 4e 47 0d 0a 1a 0a\r\n<\/pre>\n<p>&#8230; and wrote a bruteforce-program in C:<\/p>\n<pre class=\"brush: cpp; first-line: 0; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg19# cat bruteforce.c\r\n#include &lt;stdio.h&gt;\r\n#include &lt;stdint.h&gt;\r\n\r\nvoid decrypt (uint32_t* v, uint32_t* k) {\r\n  uint32_t v0=v&#x5B;0], v1=v&#x5B;1], sum=0xC6EF3720, i;\r\n  uint32_t delta=0x61c88647;\r\n  for (i=0; i&lt;32; i++) {\r\n      v1 -= ((v0&lt;&lt;4) + k&#x5B;0]) ^ (v0 + sum) ^ ((v0&gt;&gt;5) + k&#x5B;1]);\r\n      v0 -= ((v1&lt;&lt;4) + k&#x5B;0]) ^ (v1 + sum) ^ ((v1&gt;&gt;5) + k&#x5B;1]);\r\n      sum += delta;\r\n  }\r\n  v&#x5B;0]=v0; v&#x5B;1]=v1;\r\n}\r\n\r\n\r\nint main() {\r\n  uint32_t data&#x5B;] = {0xd5b5cb50, 0xfe4f8364};\r\n  uint32_t key&#x5B;]  = {0x41414141, 0x41414141};\r\n  uint64_t x = 0;\r\n  for (x = 0; x &lt; 1099511627776; x++) {\r\n\r\n    key&#x5B;0] = 0x40404040; key&#x5B;1] = 0x40404040;\r\n    data&#x5B;0] = 0xd5b5cb50; data&#x5B;1] = 0xfe4f8364;\r\n\r\n    int i;\r\n    uint32_t lastLetter = 0;\r\n    char bSet = 0x00;\r\n    for (i = 7; i &gt;= 0; i--) {\r\n   
   uint32_t tmp = ((x&gt;&gt;(i*5)) &amp; 0x1f) &lt;&lt; ((i%4)*8);\r\n      if (tmp &gt; 0 &amp;&amp; !bSet) {\r\n        bSet = 0x01;\r\n        lastLetter = i+1;\r\n      }\r\n      key&#x5B;(i&gt;=4)] += tmp;\r\n    }\r\n    \/\/ the trailing newline only becomes part of the key if the password is\r\n    \/\/ shorter than 8 characters (only the first 8 bytes are processed)\r\n    if (lastLetter &lt; 8) key&#x5B;(lastLetter&gt;=4)] += (0x0a &lt;&lt; ((lastLetter%4)*8));\r\n\r\n    decrypt(data,key);\r\n    \/\/ PNG --&gt; 89 50 4e 47 0d 0a 1a 0a\r\n    if (data&#x5B;0] == 0x474e5089 &amp;&amp; data&#x5B;1] == 0x0a1a0a0d) {\r\n      printf(&quot;got png!\\n&quot;);\r\n      printf(&quot;%.8x %.8x\\n&quot;, key&#x5B;1], key&#x5B;0]);\r\n      printf(&quot;%.8x %.8x\\n&quot;, data&#x5B;1], data&#x5B;0]);\r\n      printf(&quot;x=%llu\\n&quot;, (unsigned long long)x);\r\n      return 1;\r\n    }\r\n    if (x%5000000 == 0) printf(&quot;%.8x %.8x (%llu)\\n&quot;, key&#x5B;1], key&#x5B;0], (unsigned long long)x);\r\n  }\r\n\r\n  printf(&quot;%.8x %.8x\\n&quot;, data&#x5B;0], data&#x5B;1]);\r\n  return 0;\r\n}\r\n<\/pre>\n<p>The program takes the first 16 bytes of data from <code>obj.c<\/code>, generates the next possible password based on the loop counter <code>x<\/code>, decrypts the data and tests if the decrypted data is a valid PNG-header.<\/p>\n<p>Running the program:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg19# gcc bruteforce.c\r\nroot@kali:~\/Documents\/he18\/egg19# .\/a.out\r\n40404040 4040404a (0)\r\n40404a44 58525a40 (5000000)\r\n40404a49 51455440 (10000000)\r\n40404a4e 49584e40 (15000000)\r\n40404a53 424b4840 (20000000)\r\n40404a57 5a5e4240 (25000000)\r\n40404a5c 53505c40 (30000000)\r\n404a4141 4c435640 (35000000)\r\n404a4146 44565040 (40000000)\r\n404a414a 5d494a40 (45000000)\r\n404a414f 555c4440 (50000000)\r\n404a4154 4e4e5e40 (55000000)\r\n404a4159 47415840 (60000000)\r\n404a415d 5f545240 (65000000)\r\n404a4242 58474c40 (70000000)\r\n404a4247 505a4640 (75000000)\r\n404a424c 494d4040 (80000000)\r\n404a4251 415f5a40 (85000000)\r\n404a4255 5a525440 (90000000)\r\n...\r\n<\/pre>\n<p>After running for about 
two days, the program finally stopped:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\n...\r\n47474467 5e5c5040 (248200000000)\r\n4747454c 574f4a40 (248205000000)\r\n47474551 50424440 (248210000000)\r\n47474556 48545e40 (248215000000)\r\ngot png!\r\n47474559 4b434048\r\n0a1a0a0d 474e5089\r\nx=248218225672\r\n<\/pre>\n<p>Converting the hex-values to ASCII:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg19# python\r\n&gt;&gt;&gt; x = &quot;474745594b434048&quot;\r\n&gt;&gt;&gt; x.decode(&quot;hex&quot;)&#x5B;::-1]\r\n'H@CKYEGG'\r\n<\/pre>\n<p>Using this password, the egg is a valid PNG-file:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg19# .\/create_egg\r\nEnter password: H@CKYEGG\r\nroot@kali:~\/Documents\/he18\/egg19# file egg\r\negg: PNG image data, 480 x 480, 8-bit colormap, non-interlaced\r\n<\/pre>\n<p>Done:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg19_01-300x300.png\" alt=\"\" width=\"300\" height=\"300\" class=\"alignnone size-medium wp-image-536\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg19_01-300x300.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg19_01-150x150.png 150w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg19_01-100x100.png 100w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg19_01.png 480w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/p>\n<h1 id=\"chlg20\">20 &#8211; Artist: No Name Yet<\/h1>\n<p>Unfortunately I could not spend as much time as I would have needed to solve this challenge. 
Nevertheless, here is what I got so far:<\/p>\n<p>The provided zip-archive <code>artist.zip<\/code> contains a PDF file and a MIDI file:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg20# unzip artist.zip\r\nArchive:  artist.zip\r\n  inflating: nonameyet.mid\r\n  inflating: sheet.pdf\r\n<\/pre>\n<p>The PDF file <code>sheet.pdf<\/code> contains musical notes, which are actually hidden text that can be revealed using <code>pdftotext<\/code>:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg20# pdftotext sheet.pdf\r\nroot@kali:~\/Documents\/he18\/egg20# cat sheet.txt\r\nComposition\r\n\r\nNo Name Yet\r\n\r\n\ufffdOkay, let\u2019s do the information exchange as we coordinated. First let me\r\ntell you: hiding informations in a MIDI file will be popular soon! We should\r\nonly do it this way to stay covered. MIDI hiding is just next level \u2013 wow! So,\r\nhere are all informations you need to find the secret: Trackline: Can\u2019t remember now,\r\nbut you\u2019ll find it. It\u2019s kinda quiet this time, because of the doubled protection\r\nalgorithm! 
Characters: 0 - 127 (by the way: we won\u2018t need the higher ones\r\never\u2026)Let\u2019s go!\ufffd\r\nI\u2018m very exited for the lyrics that you will create\r\nfor this masterpiece.\r\nBest wishes, your friend\r\n\r\nLuckyTail\r\n<\/pre>\n<p>Thus the secret message is hidden in the midi-file <code>nonameyet.mid<\/code>.<\/p>\n<p>I started by parsing the midi-messages using the <code>mido<\/code> python module:<\/p>\n<pre class=\"brush: python; first-line: 0; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg20# cat midi.py\r\n#!\/usr\/bin\/env python\r\n\r\nimport sys\r\nfrom mido import MidiFile\r\n\r\nmid = MidiFile(sys.argv&#x5B;1])\r\n\r\nfor i, track in enumerate(mid.tracks):\r\n    print('Track {}: {}'.format(i, track.name))\r\n    cc = &quot;&quot;\r\n    for msg in track:\r\n        print(msg)\r\n<\/pre>\n<p>Running the script displays all midi-messages within the given file:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg20# .\/midi.py nonameyet.mid | head -n200\r\nTrack 0: test\r\n&lt;meta message track_name name=u'test' time=0&gt;\r\n&lt;meta message set_tempo tempo=666666 time=0&gt;\r\n&lt;meta message time_signature numerator=4 denominator=4 clocks_per_click=24 notated_32nd_notes_per_beat=8 time=0&gt;\r\n&lt;meta message end_of_track time=0&gt;\r\nTrack 1: MIDI 01\r\n&lt;meta message track_name name=u'MIDI 01' time=0&gt;\r\n&lt;meta message end_of_track time=0&gt;\r\nTrack 2: MIDI 02\r\n&lt;meta message track_name name=u'MIDI 02' time=0&gt;\r\n&lt;meta message end_of_track time=0&gt;\r\nTrack 3: Synth Brass 1\r\n&lt;meta message track_name name=u'Synth Brass 1' time=0&gt;\r\nprogram_change channel=1 program=62 time=1016\r\ncontrol_change channel=1 control=7 value=111 time=8\r\ncontrol_change channel=1 control=120 value=0 time=0\r\ncontrol_change channel=1 control=121 value=0 time=0\r\ncontrol_change channel=1 control=7 value=111 time=0\r\nnote_on channel=1 
note=66 velocity=81 time=72992\r\ncontrol_change channel=1 control=0 value=22 time=48\r\ncontrol_change channel=1 control=0 value=3 time=8\r\ncontrol_change channel=1 control=0 value=0 time=16\r\nnote_off channel=1 note=66 velocity=64 time=1680\r\nnote_on channel=1 note=59 velocity=81 time=40\r\ncontrol_change channel=1 control=0 value=14 time=16\r\ncontrol_change channel=1 control=0 value=0 time=8\r\nnote_off channel=1 note=59 velocity=64 time=408\r\n...\r\n<\/pre>\n<p>The secret message must be hidden in some of the message values (<code>velocity<\/code>, <code>control_change<\/code>, &#8230;?).<\/p>\n<h1 id=\"chlg21\">21 &#8211; Hot Dog<\/h1>\n<p>The provided zip-archive contains a TIFF image called <code>hotdog.jpg<\/code>:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg21# unzip hotdog.zip\r\nArchive:  hotdog.zip\r\n  inflating: hotdog.jpg\r\n  \r\nroot@kali:~\/Documents\/he18\/egg21# file hotdog.jpg\r\nhotdog.jpg: TIFF image data, little-endian, direntries=27, height=2067, bps=338, compression=none, PhotometricIntepretation=RGB, description=*Don't forget to delete this*, manufacturer=Panasonic, model=DMC-FZ18, orientation=upper-left, width=2700\r\n<\/pre>\n<p>Using <code>exiftool<\/code> we can see that there is an RSA public key with the comment <code>*Don't forget to delete this*<\/code> in the image description, as well as in a layer&#8217;s description and caption-abstract:<\/p>\n<pre class=\"brush: bash; gutter: false; highlight: [20]; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg21# exiftool hotdog.jpg\r\nExifTool Version Number         : 10.80\r\nFile Name                       : hotdog.jpg\r\nDirectory                       : .\r\nFile Size                       : 33 MB\r\nFile Modification Date\/Time     : 2018:02:28 08:26:44-05:00\r\nFile Access Date\/Time           : 2018:05:06 13:09:39-04:00\r\nFile Inode Change Date\/Time     : 2018:05:06 
13:09:38-04:00\r\nFile Permissions                : rw-r--r--\r\nFile Type                       : TIFF\r\nFile Type Extension             : tif\r\nMIME Type                       : image\/tiff\r\nExif Byte Order                 : Little-endian (Intel, II)\r\nSubfile Type                    : Full-resolution Image\r\nImage Width                     : 2700\r\nImage Height                    : 2067\r\nBits Per Sample                 : 8 8 8\r\nCompression                     : Uncompressed\r\nPhotometric Interpretation      : RGB\r\nImage Description               : *Don't forget to delete this*..-----BEGIN PUBLIC KEY-----.MIIBIDANBgkqhkiG9w0BAQEFAAOCAQ0AMIIBCAKBgQTMleqB9nvRKhTnR4\/2BDDU.g5hkjbRQygvrZWDATbC9rXxCAqaegim2XUlD8yVxYkyzJZxmAYba7qLTe3bctocM.L7GXdMf3kQiVLPigN2auEiPFreWZvZ\/b4FzcvOhh+SprypAkYn9SapTyGzLdpYdD.TyoWFRT7QgEhIsDGcncsXQKBgQCVbdUZa5uQ7O9bgu2WPvUwwvuI+ZK5gOZCF299.1QRa\/rdDHKyYiUxxZXjemxGICxvoC698wVvmVqzG\/sCT+iLArIh4OmSHgyd1yjcA.CWmsffHYLvsl3tnN9Jiu5qzN6aGthHjK\/424NK0RkfjUdmnQydYN\/MqfS7c+AkfJ.QWV\/9w==.-----END PUBLIC KEY-----.\r\nMake                            : Panasonic\r\nCamera Model Name               : DMC-FZ18\r\nStrip Offsets                   : 28836\r\n...\r\n<\/pre>\n<p>Opening the file in <code>gimp<\/code> raises multiple errors and shows an image displaying some sausages:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg21_01.png\" alt=\"\" width=\"660\" class=\"alignnone size-full wp-image-537\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg21_01.png 1160w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg21_01-300x211.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg21_01-768x541.png 768w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg21_01-1024x721.png 1024w\" sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/p>\n<p>When inspecting the 
file with <code>tiffinfo<\/code>, we can see that there is an unknown field with tag <code>0x935c<\/code> and that there seems to be a Photoshop text layer containing the text <code>That\u2018s the flag :) For real! Wasn\u2018t that simple?<\/code>. The end of the file is not parsed correctly and the raw bytes are printed as hex values.<\/p>\n<pre class=\"brush: bash; gutter: false; highlight: [2,24,25]; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg21# tiffinfo hotdog.jpg | head -c 8000\r\nTIFFReadDirectory: Warning, Unknown field with tag 37724 (0x935c) encountered.\r\nTIFFFetchNormalTag: Warning, Incompatible type for &quot;RichTIFFIPTC&quot;; tag ignored.\r\nTIFF Directory at offset 0x8 (8)\r\n  Subfile Type: (0 = 0x0)\r\n  Image Width: 2700 Image Length: 2067\r\n  Resolution: 72, 72 pixels\/inch\r\n  ...\r\n  Make: Panasonic\r\n  Model: DMC-FZ18\r\n  Software: Adobe Photoshop CS6 (Macintosh)\r\n  DateTime: 2018:02:27 19:19:33\r\n  Artist: xorkiwi\r\n  XMLPacket (XMP Metadata):\r\n  ...\r\n      &lt;rdf:Description rdf:about=&quot;&quot;\r\n            xmlns:photoshop=&quot;http:\/\/ns.adobe.com\/photoshop\/1.0\/&quot;&gt;\r\n         &lt;photoshop:LegacyIPTCDigest&gt;00000000000000000000000000000001&lt;\/photoshop:LegacyIPTCDigest&gt;\r\n         &lt;photoshop:DateCreated&gt;2009-12-16T15:58:44&lt;\/photoshop:DateCreated&gt;\r\n         &lt;photoshop:ColorMode&gt;3&lt;\/photoshop:ColorMode&gt;\r\n         &lt;photoshop:TextLayers&gt;\r\n            &lt;rdf:Bag&gt;\r\n               &lt;rdf:li rdf:parseType=&quot;Resource&quot;&gt;\r\n                  &lt;photoshop:LayerName&gt;That\u2018s the flag :) For real! Wasn\u2018t that simple?&lt;\/photoshop:LayerName&gt;\r\n                  &lt;photoshop:LayerText&gt;That\u2018s the flag :) For real! 
Wasn\u2018t that simple?&lt;\/photoshop:LayerText&gt;\r\n               &lt;\/rdf:li&gt;\r\n            &lt;\/rdf:Bag&gt;\r\n         &lt;\/photoshop:TextLayers&gt;\r\n         ...\r\n<\/pre>\n<p>Googling for the unknown field tag <code>0x935c<\/code> revealed that this tag is created by photoshop. Thus I decided to try converting the file to a <code>psd<\/code> file:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg21# convert hotdog.jpg hotdog.psd\r\nconvert-im6.q16: Incompatible type for &quot;RichTIFFIPTC&quot;; tag ignored. `TIFFFetchNormalTag' @ warning\/tiff.c\/TIFFWarnings\/912.\r\nconvert-im6.q16: Incompatible type for &quot;FileSource&quot;; tag ignored. `TIFFFetchNormalTag' @ warning\/tiff.c\/TIFFWarnings\/912.\r\nconvert-im6.q16: Incompatible type for &quot;SceneType&quot;; tag ignored. `TIFFFetchNormalTag' @ warning\/tiff.c\/TIFFWarnings\/912.\r\nconvert-im6.q16: Wrong data type 3 for &quot;GainControl&quot;; tag ignored. `TIFFReadCustomDirectory' @ warning\/tiff.c\/TIFFWarnings\/912.\r\nconvert-im6.q16: Incompatible type for &quot;RichTIFFIPTC&quot;; tag ignored. 
`TIFFFetchNormalTag' @ warning\/tiff.c\/TIFFWarnings\/912.\r\n<\/pre>\n<p>Yet again some errors are raised, but the file can be opened in <code>gimp<\/code>:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg21_02.png\" alt=\"\" width=\"661\" class=\"alignnone size-full wp-image-538\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg21_02.png 1161w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg21_02-300x211.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg21_02-768x540.png 768w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg21_02-1024x721.png 1024w\" sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/p>\n<p>Now we can see that there are three layers:<\/p>\n<ol>\n<li>the sausages (<i>Wow<\/i>)<\/li>\n<li>a text layer: <i>That\u2018s the flag \ud83d\ude42 For real! Wasn\u2018t that simple?<\/i><\/li>\n<li>a red egg with a qrcode<\/li>\n<\/ol>\n<p>Using the online decoder <a href=\"https:\/\/zxing.org\/w\/decode.jspx\" target=\"_blank\" rel=\"noopener\">zxing.org<\/a> we can see that the qrcode contains the following string:<\/p>\n<pre>\r\nArf3ThIY8VQg2GUd249wzDYi7CXqTST+9g4Q7bbT2eF+mD2KB+6oi3rVSY\/eZ6\/onNBNYPo2BPqIVEbL35G62pIHvabGcrYosGCpYhiz6EYnamnNPrHdzmEOs8lCRw1c2Pe8kl41FH0ud7tBn6qD\/stnZfGkcbeIrjaSiIYSveHS\r\n<\/pre>\n<p>base64 \ud83d\ude42<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg21# echo &quot;Arf3ThIY8VQg2GUd249wzDYi7CXqTST+9g4Q7bbT2eF+mD2KB+6oi3rVSY\/eZ6\/onNBNYPo2BPqIVEbL35G62pIHvabGcrYosGCpYhiz6EYnamnNPrHdzmEOs8lCRw1c2Pe8kl41FH0ud7tBn6qD\/stnZfGkcbeIrjaSiIYSveHS&quot; | base64 -d\r\n\\\u2592\u2592^5}.w\u2592A\u2592\u2592\u2592\u2592\u2592ge\u2592q\u2592\u2592\u25926\u2592\u2592\u2592\u2592\u2592\u2592\r\n<\/pre>\n<p>Does not seem to be ASCII. 
The text layer states that this should be the egg. So it can maybe be decrypted with the RSA public key, we already found. Let&#8217;s store the key in a file <code>rsa.pub<\/code>:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg21# echo &quot;-----BEGIN PUBLIC KEY-----.MIIBIDANBgkqhkiG9...qfS7c+AkfJ.QWV\/9w==.-----END PUBLIC KEY-----&quot; | tr '.' '\\n' &gt; rsa.pub\r\n<\/pre>\n<p>The RSA public key parameters (<code>N<\/code> and <code>e<\/code>) can be parsed using <code>openssl<\/code>:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg21# openssl asn1parse -i -in rsa.pub\r\n    0:d=0  hl=4 l= 288 cons: SEQUENCE\r\n    4:d=1  hl=2 l=  13 cons:  SEQUENCE\r\n    6:d=2  hl=2 l=   9 prim:   OBJECT            :rsaEncryption\r\n   17:d=2  hl=2 l=   0 prim:   NULL\r\n   19:d=1  hl=4 l= 269 prim:  BIT STRING\r\n   \r\nroot@kali:~\/Documents\/he18\/egg21# openssl asn1parse -i -in rsa.pub -strparse 19\r\n    0:d=0  hl=4 l= 264 cons: SEQUENCE\r\n    4:d=1  hl=3 l= 129 prim:  INTEGER           :04CC95EA81F67BD12A14E7478FF60430D48398648DB450CA0BEB6560C04DB0BDAD7C4202A69E8229B65D4943F32571624CB3259C660186DAEEA2D37B76DCB6870C2FB19774C7F79108952CF8A03766AE1223C5ADE599BD9FDBE05CDCBCE861F92A6BCA9024627F526A94F21B32DDA587434F2A161514FB42012122C0C672772C5D\r\n  136:d=1  hl=3 l= 129 prim:  INTEGER           :956DD5196B9B90ECEF5B82ED963EF530C2FB88F992B980E642176F7DD5045AFEB7431CAC98894C716578DE9B11880B1BE80BAF7CC15BE656ACC6FEC093FA22C0AC88783A6487832775CA37000969AC7DF1D82EFB25DED9CDF498AEE6ACCDE9A1AD8478CAFF8DB834AD1191F8D47669D0C9D60DFCCA9F4BB73E0247C941657FF7\r\n<\/pre>\n<p>The first integer (<code>04CC95...<\/code>) is <code>N<\/code> and the second one (<code>956DD5..<\/code>) is <code>e<\/code>.<\/p>\n<p>At next we convert <code>N<\/code> to a decimal number &#8230;<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" 
title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg21# python -c 'print(0x04CC95EA81F67...2C5D)'\r\n8627421546422318392454906523054...995677\r\n<\/pre>\n<p>&#8230; and see if there is a factorization on <a href=\"http:\/\/factordb.com\/\" target=\"_blank\" rel=\"noopener\">factordb.com<\/a>:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg21_03.png\" alt=\"\" width=\"676\" class=\"alignnone size-full wp-image-539\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg21_03.png 1376w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg21_03-300x118.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg21_03-768x302.png 768w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg21_03-1024x403.png 1024w\" sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/p>\n<p>Great! We have got the two primes <code>p<\/code> and <code>q<\/code> (<code>N = p * q<\/code>). 
With those two values we can calculate <code>phi(N) = (p-1) * (q-1)<\/code>, the multiple inverse <code>d<\/code> and try to decrypt the data from the qrcode:<\/p>\n<pre class=\"brush: python; first-line: 0; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg21# cat decrypt.py\r\n#!\/usr\/bin\/env python\r\n\r\nfrom Crypto.PublicKey import RSA\r\nfrom fractions import gcd\r\nimport gmpy2\r\nimport base64\r\n\r\n# N and e from openssl output\r\nN = 0x04CC95EA81F67BD12A14E7478FF60430D48398648DB450CA0BEB6560C04DB0BDAD7C4202A69E8229B65D4943F32571624CB3259C660186DAEEA2D37B76DCB6870C2FB19774C7F79108952CF8A03766AE1223C5ADE599BD9FDBE05CDCBCE861F92A6BCA9024627F526A94F21B32DDA587434F2A161514FB42012122C0C672772C5D\r\ne = 0x956DD5196B9B90ECEF5B82ED963EF530C2FB88F992B980E642176F7DD5045AFEB7431CAC98894C716578DE9B11880B1BE80BAF7CC15BE656ACC6FEC093FA22C0AC88783A6487832775CA37000969AC7DF1D82EFB25DED9CDF498AEE6ACCDE9A1AD8478CAFF8DB834AD1191F8D47669D0C9D60DFCCA9F4BB73E0247C941657FF7\r\n\r\n# p and q factors for N from factordb.com\r\np = 21787995226958172829467888206490681114003213044856067031128998135742112625134255635772352085743308949466567934785458002652816217408595135233580400606278413\r\nq = 39597133451487334277950950530003861952885112404500618298702299905566831117666470098035890477572068210683971280104304184580469417440656443567196733216950929\r\n\r\n# phi(N)\r\nphi=(p-1)*(q-1)\r\n\r\n# ciphertext from qrcode\r\nct = 'Arf3ThIY8VQg2GUd249wzDYi7CXqTST+9g4Q7bbT2eF+mD2KB+6oi3rVSY\/eZ6\/onNBNYPo2BPqIVEbL35G62pIHvabGcrYosGCpYhiz6EYnamnNPrHdzmEOs8lCRw1c2Pe8kl41FH0ud7tBn6qD\/stnZfGkcbeIrjaSiIYSveHS'\r\nct = base64.b64decode(ct)\r\n\r\n# multiple invers\r\nd   = long(gmpy2.divm(1, e, phi))\r\n\r\nrsa = RSA.construct((N,e,d,p,q))\r\npt  = rsa.decrypt(ct)\r\nprint pt\r\n<\/pre>\n<p>Running the script yields the password:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg21# 
.\/decrypt.py\r\nx\u2592e1\u2592CA\u2592\u2592sZJ\u2592\u2592\u2592\u2592ff\u2592\u2592\u2592\u2592F\u2592:&quot;0\u25929;\r\n\u2592\u2592\u2592\u032c\u25925\u2592\u2592g~Great job haxxor, here's your flag: {b3w4r3_0f_c0n71nu3d_fr4c710n5}\r\n<\/pre>\n<p>The password is <code><span class=\"spanFlag\">b3w4r3_0f_c0n71nu3d_fr4c710n5<\/span><\/code>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg21_04-300x300.png\" alt=\"\" width=\"300\" height=\"300\" class=\"alignnone size-medium wp-image-540\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg21_04-300x300.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg21_04-150x150.png 150w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg21_04-100x100.png 100w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg21_04.png 480w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/p>\n<h1 id=\"chlg22\">22 &#8211; Block Jane<\/h1>\n<p>The challenge provides an encrypted message &#8230;<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg22# hexdump -C secret.enc\r\n00000000  e3 43 f4 26 04 ca 58 a7  31 ad bf 10 b3 76 ee 33  |.C.&amp;..X.1....v.3|\r\n00000010  aa 94 49 26 cd f9 54 40  0d 86 ee 4f 6e 35 77 4e  |..I&amp;..T@...On5wN|\r\n00000020  c5 10 fe 57 67 ba ba 99  a3 ed 28 fa 26 dc 99 b6  |...Wg.....(.&amp;...|\r\n00000030  c1 da dd 08 7e 4c ee 27  e4 55 07 00 52 76 c1 0f  |....~L.'.U..Rv..|\r\n00000040  d9 c1 5f 27 d3 48 1a 92  f3 4d d4 64 77 f7 be 3c  |.._'.H...M.dw..&lt;|\r\n00000050\r\n<\/pre>\n<p>&#8230; and a server which accepts these messages:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg22# cat secret.enc | nc whale.hacking-lab.com 5555\r\nok\r\n<\/pre>\n<p>Other messages are not accepted:<\/p>\n<pre class=\"brush: bash; gutter: 
false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg22# head \/dev\/urandom -c 80 | nc whale.hacking-lab.com 5555\r\nerror\r\n<\/pre>\n<p>The challenge description states that AES was used to encrypt the message. Also the title of the challenge <i>Block Jane<\/i> suggests that AES was used in <a href=\"https:\/\/en.wikipedia.org\/wiki\/Block_cipher_mode_of_operation#Cipher_Block_Chaining_(CBC)\" target=\"_blank\" rel=\"noopener\">Cipher Block Chaining (CBC) mode<\/a>. After a little bit of googling I stumbled upon the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Padding_oracle_attack\" target=\"_blank\" rel=\"noopener\">Padding oracle attack<\/a>:<\/p>\n<blockquote cite=\"https:\/\/en.wikipedia.org\/wiki\/Padding_oracle_attack\"><p>\n<i><br \/>\nIn cryptography, a padding oracle attack is an attack which uses the padding validation of a cryptographic message to decrypt the ciphertext. In cryptography, variable-length plaintext messages often have to be padded (expanded) to be compatible with the underlying cryptographic primitive. The attack relies on having a &#8220;padding oracle&#8221; who freely responds to queries about whether a message is correctly padded or not. Padding oracle attacks are mostly associated with CBC mode decryption used within block ciphers.<br \/>\n<\/i>\n<\/p><\/blockquote>\n<p>AES CBC encrypts a message in blocks of 16 bytes. If the length of the message is not aligned to 16 (<code>len(msg) % 16 != 0<\/code>) it must be padded with fill-bytes. The attack leverages the fact that the server raises an error, if the padding of the message sent is not correct. The default padding PKCS7 described in <a href=\"https:\/\/tools.ietf.org\/html\/rfc2315\" target=\"_blank\" rel=\"noopener\">RFC 2315<\/a> is quite simple. 
The bytes which are added for padding are set to the count of total bytes added:<\/p>\n<pre>\r\nPadding 1 byte:\r\nXX XX XX XX   XX XX XX XX   XX XX XX XX   XX XX XX 01\r\n\r\nPadding 3 bytes:\r\nXX XX XX XX   XX XX XX XX   XX XX XX XX   XX 03 03 03\r\n\r\nPadding 10 bytes:\r\nXX XX XX XX   XX XX 0a 0a   0a 0a 0a 0a   0a 0a 0a 0a\r\n<\/pre>\n<p>In CBC mode a decrypted ciphertext block is XOR-ed with the previous ciphertext-block in order to restore the plaintext of the block:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg22_01.png\" alt=\"\" width=\"457\" class=\"alignnone size-full wp-image-541\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg22_01.png 757w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg22_01-300x117.png 300w\" sizes=\"(max-width: 706px) 89vw, (max-width: 767px) 82vw, 740px\" \/><\/p>\n<p>To carry out the padding oracle attack we take the first two 16 byte-blocks (<code>c1<\/code> and <code>c2<\/code>) of the encrypted message and change the last byte of the first block. 
If the server accepts the message, we know that the last byte was decrypted to <code>01<\/code>, because it was padded correctly:<\/p>\n<pre>\r\nroot@kali:~\/Documents\/he18\/egg22# head secret.enc -c32 | hexdump -C\r\n00000000  e3 43 f4 26 04 ca 58 a7  31 ad bf 10 b3 76 ee 33  |.C.&..X.1....v.3|  <span style=\"color:#0000ff;\">&lt;-- c1<\/span>\r\n00000010  aa 94 49 26 cd f9 54 40  0d 86 ee 4f 6e 35 77 4e  |..I&..T@...On5wN|  <span style=\"color:#0000ff;\">&lt;-- c2<\/span>\r\n\r\nroot@kali:~\/Documents\/he18\/egg22# echo -en $(head secret.enc -c15)\"\\x00\"$(head secret.enc -c32 | tail -c16) | hexdump -C\r\n00000000  e3 43 f4 26 04 ca 58 a7  31 ad bf 10 b3 76 ee <span style=\"color:#ff0000;\">00<\/span>  |.C.&..X.1....v..|\r\n00000010  aa 94 49 26 cd f9 54 40  0d 86 ee 4f 6e 35 77 4e  |..I&..T@...On5wN|\r\n00000020\r\n\r\nroot@kali:~\/Documents\/he18\/egg22# echo -en $(head secret.enc -c15)\"\\x00\"$(head secret.enc -c32 | tail -c16) | nc whale.hacking-lab.com 5555\r\n<span style=\"color:#ff0000;\">error<\/span>\r\n\r\n...\r\n\r\nroot@kali:~\/Documents\/he18\/egg22# echo -en $(head secret.enc -c15)\"\\x51\"$(head secret.enc -c32 | tail -c16) | hexdump -C\r\n00000000  e3 43 f4 26 04 ca 58 a7  31 ad bf 10 b3 76 ee <span style=\"color:#00ff00;\">51<\/span>  |.C.&..X.1....v.Q|\r\n00000010  aa 94 49 26 cd f9 54 40  0d 86 ee 4f 6e 35 77 4e  |..I&..T@...On5wN|\r\n00000020\r\n\r\nroot@kali:~\/Documents\/he18\/egg22# echo -en $(head secret.enc -c15)\"\\x51\"$(head secret.enc -c32 | tail -c16) | nc whale.hacking-lab.com 5555\r\n<span style=\"color:#00ff00;\">ok<\/span>\r\n<\/pre>\n<p>When the last byte of <code>c1<\/code> is <code>0x51<\/code>, the server accepts the message. If you review the picture of the CBC mode above, the plaintext of <code>c2<\/code> (<code>p2<\/code>) is <code>p2 = decrypt(c2) ^ c1<\/code>. 
Since the server accepted our message, the padding must be correct and thus the last byte of <code>p2<\/code> must be <code>0x01<\/code> (1 byte padding): <code>p2[15] = decrypt(c2)[15] ^ c1[15] = decrypt(c2)[15] ^ 0x51 = 0x01<\/code>. This means that the last byte of the plaintext is <code>p2[15] = 0x51 ^ 0x33 ^ 0x01 = 0x63 ('c')<\/code> (<code>0x33<\/code> is the last byte of the original <code>c1<\/code>).<\/p>\n<p>Since we now know the last byte of <code>p2<\/code>, we can choose the last byte of <code>c1<\/code> so that <code>p2[15]<\/code> becomes <code>0x02<\/code>, and continue the attack for the second-to-last byte (padding: 2 bytes). If the server accepts our message, we know that <code>p2[14] = 0x02<\/code>.<\/p>\n<p>We proceed until we have decrypted all bytes of the message. Notice that we cannot decrypt the first 16-byte block since it is XORed with an initialization vector (IV), which we do not know.<\/p>\n<p>The following Python script iterates over all 16-byte blocks in <code>secret.enc<\/code> and carries out the attack to decrypt the message:<\/p>\n<pre class=\"brush: python; first-line: 0; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg22# cat oracle.py\r\n#!\/usr\/bin\/env python\r\n# Python 2: str is a byte string, so slicing and chr() operate on raw bytes\r\n\r\nimport socket\r\nimport pwn\r\n\r\nHOST = 'whale.hacking-lab.com'\r\nPORT = 5555\r\n\r\ndef decrypt(c1, c2):\r\n  # c1: previous ciphertext block (gets modified), c2: block whose plaintext we want\r\n  c1_orig = c1\r\n  c1_new = &#x5B;]   # accepted c1 bytes, last position first (c1_new&#x5B;15-j] belongs to position j)\r\n  for i in reversed(range(16)):\r\n    print(&quot;i = &quot; + str(i))\r\n    # rewrite the already solved bytes so they decrypt to the new padding value 16-i\r\n    for j in range(15,i,-1):\r\n      c1 = c1&#x5B;:j] + chr(c1_new&#x5B;15-j]^(16-j)^(16-i)) + c1&#x5B;j+1:]\r\n    # brute-force byte i until the oracle reports a valid padding\r\n    for char in range(256):\r\n      c1_tmp = c1&#x5B;:i] + chr(char) + c1&#x5B;i+1:]\r\n      s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n      s.connect((HOST, PORT))\r\n      s.send(c1_tmp+c2)\r\n      data = s.recv(1024)\r\n      s.close()\r\n      if (data&#x5B;:2] == &quot;ok&quot;):\r\n        print(&quot;--&gt; &quot; + hex(char))\r\n        c1_new.append(char)\r\n        break\r\n\r\n  print(c1_new)\r\n\r\n  # p2&#x5B;i] = decrypt(c2)&#x5B;i] ^ c1_orig&#x5B;i], with decrypt(c2)&#x5B;i] = c1_new&#x5B;15-i] ^ (16-i)\r\n  p2 = &quot;&quot;\r\n  for i in range(16):\r\n  
  p2 += chr(c1_new&#x5B;15-i]^ord(c1_orig&#x5B;i])^(16-i))\r\n  print(&quot;=&gt; &quot; + p2)\r\n\r\n\r\nf = open(&quot;secret.enc&quot;, &quot;rb&quot;)\r\na = f.read()\r\nf.close()\r\n\r\nfor b in range(0,4):\r\n  print(&quot;b = &quot; + str(b))\r\n  c1 = a&#x5B;0x10*b:0x10*b+0x10]\r\n  c2 = a&#x5B;0x10*b+0x10:0x10*b+0x20]\r\n  print(pwn.hexdump(c1+c2))\r\n  decrypt(c1,c2)\r\n<\/pre>\n<p>Luckily the password is not stored in the first 16 bytes \ud83d\ude09 The decrypted message:<\/p>\n<pre>\r\nassword is: oracl3in3delphi\r\n\r\nSee you soon!\r\n\r\nJane\r\n<\/pre>\n<p>The password is <code><span class=\"spanFlag\">oracl3in3delphi<\/span><\/code>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg22_02-300x300.png\" alt=\"\" width=\"300\" height=\"300\" class=\"alignnone size-medium wp-image-542\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg22_02-300x300.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg22_02-150x150.png 150w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg22_02-100x100.png 100w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg22_02.png 480w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/p>\n<h1 id=\"chlg23\">23 &#8211; Rapbid Learning<\/h1>\n<p>The provided website (http:\/\/whale.hacking-lab.com:2222) offers four functions:<\/p>\n<ol>\n<li>Train<\/li>\n<li>Assignment<\/li>\n<li>Submit<\/li>\n<li>Reward<\/li>\n<\/ol>\n<p><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg23_01.png\" alt=\"\" width=\"636\" class=\"alignnone size-full wp-image-543\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg23_01.png 936w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg23_01-300x284.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg23_01-768x728.png 768w\" sizes=\"(max-width: 767px) 
89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/p>\n<p><u>1. Train<\/u><br \/>\nThe train-endpoint returns a single rabbit in JSON format:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nusr@host:~\/he18\/egg23$ curl 'http:\/\/whale.hacking-lab.com:2222\/train'\r\n{&quot;sp00n&quot;: 10, &quot;n4m3&quot;: &quot;Carmen&quot;, &quot;t41l&quot;: 10, &quot;w31ght&quot;: 2, &quot;c0l0r&quot;: &quot;red&quot;, &quot;ag3&quot;: 5, &quot;l3ngth&quot;: 53, &quot;g00d&quot;: false, &quot;g3nd3r&quot;: &quot;female&quot;}\r\n<\/pre>\n<p>This data should be used to determine which rabbit is good (<code>\"g00d\": true<\/code>) and which is not (<code>\"g00d\": false<\/code>) based on the values of the other attributes.<\/p>\n<p><u>2. Assignment<\/u><br \/>\nThe assignment-endpoint returns a list of rabbits, which should be classified as <code>\"g00d\": true<\/code> or <code>\"g00d\": false<\/code> (this property is missing): <\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nusr@host:~\/he18\/egg23$ curl http:\/\/whale.hacking-lab.com:2222\/gate 2&gt;\/dev\/null | head -c 400\r\n{&quot;attributes&quot;: &#x5B;&quot;bjRtMw==&quot;, &quot;ZzNuZDNy&quot;, &quot;NGcz&quot;, &quot;YzBsMHI=&quot;, &quot;dzMxZ2h0&quot;, &quot;bDNuZ3Ro&quot;, &quot;c3AwMG4=&quot;, &quot;dDQxbA==&quot;], &quot;data&quot;: &#x5B;&#x5B;&quot;Willie&quot;, &quot;male&quot;, 4, &quot;brown&quot;, 2, 40, 12, 10], &#x5B;&quot;Ruthie&quot;, &quot;female&quot;, 1, &quot;red&quot;, 2, 42, 14, 11], &#x5B;&quot;Nellie&quot;, &quot;female&quot;, 0, &quot;brown&quot;, 4, 49, 8, 8], &#x5B;&quot;Randy&quot;, &quot;male&quot;, 2, &quot;red&quot;, 2, 47, 14, 10], &#x5B;&quot;Marcella&quot;, &quot;female&quot;, 6, &quot;red&quot;, 5, 50, 8, 10], &#x5B;&quot;Melissa&quot;, &quot;female&quot;, 2, &quot;white&quot;, 5, 45, 7, 10], \r\n<\/pre>\n<p>The attribute names are base64-encoded, but they are the same as in the training data 
except for the missing <code>g00d<\/code> attribute:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/he18\/egg23$ echo &quot;bjRtMw==&quot; | base64 -d\r\nn4m3\r\nroot@kali:~\/he18\/egg23$ echo &quot;ZzNuZDNy&quot; | base64 -d\r\ng3nd3r\r\nroot@kali:~\/he18\/egg23$ echo &quot;NGcz&quot; | base64 -d\r\n4g3\r\n...\r\n<\/pre>\n<p><u>3. Submit<\/u><\/p>\n<p>The submit-endpoint should be used to send the categorization of the rabbits retrieved from the assignment-endpoint to the web server.<\/p>\n<p>The solution is supposed to be submitted as a simple <i>json integer array<\/i> (these words are displayed in phonetic spelling).<\/p>\n<p>This means that we have to iterate over the data-array containing all rabbits retrieved from the assignment-endpoint, determine if the rabbit is good or not and append a <code>1<\/code> (good) or <code>0<\/code> (not good) to an array, which we will send to the submit-endpoint.<\/p>\n<p><u>4. Reward<\/u><\/p>\n<p>The reward-endpoint can be used after a successful solution submission to retrieve the egg. 
The current session is identified by a session-id.<\/p>\n<p><u>Solution<\/u><\/p>\n<p>I started by writing a Python script which retrieves a few training-rabbits and saves them in a local file:<\/p>\n<pre class=\"brush: python; first-line: 0; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/he18\/egg23$ cat train.py\r\n#!\/usr\/bin\/env python\r\n# train.py\r\n\r\nimport urllib2\r\nimport json\r\nimport time\r\nimport os\r\n\r\ndef train():\r\n\r\n  # load the rabbits collected so far (if any)\r\n  j = &#x5B;]\r\n  if (os.path.isfile(&quot;train.txt&quot;)):\r\n    f = open(&quot;train.txt&quot;, &quot;r&quot;)\r\n    tc = f.read()\r\n    f.close()\r\n    if (len(tc) &gt; 0): j = json.loads(tc)\r\n\r\n  # fetch one more rabbit from the train-endpoint\r\n  url = &quot;http:\/\/whale.hacking-lab.com:2222\/train&quot;\r\n  resp = urllib2.urlopen(url)\r\n  content = resp.read()\r\n\r\n  j.append(json.loads(content))\r\n\r\n  # write the whole collection back to disk\r\n  f = open(&quot;train.txt&quot;, &quot;w&quot;)\r\n  f.write(json.JSONEncoder().encode(j))\r\n  f.close()\r\n\r\n\r\nfor i in range(1000):\r\n  train()\r\n  time.sleep(0.1)\r\n<\/pre>\n<p>Next I wrote a script which can be used to evaluate the collected training data:<\/p>\n<pre class=\"brush: python; first-line: 0; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg23# cat eval.py\r\n#!\/usr\/bin\/env python\r\n# eval.py\r\n\r\nimport json\r\nfrom sets import Set\r\n\r\nj = None\r\n\r\ndef printSet(attr):\r\n  # print all distinct values seen for one attribute\r\n  global j\r\n  s = Set()\r\n  for obj in j:\r\n    s.add(obj&#x5B;attr])\r\n  print(attr),\r\n  print(s)\r\n\r\ndef countGood(attr, val):\r\n  # count good and bad rabbits whose attribute attr equals val\r\n  global j\r\n  g = 0\r\n  b = 0\r\n  for obj in j:\r\n    if (str(obj&#x5B;attr]) == val and obj&#x5B;&quot;g00d&quot;] == True): g +=1\r\n    elif (str(obj&#x5B;attr]) == val and obj&#x5B;&quot;g00d&quot;] == False): b += 1\r\n\r\n  print(&quot;g00d: &quot; + str(g) + &quot;\\t{:.1%}&quot;.format(float(g)\/float(g+b)))\r\n  print(&quot;b4d : &quot; + str(b) + &quot;\\t{:.1%}&quot;.format(float(b)\/float(g+b)))\r\n\r\n\r\nf = open(&quot;train.txt&quot;, &quot;r&quot;)\r\ntc = 
f.read()\r\nf.close()\r\nj = json.loads(tc)\r\n\r\nprintSet(&quot;sp00n&quot;)\r\nprintSet(&quot;t41l&quot;)\r\nprintSet(&quot;w31ght&quot;)\r\nprintSet(&quot;c0l0r&quot;)\r\nprintSet(&quot;ag3&quot;)\r\nprintSet(&quot;l3ngth&quot;)\r\nprintSet(&quot;g3nd3r&quot;)\r\n\r\n\r\nwhile True:\r\n  a = raw_input(&quot;Enter attribute: &quot;)\r\n  v = raw_input(&quot;Enter value: &quot;)\r\n  countGood(a,v)\r\n<\/pre>\n<p>The script prints all possible values found for each attribute &#8230; <\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg23# .\/eval.py\r\nsp00n Set(&#x5B;7, 8, 9, 10, 11, 12, 13, 14])\r\nt41l Set(&#x5B;8, 9, 10, 11])\r\nw31ght Set(&#x5B;2, 3, 4, 5])\r\nc0l0r Set(&#x5B;u'blue', u'brown', u'purple', u'grey', u'green', u'black', u'white', u'red'])\r\nag3 Set(&#x5B;0, 1, 2, 3, 4, 5, 6, 7])\r\nl3ngth Set(&#x5B;40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54])\r\ng3nd3r Set(&#x5B;u'male', u'female'])\r\n<\/pre>\n<p>&#8230; and can be used to print the count of good rabbits depending on a specific value for an attribute:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nEnter attribute: t41l\r\nEnter value: 8\r\ng00d: 407       100.0%\r\nb4d : 0 0.0%\r\nEnter attribute: t41l\r\nEnter value: 9\r\ng00d: 390       100.0%\r\nb4d : 0 0.0%\r\nEnter attribute: t41l\r\nEnter value: 10\r\ng00d: 366       33.1%\r\nb4d : 740       66.9%\r\nEnter attribute: t41l\r\nEnter value: 11\r\ng00d: 371       33.8%\r\nb4d : 726       66.2%\r\n<\/pre>\n<p>Looking at the attribute <code>t41l<\/code>, it seems that each rabbit with a value of <code>8<\/code> or <code>9<\/code> is always good. 
But for a <code>t41l<\/code> value of <code>10<\/code> or <code>11<\/code> we cannot tell for sure whether a rabbit is good or not.<\/p>\n<p>When evaluating the other attributes I noticed the following:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nEnter attribute: w31ght\r\nEnter value: 2\r\ng00d: 0 0.0%\r\nb4d : 1466      100.0%\r\nEnter attribute: w31ght\r\nEnter value: 3\r\ng00d: 508       100.0%\r\nb4d : 0 0.0%\r\nEnter attribute: w31ght\r\nEnter value: 4\r\ng00d: 516       100.0%\r\nb4d : 0 0.0%\r\nEnter attribute: w31ght\r\nEnter value: 5\r\ng00d: 510       100.0%\r\nb4d : 0 0.0%\r\n<\/pre>\n<p>For the attribute <code>w31ght<\/code>, with values ranging from <code>2<\/code> to <code>5<\/code>, there is always a 100% match! A rabbit with a <code>w31ght<\/code> value of <code>2<\/code> is never good. If the value is above <code>2<\/code> the rabbit is always good.<\/p>\n<p>Finally I wrote a Python script which uses the assignment-endpoint to retrieve a collection of rabbits to categorize. These rabbits are categorized based on their <code>w31ght<\/code> value and then sent to the submit-endpoint. 
After this the egg from the reward-endpoint is retrieved:<\/p>\n<pre class=\"brush: python; first-line: 0; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg23# cat run.py\r\n#!\/usr\/bin\/env python\r\n# run.py\r\n\r\nimport urllib2\r\nimport json\r\nimport base64\r\nimport subprocess\r\n\r\nj = None\r\n\r\ndef decide(r):\r\n  global j\r\n  w = r&#x5B;j&#x5B;'attributes'].index('w31ght')]\r\n  if (w&gt;2): return 1\r\n  else: return 0\r\n\r\n\r\ndef run():\r\n  global j\r\n  arr = &#x5B;]\r\n  url = &quot;http:\/\/whale.hacking-lab.com:2222\/&quot;\r\n  resp = urllib2.urlopen(url+&quot;gate&quot;)\r\n  content = resp.read()\r\n\r\n  j = json.loads(content)\r\n\r\n  for i in range(len(j&#x5B;'attributes'])):\r\n    txt = j&#x5B;'attributes']&#x5B;i]\r\n    j&#x5B;'attributes']&#x5B;i] = base64.b64decode(txt)\r\n\r\n  for i in range(len(j&#x5B;'data'])):\r\n    rabbit = j&#x5B;'data']&#x5B;i]\r\n    arr.append(decide(rabbit))\r\n\r\n  hdr = str(resp.headers)\r\n  session = hdr&#x5B;hdr.index(&quot;Set-Cookie: &quot;)+12:]\r\n  session = session&#x5B;:session.index(&quot;;&quot;)]\r\n\r\n  ret = subprocess.check_output(&#x5B;&quot;curl&quot;, &quot;-v&quot;, url+&quot;predict&quot;, &quot;-H&quot;, &quot;Content-Type: application\/json&quot;, &quot;--cookie&quot;, session, &quot;--data&quot;, str(arr)], stderr=subprocess.STDOUT)\r\n  print(ret)\r\n\r\n  ret = subprocess.check_output(&#x5B;&quot;curl&quot;, &quot;-v&quot;, url+&quot;reward&quot;, &quot;--cookie&quot;, session])\r\n  print(ret)\r\n\r\n\r\nrun()\r\n<\/pre>\n<p>Running the script retrieves the egg from the reward-endpoint:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg23# .\/run.py\r\n...\r\n* Connection #0 to host whale.hacking-lab.com left intact\r\nSCORE: MTAwLjAl - lolnice! 
- I'll tell my guys to set up your reward for this shift at \/reward, don't forget to bring your cookie!\r\n...\r\n&gt; GET \/reward HTTP\/1.1\r\n&gt; Host: whale.hacking-lab.com:2222\r\n&gt; User-Agent: curl\/7.57.0\r\n&gt; Accept: *\/*\r\n&gt; Cookie: session_id=2c3cdd994d5998457e3f16c7b326247fbf500e97\r\n...\r\n&lt;h2&gt;Reward&lt;\/h2&gt;\r\n&lt;hr&gt;\r\n&lt;div&gt;\r\n  &lt;img src=&quot;data:image\/png;base64,iVBORw0KGgoAAAAN...AAASUVORK5CYII=&quot;&gt;\r\n&lt;\/div&gt;\r\n...\r\n<\/pre>\n<p>Viewing the base64-encoded image in a browser displays the egg:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg23_02-300x300.png\" alt=\"\" width=\"300\" height=\"300\" class=\"alignnone size-medium wp-image-544\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg23_02-300x300.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg23_02-150x150.png 150w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg23_02-100x100.png 100w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg23_02.png 480w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/p>\n<h1 id=\"chlg24\">24 &#8211; ELF<\/h1>\n<p>The provided file is a 32-bit ELF binary: <\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg24# file lock\r\nlock: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, interpreter \/lib\/ld-linux.so.2, for GNU\/Linux 3.2.0, BuildID&#x5B;sha1]=8272392507ce63b716cc2e9c0feb001a5467ae53, not stripped\r\n<\/pre>\n<p>Running the program requires a pin to be passed as argument:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg24# .\/lock\r\n.\/lock &lt;pin to unlock&gt;\r\n<\/pre>\n<p>An obviously invalid pin prints a QR code &#8230;<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; 
notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg24# .\/lock 123456\r\nlock state:\r\n\r\n\r\n  \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588      \u2588\u2588  \u2588\u2588\u2588\u2588    \u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\r\n  \u2588\u2588          \u2588\u2588  \u2588\u2588  \u2588\u2588    \u2588\u2588\u2588\u2588  \u2588\u2588  \u2588\u2588          \u2588\u2588\r\n  \u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588          \u2588\u2588\u2588\u2588  \u2588\u2588\u2588\u2588  \u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588\r\n  \u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588\u2588\u2588  \u2588\u2588\u2588\u2588  \u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588\r\n  \u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588    \u2588\u2588      \u2588\u2588\u2588\u2588  \u2588\u2588  \u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588\r\n  \u2588\u2588          \u2588\u2588  \u2588\u2588\u2588\u2588  \u2588\u2588\u2588\u2588  \u2588\u2588      \u2588\u2588          \u2588\u2588\r\n  \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588  \u2588\u2588  \u2588\u2588  \u2588\u2588  \u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\r\n                    \u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588\u2588\u2588  \u2588\u2588\r\n  \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588    \u2588\u2588  \u2588\u2588\u2588\u2588  \u2588\u2588  \u2588\u2588  \u2588\u2588\r\n  \u2588\u2588    \u2588\u2588  \u2588\u2588        \u2588\u2588  \u2588\u2588  \u2588\u2588    \u2588\u2588    \u2588\u2588  \u2588\u2588\u2588\u2588\r\n    \u2588\u2588\u2588\u2588     
 \u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588    \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588\r\n  \u2588\u2588\u2588\u2588  \u2588\u2588  \u2588\u2588  \u2588\u2588\u2588\u2588      \u2588\u2588\u2588\u2588\u2588\u2588    \u2588\u2588\u2588\u2588\u2588\u2588    \u2588\u2588\r\n  \u2588\u2588    \u2588\u2588    \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588    \u2588\u2588      \u2588\u2588\u2588\u2588    \u2588\u2588\r\n  \u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588    \u2588\u2588\u2588\u2588                \u2588\u2588\r\n  \u2588\u2588  \u2588\u2588\u2588\u2588    \u2588\u2588  \u2588\u2588    \u2588\u2588\u2588\u2588    \u2588\u2588  \u2588\u2588\u2588\u2588  \u2588\u2588  \u2588\u2588\u2588\u2588\r\n  \u2588\u2588  \u2588\u2588    \u2588\u2588      \u2588\u2588\u2588\u2588\u2588\u2588      \u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\r\n  \u2588\u2588      \u2588\u2588  \u2588\u2588\u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588      \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588\r\n                  \u2588\u2588  \u2588\u2588  \u2588\u2588\u2588\u2588    \u2588\u2588      \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\r\n  \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588        \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\r\n  \u2588\u2588          \u2588\u2588    \u2588\u2588\u2588\u2588  \u2588\u2588\u2588\u2588  \u2588\u2588\u2588\u2588      \u2588\u2588  \u2588\u2588  \u2588\u2588\r\n  \u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588  \u2588\u2588\u2588\u2588    \u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588\u2588\u2588\r\n  
\u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588  \u2588\u2588\u2588\u2588          \u2588\u2588\u2588\u2588    \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588\r\n  \u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588  \u2588\u2588    \u2588\u2588\u2588\u2588    \u2588\u2588  \u2588\u2588      \u2588\u2588\u2588\u2588  \u2588\u2588\r\n  \u2588\u2588          \u2588\u2588  \u2588\u2588    \u2588\u2588    \u2588\u2588  \u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\r\n  \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588      \u2588\u2588\u2588\u2588        \u2588\u2588    \u2588\u2588\r\n\r\n<\/pre>\n<p>&#8230; which contains the string <code>------- locked -------<\/code>.<\/p>\n<p>When single-stepping through the binary using <code>gdb<\/code> &#8230;<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nroot@kali:~\/Documents\/he18\/egg24# gdb lock\r\n...\r\ngdb-peda$ b *main\r\nBreakpoint 1 at 0x650\r\ngdb-peda$ r 1234\r\nStarting program: \/root\/Documents\/he18\/egg24\/lock 1234\r\n&#x5B;----------------------------------registers-----------------------------------]\r\nEAX: 0xf7f9add8 --&gt; 0xffffd6d0 --&gt; 0xffffd818 (&quot;LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc&quot;...)\r\nEBX: 0x0\r\nECX: 0x3af6c63c\r\nEDX: 0xffffd654 --&gt; 0x0\r\nESI: 0xf7f99000 --&gt; 0x1d4d6c\r\nEDI: 0x0\r\nEBP: 0x0\r\nESP: 0xffffd62c --&gt; 0xf7ddce81 (&lt;__libc_start_main+241&gt;:        add    esp,0x10)\r\nEIP: 0x56555650 (&lt;main&gt;:        push   ebp)\r\nEFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)\r\n&#x5B;-------------------------------------code-------------------------------------]\r\n   0x5655564c 
&lt;__x86.get_pc_thunk.dx+3&gt;:        ret\r\n   0x5655564d &lt;__x86.get_pc_thunk.dx+4&gt;:        xchg   ax,ax\r\n   0x5655564f &lt;__x86.get_pc_thunk.dx+6&gt;:        nop\r\n=&gt; 0x56555650 &lt;main&gt;:   push   ebp\r\n   0x56555651 &lt;main+1&gt;: mov    ebp,esp\r\n   0x56555653 &lt;main+3&gt;: cmp    DWORD PTR &#x5B;ebp+0x8],0x2\r\n   0x56555657 &lt;main+7&gt;: jne    0x56555678 &lt;helpmsg&gt;\r\n   0x56555659 &lt;main+9&gt;: mov    ebx,DWORD PTR &#x5B;ebp+0xc]\r\n&#x5B;------------------------------------stack-------------------------------------]\r\n0000| 0xffffd62c --&gt; 0xf7ddce81 (&lt;__libc_start_main+241&gt;:       add    esp,0x10)\r\n0004| 0xffffd630 --&gt; 0x2\r\n0008| 0xffffd634 --&gt; 0xffffd6c4 --&gt; 0xffffd7f3 (&quot;\/root\/Documents\/he18\/egg24\/lock&quot;)\r\n0012| 0xffffd638 --&gt; 0xffffd6d0 --&gt; 0xffffd818 (&quot;LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc&quot;...)\r\n0016| 0xffffd63c --&gt; 0xffffd654 --&gt; 0x0\r\n0020| 0xffffd640 --&gt; 0x2\r\n0024| 0xffffd644 --&gt; 0xffffd6c4 --&gt; 0xffffd7f3 (&quot;\/root\/Documents\/he18\/egg24\/lock&quot;)\r\n0028| 0xffffd648 --&gt; 0xf7f99000 --&gt; 0x1d4d6c\r\n&#x5B;------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\n\r\nBreakpoint 1, 0x56555650 in main ()\r\ngdb-peda$ ni\r\n...\r\n<\/pre>\n<p>&#8230; we can see that the <code>main<\/code> function calls another function called <code>mainPrg<\/code>.<\/p>\n<p>The control flow within this function is quite unusual. The return address of the function at <code>ebp+0x4<\/code> (referencing <code>exitPrg<\/code>) is moved to <code>eax<\/code>, <code>0xe5<\/code> is added and <code>eax<\/code> is pushed onto the stack. 
The <code>je<\/code> at <code>0x565556a8<\/code> is not taken, meaning that the pushed <code>eax<\/code> value is perceived as the return address for the <code>ret<\/code> instruction at <code>0x565556aa<\/code>:<\/p>\n<pre class=\"brush: bash; gutter: false; highlight: [15,16,17,18,19]; title: ; notranslate\" title=\"\">\r\n&#x5B;----------------------------------registers-----------------------------------]\r\nEAX: 0x56555676 (&lt;main+38&gt;:     jmp    0x56555685 &lt;exitPrg&gt;)\r\nEBX: 0xffffd6c8 --&gt; 0xffffd813 (&quot;1234&quot;)\r\nECX: 0xe\r\nEDX: 0xf7f9a890 --&gt; 0x0\r\nESI: 0xf7f99000 --&gt; 0x1d4d6c\r\nEDI: 0x0\r\nEBP: 0xffffd618 --&gt; 0xffffd624 --&gt; 0xffffd813 (&quot;1234&quot;)\r\nESP: 0xffffd618 --&gt; 0xffffd624 --&gt; 0xffffd813 (&quot;1234&quot;)\r\nEIP: 0x565556a2 (&lt;mainPrg+19&gt;:  add    eax,0xe5)\r\nEFLAGS: 0x286 (carry PARITY adjust zero SIGN trap INTERRUPT direction overflow)\r\n&#x5B;-------------------------------------code-------------------------------------]\r\n   0x56555697 &lt;mainPrg+8&gt;:      call   0xf7e14ab0 &lt;printf&gt;\r\n   0x5655569c &lt;mainPrg+13&gt;:     add    esp,0x4\r\n   0x5655569f &lt;mainPrg+16&gt;:     mov    eax,DWORD PTR &#x5B;ebp+0x4]\r\n=&gt; 0x565556a2 &lt;mainPrg+19&gt;:     add    eax,0xe5\r\n   0x565556a7 &lt;mainPrg+24&gt;:     push   eax\r\n   0x565556a8 &lt;mainPrg+25&gt;:     je     0x565556ab &lt;doit&gt;\r\n   0x565556aa &lt;mainPrg+27&gt;:     ret\r\n   0x565556ab &lt;doit&gt;:   call   0x565556b4 &lt;checkpin&gt;\r\n&#x5B;------------------------------------stack-------------------------------------]\r\n0000| 0xffffd618 --&gt; 0xffffd624 --&gt; 0xffffd813 (&quot;1234&quot;)\r\n0004| 0xffffd61c (&quot;vVUVgVUV&#92;&#48;23\\330\\377\\377&quot;)\r\n0008| 0xffffd620 (&quot;gVUV&#92;&#48;23\\330\\377\\377&quot;)\r\n0012| 0xffffd624 --&gt; 0xffffd813 (&quot;1234&quot;)\r\n0016| 0xffffd628 --&gt; 0x0\r\n0020| 0xffffd62c --&gt; 0xf7ddce81 (&lt;__libc_start_main+241&gt;:       add    
esp,0x10)\r\n0024| 0xffffd630 --&gt; 0x2\r\n0028| 0xffffd634 --&gt; 0xffffd6c4 --&gt; 0xffffd7f3 (&quot;\/root\/Documents\/he18\/egg24\/lock&quot;)\r\n&#x5B;------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\n0x565556a2 in mainPrg ()\r\ngdb-peda$\r\n<\/pre>\n<p>Let&#8217;s see where we are going when the <code>ret<\/code> instruction is executed:<\/p>\n<pre class=\"brush: bash; gutter: false; highlight: [2,16,33,34]; title: ; notranslate\" title=\"\">\r\n&#x5B;----------------------------------registers-----------------------------------]\r\nEAX: 0x5655575b (&lt;qr_next_line+39&gt;:     mov    esi,0x5655703f)\r\nEBX: 0xffffd6c8 --&gt; 0xffffd813 (&quot;1234&quot;)\r\nECX: 0xe\r\nEDX: 0xf7f9a890 --&gt; 0x0\r\nESI: 0xf7f99000 --&gt; 0x1d4d6c\r\nEDI: 0x0\r\nEBP: 0xffffd618 --&gt; 0xffffd624 --&gt; 0xffffd813 (&quot;1234&quot;)\r\nESP: 0xffffd614 (&quot;&#x5B;WUV$\\326\\377\\377vVUVgVUV&#92;&#48;23\\330\\377\\377&quot;)\r\nEIP: 0x565556aa (&lt;mainPrg+27&gt;:  ret)\r\nEFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)\r\n&#x5B;-------------------------------------code-------------------------------------]\r\n   0x565556a2 &lt;mainPrg+19&gt;:     add    eax,0xe5\r\n   0x565556a7 &lt;mainPrg+24&gt;:     push   eax\r\n   0x565556a8 &lt;mainPrg+25&gt;:     je     0x565556ab &lt;doit&gt;\r\n=&gt; 0x565556aa &lt;mainPrg+27&gt;:     ret\r\n   0x565556ab &lt;doit&gt;:   call   0x565556b4 &lt;checkpin&gt;\r\n   0x565556b0 &lt;doit+5&gt;: mov    esp,ebp\r\n   0x565556b2 &lt;doit+7&gt;: pop    ebp\r\n   0x565556b3 &lt;doit+8&gt;: ret\r\n&#x5B;------------------------------------stack-------------------------------------]\r\n0000| 0xffffd614 (&quot;&#x5B;WUV$\\326\\377\\377vVUVgVUV&#92;&#48;23\\330\\377\\377&quot;)\r\n0004| 0xffffd618 --&gt; 0xffffd624 --&gt; 0xffffd813 (&quot;1234&quot;)\r\n0008| 0xffffd61c (&quot;vVUVgVUV&#92;&#48;23\\330\\377\\377&quot;)\r\n0012| 0xffffd620 
(&quot;gVUV&#92;&#48;23\\330\\377\\377&quot;)\r\n0016| 0xffffd624 --&gt; 0xffffd813 (&quot;1234&quot;)\r\n0020| 0xffffd628 --&gt; 0x0\r\n0024| 0xffffd62c --&gt; 0xf7ddce81 (&lt;__libc_start_main+241&gt;:       add    esp,0x10)\r\n0028| 0xffffd630 --&gt; 0x2\r\n&#x5B;------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\n0x565556aa in mainPrg ()\r\ngdb-peda$ x\/xw $esp\r\n0xffffd614:     0x5655575b\r\n<\/pre>\n<p>The top value on the stack is <code>0x5655575b<\/code>, which will be interpreted as the return address. On the second line above displaying the value of <code>eax<\/code> we can see that this is the address of <code>qr_next_line+39<\/code>.<\/p>\n<p>Let&#8217;s have a look at this function:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\ngdb-peda$ disassemble qr_next_line\r\nDump of assembler code for function qr_next_line:\r\n   0x56555734 &lt;+0&gt;:     push   0x56557039\r\n   0x56555739 &lt;+5&gt;:     call   0xf7e14ab0 &lt;printf&gt;\r\n   0x5655573e &lt;+10&gt;:    add    esp,0x4\r\n   0x56555741 &lt;+13&gt;:    inc    DWORD PTR &#x5B;ebp-0x8]\r\n   0x56555744 &lt;+16&gt;:    cmp    DWORD PTR &#x5B;ebp-0x8],0x19\r\n   0x56555748 &lt;+20&gt;:    jne    0x565556f2 &lt;qr_for_each_line&gt;\r\n   0x5655574a &lt;+22&gt;:    push   0x56557039\r\n   0x5655574f &lt;+27&gt;:    call   0xf7e14ab0 &lt;printf&gt;\r\n   0x56555754 &lt;+32&gt;:    add    esp,0x4\r\n   0x56555757 &lt;+35&gt;:    mov    esp,ebp\r\n   0x56555759 &lt;+37&gt;:    pop    ebp\r\n   0x5655575a &lt;+38&gt;:    ret\r\n   0x5655575b &lt;+39&gt;:    mov    esi,0x5655703f\r\n   0x56555760 &lt;+44&gt;:    xor    ebx,ebx\r\n   0x56555762 &lt;+46&gt;:    xor    ecx,ecx\r\n   0x56555764 &lt;+48&gt;:    add    ebx,DWORD PTR &#x5B;esi+ecx*4]\r\n   0x56555767 &lt;+51&gt;:    inc    ecx\r\n   0x56555768 &lt;+52&gt;:    cmp    ecx,0x19\r\n   0x5655576b &lt;+55&gt;:    jne    0x56555764 
&lt;qr_next_line+48&gt;\r\n   0x5655576d &lt;+57&gt;:    mov    eax,0x5655703f\r\n   0x56555772 &lt;+62&gt;:    mov    eax,DWORD PTR &#x5B;eax-0x4]\r\n   0x56555775 &lt;+65&gt;:    cmp    eax,ebx\r\n   0x56555777 &lt;+67&gt;:    jne    0x56555793 &lt;qr_next_line+95&gt;\r\n   0x56555779 &lt;+69&gt;:    mov    esi,0x5655703f\r\n   0x5655577e &lt;+74&gt;:    add    esi,0x64\r\n   0x56555781 &lt;+77&gt;:    xor    ebx,ebx\r\n   0x56555783 &lt;+79&gt;:    xor    ecx,ecx\r\n   0x56555785 &lt;+81&gt;:    mov    ebx,DWORD PTR &#x5B;esi+ecx*4]\r\n   0x56555788 &lt;+84&gt;:    sub    ebx,eax\r\n   0x5655578a &lt;+86&gt;:    mov    DWORD PTR &#x5B;esi+ecx*4],ebx\r\n   0x5655578d &lt;+89&gt;:    inc    ecx\r\n   0x5655578e &lt;+90&gt;:    cmp    ecx,0x19\r\n   0x56555791 &lt;+93&gt;:    jne    0x56555785 &lt;qr_next_line+81&gt;\r\n   0x56555793 &lt;+95&gt;:    mov    eax,DWORD PTR &#x5B;ebp+0x4]\r\n   0x56555796 &lt;+98&gt;:    add    eax,0x3e\r\n   0x56555799 &lt;+101&gt;:   push   eax\r\n   0x5655579a &lt;+102&gt;:   ret\r\n   0x5655579b &lt;+103&gt;:   xchg   ax,ax\r\n   0x5655579d &lt;+105&gt;:   xchg   ax,ax\r\n   0x5655579f &lt;+107&gt;:   nop\r\nEnd of assembler dump.\r\n<\/pre>\n<p>The <code>ret<\/code> instruction takes us right here:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\n   0x5655575b &lt;+39&gt;:    mov    esi,0x5655703f\r\n<\/pre>\n<p><code>esi<\/code> is set to <code>0x5655703f<\/code>, which is the address of a symbol called <code>qr1<\/code>:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\ngdb-peda$ x\/xw 0x5655703f\r\n0x5655703f &lt;qr1&gt;:       0x03f8b2fe\r\n<\/pre>\n<p>Next, the registers <code>ebx<\/code> and <code>ecx<\/code> are set to zero &#8230;<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\n   0x56555760 &lt;+44&gt;:    xor    ebx,ebx\r\n   0x56555762 &lt;+46&gt;:    xor    ecx,ecx\r\n<\/pre>\n<p>&#8230; and each subsequent 4 
bytes beginning at <code>0x5655703f<\/code> are added to <code>ebx<\/code> (<code>0x19 = 25<\/code> times):<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\n   0x56555764 &lt;+48&gt;:    add    ebx,DWORD PTR &#x5B;esi+ecx*4]\r\n   0x56555767 &lt;+51&gt;:    inc    ecx\r\n   0x56555768 &lt;+52&gt;:    cmp    ecx,0x19\r\n   0x5655576b &lt;+55&gt;:    jne    0x56555764 &lt;qr_next_line+48&gt;\r\n<\/pre>\n<p>After this the dword stored at address <code>0x5655703f-0x4<\/code> is loaded into <code>eax<\/code>:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\n   0x5655576d &lt;+57&gt;:    mov    eax,0x5655703f\r\n   0x56555772 &lt;+62&gt;:    mov    eax,DWORD PTR &#x5B;eax-0x4]\r\n<\/pre>\n<p>What is stored at this address?<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\ngdb-peda$ x\/xw 0x5655703f-4\r\n0x5655703b &lt;pin&gt;:       0x000004d2\r\n<\/pre>\n<p>The pin we entered!<\/p>\n<p>By not directly referencing the address of the pin (<code>0x5655703b<\/code>), it is more difficult to spot where the pin is used.<\/p>\n<p>On the next line the pin we entered is compared to the value of <code>ebx<\/code>, which holds the sum of the 25 dwords at <code>qr1<\/code>:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\n   0x56555775 &lt;+65&gt;:    cmp    eax,ebx\r\n<\/pre>\n<p>If the comparison succeeds, the following <code>jne<\/code> is not taken &#8230;<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\n   0x56555777 &lt;qr_next_line+67&gt;:        jne    0x56555793 &lt;qr_next_line+95&gt;\r\n<\/pre>\n<p>&#8230; and <code>esi<\/code> is set to <code>0x5655703f + 0x64<\/code> &#8230;<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\n   0x56555779 &lt;qr_next_line+69&gt;:        mov    esi,0x5655703f\r\n   0x5655577e &lt;qr_next_line+74&gt;:        add    esi,0x64\r\n<\/pre>\n<p>&#8230; which is the 
address of a symbol called <code>qr2<\/code>:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\ngdb-peda$ x\/xw 0x5655703f+0x64\r\n0x565570a3 &lt;qr2&gt;:       0x4572ebe0\r\n<\/pre>\n<p>What do we need to do? The <code>eip<\/code> is still at <code>0x56555775 &lt;qr_next_line+65&gt;<\/code>:<\/p>\n<pre class=\"brush: bash; gutter: false; highlight: [1,11,17]; title: ; notranslate\" title=\"\">\r\ngdb-peda$ context\r\n&#x5B;----------------------------------registers-----------------------------------]\r\nEAX: 0x4d2\r\nEBX: 0x4179dce2\r\nECX: 0x19\r\nEDX: 0xf7f9a890 --&gt; 0x0\r\nESI: 0x5655703f --&gt; 0x3f8b2fe\r\nEDI: 0x0\r\nEBP: 0xffffd618 --&gt; 0xffffd624 --&gt; 0xffffd813 (&quot;1234&quot;)\r\nESP: 0xffffd618 --&gt; 0xffffd624 --&gt; 0xffffd813 (&quot;1234&quot;)\r\nEIP: 0x56555775 (&lt;qr_next_line+65&gt;:     cmp    eax,ebx)\r\nEFLAGS: 0x246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)\r\n&#x5B;-------------------------------------code-------------------------------------]\r\n   0x5655576b &lt;qr_next_line+55&gt;:        jne    0x56555764 &lt;qr_next_line+48&gt;\r\n   0x5655576d &lt;qr_next_line+57&gt;:        mov    eax,0x5655703f\r\n   0x56555772 &lt;qr_next_line+62&gt;:        mov    eax,DWORD PTR &#x5B;eax-0x4]\r\n=&gt; 0x56555775 &lt;qr_next_line+65&gt;:        cmp    eax,ebx\r\n   0x56555777 &lt;qr_next_line+67&gt;:        jne    0x56555793 &lt;qr_next_line+95&gt;\r\n   0x56555779 &lt;qr_next_line+69&gt;:        mov    esi,0x5655703f\r\n   0x5655577e &lt;qr_next_line+74&gt;:        add    esi,0x64\r\n   0x56555781 &lt;qr_next_line+77&gt;:        xor    ebx,ebx\r\n&#x5B;------------------------------------stack-------------------------------------]\r\n0000| 0xffffd618 --&gt; 0xffffd624 --&gt; 0xffffd813 (&quot;1234&quot;)\r\n0004| 0xffffd61c (&quot;vVUVgVUV&#92;&#48;23\\330\\377\\377&quot;)\r\n0008| 0xffffd620 (&quot;gVUV&#92;&#48;23\\330\\377\\377&quot;)\r\n0012| 0xffffd624 --&gt; 0xffffd813 
(&quot;1234&quot;)\r\n0016| 0xffffd628 --&gt; 0x0\r\n0020| 0xffffd62c --&gt; 0xf7ddce81 (&lt;__libc_start_main+241&gt;:       add    esp,0x10)\r\n0024| 0xffffd630 --&gt; 0x2\r\n0028| 0xffffd634 --&gt; 0xffffd6c4 --&gt; 0xffffd7f3 (&quot;\/root\/Documents\/he18\/egg24\/lock&quot;)\r\n&#x5B;------------------------------------------------------------------------------]\r\nLegend: code, data, rodata, value\r\ngdb-peda$\r\n<\/pre>\n<p>In order to bypass the comparison we just set <code>eax<\/code> (our pin) to the value of <code>ebx<\/code> &#8230;<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\ngdb-peda$ set $eax=$ebx\r\n<\/pre>\n<p>&#8230; and continue the execution:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\ngdb-peda$ c\r\nContinuing.\r\n\r\n  \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588    \u2588\u2588        \u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\r\n  \u2588\u2588          \u2588\u2588  \u2588\u2588\u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588    \u2588\u2588          \u2588\u2588\r\n  \u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588    \u2588\u2588\u2588\u2588\u2588\u2588        \u2588\u2588  \u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588\r\n  \u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588  \u2588\u2588\u2588\u2588  \u2588\u2588    \u2588\u2588      \u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588\r\n  \u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588      \u2588\u2588  \u2588\u2588    \u2588\u2588\u2588\u2588  \u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588\r\n  \u2588\u2588          \u2588\u2588  \u2588\u2588  \u2588\u2588    \u2588\u2588\u2588\u2588\u2588\u2588    \u2588\u2588          \u2588\u2588\r\n  
\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588  \u2588\u2588  \u2588\u2588  \u2588\u2588  \u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\r\n                          \u2588\u2588    \u2588\u2588\r\n  \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588\u2588\u2588    \u2588\u2588\u2588\u2588  \u2588\u2588  \u2588\u2588  \u2588\u2588\r\n        \u2588\u2588\u2588\u2588      \u2588\u2588\u2588\u2588      \u2588\u2588    \u2588\u2588        \u2588\u2588  \u2588\u2588\r\n  \u2588\u2588  \u2588\u2588  \u2588\u2588  \u2588\u2588\u2588\u2588  \u2588\u2588  \u2588\u2588\u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588\u2588\u2588      \u2588\u2588\r\n  \u2588\u2588  \u2588\u2588\u2588\u2588      \u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588    \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588\u2588\u2588\r\n    \u2588\u2588\u2588\u2588\u2588\u2588    \u2588\u2588  \u2588\u2588\u2588\u2588  \u2588\u2588  \u2588\u2588\u2588\u2588      \u2588\u2588  \u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588\r\n  \u2588\u2588\u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588    \u2588\u2588  \u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588    \u2588\u2588  \u2588\u2588  \u2588\u2588\u2588\u2588\r\n  \u2588\u2588  \u2588\u2588\u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588          \u2588\u2588  \u2588\u2588\u2588\u2588  \u2588\u2588    \u2588\u2588  \u2588\u2588\u2588\u2588\r\n  \u2588\u2588      \u2588\u2588    \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588    \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588\u2588\u2588    \u2588\u2588\r\n  \u2588\u2588  \u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588  \u2588\u2588  \u2588\u2588  
\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\r\n                  \u2588\u2588\u2588\u2588\u2588\u2588    \u2588\u2588\u2588\u2588  \u2588\u2588      \u2588\u2588  \u2588\u2588\r\n  \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588    \u2588\u2588\u2588\u2588    \u2588\u2588\u2588\u2588  \u2588\u2588  \u2588\u2588    \u2588\u2588\u2588\u2588\r\n  \u2588\u2588          \u2588\u2588      \u2588\u2588\u2588\u2588        \u2588\u2588      \u2588\u2588      \u2588\u2588\r\n  \u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588  \u2588\u2588\u2588\u2588  \u2588\u2588\u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\r\n  \u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588  \u2588\u2588  \u2588\u2588  \u2588\u2588\u2588\u2588      \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588\r\n  \u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588  \u2588\u2588      \u2588\u2588\u2588\u2588      \u2588\u2588\u2588\u2588    \u2588\u2588    \u2588\u2588\r\n  \u2588\u2588          \u2588\u2588  \u2588\u2588\u2588\u2588    \u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588        \u2588\u2588    \u2588\u2588\r\n  \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588  \u2588\u2588        \u2588\u2588\u2588\u2588          \u2588\u2588  \u2588\u2588\u2588\u2588\u2588\u2588\r\n\r\n&#x5B;Inferior 1 (process 15031) exited normally]\r\nWarning: not running or target is remote\r\n<\/pre>\n<p>Done \ud83d\ude42 The correct pin is <code>0x4179dce2 = 1098505442<\/code>. 
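<\/p>\n<p>The pin check traced above, re-implemented in Python as an added example (not code from the challenge binary or the original writeup): the expected pin is the 32-bit sum of the 25 dwords at <code>qr1<\/code>, and on a match the pin is subtracted from each of the 25 dwords at <code>qr2<\/code> (<code>qr1 + 0x64<\/code>). The two tables are constructed for this example; only their first dwords, the pin <code>0x4179dce2<\/code> and the wrong pin <code>1234<\/code> come from the gdb session.<\/p>\n

```python
"""Pin check of the 'lock' binary (Hacky Easter 2018, egg 24), re-implemented.

Added example for this writeup, not code from the challenge or its author.
It mirrors the loops disassembled in qr_next_line:
  +48..+55  ebx = sum of the 25 dwords at qr1 (32-bit, carries discarded)
  +57..+67  the entered pin, read through [qr1-4], must equal that sum
  +69..+93  on success every dword at qr2 (= qr1+0x64) has the pin subtracted
The tables below are CONSTRUCTED for this example; only their first dwords
(0x03f8b2fe, 0x4572ebe0), the real pin 0x4179dce2 and the wrong pin 1234 are
taken from the gdb session.
"""
import struct

MASK32 = 0xFFFFFFFF
QR_DWORDS = 0x19          # loop bound in qr_next_line: 25 dwords per table
FMT = "<%dI" % QR_DWORDS  # 25 little-endian unsigned 32-bit words


def rows_of(table: bytes) -> list:
    """Split the first 25 dwords of a table into a list of ints."""
    if len(table) < 4 * QR_DWORDS:
        raise ValueError("table must hold at least 25 dwords")
    return list(struct.unpack_from(FMT, table, 0))


def pin_from_qr1(qr1: bytes) -> int:
    """qr_next_line+48..+55: ebx += [esi+ecx*4] for ecx in 0..24."""
    total = 0
    for word in rows_of(qr1):
        total = (total + word) & MASK32   # x86 'add' keeps only 32 bits
    return total


def check_pin(pin: int, qr1: bytes) -> bool:
    """qr_next_line+57..+67: cmp eax (pin loaded via [qr1-4]) with ebx (sum)."""
    return (pin & MASK32) == pin_from_qr1(qr1)


def decode_dword(pin: int, word: int) -> int:
    """One pass of the loop at qr_next_line+81..+86: ebx = [esi+ecx*4] - eax."""
    return (word - pin) & MASK32


def decode_qr2(pin: int, qr2: bytes) -> bytes:
    """qr_next_line+69..+93: rewrite the 25 dwords at qr1+0x64 in place."""
    decoded = [decode_dword(pin, w) for w in rows_of(qr2)]
    return struct.pack(FMT, *decoded) + qr2[4 * QR_DWORDS:]


def unlock(pin: int, qr1: bytes, qr2: bytes):
    """Whole check: None for a wrong pin, otherwise the decoded qr2 table."""
    if not check_pin(pin, qr1):
        return None
    return decode_qr2(pin, qr2)


# Constructed sample tables (NOT the binary's data). qr1 starts with the dword
# seen in gdb and is padded with 24 filler words; qr2 is 25 made-up 25-bit rows
# 'encrypted' by adding the pin, i.e. the inverse of the loop at +81.
QR1_SAMPLE = struct.pack(FMT, 0x03F8B2FE, *([0x11111111] * 24))
SAMPLE_PIN = pin_from_qr1(QR1_SAMPLE)                  # 0x9d924c96 here
QR2_PLAIN = [0x1F00000 | i for i in range(QR_DWORDS)]
QR2_SAMPLE = struct.pack(FMT, *[(w + SAMPLE_PIN) & MASK32 for w in QR2_PLAIN])

if __name__ == "__main__":
    print("pin 1234 accepted: ", unlock(1234, QR1_SAMPLE, QR2_SAMPLE) is not None)
    print("derived pin:        0x%08x" % SAMPLE_PIN)
    decoded = unlock(SAMPLE_PIN, QR1_SAMPLE, QR2_SAMPLE)
    print("qr2 rows recovered:", rows_of(decoded) == QR2_PLAIN)
    # The real values from gdb: first qr2 dword decoded with the real pin.
    print("qr2[0] with 0x4179dce2: 0x%08x" % decode_dword(0x4179DCE2, 0x4572EBE0))
```

<p>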
That&#8217;s our egg:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg24_01-300x297.png\" alt=\"\" width=\"300\" height=\"297\" class=\"alignnone size-medium wp-image-545\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg24_01-300x297.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg24_01-150x150.png 150w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg24_01-100x100.png 100w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg24_01.png 539w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/p>\n<h1 id=\"chlg25\">25 &#8211; Hidden Egg #1<\/h1>\n<p>Within the challenge description the word <i>Head<\/i> is highlighted. This suggests that we should have a look at the HTTP headers:<\/p>\n<pre class=\"brush: bash; gutter: false; highlight: [22]; title: ; notranslate\" title=\"\">\r\nusr@host:~$ curl -v 'https:\/\/hackyeaster.hacking-lab.com\/hackyeaster\/challenge.html?id=25'\r\n*   Trying 80.74.140.117...\r\n* TCP_NODELAY set\r\n* Connected to hackyeaster.hacking-lab.com (80.74.140.117) port 443 (#0)\r\n...\r\n&gt; GET \/hackyeaster\/challenge.html?id=25 HTTP\/1.1\r\n&gt; Host: hackyeaster.hacking-lab.com\r\n&gt; User-Agent: curl\/7.55.1\r\n&gt; Accept: *\/*\r\n&gt; \r\n&lt; HTTP\/1.1 200 OK\r\n&lt; Date: Thu, 03 May 2018 10:02:08 GMT\r\n&lt; Server: Apache\/2.4.6 (CentOS) OpenSSL\/1.0.2k-fips PHP\/5.4.16\r\n&lt; Access-Control-Allow-Origin: *\r\n&lt; Access-Control-Allow-Methods: POST, GET, OPTIONS\r\n&lt; Access-Control-Allow-Credentials: true\r\n&lt; Access-Control-Allow-Headers: ACCEPT, ORIGIN, X-REQUESTED-WITH, CONTENT-TYPE, AUTHORIZATION\r\n&lt; Strict-Transport-Security: max-age=31536000\r\n&lt; Expires: Thu, 3 May 2018 13:02:08 CEST\r\n&lt; Cache-Control: max-age=3600\r\n&lt; Pragma: cache\r\n&lt; Content-Eggcoding: 
aHR0cHM6Ly9oYWNreWVhc3Rlci5oYWNraW5nLWxhYi5jb20vaGFja3llYXN0ZXIvaW1hZ2VzL2VnZ3MvYmEwYzc0ZWQ0MzlhYjQ3OTVmYzM2OTk5ZjU0MmJhNTBiMzI2ZTEwOS5wbmc=\r\n&lt; Accept-Ranges: bytes\r\n&lt; ETag: W\/&quot;2287-1517388588000&quot;\r\n&lt; Last-Modified: Wed, 31 Jan 2018 08:49:48 GMT\r\n&lt; Content-Type: text\/html; charset=UTF-8\r\n&lt; Content-Length: 2287\r\n&lt; \r\n&lt;!DOCTYPE HTML&gt;\r\n&lt;html&gt;\r\n&lt;head&gt;\r\n    &lt;title&gt;Hacky Easter 2018&lt;\/title&gt;\r\n    &lt;meta http-equiv=&quot;content-type&quot; content=&quot;text\/html; charset=utf-8&quot;\/&gt;\r\n...\r\n<\/pre>\n<p>There is a custom header field called <i>Content-Eggcoding<\/i> whose value looks base64-encoded:<\/p>\n<pre class=\"brush: bash; gutter: false; title: ; notranslate\" title=\"\">\r\nusr@host:~$ echo &quot;aHR0cHM6Ly9oYWNreWVhc3Rlci5oYWNraW5nLWxhYi5jb20vaGFja3llYXN0ZXIvaW1hZ2VzL2VnZ3MvYmEwYzc0ZWQ0MzlhYjQ3OTVmYzM2OTk5ZjU0MmJhNTBiMzI2ZTEwOS5wbmc=&quot; | base64 -d\r\nhttps:\/\/hackyeaster.hacking-lab.com\/hackyeaster\/images\/eggs\/ba0c74ed439ab4795fc36999f542ba50b326e109.png\r\n<\/pre>\n<p>That&#8217;s it. 
The egg can be retrieved at <code>https:\/\/hackyeaster.hacking-lab.com\/hackyeaster\/images\/eggs\/ba0c74ed439ab4795fc36999f542ba50b326e109.png<\/code>:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg25_01-300x300.png\" alt=\"\" width=\"300\" height=\"300\" class=\"alignnone size-medium wp-image-546\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg25_01-300x300.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg25_01-150x150.png 150w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg25_01-100x100.png 100w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg25_01.png 480w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/p>\n<h1 id=\"chlg26\">26 &#8211; Hidden Egg #2<\/h1>\n<p>I think this was the hardest hidden egg, but it was hinted at very well. Within the challenge description the word <i>tile<\/i> is highlighted and it is suggested that you perhaps need to browse on the <i>edge<\/i>.<\/p>\n<p>The word <i>edge<\/i> is related to the browser <i>Edge<\/i> and a <i>tile<\/i> can be found on the Windows start menu. 
We just have to visit the challenge&#8217;s website using <i>Edge<\/i> and <i>pin the page to start<\/i>:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg26_01.png\" alt=\"\" width=\"657\" class=\"alignnone size-full wp-image-547\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg26_01.png 1257w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg26_01-300x137.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg26_01-768x351.png 768w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg26_01-1024x468.png 1024w\" sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/p>\n<p>After this the Hacky Easter logo is placed on the start menu:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg26_02.png\" alt=\"\" width=\"490\" class=\"alignnone size-full wp-image-548\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg26_02.png 790w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg26_02-300x204.png 300w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg26_02-768x521.png 768w\" sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/p>\n<p>Now we need to change the tile size to big &#8230;<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg26_03.png\" alt=\"\" width=\"424\" class=\"alignnone size-full wp-image-549\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg26_03.png 724w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg26_03-300x119.png 300w\" sizes=\"(max-width: 724px) 100vw, 724px\" \/><\/p>\n<p>&#8230; in order to display the egg:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" 
src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg26_04.png\" alt=\"\" width=\"269\" height=\"268\" class=\"alignnone size-full wp-image-550\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg26_04.png 269w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg26_04-150x150.png 150w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg26_04-100x100.png 100w\" sizes=\"(max-width: 269px) 100vw, 269px\" \/><\/p>\n<h1 id=\"chlg27\">27 &#8211; Hidden Egg #3<\/h1>\n<p>Within the challenge description the word <i>app<\/i> is highlighted. This suggests that the egg is hidden in the app.<\/p>\n<p>I actually stumbled upon the egg when extracting all app files for the mobile challenges using the <a href=\"https:\/\/play.google.com\/store\/apps\/details?id=com.gmail.heagoo.apkeditor&#038;hl=de\" target=\"_blank\" rel=\"noopener\">APK Editor<\/a> app. There is a file called <code>res\/drawable\/jc_launcher.png<\/code>:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg27_01.png\" alt=\"\" width=\"280\" class=\"alignnone size-full wp-image-551\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg27_01.png 1080w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg27_01-193x300.png 193w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg27_01-768x1195.png 768w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg27_01-658x1024.png 658w\" sizes=\"(max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><\/p>\n<p>This is the egg:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg27_02-300x300.png\" alt=\"\" width=\"300\" height=\"300\" class=\"alignnone size-medium wp-image-552\" srcset=\"https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg27_02-300x300.png 300w, 
https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg27_02-150x150.png 150w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg27_02-100x100.png 100w, https:\/\/devel0pment.de\/wp-content\/uploads\/2018\/05\/he18_egg27_02.png 480w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[25,7],"tags":[8,9,13,18,16,21,17,10,11,12,19,14],"class_list":["post-461","post","type-post","status-publish","format-standard","hentry","category-hacking-lab-com","category-writeup","tag-assembly","tag-binary","tag-elf","tag-gdb","tag-hacking-lab","tag-hackyeaster","tag-misc","tag-pwn","tag-r2","tag-reversing","tag-x64","tag-x86"]}