├── README.md
├── crypto
    ├── brainys-cipher
    │   ├── README.md
    │   ├── brainy.txt
    │   └── rsa-solver.py
    ├── class-yet-complicated
    │   ├── README.md
    │   └── ciphertext.txt
    ├── deceitful-batman
    │   ├── README.md
    │   └── finale.txt
    ├── keys
    │   ├── README.md
    │   ├── fernet-solver.py
    │   └── keys.txt
    ├── sick-teacher
    │   ├── README.md
    │   └── SickTeacher.txt
    ├── weak-rsa
    │   ├── README.md
    │   ├── flag.enc
    │   └── key.pub
    └── you-can-do-it
    │   ├── README.md
    │   └── you_can_do_it.txt
├── invite-code
    ├── README.md
    ├── htb-invite.png
    └── invitecode.py
├── stego
    ├── beatles
    │   ├── BAND.JPG
    │   ├── BAND.zip
    │   ├── README.md
    │   └── m3ss@g#_f0r_pAuL
    ├── da-vinci
    │   ├── Plans.jpg
    │   ├── README.md
    │   ├── Thepassword_is_the_small_name_of_the_actor_named_Hanks.jpg
    │   ├── _monalisa.jpg.extracted
    │   │   ├── 6DF3B.zip
    │   │   ├── Mona.jpg
    │   │   └── famous.zip
    │   ├── monalisa.jpg
    │   └── youtube.png
    ├── digital-cube
    │   ├── README.md
    │   ├── digitalcube.txt
    │   ├── qr-ascii.png
    │   ├── qr-readable.png
    │   └── qr.jpg
    ├── forest
    │   ├── README.md
    │   ├── forest.jpg
    │   └── random-colour-map.jpg
    ├── hackerman
    │   ├── README.md
    │   ├── google.png
    │   └── hackerman.jpg
    ├── milkshake
    │   ├── Milkshake.mp3
    │   ├── README.md
    │   └── spectogram.png
    ├── pusheen-loves-graphs
    │   ├── Pusheen
    │   ├── README.md
    │   ├── change-node.png
    │   ├── graph.png
    │   └── node-updated.png
    ├── raining-blood
    │   ├── README.md
    │   └── RainingBlood.mp3
    ├── senseless-behaviour
    │   ├── README.md
    │   ├── audacity.png
    │   ├── meow.png
    │   ├── meow.wav
    │   ├── meow_flag.txt
    │   ├── red-plane.png
    │   └── wavsteg-output.png
    ├── unified
    │   ├── BOD_30079.txt
    │   └── README.md
    └── widescreen
    │   ├── README.md
    │   ├── blue-plane.png
    │   ├── colour-inversion-xor.png
    │   ├── green-plane.png
    │   ├── random-color-map.png
    │   ├── red-plane.png
    │   └── widescreen.png
└── web
    ├── cartographer
        ├── README.md
        ├── cartographer-index.png
        ├── flag.png
        └── panel.png
    ├── hdc
        ├── README.md
        ├── do-process.png
        ├── hdc-directory.png
        ├── hdc-email.png
        ├── hdc-emails.png
        ├── hdc-flag.png
        ├── hdc-index.png
        └── hdc-website.png
    └── lernaean
        ├── README.md
        ├── lernaean-index.png
        ├── lernaean.png
        └── nope.png


/README.md:
--------------------------------------------------------------------------------
# Hack The Box
[Hack The Box](https://www.hackthebox.eu) is an online platform allowing you to test and advance your skills in cyber security.

**Reversing 4/10**

| Title | Points | Status | WriteUp |
| :---: | :---: | :---: | :---: |
| Crack This! | 80 | :disappointed_relieved: | |
| The Art of Reversing | 40 | :disappointed_relieved: | |
| Tear Or Dear | 20 | :disappointed_relieved: | |
| Bombs Landed | 80 | :disappointed_relieved: | |
| Find The Easy Pass | 20 | :wink: | TBD |
| Eat the Cake! | 60 | :wink: | TBD |
| Pseudo | 90 | :disappointed_relieved: | |
| Impossible Password | 30 | :wink: | TBD |
| Find The Secret Flag | 50 | :disappointed_relieved: | |
| Snake | 10 | :wink: | TBD |

**Cryptography 7/11**

| Title | Points | Status | WriteUp |
| :---: | :---: | :---: | :---: |
| Weak RSA | 20 | :wink: | [link](https://github.com/ajdumanhug/hackthebox/tree/master/crypto/weak-rsa) |
| Sick Teacher | 20 | :wink: | [link](https://github.com/ajdumanhug/hackthebox/tree/master/crypto/sick-teacher) |
| Classic, yet complicated! | 10 | :wink: | [link](https://github.com/ajdumanhug/hackthebox/tree/master/crypto/class-yet-complicated) |
| Infinite Descent | 90 | :disappointed_relieved: | |
| Deceitful Batman | 10 | :wink: | [link](https://github.com/ajdumanhug/hackthebox/tree/master/crypto/deceitful-batman) |
| Ebola Virus | 100 | :disappointed_relieved: | |
| You Can Do It! | 10 | :wink: | [link](https://github.com/ajdumanhug/hackthebox/tree/master/crypto/you-can-do-it) |
| Brainy's Cipher | 30 | :wink: | [link](https://github.com/ajdumanhug/hackthebox/tree/master/crypto/brainys-cipher) |
| Keys | 40 | :wink: | [link](https://github.com/ajdumanhug/hackthebox/tree/master/crypto/keys) |
| Mission Impossible | 90 | :disappointed_relieved: | |
| Please, don't share! | 80 | :disappointed_relieved: | |

**Steganography 13/17**

| Title | Points | Status | WriteUp |
| :---: | :---: | :---: | :---: |
| Raining Blood | 40 | :wink: | [link](https://github.com/ajdumanhug/hackthebox/tree/master/stego/raining-blood) |
| Monstrosity | 90 | :disappointed_relieved: | |
| BitsNBytes | 70 | :disappointed_relieved: | |
| Widescreen | 20 | :wink: | [link](https://github.com/ajdumanhug/hackthebox/tree/master/stego/widescreen) |
| Hackerman | 30 | :wink: | [link](https://github.com/ajdumanhug/hackthebox/tree/master/stego/hackerman) |
| Hidden in Colors | 70 | :wink: | TBD |
| Milkshake | 10 | :wink: | [link](https://github.com/ajdumanhug/hackthebox/tree/master/stego/milkshake) |
| Digital Cube | 60 | :wink: | [link](https://github.com/ajdumanhug/hackthebox/tree/master/stego/digital-cube) |
| Forest | 40 | :wink: | [link](https://github.com/ajdumanhug/hackthebox/tree/master/stego/forest) |
| Da Vinci | 30 | :wink: | [link](https://github.com/ajdumanhug/hackthebox/tree/master/stego/da-vinci) |
| Beatles | 30 | :wink: | [link](https://github.com/ajdumanhug/hackthebox/tree/master/stego/beatles) |
| Unified | 20 | :wink: | [link](https://github.com/ajdumanhug/hackthebox/tree/master/stego/unified) |
| Pusheen Loves Graphs | 30 | :wink: | [link](https://github.com/ajdumanhug/hackthebox/tree/master/stego/pusheen-loves-graphs) |
| Retro | 50 | :wink: | TBD |
| Senseless Behaviour | 50 | :wink: | [link](https://github.com/ajdumanhug/hackthebox/tree/master/stego/senseless-behaviour) |
| Not Art | 70 | :disappointed_relieved: | |
| Massacre | 100 | :disappointed_relieved: | |

**Pwn 0/5**

| Title | Points | Status | WriteUp |
| :---: | :---: | :---: | :---: |
| Ropme | 80 | :disappointed_relieved: | |
| Little Tommy | 40 | :disappointed_relieved: | |
| Dream Diary: Chapter 1 | 90 | :disappointed_relieved: | |
| Dream Diary: Chapter 2 | 90 | :disappointed_relieved: | |
| Old Bridge | 80 | :disappointed_relieved: | |

**Web 5/5**

| Title | Points | Status | WriteUp |
| :---: | :---: | :---: | :---: |
| HDC | 30 | :wink: | [link](https://github.com/ajdumanhug/hackthebox/tree/master/web/hdc) |
| I know Mag1k | 50 | :wink: | TBD |
| Grammar | 70 | :wink: | TBD |
| Lernaean | 20 | :wink: | [link](https://github.com/ajdumanhug/hackthebox/tree/master/web/lernaean) |
| Cartographer | 30 | :wink: | [link](https://github.com/ajdumanhug/hackthebox/tree/master/web/cartographer) |

**Misc 7/8**

| Title | Points | Status | WriteUp |
| :---: | :---: | :---: | :---: |
| fs0ciety | 30 | :wink: | TBD |
| 0ld is g0ld | 10 | :wink: | TBD |
| Art | 20 | :wink: | TBD |
| Inferno | 20 | :wink: | TBD |
| misDIRection | 20 | :wink: | TBD |
| Eternal Loop | 20 | :disappointed_relieved: | |
| Longbottom's Locker | 20 | :wink: | TBD |
| Blackhole | 20 | :wink: | TBD |

**Forensics 0/5**

| Title | Points | Status | WriteUp |
| :---: | :---: | :---: | :---: |
| Marshal in the Middle | 40 | :disappointed_relieved: | |
| Deadly Arthropod | 40 | :disappointed_relieved: | |
| Reminiscent | 40 | :disappointed_relieved: | |
| Keep Tryin' | 50 | :disappointed_relieved: | |
| Blue Shadow | 60 | :disappointed_relieved: | |

**Mobile 0/1**

| Title | Points | Status | WriteUp |
| :---: | :---: | :---: | :---: |
| Cryptohorrific | 40 | :disappointed_relieved: | |

**Pwned Machines**

| Machine Name | OS | User | Root | Status | WriteUp |
| :---: | :---: | :---: | :---: | :---: | :---: |
| Jerry | | :wink: | :wink: | Active | TBD |
| Poison | | :wink: | :wink: | Retired | TBD |

--------------------------------------------------------------------------------
/crypto/brainys-cipher/README.md:
--------------------------------------------------------------------------------
# Crypto Challenge: Brainy's Cipher (30 Points)

**Brainy likes playing around with esoteric programming. He also likes math and has therefore encrypted his very secure password with a popular encryption algorithm. Claiming that his password cannot be retrieved now, he has sent the ciphertext to some of his friends. Can you prove to Brainy that his password can actually be recovered?**

This challenge gave us a file named brainy.txt.

```
$ cat brainy.txt
++++++++++[>+>+++>+++++++>++++++++++<<<<-]>>>>+++++++++++++++++++++++.-----------.<------------.---.++.---------.+.++.-.++.+.-----.++..++++.--.++++.+..-------.+.+++.---.+.+++++.-------.+.---.+++++++.+.-------..+++.-.+++++.-------.++.+++++.-----.+++++..-----.--.++++++++.-------.--.++++.+++.---.++..+++.------.+++.--.-..++++++.-.----..+++++.------.++++++.---.---.--.+++.++++.-------.+++++..-.++..-------.++++++.---.++..+++.----.++++.-------.++++++++..----.+++.+.------.--.-.++.-.+++++.--..--.++++.-.++++.---.------.+++++.++.+.---.+++.---.----.++++.--.+++.-----.+++++.+.---.--.+++++++.---.---...---.+.++++++++.----.++++.-----.++.--.-.--.++.-.-.+++++.--..+++++.-------.-.++++.++.-----.++++++.--------.+++.+++.-.+++.----.----.++++++.----.++++++.-------.-----.>+.<++++++++++++++.---------.+.++++++.--------.++.+++++++.--------.+++++++.----.+.----.+++...----.++++..++.----..+++.+++.-----.++++.--.++..-------.+++.++++.--.---.--.++++++..-----..+++++++.-------.+++++++.--------..++++++.++.--..++.----.+++.++.------.++++.+.-..+.+.-------.++++++.-.---.---.-.++++++++..-----.---.++.+.++..-.--.+++.++++.--..------.++++++++.-------.+++++++..---.+.++..---.----.+.++++++..-.-.-----.--.++++.--.+++++++.----.++++.-----.-.+.++.+..+..--.-.---.+++++.--.--.++++++.--------.++.---.+++++++..----.---.+++++++++.-...-------.++++++++.-------.++.-.+++++.----.-.+++++.---.----.+++++.++.-----.---.+++++++.++.---------...++.+++++++.------.+++++.-------.++++.-----.+++++.----.-----.>-------------.++++++++++++.<++++++++++++++.-----..-.----.++++++.-..-----.++.++++++.--.----..--.++.-.++++++++.------.+..--.+++++++.------.---.++++++.----.++++++.-.++.------.++++...--.---.+++++++.--------.++++++++.----..+.----.+..---.++++++++.+.---.-.---.--.++++++++.-----.+++++.----.+.+++.------.--..+++++++++.-.---.++.----.++++.-.------.+++++.--.++.+++.-----.++.++.--..----.-.+++++++.+.----.---.+++++.+++.---.-----.+++++.------.++++++.-.----..++.+++.--.---.++.++++++.--------..+++++.+++.---.-----.++.++++++.---.+++.-.-------.++.+++.-.---.+++.---.+.++.-----.+++++++.---.--.-..++++.++.-------.++++.+.--.++++..+.+.-.---.-.--.+.+++++.--.+++.------..--.++++++++.-.------.++++.+++.-----.+.----.-----.>------------.+++++++++++++.<++++++++++++++.-.---------.++++++..++.+.--.----.-.--.+++.---.++++++++..-----.+.--.--.++++++.+++.----.---.+.++.++++.------.++++++..--.----.++++..---.+++.----.--..++++++++.-.-----..---.+++++++++.---------.++++++.----.+++++.-.--.---.++++++.+.+.---------.++++++.----.++++.+++.-----.+++.--.+++.----.+++.------.++++++.----.++++++.---..------.+++++++.----.++.+.+.++.-..-------.++++++.-------.++++.---.++++.+++.-----.++++++..----.-.+++++..---.---.-..+.--.+++.---.++++.++.---.-.+++++.-..-------.++..+++.++++.----.---.++.+++++.--------.++++.+.------..+++++.---.++++++.-.------.+++.++.--.---.++.+++.-----.+++++.---.+.--.-.+++++++.+.-------.--.+++++.-----..+++++.++.---.+++++.-.--.-.----.-----.>--------------.<++++++++++++++.----.----.--.+++++++.+.--------.++++++++.--..+..---.---.+++++..++.--.++.--.+.------.+++++++.-----.+++++.---.++.++.----.++.----.++.-----.+++..+++++.-----.--.+++...++.----.++++++.--------.+++++++++.--------.+.++++.+.----..++++++.-------.++..++++.--------.++++++.-.-----.++.++++.++.---.-----.++.-.+.++++.++.---.--.-.++++.-..----..+++++++.-----.++++++.---.----.--.+++++.+.--.+++++.----.++++.---.--.+.++.++.--.+.------.+.-.+++.--.---.++.--.++++++++.------.--.+++++.-.-.++++++.------.++++++.------..+++.++.------..++++.-.++..-----.++++++.--------.++.+++++.--.-----.++++++++..-.-----.+++++++.------.+++.------.++.++.-.-.+++.----.+.+++++++.---.+.++..-----.++++.--------.+++++..-.+++++..---.-.-----.++.--.+++++++++.--------.+++++.+++.----.--.+++.--..++.---.++.++++.---.-.++++.--------.+++++..------.+++++++.++.-------.+++.--..++.+.---.++++++.---------.++.+++++.--.++.++.--------.+++++++.-.---.-.++.----.+++++++.--------.++++++.------.+++++++.---.+++.--.++++.---.---..-..++.++.-.-.---.++++++..--.+++.+.----.++++.---------..++.+.+++++.---.-.+.----.+++++++.--.---.--.+..-.-.++++++.--.++++.-.+.-----.+.+++.+.----.++.++..--------.++.+++++++.--------.+++++.+..-----.--.+.++++++.--.----.+.++++++.--------.++++++++.------.--.++++++...+.-------.+++++++++.-----.+.+.----.+++.-----.++++++.+.+.--------.+++.+++++.-------.+.+++++++.--.-------.++++++++.-.------.>++++++++++++++++++++++++++.
```

The content of the file is very familiar to me. Oh, that is the Brainfuck language!

We can use this website https://copy.sh/brainfuck/ to translate the message.

```
{
p:7901324502264899236349230781143813838831920474669364339844939631481665770635584819958931021644265960578585153616742963330195946431321644921572803658406281,
q:12802918451444044622583757703752066118180068668479378778928741088302355425977192996799623998720429594346778865275391307730988819243843851683079000293815051,
dp:5540655028622021934429306287937775291955623308965208384582009857376053583575510784169616065113641391169613969813652523507421157045377898542386933198269451,
dq:9066897320308834206952359399737747311983309062764178906269475847173966073567988170415839954996322314157438770225952491560052871464136163421892050057498651,
c:62078086677416686867183857957350338314446280912673392448065026850212685326551183962056495964579782325302082054393933682265772802750887293602432512967994805549965020916953644635965916607925335639027579187435180607475963322465417758959002385451863122106487834784688029167720175128082066670945625067803812970871
}
```

The translated message is very familiar to me and I know this is some kind of RSA challenge. So using the python script uploaded here, I was able to decode it and get the flag.

```
$ python rsa-solver.py
Qinv: 220704337201952911765675653562663630182944011601434480318719267734294597214029345583566925914822207084641554600189204004345080805963023444063892299263948
m1: 49437413074993986257824490238275931180994249527518860068137626874351971280859988288289074
m2: 49437413074993986257824490238275931180994249527518860068137626874351971280859988288289074
h: 0
m: 49437413074993986257824490238275931180994249527518860068137626874351971280859988288289074
solved: ch1n3z_r3m4ind3r_the0rem_r0ck$$$_9792
```

--------------------------------------------------------------------------------
/crypto/brainys-cipher/rsa-solver.py:
--------------------------------------------------------------------------------
# return (g, x, y) such that a*x + b*y = g = gcd(a, b)
def egcd(a, b):
    if a == 0:
        return (b, 0, 1)
    else:
        g, x, y = egcd(b % a, a)
        return (g, y - (b // a) * x, x)

def decryptRSA(p, q, e, ct):
    # compute n
    n = p * q
    phi = (p - 1) * (q - 1)
    gcd, a, b = egcd(e, phi)
    # egcd can return a negative coefficient; reduce it mod phi to get d
    d = a % phi
    print("d: " + str(d))
    pt = pow(ct, d, n)
    return pt

def encryptRSA(p, q, e, pt):
    # compute n
    n = p * q
    phi = (p - 1) * (q - 1)
    gcd, a, b = egcd(e, phi)
    d = a % phi
    print("d: " + str(d))
    ct = pow(pt, e, n)
    return ct


def convert(int_value):
    # integer -> bytes, padded to an even number of hex digits
    encoded = format(int_value, 'x')
    length = len(encoded)
    encoded = encoded.zfill(length + length % 2)
    return bytes.fromhex(encoded)

# x = mulinv(b) mod n, (x * b) % n == 1
def mulinv(b, n):
    g, x, _ = egcd(b, n)
    if g != 1:
        raise ValueError("b has no inverse modulo n")
    return x % n

def main():
    # By implementing Chinese remainder algorithm
    # 1) p and q are the primes
    # 2) dp = d mod (p - 1)
    # 3) dq = d mod (q - 1)
    # 4) Qinv = 1/q mod p  *This is not integer division but multiplicative inverse
    # 5) m1 = pow(c, dp, p)
    # 6) m2 = pow(c, dq, q)
    # 7) h = Qinv * (m1 - m2) mod p  (Python's % keeps h non-negative when m1 < m2)
    # 8) m = m2 + hq

    # m = 65
    # p = 61
    # q = 53
    # dp = 53
    # dq = 49
    # c = 2790

    p = 7901324502264899236349230781143813838831920474669364339844939631481665770635584819958931021644265960578585153616742963330195946431321644921572803658406281
    q = 12802918451444044622583757703752066118180068668479378778928741088302355425977192996799623998720429594346778865275391307730988819243843851683079000293815051
    dp = 5540655028622021934429306287937775291955623308965208384582009857376053583575510784169616065113641391169613969813652523507421157045377898542386933198269451
    dq = 9066897320308834206952359399737747311983309062764178906269475847173966073567988170415839954996322314157438770225952491560052871464136163421892050057498651
    c = 62078086677416686867183857957350338314446280912673392448065026850212685326551183962056495964579782325302082054393933682265772802750887293602432512967994805549965020916953644635965916607925335639027579187435180607475963322465417758959002385451863122106487834784688029167720175128082066670945625067803812970871

    Qinv = mulinv(q, p)
    print("Qinv: " + str(Qinv))

    m1 = pow(c, dp, p)
    print("m1: " + str(m1))

    m2 = pow(c, dq, q)
    print("m2: " + str(m2))

    h = (Qinv * (m1 - m2)) % p
    print("h: " + str(h))

    m = m2 + (h * q)
    print("m: " + str(m))

    # the recovered integer is the big-endian encoding of the ASCII flag
    print("solved: " + convert(m).decode())

if __name__ == "__main__":
    main()


# http://crypto.stackexchange.com/questions/19413/what-are-dp-and-dq-in-encryption-by-rsa-in-c
# https://en.wikipedia.org/wiki/RSA_(cryptosystem)#Using_the_Chinese_remainder_algorithm
# https://zzundel.blogspot.com/2011/02/rsa-implementation-using-python.html

--------------------------------------------------------------------------------
/crypto/class-yet-complicated/README.md:
--------------------------------------------------------------------------------
# Crypto Challenge: Classic, yet complicated! (10 Points)

**Find the plaintext, the key is your flag!
Flag format : HTB{key in lowercase}**

This challenge gave us a file named ciphertext.txt.

```
$ cat ciphertext.txt
alp gwcsepul gtavaf, nlv prgpbpsu mb h jcpbyvdlq, ipltga rv glniypfa we ekl 16xs nsjhlcb. px td o lccjdstslpahzn fptspf xstlxzi te iosj ezv sc xcns ttsoic lzlvrmhaw ez sjqijsa xsp rwhr. tq vxspf sciov, alp wsphvcv pr ess rwxpqlvp nwlvvc dyi dswbhvo ef htqtafvyw hqzfbpg, ezutewwm zcep xzmyr o scio ry tscoos rd woi pyqnmgelvr vpm . qbctnl xsp akbflowllmspwt nlwlpcg, lccjdstslpahzn fptspfo oip qvx dfgysgelipp ec bfvbxlrnj ojocjvpw, ld akfv ekhr zys hskehy my eva dclluxpih yoe mh yiacsoseehk fj l gebxwh sieesn we ekl iynfudktru. xsp yam zd woi qwoc.
```

Based on my observation, there are similar words/letters in the ciphertext such as `alp` and `ekl`. So this is definitely a Vigenère Cipher. So to decode this ciphertext, we must know the `key` used to encode the ciphertext.
Luckily this website https://www.dcode.fr/vigenere-cipher can help us decode the ciphertext by knowing a plaintext word used in the ciphertext.

So going back to the repeating words/letters.. I'm highly confident that `alp` is equivalent to the word `the`. And I finally decoded the ciphertext.

Decoded ciphertext:
```
the vigenere cipher, was invented by a frenchman, blaise de vigenere in the 16th century. it is a polyalphabetic cipher because it uses two or more cipher alphabets to encrypt the data. in other words, the letters in the vigenere cipher are shifted by different amounts, normally done using a word or phrase as the encryption key . unlike the monoalphabetic ciphers, polyalphabetic ciphers are not susceptible to frequency analysis, as more than one letter in the plaintext can be represented by a single letter in the encryption. the key is the flag.
```

Aside from getting the decoded ciphertext, I also got the key which is `helloworld`.

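
The known-plaintext step that the write-up hands to dcode.fr can be reproduced offline. This added example (not part of the original write-up) generalizes the `alp` = `the` guess to a crib at any position: ciphertext letter minus plaintext letter gives a key letter, and the shortest repeating period of that stream is the key. The function names are assumptions chosen for illustration; the ciphertext is the first sentence of `ciphertext.txt`.

```python
import string

ALPHA = string.ascii_lowercase

# First sentence of ciphertext.txt, copied from the challenge file above.
CIPHERTEXT = ("alp gwcsepul gtavaf, nlv prgpbpsu mb h jcpbyvdlq, "
              "ipltga rv glniypfa we ekl 16xs nsjhlcb.")


def letters(text):
    """Only a-z count: in this ciphertext the key advances on letters only."""
    return [ch for ch in text.lower() if ch in ALPHA]


def key_fragment(ciphertext, crib, offset=0):
    """Key letters implied if `crib` is the plaintext that starts at letter
    index `offset` of the ciphertext (key = cipher - plain mod 26)."""
    ct = letters(ciphertext)[offset:]
    return "".join(ALPHA[(ALPHA.index(c) - ALPHA.index(p)) % 26]
                   for c, p in zip(ct, letters(crib)))


def recover_key(ciphertext, crib, offset=0):
    """Shortest repeating period of the key stream, rotated so that it lines
    up with letter 0 of the ciphertext. The crib must be longer than the key,
    otherwise no repetition is visible and the guess cannot be confirmed."""
    stream = key_fragment(ciphertext, crib, offset)
    for n in range(1, len(stream)):
        if all(stream[i] == stream[i - n] for i in range(n, len(stream))):
            return "".join(stream[(j - offset) % n] for j in range(n))
    raise ValueError("crib too short: the key never repeats inside it")


def decrypt(ciphertext, key):
    """Standard Vigenere decryption; digits, spaces and punctuation pass
    through untouched and do not consume key letters."""
    out, i = [], 0
    for ch in ciphertext.lower():
        if ch in ALPHA:
            shift = ALPHA.index(key[i % len(key)])
            out.append(ALPHA[(ALPHA.index(ch) - shift) % 26])
            i += 1
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    # The two trigrams the write-up noticed are both "the", but they sit at
    # different key offsets, which is why they encrypt differently.
    print(key_fragment(CIPHERTEXT, "the"))        # alp -> key letters at 0..2
    print(key_fragment(CIPHERTEXT, "the", 58))    # ekl -> key letters at 8..10
    key = recover_key(CIPHERTEXT, "the vigenere cipher")
    print(key)
    print(decrypt(CIPHERTEXT, key))
```

A three-letter crib such as `the` only pins down three key letters, so `recover_key` refuses it; the period becomes visible once the crib is longer than the key.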
--------------------------------------------------------------------------------
/crypto/deceitful-batman/README.md:
--------------------------------------------------------------------------------
# Crypto Challenge: Deceitful Batman (10 Points)

**This text appeared on a Batman show but we suspect that it is actually code. It's your job to find out what it says! (The flag is in uppercase)**

```
$ cat finale.txt
NAANAAANNNAANAAAANANANANAAAAAAAANNAANAAANAAANANNAAAAAAAANNNAANAAAAANAANAAAA
```

This is a fucking Baconian Cipher. Learn more here: https://www.geeksforgeeks.org/baconian-cipher/

Change all `N` to `B`.

```
BAABAAABBBAABAAAABABABABAAAAAAAABBAABAAABAAABABBAAAAAAAABBBAABAAAAABAABAAAA
```

Using this website https://mothereff.in/bacon, decode the ciphertext.

You'll get this:

```
THEFLAGISNAPIER
```

--------------------------------------------------------------------------------
/crypto/keys/README.md:
--------------------------------------------------------------------------------
# Crypto Challenge: Keys (40 Points)

**Can you decrypt the message?**

Let's check the given file:

```
$ cat keys.txt
hBU9lesroX_veFoHz-xUcaz4_ymH-D8p28IP_4rtjq0=
gAAAAABaDDCRPXCPdGDcBKFqEFz9zvnaiLUbWHqxXqScTTYWfZJcz-WhH7rf_fYHo67zGzJAdkrwATuMptY-nJmU-eYG3HKLO9WDLmO27sex1-R85CZEFCU=
```

Hmm.. I'm pretty sure that's not Base64.. To be honest, this is where I got stuck and asked some friends online for a hint.

They gave me a hint: `symmetric encryption cryptography`

So I searched on Google for `symmetric encryption cryptography` and I found this documentation: https://cryptography.io/en/latest/fernet/

Ohh, Fernet.. Okay..

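
Why the second line of `keys.txt` is recognizable as Fernet, as an added example that is not part of the original write-up: the token is URL-safe Base64 whose decoded layout is fixed by the Fernet spec (version byte `0x80`, 8-byte big-endian timestamp, 16-byte IV, AES-CBC ciphertext, 32-byte HMAC-SHA256 keyed with the first half of the key). The function names are assumptions chosen for illustration; only the standard library is used and nothing is decrypted.

```python
import base64
import hashlib
import hmac
import struct
from datetime import datetime, timezone

# The two lines of keys.txt as shown above.
KEY = "hBU9lesroX_veFoHz-xUcaz4_ymH-D8p28IP_4rtjq0="
TOKEN = ("gAAAAABaDDCRPXCPdGDcBKFqEFz9zvnaiLUbWHqxXqScTTYWfZJcz-WhH7rf_fYHo67z"
         "GzJAdkrwATuMptY-nJmU-eYG3HKLO9WDLmO27sex1-R85CZEFCU=")

FERNET_VERSION = 0x80
MIN_TOKEN_LEN = 1 + 8 + 16 + 16 + 32   # version, time, IV, one AES block, HMAC


def parse_fernet(token):
    """Split a Fernet token into its fields, or raise ValueError if the
    bytes do not have the Fernet layout."""
    raw = base64.urlsafe_b64decode(token)
    if len(raw) < MIN_TOKEN_LEN or raw[0] != FERNET_VERSION:
        raise ValueError("not a Fernet token: wrong length or version byte")
    signed, mac = raw[:-32], raw[-32:]
    ciphertext = signed[25:]
    if len(ciphertext) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    (timestamp,) = struct.unpack(">Q", raw[1:9])
    try:
        created = datetime.fromtimestamp(timestamp, timezone.utc).isoformat()
    except (OverflowError, OSError, ValueError):
        created = None                  # timestamp outside the platform range
    return {
        "version": raw[0],
        "timestamp": timestamp,         # stored in the clear, not encrypted
        "created": created,
        "iv": raw[9:25],
        "ciphertext": ciphertext,
        "hmac": mac,
        "signed": signed,               # the bytes the HMAC covers
    }


def hmac_valid(key, token):
    """True if the token's HMAC matches under the signing half of `key`.
    A Fernet key is 32 bytes: signing key (16) followed by AES key (16)."""
    key_bytes = base64.urlsafe_b64decode(key)
    if len(key_bytes) != 32:
        raise ValueError("a Fernet key must decode to exactly 32 bytes")
    fields = parse_fernet(token)
    expected = hmac.new(key_bytes[:16], fields["signed"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, fields["hmac"])


if __name__ == "__main__":
    fields = parse_fernet(TOKEN)
    print("version     0x%02x" % fields["version"])
    print("created    ", fields["created"])
    print("iv         ", fields["iv"].hex())
    print("ciphertext ", len(fields["ciphertext"]), "bytes")
    print("hmac ok    ", hmac_valid(KEY, TOKEN))
```

Every Fernet token starts with `gAAAAA` because the version byte and the high bytes of the timestamp are constant, and the creation time is readable by anyone who holds the token, with or without the key.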
Solution:
```
from cryptography.fernet import Fernet

# first line of keys.txt: the Base64-encoded 32-byte Fernet key
key = b'hBU9lesroX_veFoHz-xUcaz4_ymH-D8p28IP_4rtjq0='

f = Fernet(key)

# second line of keys.txt: the Fernet token
token = b'gAAAAABaDDCRPXCPdGDcBKFqEFz9zvnaiLUbWHqxXqScTTYWfZJcz-WhH7rf_fYHo67zGzJAdkrwATuMptY-nJmU-eYG3HKLO9WDLmO27sex1-R85CZEFCU='

# decrypt() returns bytes; decode them for printing
print(f.decrypt(token).decode())
```

Running that python script gives us the flag:

```
$ python fernet-solver.py
Flag : HTB{N0t_A_Fl1g!}
```

--------------------------------------------------------------------------------
/crypto/sick-teacher/README.md:
--------------------------------------------------------------------------------
# Crypto Challenge: Sick Teacher (20 Points)

**Can you break the cipher?
Please submit the flag in lowercase: HTB{lowercase}**

This challenge gave us a text file named SickTeacher.txt.

```
$ cat SickTeacher.txt
KBJICYP CZ KHLTIKWECD

KHLTIKWECD RWMI GBQW JCNW IBNW BM NHP CZ 2017. JBMLW IKWM, BI KHJ FYCRM QWYP VOBLTGP IC IKCOJHMSJ CZ NWNEWYJ ZYCN HGG CQWY IKW FGCEW.
IKW KHGG CZ ZHNW GBJIJ IKW ICA 100 OJWYJ BM CYSWY CZ ACBMIJ. HI IKW IBNW CZ RYBIBMF, IKW ICA 3 OJWYJ HYW JIWZHMC118, ZBGGBACJ HMS HKNWS.
IKWYW HYW JCNW ZCYONJ, H JKCOIECD HMS H JGHLT LKHMMWG. JGHLT HMS JKCOIECD HYW HRWJCNW, EOI IKW ZCYONJ MWWS JCNW GCQW! B RBJK NCYW AWCAGW OJWS IKWN.
KCAWZOGGP IKBJ BJ WMCOFK IWDI IC KWGA RBIK PCOY JOEJIBIOIBCM! FWI LYHLTBM! AJ SCM'I ZCYFWI IC JOAACYI KHLTIKWECD BZ PCO LHM JAHYW JCNW NCMWP. WQWYP AWMMP KWGAJ!

DCDC - HYYWDWG
ZGHF GCYWNBAJONSCGCYJBIHNWI
```

Based on my observation, there are letters and numbers in the ciphertext but the numbers were not changed. So, therefore, this is a Substitution Cipher.

I searched for Substitution Cipher Solver and found this website: https://www.guballa.de/substitution-solver

Here is the decoded ciphertext:

```
HISTORY OF HACKTHEBOX

HACKTHEBOX WENT LIVE SOME TIME IN MAY OF 2017. SINCE THEN, IT HAS GROWN VERY QUICKLY TO THOUSANDS OF MEMBERS FROM ALL OVER THE GLOBE.
THE HALL OF FAME LISTS THE TOP 100 USERS IN ORDER OF POINTS. AT THE TIME OF WRITING, THE TOP 3 USERS ARE STEFANO118, FILLIPOS AND AHMED.
THERE ARE SOME FORUMS, A SHOUTBOX AND A SLACK CHANNEL. SLACK AND SHOUTBOX ARE AWESOME, BUT THE FORUMS NEED SOME LOVE! I WISH MORE PEOPLE USED THEM.
HOPEFULLY THIS IS ENOUGH TEXT TO HELP WITH YOUR SUBSTITUTION! GET CRACKIN! PS DON'T FORGET TO SUPPORT HACKTHEBOX IF YOU CAN SPARE SOME MONEY. EVERY PENNY HELPS!

XOXO - ARREXEL
FLAG LOREMIPSUMDOLORSITAMET
```

--------------------------------------------------------------------------------
/crypto/weak-rsa/README.md:
--------------------------------------------------------------------------------
# Crypto Challenge: Weak RSA (20 Points)

**Can you decrypt the message and get the flag?**

The challenge gave us two files, `key.pub` and `flag.enc`.

Let's check the content of each file.

8 | 9 | ``` 10 | $ cat key.pub 11 | -----BEGIN PUBLIC KEY----- 12 | MIIBHzANBgkqhkiG9w0BAQEFAAOCAQwAMIIBBwKBgQMwO3kPsUnaNAbUlaubn7ip 13 | 4pNEXjvUOxjvLwUhtybr6Ng4undLtSQPCPf7ygoUKh1KYeqXMpTmhKjRos3xioTy 14 | 23CZuOl3WIsLiRKSVYyqBc9d8rxjNMXuUIOiNO38ealcR4p44zfHI66INPuKmTG3 15 | RQP/6p5hv1PYcWmErEeDewKBgGEXxgRIsTlFGrW2C2JXoSvakMCWD60eAH0W2PpD 16 | qlqqOFD8JA5UFK0roQkOjhLWSVu8c6DLpWJQQlXHPqP702qIg/gx2o0bm4EzrCEJ 17 | 4gYo6Ax+U7q6TOWhQpiBHnC0ojE8kUoqMhfALpUaruTJ6zmj8IA1e1M6bMqVF8sr 18 | lb/N 19 | -----END PUBLIC KEY----- 20 | ``` 21 | 22 | ``` 23 | $ cat flag.enc 24 | ?_?vc[??~?kZ?1?Ĩ?4?I?9V?ֿ?^G???(?+3Lu"?T$???F0?VP?־j@?????|j?????{¾?,?????YE?????Xx??,??c?N&Hl2?Ӎ??[o?? 25 | ``` 26 | 27 | We have the public key and the encrypted text, but we need the private key to decrypt the ciphertext. So I searched GitHub for a tool that could possibly decrypt this RSA challenge and found this repository: 28 | https://github.com/Ganapati/RsaCtfTool 29 | 30 | RsaCtfTool is a tool that deciphers data encrypted with a weak public key and tries to recover the private key, automatically selecting the best attack for the given public key. 31 | 32 | Now, to decrypt the ciphertext, I executed the command below and finally got the flag. 
33 | 34 | ``` 35 | $ python RsaCtfTool.py --publickey key.pub --uncipherfile flag.enc 36 | [+] Clear text : HTB{s1mpl3_Wi3n3rs_4tt4ck} 37 | ``` 38 | -------------------------------------------------------------------------------- /crypto/weak-rsa/flag.enc: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mmetalmaster/hackthebox/8070e6f88db54171deda9dde925e9fcb8e1667df/crypto/weak-rsa/flag.enc -------------------------------------------------------------------------------- /crypto/you-can-do-it/README.md: -------------------------------------------------------------------------------- 1 | # Crypto Challenge: You Can Do It! (10 Points) 2 | 3 | **The flag is in the format HTB{plaintext}** 4 | 5 | ``` 6 | $ cat you_can_do_it.txt 7 | YHAOANUTDSYOEOIEUTTC! 8 | ``` 9 | 10 | This is just an Anagram.. You can manually solve it. 11 | 12 | ``` 13 | YHAOANUTDSYOEOIEUTTC! 14 | YOUSEETHATYOUCANDOIT! 15 | ``` 16 | -------------------------------------------------------------------------------- /crypto/you-can-do-it/you_can_do_it.txt: -------------------------------------------------------------------------------- 1 | YHAOANUTDSYOEOIEUTTC! 
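The flag recovered in the Weak RSA write-up above names Wiener's attack, which applies when the private exponent `d` is very small. The following is an added example, not code from this repository or from RsaCtfTool: a standard-library key audit that tests a public key `(n, e)` for that weakness using the continued-fraction expansion of `e/n`. The numbers `N`, `WEAK_E` and `SOUND_E` are constructed textbook-sized values, not the challenge key.

```python
"""Audit an RSA public key (n, e) for a small private exponent (Wiener's bound)."""
from math import isqrt


def convergents(num, den):
    """Yield the continued-fraction convergents (k, d) of num/den, in order."""
    k_prev, k_cur = 0, 1   # numerators
    d_prev, d_cur = 1, 0   # denominators
    while den:
        q, r = divmod(num, den)
        k_prev, k_cur = k_cur, q * k_cur + k_prev
        d_prev, d_cur = d_cur, q * d_cur + d_prev
        yield k_cur, d_cur
        num, den = den, r


def recover_small_d(n, e):
    """Return (d, p, q) if d is small enough for Wiener's method, else None.

    e*d = 1 + k*phi(n), so k/d is extremely close to e/n. When
    d < n**0.25 / 3 the fraction k/d is one of the convergents of e/n.
    """
    for k, d in convergents(e, n):
        if k == 0 or (e * d - 1) % k:
            continue
        phi = (e * d - 1) // k          # candidate phi(n)
        s = n - phi + 1                 # p + q, since phi = n - (p + q) + 1
        disc = s * s - 4 * n            # (p - q)^2 if the candidate is right
        if disc < 0:
            continue
        root = isqrt(disc)
        if root * root != disc or (s + root) % 2:
            continue
        p, q = (s + root) // 2, (s - root) // 2
        if q > 1 and p * q == n:
            return d, p, q
    return None


def audit_key(n, e):
    """Summarise the finding in a form suitable for a key-inventory report."""
    found = recover_small_d(n, e)
    report = {"n_bits": n.bit_length(), "e_bits": e.bit_length(), "weak": False}
    if found:
        d, p, q = found
        report.update(weak=True, d=d, d_bits=d.bit_length(), p=p, q=q)
    return report


# Constructed sample keys: one modulus, two public exponents.
N = 239 * 379        # 90581
WEAK_E = 17993       # matching private exponent is 5 (far below the bound)
SOUND_E = 5          # matching private exponent is 17993 (not recoverable this way)

if __name__ == "__main__":
    for e in (WEAK_E, SOUND_E):
        print(e, audit_key(N, e))
```

A public exponent almost as long as the modulus is the visible symptom; keys generated with a fixed small `e` such as 65537 and a full-size `d` do not fail this check.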
2 | -------------------------------------------------------------------------------- /invite-code/README.md: -------------------------------------------------------------------------------- 1 | # Hack The Box Invite Code 2 | 3 | 4 | 5 | # Solution: 6 | 7 | Note: I made a simple python script to get an invite code from Hack The Box website, but if you still want to know the long process kindly read the steps below. :) 8 | 9 | 1. Go to this link: https://www.hackthebox.eu/invite 10 | 11 | 2. View the Source Code and look for `/js/inviteapi.min.js` then open the JS file in another tab. 12 | 13 | 3. You should get this code: 14 | 15 | ```javascript 16 | eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('1 i(4){h 8={"4":4};$.9({a:"7",5:"6",g:8,b:\'/d/e/n\',c:1(0){3.2(0)},f:1(0){3.2(0)}})}1 j(){$.9({a:"7",5:"6",b:\'/d/e/k/l/m\',c:1(0){3.2(0)},f:1(0){3.2(0)}})}',24,24,'response|function|log|console|code|dataType|json|POST|formData|ajax|type|url|success|api|invite|error|data|var|verifyInviteCode|makeInviteCode|how|to|generate|verify'.split('|'),0,{})) 17 | ``` 18 | 19 | 4. 
Let's use this website (https://beautifier.io/) to beautify this JavaScript: 20 | 21 | ```javascript 22 | function verifyInviteCode(code) { 23 | var formData = { 24 | "code": code 25 | }; 26 | $.ajax({ 27 | type: "POST", 28 | dataType: "json", 29 | data: formData, 30 | url: '/api/invite/verify', 31 | success: function(response) { 32 | console.log(response) 33 | }, 34 | error: function(response) { 35 | console.log(response) 36 | } 37 | }) 38 | } 39 | 40 | function makeInviteCode() { 41 | $.ajax({ 42 | type: "POST", 43 | dataType: "json", 44 | url: '/api/invite/how/to/generate', 45 | success: function(response) { 46 | console.log(response) 47 | }, 48 | error: function(response) { 49 | console.log(response) 50 | } 51 | }) 52 | } 53 | ``` 54 | 55 | 5. Now look at the `makeInviteCode()` function: it calls the `/api/invite/how/to/generate` endpoint. So I created a simple cURL command to get the response from that API endpoint. 56 | 57 | ```bash 58 | curl -i -s -k -X $'POST' \ 59 | -H $'Host: www.hackthebox.eu' -H $'Cookie: hackthebox_session={SESSION HERE}' \ 60 | -b $'hackthebox_session={SESSION HERE}' \ 61 | $'https://www.hackthebox.eu/api/invite/how/to/generate' 62 | ``` 63 | 64 | API Response: 65 | ```json 66 | { 67 | "0": 200, 68 | "success": 1, 69 | "data": { 70 | "data": "SW4gb3JkZXIgdG8gZ2VuZXJhdGUgdGhlIGludml0ZSBjb2RlLCBtYWtlIGEgUE9TVCByZXF1ZXN0IHRvIC9hcGkvaW52aXRlL2dlbmVyYXRl", 71 | "enctype": "BASE64" 72 | } 73 | } 74 | ``` 75 | 76 | 6. Decoding the Base64 above gives us this hint: 77 | `In order to generate the invite code, make a POST request to /api/invite/generate` 78 | 79 | 7. I created another cURL command with a POST request to `/api/invite/generate` to get the response from the API endpoint. 
80 | ```bash 81 | curl -i -s -k -X $'POST' \ 82 | -H $'Host: www.hackthebox.eu' -H $'Cookie: hackthebox_session={SESSION HERE}' \ 83 | -b $'hackthebox_session={SESSION HERE}' \ 84 | $'https://www.hackthebox.eu/api/invite/generate' 85 | ``` 86 | 87 | API Response: 88 | ```json 89 | { 90 | "0": 200, 91 | "success": 1, 92 | "data": { 93 | "code": "Rk5GUU4tUFdJSlQtUVNPVUgtWUNPWEgtTVRGS0M=", 94 | "format": "encoded" 95 | } 96 | } 97 | ``` 98 | 99 | 8. Base64-decoding the value of the `code` parameter gives us this invite code: 100 | ``` 101 | FNFQN-PWIJT-QSOUH-YCOXH-MTFKC 102 | ``` 103 | -------------------------------------------------------------------------------- /invite-code/htb-invite.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mmetalmaster/hackthebox/8070e6f88db54171deda9dde925e9fcb8e1667df/invite-code/htb-invite.png -------------------------------------------------------------------------------- /invite-code/invitecode.py: -------------------------------------------------------------------------------- 1 | import requests 2 | import base64 3 | import json 4 | 5 | HackboxURL = "https://www.hackthebox.eu/api/invite/generate" 6 | JSONDATA = requests.post(HackboxURL) 7 | print(base64.b64decode(json.loads(JSONDATA.text)["data"]["code"]).decode())  # Python 3: print() is a function; decode the bytes to text -------------------------------------------------------------------------------- /stego/beatles/BAND.JPG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mmetalmaster/hackthebox/8070e6f88db54171deda9dde925e9fcb8e1667df/stego/beatles/BAND.JPG -------------------------------------------------------------------------------- /stego/beatles/BAND.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mmetalmaster/hackthebox/8070e6f88db54171deda9dde925e9fcb8e1667df/stego/beatles/BAND.zip 
-------------------------------------------------------------------------------- /stego/beatles/README.md: -------------------------------------------------------------------------------- 1 | # Stego Challenge: Beatles (30 Points) 2 | 3 | **John Lennon send a secret message to Paul McCartney about the next music tour of Beatles... Could you find the message and submit the flag?** 4 | 5 | The author of this challenge gave us 2 files, a zip and a txt file. 6 | 7 | Let's check the content of these files. 8 | 9 | ``` 10 | $ unzip -l BAND.zip 11 | Archive: BAND.zip 12 | Length Date Time Name 13 | --------- ---------- ----- ---- 14 | 77643 09-24-2017 19:15 BAND.JPG 15 | --------- ------- 16 | 77643 1 file 17 | ``` 18 | 19 | ``` 20 | $ cat m3ss\@g#_f0r_pAuL 21 | Url Cnhy, 22 | 23 | Zl Sbyqre unf cnffcuenfr jvgu sbhe (4) punenpgref. 24 | 25 | Pbhyq lbh spenpx vg sbe zr??? 26 | 27 | V fraq lbh n zrffntr sbe bhe Gbhe arkg zbagu... 28 | 29 | Qba'g Funer vg jvgu bgure zrzoref bs bhe onaq... 30 | 31 | -Wbua Yraaba 32 | 33 | CF: Crnpr naq Ybir zl sevraq... Orngyrf Onaq sbe rire! 34 | ``` 35 | 36 | The `BAND.zip` file asks for a password to extract the `BAND.JPG` file, while the `m3ss\@g#_f0r_pAuL` text file is encoded with a substitution cipher. 37 | 38 | Let's decode the content of `m3ss\@g#_f0r_pAuL` first. 39 | 40 | ``` 41 | Hey Paul, 42 | 43 | My Folder has passphrase with four (4) characters. 44 | 45 | Could you fcrack it for me??? 46 | 47 | I send you a message for our Tour next month... 48 | 49 | Don't Share it with other members of our band... 50 | 51 | -John Lennon 52 | 53 | PS: Peace and Love my friend... Beatles Band for ever! 54 | ``` 55 | 56 | Hmm.. It is a hint to unzip the `BAND.zip` file.. The password has 4 characters and we can use the `fcrackzip` command for that. 57 | 58 | ``` 59 | $ fcrackzip -u -D -p rockyou.txt BAND.zip 60 | 61 | PASSWORD FOUND!!!!: pw == pass 62 | ``` 63 | 64 | The 4-character password is `pass`. 65 | 66 | Let's extract the zip file. 
67 | ``` 68 | $ unzip BAND.zip 69 | Archive: BAND.zip 70 | [BAND.zip] BAND.JPG password: 71 | inflating: BAND.JPG 72 | ``` 73 | 74 | 75 | 76 | Let's check the strings and binwalk for any hints. 77 | 78 | ``` 79 | $ strings BAND.JPG | awk 'length($0) > 10' 80 | %&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz 81 | &'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz 82 | VkhKNUlFaGhjbVJsY2lFPQ== 83 | ``` 84 | 85 | Oh, here we go again with BASE64. Let's decode that one. 86 | 87 | ``` 88 | $ echo 'VkhKNUlFaGhjbVJsY2lFPQ==' | base64 --decode | base64 --decode 89 | Try Harder! 90 | ``` 91 | 92 | Oh Fudge! Okay :/ 93 | 94 | ``` 95 | $ binwalk BAND.JPG 96 | 97 | DECIMAL HEXADECIMAL DESCRIPTION 98 | -------------------------------------------------------------------------------- 99 | 0 0x0 JPEG image data, JFIF standard 1.01 100 | ``` 101 | 102 | And I tried stegsolve, and other steganography tools but nothing interesting and got stuck with this challenge. No clues at all. 103 | 104 | So I tried steghide but I need a password, so what I did is try everything related to Beatles. 105 | 106 | I tried `Beatles`, `John`, `John Lennon`, `Paul`, `Paul McCartney`, `The Beatles`, then I tried `THEBEATLES` after staring in the image for fcking few minutes. 107 | 108 | ``` 109 | $ steghide extract -sf BAND.JPG -p THEBEATLES 110 | wrote extracted data to "testabeatle.out". 111 | ``` 112 | 113 | Okay, we got another file to check and it's a binary file. 114 | 115 | ``` 116 | $ file testabeatle.out 117 | testabeatle.out: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ca68ea305ff7d393662ef8ce4e5eed0b478c8b4e, not stripped 118 | ``` 119 | 120 | Oh boy! I'm dead. 121 | 122 | Wait.. let's use strings first maybe there is something hidden in the file. 
123 | 124 | ``` 125 | # strings testabeatle.out | awk 'length($0) > 20' 126 | /lib64/ld-linux-x86-64.so.2 127 | _ITM_deregisterTMCloneTable 128 | _ITM_registerTMCloneTable 129 | Hey Paul! If you are here... Give my your favourite character! 130 | Ok Paul... A little challenge for you mate, cause last month someone crazy man hacked...WTF! Let's Begin! 131 | ########################################Challenge############################################################ 132 | Tell me PAul! The result of 5+5? 133 | Ok!ok! it was easy... Tell me now... The result of: 5+5-5*(5/5)? 134 | Last one! The result of: (2.5*16.8+1.25*10.2+40*0.65+1.5*7.5+1.25*3.2):40 135 | Hey Paul! nice!!! this is the message 136 | VGhlIHRvdXIgd2FzIGNhbmNlbGVkIGZvciB0aGUgZm9sbG93aW5nIG1vbnRoLi4uIQ0KDQpJJ2xsIGdvIG91dCBmb3IgZGlubmVyIHdpdGggbXkgZ2lybGZyaWVuZCBuYW1lZCBZb2NvISA7KQ0KDQpIVEJ7UzByUnlfTXlfRlIxM25EfQ0K 137 | WTF! You are not Paul!! SOS SOS SOS HACKER HERE!! I will call the police someone want to steal my data!!! 138 | ########################################END OF CHALLENGE############################################################ 139 | GCC: (Debian 7.2.0-5) 7.2.0 140 | __do_global_dtors_aux 141 | __do_global_dtors_aux_fini_array_entry 142 | __frame_dummy_init_array_entry 143 | _GLOBAL_OFFSET_TABLE_ 144 | _ITM_deregisterTMCloneTable 145 | __libc_start_main@@GLIBC_2.2.5 146 | __isoc99_scanf@@GLIBC_2.7 147 | _ITM_registerTMCloneTable 148 | __cxa_finalize@@GLIBC_2.2.5 149 | ``` 150 | 151 | See, strings can do the work! We found a BASE64 here. 152 | 153 | ``` 154 | $ echo "VGhlIHRvdXIgd2FzIGNhbmNlbGVkIGZvciB0aGUgZm9sbG93aW5nIG1vbnRoLi4uIQ0KDQpJJ2xsIGdvIG91dCBmb3IgZGlubmVyIHdpdGggbXkgZ2lybGZyaWVuZCBuYW1lZCBZb2NvISA7KQ0KDQpIVEJ7UzByUnlfTXlfRlIxM25EfQ0K" | base64 --decode 155 | The tour was canceled for the following month...! 156 | 157 | I'll go out for dinner with my girlfriend named Yoco! ;) 158 | 159 | HTB{S0rRy_My_FR13nD} 160 | ``` 161 | 162 | We finally got the flag! 
163 | 164 | By the way, I tried to run the binary file too and it's easy to solve lol. 165 | 166 | ``` 167 | $ ./testabeatle.out 168 | Hey Paul! If you are here... Give my your favourite character! 169 | 170 | Ok Paul... A little challenge for you mate, cause last month someone crazy man hacked...WTF! Let's Begin! 171 | ########################################Challenge############################################################ 172 | Tell me PAul! The result of 5+5? 173 | 10 174 | Ok!ok! it was easy... Tell me now... The result of: 5+5-5*(5/5)? 175 | 5 176 | Last one! The result of: (2.5*16.8+1.25*10.2+40*0.65+1.5*7.5+1.25*3.2):40 177 | 2.4 178 | Hey Paul! nice!!! this is the message 179 | VGhlIHRvdXIgd2FzIGNhbmNlbGVkIGZvciB0aGUgZm9sbG93aW5nIG1vbnRoLi4uIQ0KDQpJJ2xsIGdvIG91dCBmb3IgZGlubmVyIHdpdGggbXkgZ2lybGZyaWVuZCBuYW1lZCBZb2NvISA7KQ0KDQpIVEJ7UzByUnlfTXlfRlIxM25EfQ0K 180 | ########################################END OF CHALLENGE############################################################ 181 | ``` 182 | -------------------------------------------------------------------------------- /stego/beatles/m3ss@g#_f0r_pAuL: -------------------------------------------------------------------------------- 1 | Url Cnhy, 2 | 3 | Zl Sbyqre unf cnffcuenfr jvgu sbhe (4) punenpgref. 4 | 5 | Pbhyq lbh spenpx vg sbe zr??? 6 | 7 | V fraq lbh n zrffntr sbe bhe Gbhe arkg zbagu... 8 | 9 | Qba'g Funer vg jvgu bgure zrzoref bs bhe onaq... 10 | 11 | -Wbua Yraaba 12 | 13 | 14 | CF: Crnpr naq Ybir zl sevraq... Orngyrf Onaq sbe rire! 
15 | -------------------------------------------------------------------------------- /stego/da-vinci/Plans.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mmetalmaster/hackthebox/8070e6f88db54171deda9dde925e9fcb8e1667df/stego/da-vinci/Plans.jpg -------------------------------------------------------------------------------- /stego/da-vinci/README.md: -------------------------------------------------------------------------------- 1 | # Stego Challenge: Da Vinci (30 Points) 2 | 3 | **Try to find out the secret which is hiding inside of these pictures and learn the truth about Mona Lisa!** 4 | 5 | The author gave us three pictures. 6 | 7 | **monalisa.jpg**
8 | 9 | 10 | **Plans.jpg**
11 | 12 | 13 | **Thepassword_is_the_small_name_of_the_actor_named_Hanks.jpg**
14 | 15 | 16 | Let's see if there's something in these images using `strings` command. 17 | 18 | ``` 19 | $ strings monalisa.jpg | awk 'length($0) > 10' 20 | ;CREATOR: gd-jpeg v1.0 (using IJG JPEG v62), quality = 92 21 | 5Optimized by JPEGmini 3.9.20.0L Internal 0x8c97c7da 22 | )))))))))))))))))))))))))))))))))))))))))))))))))) 23 | EK:p%q%FvR\e 24 | d'v[{EmXx1 25 | T\c!`.w0x-B ]. 26 | dk*bbJB[>X[e 27 | O:V=v,Tee3n-7Y 28 | EbqL%g>@Dq$ 29 | z#iWV(mO)~PL 30 | c<[;pg],s{p 31 | NbfVh1Y~v":> 32 | k^*kTJ$2LT^BC 33 | 6Yw6L<7(^]i 34 | T::Ks\"c'e8 35 | famous.zipUT 36 | ia 37 | \2nA{D9x 38 | FayU)W^[Ja= 39 | famous.zipUT 40 | ``` 41 | 42 | Ohh.. a zip file, will try to use binwalk later to properly check that image. 43 | 44 | ``` 45 | $ strings Thepassword_is_the_small_name_of_the_actor_named_Hanks.jpg | awk 'length($0) > 10' 46 | """""""""""""""""""""""""""""""""""""""""""""""""" 47 | %&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz 48 | &'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz 49 | ``` 50 | 51 | Okay.. Nothing Interesting here.. 52 | 53 | ``` 54 | $ strings Plans.jpg | awk 'length($0) > 10' 55 | //33//@@@@@@@@@@@@@@@ 56 | #0+.'''.+550055@@?@@@@@@@@@@@@ 57 | ?:Vn.$R0!B@X2 58 | rLXn0~uHg*T 59 | zX^(1*cxY3: 60 | RN;m@. 61 | VebJ 62 | https://www.youtube.com/watch?v=jc1Nfx4c5LQ 63 | ``` 64 | 65 | Wait.. what?! A YouTube Link? 66 | 67 | 68 | 69 | Playing the video will prompts us `Picasso's Guernica` and the title of that video is `Guernica 3D`. 70 | 71 | Hmmm?? Well, let's leave that for now and move forward with binwalk. 72 | 73 | Let's now use binwalk to check if there are any embedded files in these images aside from what we've discovered earlier. 
74 | 75 | ``` 76 | $ binwalk monalisa.jpg 77 | 78 | DECIMAL HEXADECIMAL DESCRIPTION 79 | -------------------------------------------------------------------------------- 80 | 0 0x0 JPEG image data, JFIF standard 1.01 81 | 450363 0x6DF3B Zip archive data, at least v2.0 to extract, uncompressed size: 117958, name: famous.zip 82 | 450440 0x6DF88 Zip archive data, encrypted at least v2.0 to extract, compressed size: 117776, uncompressed size: 122869, name: Mona.jpg 83 | 568411 0x8AC5B End of Zip archive 84 | 568537 0x8ACD9 End of Zip archive 85 | ``` 86 | 87 | ``` 88 | $ binwalk Plans.jpg 89 | 90 | DECIMAL HEXADECIMAL DESCRIPTION 91 | -------------------------------------------------------------------------------- 92 | 0 0x0 JPEG image data, JFIF standard 1.02 93 | ``` 94 | 95 | ``` 96 | $ binwalk Thepassword_is_the_small_name_of_the_actor_named_Hanks.jpg 97 | 98 | DECIMAL HEXADECIMAL DESCRIPTION 99 | -------------------------------------------------------------------------------- 100 | 0 0x0 JPEG image data, JFIF standard 1.01 101 | ``` 102 | 103 | So there's only 1 image with an embedded zip file named `famous.zip`, and inside that zip file is an image named `Mona.jpg`. 104 | Let's try to extract the file using this command: `binwalk -e monalisa.jpg`. 105 | 106 | Extracted Files are: 107 | - _monalisa.jpg.extracted/ 108 | - 6DF3B.zip 109 | - famous.zip 110 | 111 | When opening the famous.zip file, it asks us for a password. Going back to the given images above, the third image gave us a hint. So let's try to use `TOM` as the password. 112 | 113 | ``` 114 | $ unzip famous.zip 115 | Archive: famous.zip 116 | [famous.zip] Mona.jpg password: 117 | password incorrect--reenter: 118 | password incorrect--reenter: 119 | skipping: Mona.jpg incorrect password 120 | ``` 121 | 122 | Oh fudge, what to do now.. Well, the next thing I did was to find a tool that will bruteforce the zip file with a dictionary. 
123 | 124 | Then I found this -> [fcrackzip](https://github.com/hyc/fcrackzip). 125 | fcrackzip is a braindead program for cracking encrypted ZIP archives. 126 | 127 | So let's try this tool and bruteforce the password of the `famous.zip` file. 128 | 129 | ``` 130 | $ fcrackzip -u -D -p rockyou.txt famous.zip 131 | PASSWORD FOUND!!!!: pw == leonardo 132 | ``` 133 | 134 | Poof, we just got the password! 135 | 136 | Let's unzip the `famous.zip` file now. 137 | 138 | ``` 139 | $ unzip famous.zip 140 | Archive: famous.zip 141 | [famous.zip] Mona.jpg password: 142 | inflating: Mona.jpg 143 | ``` 144 | 145 | Great! We just got this image named `Mona.jpg`. 146 | 147 | 148 | 149 | Next step is to `binwalk` that image. 150 | 151 | ``` 152 | $ binwalk Mona.jpg 153 | 154 | DECIMAL HEXADECIMAL DESCRIPTION 155 | -------------------------------------------------------------------------------- 156 | 0 0x0 JPEG image data, JFIF standard 1.01 157 | ``` 158 | 159 | How about `strings`? 160 | 161 | ``` 162 | $ strings Mona.jpg | awk 'length($0) > 10' 163 | %&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz 164 | &'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz 165 | RIR^M}g.'>_ 166 | ``` 167 | 168 | Uhmm.. Maybe we can use `steghide` and use `TOM` as password to extract hidden files. 169 | 170 | ``` 171 | $ steghide extract -sf Mona.jpg -p TOM 172 | steghide: could not extract any data with that passphrase! 173 | ``` 174 | 175 | Okay.. Let's try this hint: `Thepassword_is_the_small_name_of_the_actor_named_Hanks.jpg` 176 | 177 | ``` 178 | $ steghide extract -sf Mona.jpg -p tom 179 | steghide: could not extract any data with that passphrase! 180 | ``` 181 | 182 | Oh fudge, it's not even working!! 183 | 184 | Ohh.. how about `Guernica` from the YouTube video we've discovered in `Plans.jpg`? 185 | 186 | ``` 187 | $ steghide extract -sf Mona.jpg -p Guernica 188 | wrote extracted data to "key". 189 | ``` 190 | 191 | Holy Moly! Guernica is the password! 192 | 193 | Let's check the content of that file! 
194 | 195 | ``` 196 | $ cat key 197 | VTBaU1EyVXdNSGRpYTBKbVZFUkdObEZHT0doak1UbEZUVEJDUldaUlBUMD0= 198 | ``` 199 | 200 | Oh, a BASE64 ciphertext. 201 | 202 | ``` 203 | $ echo 'VTBaU1EyVXdNSGRpYTBKbVZFUkdObEZHT0doak1UbEZUVEJDUldaUlBUMD0=' | base64 --decode 204 | U0ZSQ2UwMHdia0JmVERGNlFGOGhjMTlFTTBCRWZRPT0= 205 | ``` 206 | 207 | A BASE64 again? For real?! How many times should I decode that fudge to get the original text? 208 | 209 | Oh fudge.. wait.. The title of the video is `Guernica 3D` and we already used `Guernica` as password.. how about `3D`? :) 210 | 211 | I guess `3D` means `3 times of Decoding`. 212 | 213 | Let's try it! 214 | 215 | ``` 216 | $ cat key | base64 --decode | base64 --decode | base64 --decode 217 | HTB{M0n@_L1z@_!s_D3@D} 218 | ``` 219 | 220 | Booyah! We got the flag! 221 | -------------------------------------------------------------------------------- /stego/da-vinci/Thepassword_is_the_small_name_of_the_actor_named_Hanks.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mmetalmaster/hackthebox/8070e6f88db54171deda9dde925e9fcb8e1667df/stego/da-vinci/Thepassword_is_the_small_name_of_the_actor_named_Hanks.jpg -------------------------------------------------------------------------------- /stego/da-vinci/_monalisa.jpg.extracted/6DF3B.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mmetalmaster/hackthebox/8070e6f88db54171deda9dde925e9fcb8e1667df/stego/da-vinci/_monalisa.jpg.extracted/6DF3B.zip -------------------------------------------------------------------------------- /stego/da-vinci/_monalisa.jpg.extracted/Mona.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mmetalmaster/hackthebox/8070e6f88db54171deda9dde925e9fcb8e1667df/stego/da-vinci/_monalisa.jpg.extracted/Mona.jpg 
-------------------------------------------------------------------------------- /stego/da-vinci/_monalisa.jpg.extracted/famous.zip: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mmetalmaster/hackthebox/8070e6f88db54171deda9dde925e9fcb8e1667df/stego/da-vinci/_monalisa.jpg.extracted/famous.zip -------------------------------------------------------------------------------- /stego/da-vinci/monalisa.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mmetalmaster/hackthebox/8070e6f88db54171deda9dde925e9fcb8e1667df/stego/da-vinci/monalisa.jpg -------------------------------------------------------------------------------- /stego/da-vinci/youtube.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mmetalmaster/hackthebox/8070e6f88db54171deda9dde925e9fcb8e1667df/stego/da-vinci/youtube.png -------------------------------------------------------------------------------- /stego/digital-cube/README.md: -------------------------------------------------------------------------------- 1 | # Stego Challenge: Digital Cube (60 Points) 2 | 3 | **...Strathmore leaned forward and rotated his monitor toward Susan. The screen was black except for a small, white text box blinking in the middle. TIME ELAPSED: 50:50"
4 | TRANSLTR, the single best crypto-machine, could not crack this code. Maybe you can...** 5 | 6 | Author of this challenge gave us a txt file with lots of 1's and 0's. 7 | 8 | ``` 9 | $ cat digitalcube.txt 10 | 11111111111111001111110011001100000011111111111111111111111111110011111100110011000000111111111111111100000000001100111111000000000011001100000000001111000000000011001111110000000000110011000000000011110011111100110011001111001100110000110011111100111100111111001100110011110011001100001100111111001111001111110011001111001100001100000011001111110011110011111100110011110011000011000000110011111100111100111111001100000000000011111111001100111111001111001111110011000000000000111111110011001111110011110000000000110011000011111111000000110000000000111100000000001100110000111111110000001100000000001111111111111111001100110011001100110011111111111111111111111111110011001100110011001100111111111111110000000000000000001100001100111100000000000000000000000000000000000011000011001111000000000000000000111100001111110000000011001111000000001100111111111111000011111100000000110011110000000011001111111100000000110000111111110011000011110000001100000011000000001100001111111100110000111100000011000000110000000011001100110000111111111111001111111100000000000000110011001100001111111111110011111111000000111111110000001100001111001100110011110000001111001111111100000011000011110011001100111100000011110011111100000011110000110011110000111111000011111111111111000000111100001100111100001111110000111111111100000011000000111100000011111100110000110011111111000000110000001111000000111111001100001100111111000000000000110011111100000000110000001100000000000000000000001100111111000000001100000011000000000000000011000000001100000011001100111100000000111100000000110000000011000000110011001111000000001111001111111111001111111100110011110011111111111100000011111111110011111111001100111100111111111111000000000000000000000011000000110000111100000011000000110000000000000000110000001100001111000
00011000000111111111111111100001100111111110011001100110011000011111111111111000011001111111100110011001100110000110000000000110011000011001100111100000011001100001100000000001100110000110011001111000000110011000011001111110011001111110011110000111111111111000011110011111100110011111100111100001111111111110000111100111111001100000011000011110000111111000000111111001111110011000000110000111100001111110000001111110011111100110000001100000000001100000000110011001100111111001100000011000000000011000000001100110011000000000011001100000011001111000011111100111100110000000000110011000000110011110000111111001111001111111111111100110011110011111100110000001100111111111111111111001100111100111111001100000011001111 11 | ``` 12 | 13 | Let's try to convert it to ASCII. 14 | 15 | ```ASCII 16 | ÿüüÌÿÿÿ?3ÿüÏÀ À3ð0ÏÌÏ3 üóó3ÌÃ?<üÏ0ÀÏÏ?3Ì03óÏÌ?Ìüóóó?<Ì?ÀÀ3ð0ÿüÌÌÏÿÿÿ333ÿð ðÃ<ðü<?ü?ÏÏð ?Ì< óÌÃÿÏð30ÿóüð0ó3Àóü <Ìð<ü ðü?ÿà 30 | 31 | Well, It looks like a QR Code! 32 | 33 | Let's use GIMP and shade all 1's with black paint and leave all 0's as it is.. 34 | 35 | 36 | 37 | Much better than ASCII ART of QR Code. 38 | 39 | Let's scan this QR and get the flag. 40 | 41 | 42 | 43 | Wee! QR is not Dead! 
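The GIMP step in the Digital Cube write-up above (paint every 1 black, leave every 0 white) can be scripted. The following is an added example, not part of the original write-up: it reshapes a square bit string into rows, detects how many bits were drawn per QR module, shrinks the grid to one bit per module and checks for the 7x7 finder pattern in the top-left corner. It assumes the bit count is a perfect square; `SAMPLE_MODULES` and `SAMPLE_BITS` are constructed test data, not the challenge file.

```python
"""Turn a square string of 0/1 characters into a QR-style module grid."""
from itertools import groupby
from math import gcd, isqrt

# The 7x7 finder pattern found in three corners of every QR code.
FINDER = ["1111111", "1000001", "1011101", "1011101",
          "1011101", "1000001", "1111111"]


def to_grid(bits):
    """Split the bit string into side x side rows; reject non-square input."""
    bits = "".join(ch for ch in bits if ch in "01")   # drop newlines and spaces
    side = isqrt(len(bits))
    if side == 0 or side * side != len(bits):
        raise ValueError(f"{len(bits)} bits do not form a square grid")
    return [bits[i * side:(i + 1) * side] for i in range(side)]


def scale_factor(grid):
    """Bits per module: the gcd of every horizontal and vertical run length."""
    columns = ["".join(col) for col in zip(*grid)]
    factor = 0
    for line in grid + columns:
        for _, run in groupby(line):
            factor = gcd(factor, len(list(run)))
    return factor


def downsample(grid, factor):
    """Keep one bit per module."""
    return [row[::factor] for row in grid[::factor]]


def has_finder(grid):
    """True when the top-left 7x7 block is a QR finder pattern."""
    return [row[:7] for row in grid[:7]] == FINDER


def render(grid):
    """Draw the grid with block characters so a phone camera can read it."""
    return "\n".join("".join("██" if c == "1" else "  " for c in row)
                     for row in grid)


# Constructed sample: a finder pattern plus a few extra modules (9x9),
# drawn with 2x2 bits per module, giving an 18x18 = 324-bit string.
SAMPLE_MODULES = [row + "01" for row in FINDER] + ["000000000", "110100101"]
SAMPLE_BITS = "".join("".join(c * 2 for c in row)
                      for row in SAMPLE_MODULES for _ in range(2))

if __name__ == "__main__":
    grid = to_grid(SAMPLE_BITS)
    modules = downsample(grid, scale_factor(grid))
    print(has_finder(modules))
    print(render(modules))
```

To run it on the challenge data, pass the contents of `digitalcube.txt` to `to_grid()` instead of `SAMPLE_BITS`.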
44 | -------------------------------------------------------------------------------- /stego/digital-cube/qr-ascii.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mmetalmaster/hackthebox/8070e6f88db54171deda9dde925e9fcb8e1667df/stego/digital-cube/qr-ascii.png -------------------------------------------------------------------------------- /stego/digital-cube/qr-readable.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mmetalmaster/hackthebox/8070e6f88db54171deda9dde925e9fcb8e1667df/stego/digital-cube/qr-readable.png -------------------------------------------------------------------------------- /stego/digital-cube/qr.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mmetalmaster/hackthebox/8070e6f88db54171deda9dde925e9fcb8e1667df/stego/digital-cube/qr.jpg -------------------------------------------------------------------------------- /stego/forest/README.md: -------------------------------------------------------------------------------- 1 | # Stego Challenge: Forest (40 Points) 2 | 3 | **Explore the forest and capture the flag!** 4 | 5 | 6 | 7 | Let's check 
the image using `binwalk` and `strings` commands first.

```
$ binwalk forest.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
```

```
$ strings forest.jpg | awk 'length($0) > 10'
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
e5/.U).mRMh
hd\.WyRPt9#
U_4S?#~.kpx
Wg^Erc(J9d(
ZZ<30I"XB2VR
(YLS,Bb\)TG
nmc?i?g?z*m{
Fv}3]v?2Eqj%12
7nozQ}T[W_-
g},sGK
3X{(s=#]'*S_
!-q,!KnH`RI^
{d^DXne\G#m
9;J-smu$q,3
mm<3e#[\j96
]]Gme#HU.o
```

Uhmm.. Nothing interesting here.

Let's try stegsolve and use different bit planes..

Oh look, I found something interesting with Random Colour Map Plane.

```IsJuS1Af0r3sTbR0```

Maybe we can use this on steghide as a password and extract a file? Let's try!

```
$ steghide extract -sf forest.jpg -p IsJuS1Af0r3sTbR0
wrote extracted data to "nothinghere.txt".
```

And we got something from steghide!

```
$ cat nothinghere.txt
Gur sberfg vf n pbzcyrk rpbflfgrz pbafvfgvat znvayl bs gerrf gung ohssre gur rnegu naq fhccbeg n zlevnq bs yvsr sbezf. Gur gerrf uryc perngr n fcrpvny raivebazrag juvpu, va ghea, nssrpgf gur xvaqf bs navznyf naq cynagf gung pna rkvfg va gur sberfg. Gerrf ner na vzcbegnag pbzcbarag bs gur raivebazrag. Gurl pyrna gur nve, pbby vg ba ubg qnlf, pbafreir urng ng avtug, naq npg nf rkpryyrag fbhaq nofbeoref. UGO{NzNm1aTfXvyYmMOe0}
```

Ohh, a Substitution Cipher.. How? I noticed repeating words in the ciphertext.. `Gur = The` and `UGO = HTB`.
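Added example (not part of the original write-up): the two cribs above, `Gur = The` and `UGO = HTB`, are enough to test whether the substitution is a single alphabet rotation and, if so, to recover the shift before decoding. The function names and the shortened ciphertext sample are chosen here for illustration.

```python
import string

# Cribs taken from the write-up: ciphertext fragment -> suspected plaintext.
CRIBS = [("Gur", "The"), ("UGO", "HTB")]

# Shortened sample built from the first words and the flag in nothinghere.txt.
SAMPLE = "Gur sberfg vf n pbzcyrk rpbflfgrz. UGO{NzNm1aTfXvyYmMOe0}"


def shift_from_cribs(cribs):
    """Return the single rotation consistent with every crib, or None.

    A Caesar/ROT-N cipher moves every letter by the same offset, so all
    letter pairs must agree. Any disagreement means the text uses a general
    substitution alphabet and needs frequency analysis instead.
    """
    shifts = set()
    for cipher, plain in cribs:
        if len(cipher) != len(plain):
            raise ValueError(f"crib length mismatch: {cipher!r} vs {plain!r}")
        for c, p in zip(cipher, plain):
            if not (c.isascii() and c.isalpha() and p.isascii() and p.isalpha()):
                continue  # digits and punctuation carry no shift information
            if c.isupper() != p.isupper():
                return None  # a rotation preserves letter case
            shifts.add((ord(c.lower()) - ord(p.lower())) % 26)
    return shifts.pop() if len(shifts) == 1 else None


def rotate(text, shift):
    """Undo a rotation of `shift`, leaving digits and punctuation intact."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") - shift) % 26 + ord("a")))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") - shift) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    shift = shift_from_cribs(CRIBS)
    print("shift:", shift)
    if shift is not None:
        print(rotate(SAMPLE, shift))
```

Both cribs agree on a shift of 13, so the text is ROT13 and the digits and braces inside the flag pass through unchanged.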

Decoding the ciphertext gives us this message:
```
The forest is a complex ecosystem consisting mainly of trees that buffer the earth and support a myriad of life forms. The trees help create a special environment which, in turn, affects the kinds of animals and plants that can exist in the forest. Trees are an important component of the environment. They clean the air, cool it on hot days, conserve heat at night, and act as excellent sound absorbers. HTB{AmAz1nGsKilLzZBr0}
```
--------------------------------------------------------------------------------
/stego/forest/forest.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mmetalmaster/hackthebox/8070e6f88db54171deda9dde925e9fcb8e1667df/stego/forest/forest.jpg
--------------------------------------------------------------------------------
/stego/forest/random-colour-map.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mmetalmaster/hackthebox/8070e6f88db54171deda9dde925e9fcb8e1667df/stego/forest/random-colour-map.jpg
--------------------------------------------------------------------------------
/stego/hackerman/README.md:
--------------------------------------------------------------------------------
# Stego Challenge: Hackerman (30 Points)

**There should be something hidden inside this photo... Can you find out?**

Keyword: "something hidden inside this photo"

Let's use binwalk to check if there's a file inside this photo.

```
$ binwalk hackerman.jpg

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             JPEG image data, JFIF standard 1.01
```

Uhmm.. Fudge! Let's check the content using the `strings` command and see if there's something inside.

```
$ strings hackerman.jpg | awk 'length($0) > 10'
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
5634275d694f8665957746c9619132f0
```

Hmmm.. What is this: `5634275d694f8665957746c9619132f0`?

Let's ask Google:

Oh, wow! It's MD5 and `almost` is the equivalent value.

Okay, we got a word and it could be a password to extract a file/data from the image.

Well, we can use steghide for that.

```
$ steghide extract -sf hackerman.jpg -p almost
wrote extracted data to "hackerman.txt".
```

Woohoo! Let's cat the content of the txt file.

```
$ cat hackerman.txt
SFRCezN2MWxfYzBycH0=
```

Ohh, Base64.. Let's decode it..

```
$ cat hackerman.txt | base64 --decode
HTB{3v1l_c0rp}
```

Yey!
--------------------------------------------------------------------------------
/stego/hackerman/google.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mmetalmaster/hackthebox/8070e6f88db54171deda9dde925e9fcb8e1667df/stego/hackerman/google.png
--------------------------------------------------------------------------------
/stego/hackerman/hackerman.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mmetalmaster/hackthebox/8070e6f88db54171deda9dde925e9fcb8e1667df/stego/hackerman/hackerman.jpg
--------------------------------------------------------------------------------
/stego/milkshake/Milkshake.mp3:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mmetalmaster/hackthebox/8070e6f88db54171deda9dde925e9fcb8e1667df/stego/milkshake/Milkshake.mp3
--------------------------------------------------------------------------------
/stego/milkshake/README.md:
--------------------------------------------------------------------------------
# Stego Challenge: Milkshake (10 Points)

**Can you bring all the boys to the yard?**

The author of this challenge gave us an MP3 file.

```
$ file Milkshake.mp3
Milkshake.mp3: Audio file with ID3 version 2.4.0, extended header, contains:MPEG ADTS, layer III, v1, 128 kbps, 44.1 kHz, JntStereo
```

I played the mp3 file and there's a sound that irritates my ear. I guess there might be something inside the mp3 file, maybe text, that creates an irritating sound when played.

Let's use Audacity and its Spectrogram view to validate our suspicion.

Oh, yeah! The author loves strawberry milkshake.
--------------------------------------------------------------------------------
/stego/milkshake/spectogram.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mmetalmaster/hackthebox/8070e6f88db54171deda9dde925e9fcb8e1667df/stego/milkshake/spectogram.png
--------------------------------------------------------------------------------
/stego/pusheen-loves-graphs/Pusheen:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mmetalmaster/hackthebox/8070e6f88db54171deda9dde925e9fcb8e1667df/stego/pusheen-loves-graphs/Pusheen
--------------------------------------------------------------------------------
/stego/pusheen-loves-graphs/README.md:
--------------------------------------------------------------------------------
# Stego Challenge: Pusheen Loves Graphs (30 Points)

**Pusheen just loves graphs, Graphs and IDA. Did you know cats are weirdly controlling about their reverse engineering tools? Pusheen just won't use anything except IDA.**

Let's use the `file` command first.

```
$ file Pusheen
Pusheen: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, not stripped
```

Okay, an executable file.

Let's check it with `strings`.

```
$ strings Pusheen | awk 'length($0) > 10'
/lib/ld-linux.so.2

repsych.asm
_GLOBAL_OFFSET_TABLE_
printf@@GLIBC_2.0
__bss_start
.gnu.version
.gnu.version_r
```

Okay.. Let's run the file.

```
$ ./Pusheen
▐▀▄ ▄▀▌ ▄▄▄▄▄▄▄
▌▒▒▀▄▄▄▄▀▒▒▐▄▀▀▒██▒██▒▀▀▄
▐▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▀▄
▌▒▒▒▒▒▒▒▒▒▒▒▒▒▄▒▒▒▒▒▒▒▒▒▒▒▒▒▀▄
▀█▒▒█▌▒▒█▒▒▐█▒▒▀▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▌
▀▌▒▒▒▒▒▀▒▀▒▒▒▒▒▀▀▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▐ ▄▄
▐▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▌▄█▒█
▐▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▐▒█▀
▐▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▐▀
▐▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▌
▌▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▐
▐▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▌
▌▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▐
▐▄▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▄▌
▀▄▄▀▀▀▀▄▄▀▀▀▀▀▀▄▄▀▀▀▀▀▀▄▄▀

```

Okay, that's cute but let's go back to solving.. Let's try to open the file with IDA.

```
IDA or The Interactive Disassembler is a disassembler for computer software which generates assembly language source code from machine-executable code. It supports a variety of executable formats for different processors and operating systems.
```

Right after we opened the file with IDA, something popped up on the screen.

We need to change the limit of nodes to properly view the graph.

To do this, go to `Options > General > Graph`, then change nodes from 1000 to 10000 or higher.

The graph is now displayed on the screen and the flag is found.
--------------------------------------------------------------------------------
/stego/pusheen-loves-graphs/change-node.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mmetalmaster/hackthebox/8070e6f88db54171deda9dde925e9fcb8e1667df/stego/pusheen-loves-graphs/change-node.png
--------------------------------------------------------------------------------
/stego/pusheen-loves-graphs/graph.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mmetalmaster/hackthebox/8070e6f88db54171deda9dde925e9fcb8e1667df/stego/pusheen-loves-graphs/graph.png
--------------------------------------------------------------------------------
/stego/pusheen-loves-graphs/node-updated.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/mmetalmaster/hackthebox/8070e6f88db54171deda9dde925e9fcb8e1667df/stego/pusheen-loves-graphs/node-updated.png
--------------------------------------------------------------------------------
/stego/raining-blood/README.md:
--------------------------------------------------------------------------------
# Stego Challenge: Raining Blood (40 Points)

**Can you find the hidden message?**

The author of this challenge gave us an MP3 file.

```
$ file RainingBlood.mp3
RainingBlood.mp3: Audio file with ID3 version 2.3.0, contains:MPEG ADTS, layer III, v1, 320 kbps, 44.1 kHz, JntStereo
```

Let's check the content of the file using `strings` command and use `awk` command to filter the result.

```
$ strings RainingBlood.mp3 | awk 'length($0) > 20 && length($0) < 80'
!22222222222222222222222222222222222222222222222222
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
!#'),.1368;=@BEGJMORTWY\^acfhknqsvx{}
f