Ninja Sec Challenge


Last updated 3 years ago


This is an old but funny puzzle that I solved many years ago.

1. Introduction

My first thought was that those number pairs could be a hint to the ASCII table. I did a short check with the first 4 numbers and I got http. It looks like a URL!

The dropbox link contains the following files:

  • challenge.zip - There is one txt file inside, but it’s protected with a password

  • challenge.bz2 – There is a binary file inside called challenge, but without file extension

  • admin.txt – It looks like a password list


2. Solving the puzzle

My next idea was that one of the words inside the admin.txt file could be the password for the protected zip file! I did try a dictionary attack with the wordlist file admin.txt against the file challenge.zip, but it didn't succeed.

fcrackzip -v -D -p /pentest/passwords/wordlists/admin.txt /target/challenge.zip

I opened the file challenge with a hex editor and at the end of the file there was a hint:

You have to look for the Disk-ID on freedb.org

First I had to check if the file extension is correct, because it was a coincidence that wav worked.

Let’s check the Database of freedb.org and let’s see what we get!

Disc ID: 1603eb03

The disc ID 1603eb03 was the password for the zip archive and I could successfully extract the file challenge.txt!

And now let’s see what we have:

What the heck is this? It could be encrypted JavaScript code, but I’m not sure. A quick search on Google shows me that it is JavaScript and that this technique is often used in malicious websites.

As we can see, our next Destination is http://www.ethical-intrusion.com/index.php

Now we have a login form where we have to enter a valid username/password combination. I started a dictionary attack with the passwords from the file admin.txt. Because of the filename, I used the username admin for all passwords.

After a while I got a valid username / password combination

Password found: m0use456g

With the discovered username/password combination I could enter the website. I can see 2 links and one of them shows me a YouTube video. I clicked on play but I couldn’t understand a word because the audio seems to be reversed!

Congratulations, you’ve discovered the website and now listen carefully you have to go to directory a98dhkjd.

Going to http://www.ethical-intrusion.com/a98dhkjd shows me an htaccess-protected directory:

Now let’s go back to the first login page and let’s analyse the links:

News1 is linked with: http://ethical-intrusion.com/index.php?news=news1.html

News2 is linked with: http://ethical-intrusion.com/index.php?news=news2.html

It took me more than one try, but it was possible to successfully read out the htpasswd file with a valid username and password to solve this challenge!

http://ethical-intrusion.com/index.php?news=a98dhkjd/.htaccess

http://ethical-intrusion.com/index.php?news=a98dhkjd/.htpasswd

Username: pilou Password: there1s

I used a typical web-based ASCII to text converter and I got this URL from the number pairs: http://dl.dropbox.com/u/10761700/{challenge.zip,challenge.bz2,admin.txt}

As we can read in the FAQ of freedb.org, freedb is a database to look up CD information using the Internet. Because of that information I tried the file extensions mp3 and wav. The file extension mp3 did not work, but with the file extension wav it was possible to play the file with an 11-second sequence of a soundtrack. But who is the artist of that song and how can I find out that Disk-ID?

A friend of mine told me about a program called TrID, which scans unknown binary files for their file extensions. I've tried it out and I got the file extension AIFF.

I tried out different tools to identify the soundtrack, but none of them gave me the song back! I also tried Shazam, which is a powerful tool to identify songs, and I had success with it.

Ok, this looks like typical hex code. To find out, I used a typical hex to text converter tool.

The decoded string is BASE64! A typical sign for that is the two == at the end of the string. For more information about BASE64 or other crypto codes visit the website cryptool-online.

Ok, and now let’s decode the BASE64 string.
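The layered decoding described above (decimal ASCII values, then hex wrapped around Base64) can be automated by peeling one encoding at a time. This is an added example, not part of the original write-up; the function names and the sample string are constructed for illustration.

```python
import base64
import binascii
import re
import string

PRINTABLE = set(string.printable.encode())

def try_decimal(text):
    # Whitespace-separated decimal byte values, e.g. "104 116 116 112".
    parts = text.split()
    if len(parts) > 1 and all(p.isdecimal() and int(p) < 256 for p in parts):
        return bytes(int(p) for p in parts)
    return None

def try_hex(text):
    compact = re.sub(r"\s+", "", text)
    if compact and len(compact) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", compact):
        return bytes.fromhex(compact)
    return None

def try_base64(text):
    # Validate alphabet and length instead of looking for "==": padding is
    # absent whenever the encoded input length is a multiple of three.
    compact = re.sub(r"\s+", "", text)
    if len(compact) < 8 or len(compact) % 4:
        return None
    try:
        return base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return None

# Order matters: every hex string also fits the Base64 alphabet.
DECODERS = [("decimal", try_decimal), ("hex", try_hex), ("base64", try_base64)]

def peel(text, max_layers=5):
    """Strip encoding layers while a decoder still yields printable ASCII."""
    layers = []
    for _ in range(max_layers):
        for name, decoder in DECODERS:
            raw = decoder(text)
            if raw and all(b in PRINTABLE for b in raw):
                layers.append(name)
                text = raw.decode("ascii")
                break
        else:
            return layers, text
    return layers, text

# Constructed sample in the same shape as the challenge file: hex(Base64(text)).
SAMPLE = base64.b64encode(b"alert('constructed sample');").hex()

if __name__ == "__main__":
    print(peel(SAMPLE))
```

The sample happens to end in == after the hex layer is removed, but the decoder also handles Base64 without padding, which the padding heuristic alone would miss.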

For the further analysis and decryption I used a tool called Revelo. I discovered that tool on a nice Security Blog and I ran it in a virtual Windows XP machine.

For the brute-force attack I've used a browser plugin called Fireforce. It’s important that Fireforce needs the text string “The username/password combination you have entered is invalid” to successfully identify the correct password.

I converted the YouTube video to an mp3 file and with the software Audacity I could edit the audio file to a clear voice:

What we can see is that in both links a separate html file is loaded and displayed into the file index.php! I don’t have much experience in web vulnerabilities, but a technique called local file inclusion exists for links like this to gain access to protected files and directories.
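The file-inclusion weakness in the news parameter, modelled beside a hardened lookup. This is an added example, not the challenge site's code: the site itself ran PHP, and the function names, page contents and placeholder credential line are constructed here.

```python
import os
import tempfile

def build_demo_site():
    """Constructed web root: two news pages beside a protected directory."""
    root = tempfile.mkdtemp(prefix="lfi_demo_")
    os.mkdir(os.path.join(root, "a98dhkjd"))
    files = {
        "news1.html": "<p>news one</p>",
        "news2.html": "<p>news two</p>",
        "a98dhkjd/.htpasswd": "demo-user:demo-hash",  # placeholder, not real data
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root

def naive_read(root, news):
    # Pattern described above: the parameter is joined to the web root and
    # the file is returned, so any readable file reachable from it leaks.
    with open(os.path.join(root, news)) as fh:
        return fh.read()

def safe_read(root, news):
    """Serve only *.html files that sit directly in the web root."""
    base = os.path.realpath(root)
    target = os.path.realpath(os.path.join(base, news))
    name = os.path.basename(target)
    # Sub-directories, ../ sequences, absolute paths and symlinks that
    # resolve elsewhere all end up with a parent other than the web root.
    if os.path.dirname(target) != base:
        return None
    # Dotfiles (.htaccess, .htpasswd) and non-page files are never served.
    if name.startswith(".") or not name.endswith(".html"):
        return None
    if not os.path.isfile(target):
        return None
    with open(target) as fh:
        return fh.read()

if __name__ == "__main__":
    site = build_demo_site()
    for value in ("news1.html", "a98dhkjd/.htpasswd", "../etc/passwd"):
        print(value, "->", safe_read(site, value))
```

Confining the path to the web root alone would not have helped here, because the protected directory sits inside it; the parent-directory and suffix checks are what keep the HTTP authentication files from being served through index.php.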
