Following the bentasker.co.uk cryptotrail

My recent migration from Joomla! to Nikola has come at the cost of partially breaking one of the cryptotrails hidden in the original site.

I first added this cryptotrail into www.bentasker.co.uk in August 2014.

The trail was designed to test across a range of skills that all self-respecting hackers should work to develop - not just technical knowledge, but observation and fact-finding skills.

This post details how the trail could be followed, and how to resolve each step of it.

Finding the trail

My webserver gives a curious response header - Authorisation - not only it it a non-americanised spelling, but Authorization is a request header (so doesn't belong in a response).

The value is a base64 encoded string, and decoding it will give the start pages's URL

echo -n "aWlpaWk6aHR0cHM6Ly93d3cuYmVudGFza2VyLmNvLnVrL2ZvbGxvd3RoZXRyYWls" | base64 -d
iiiii:https://www.bentasker.co.uk/followthetrail

(5 i's, geddit?)

Start Page - Encrypted email (broken)

The start page lays out the rules of the trail, along with the first challenge

Largely out of boredom, a little while back, I laid a trail of reasonably simple clues around the site.

Solving each puzzle will give you a page to request for the next clue (or another part of that puzzle). - Unless a FQDN has been included, append your result to https://www.bentasker.co.uk/ - The page name will always be alphanumeric, if there are special characters you've either solved the puzzle incorrectly or not finished it yet! - At no point is there any need to attack or infiltrate any system to solve a puzzle, you may need to do some coding, but other than that it's all about observation and analysis In theory the difficulty should increase as you progress, though the trail has changed a little since it's creation as external resources became unavailable.

The first puzzle is an easy start, an email containing an encrypted body:

Message-Id: <E1XBkby-0001rn-8q@ghcq.home>
Delivered-To: b@localhost
Received: from gmail-imap.l.google.com [173.194.66.108]
        by ghcq.home with IMAP (fetchmail-6.3.17)
        for  (single-drop); Fri, 01 Aug 2014 00:10:03 +0100 (BST)
Received: by 10.76.167.232 with SMTP id zr8csp113176oab; Thu, 28 Jul 2011
 16:06:19 -0700 (PDT)
X-Received: by 10.180.20.15 with SMTP id j15mr1168602wie.60.1406847978144;
 Thu, 28 Jul 2011 16:06:18 -0700 (PDT)
X-Secured-With: secureMailLinks.js
Date: Thu, 28 Jul 2011 14:05:06 +0100
To: barry@example.com
Subject: Link to Documents
User-Agent: secMail.js
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
From: Dade 
X-UID: 121                                                  
Status: O

NTMgNjMgOSA4MCA1IDUwIDMxIDg3IDggMzYgMzMgMTYgMiA1OCA0MCAyMiA0NSAxMyAyNSA5MSAxNiA3MSAxOSA2IDk5IDY2IDEyMSAyIDE5IDQ4IDEwNCAyNCA0IDkyIDM0IDI0IDYzIDYgNDMgNCA5OCAxMyA1NyA5MiA1NyA4OSAxMTcgNjkgMTEgNjEgOCAyNiAyMiA5MiA2MSA5NSA1MyA0NCA1MiA3OCA1OCA1NCAzMCAyMiAyNCA5OCAyNyA=

Included in the headers is X-Secured-With, making reference to a piece of Javascript (that ever so conveniently happens to also be loaded by the page, and can be seen here).

The crypto password is hardcoded into a slightly better hidden function called getMailCryptoKey, the key can either be obtained by finding this function, or in the browser console simply running getMailCryptoKey() (the function is buried in amongst the site's template - the key returned is actually the same as the base64 auth header in the previous step, allowing a second route to discovering the start page)

Unfortunately, the decryption function isn't working (the file it's requesting just doesn't exist), so the user will need to write their own. In a browser console, this is as simple as

SecureMailContents.delink = function(str){
                var a, b, enc='', keypos = 0, str = Base64.decode(str),
                key = getMailCryptoKey();

                str = str.split(" ");

                for (var i=0; i<str.length;i++) {
                        if (str[i].length == 0){
                                continue;
                        }
                        a = str[i];
                        b = a ^ key.charCodeAt(keypos);    
                        enc += String.fromCharCode(b);

                        keypos++;
                        if (keypos >= key.length){
                                keypos = 0;
                        }
                }

                return enc;

They should then be able to retrieve the URL by running

SecureMailContents.delink('NTMgNjMgOSA4MCA1IDUwIDMxIDg3IDggMzYgMzMgMTYgMiA1OCA0MCAyMiA0NSAxMyAyNSA5MSAxNiA3MSAxOSA2IDk5IDY2IDEyMSAyIDE5IDQ4IDEwNCAyNCA0IDkyIDM0IDI0IDYzIDYgNDMgNCA5OCAxMyA1NyA5MiA1NyA4OSAxMTcgNjkgMTEgNjEgOCAyNiAyMiA5MiA2MSA5NSA1MyA0NCA1MiA3OCA1OCA1NCAzMCAyMiAyNCA5OCAyNyA=');

Which will give them The details are at https://www.bentasker.co.uk/3izplroo0otf7carey5w

Phase 2 - PPM (Working)

Phase 2 is reasonably straight forward. A link is given to https://www.bentasker.co.uk/images/FTT/stripe.ppm.

The PPM image shows a black background with two white stripes across it.

stripe

However, PPM is an ASCII format, so a quick analysis of the file with uniq should show that there is quite a lot of 'nearly black' pixels

cat stripe.ppm | sort | uniq -c
 411554 0
    973 1
    153 10
      6 100
      6 101
     30 103

Increasing the colour of those pixels reveals a message

sed -i 's/1/255/g/' stripe.ppm

The message is ?gI2xIehHG>:?C?3c2@2 which doesn't fit with the URL definition on the start page. ROT13 wouldn't remove the special characters, but ROT47 may have introduced them

echo "?gI2:IehHG>:?C?3c2@2" | tr '\!-~' 'P-~\!-O'
n8xaix69wvminrnb4aoa

Or in Python

s = "?gI2:IehHG>:?C?3c2@2"
x = []
for i in xrange(len(s)):
        j = ord(s[i])
        if j >= 33 and j <= 126:
            x.append(chr(33 + ((j + 14) % 94)))
        else:
            x.append(s[i])

a = ''.join(x)
print a

So the next page is https://www.bentasker.co.uk/n8xaix69wvminrnb4aoa

Phase 3 (Broken)

A short IRC transcript is given with one user asking another to check their logs as they've sent them a file. An unbound query log is then displayed.

IRC Logs

The file has been exfiltrated by DNS and needs to be decoded, it should be reasonably obvious by looking that it's in Hex, so assuming the log transcript is saved to log_extracted.log

awk '!x[$0]++' log_extracted.log > log_extracted2.log # Remove the duplicate entries
cat log_extractedtest.log | cut -d. -f4 | cut -d\  -f2 > hexlines
xxd -r -p < hexlines > file

Checking the resulting file with less will display some Lorem Ipsum text, but included within the block is https://www.bentasker.co.uk/images/FTT/password.html

Visiting that page returns an apparent 404, however a number of things are amiss

  • The server returned a 200 header
  • The server information at the bottom of the page reads Apache/2.2.15 (Utopia) Server mod_hive/3.6 mod_ssl/2.2.25 OpenSSL/0.9.8e-fips-rhel5 mod_VisualBasic3 mod_bwlimited/1.4. But, Utopia is Microsoft Bob and there is no mod_VisualBasic (of any version)
  • Viewing the source of the page will reveal a comment after a lot of whitespace, containing 1yiymt2n89jb63m so the next page is https://www.bentasker.co.uk/1yiymt2n89jb63m

Phase 4 (Broken)

Phase 4 simply provides a copy of an email containing a uuencoded body for file passwords.odt.

Date: Thu, 28 Jul 2011 14:05:06 +0100
To: barry@example.com
Subject: Passwords
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
From: Dade


begin-base64 644 passwords.odt
UEsDBBQACAgIAAdcEEUAAAAAAAAAAAAAAAAnAAAAQ29uZmlndXJhdGlvbnMy
L2FjY2VsZXJhdG9yL2N1cnJlbnQueG1sAwBQSwcIAAAAAAIAAAAAAAAAUEsD
BBQAAAgAAAdcEEUAAAAAAAAAAAAAAAAYAAAAQ29uZmlndXJhdGlvbnMyL2Zs
b2F0ZXIvUEsDBBQAAAgAAAdcEEUAAAAAAAAAAAAAAAAfAAAAQ29uZmlndXJh
dGlvbnMyL2ltYWdlcy9CaXRtYXBzL1BLAwQUAAAIAAAHXBBFAAAAAAAAAAAA
AAAAGAAAAENvbmZpZ3VyYXRpb25zMi9tZW51YmFyL1BLAwQUAAAIAAAHXBBF
AAAAAAAAAAAAAAAAGgAAAENvbmZpZ3VyYXRpb25zMi9wb3B1cG1lbnUvUEsD
BBQAAAgAAAdcEEUAAAAAAAAAAAAAAAAcAAAAQ29uZmlndXJhdGlvbnMyL3By
b2dyZXNzYmFyL1BLAwQUAAAIAAAHXBBFAAAAAAAAAAAAAAAAGgAAAENvbmZp
Z3VyYXRpb25zMi9zdGF0dXNiYXIvUEsDBBQAAAgAAAdcEEUAAAAAAAAAAAAA
AAAYAAAAQ29uZmlndXJhdGlvbnMyL3Rvb2xiYXIvUEsDBBQAAAgAAAdcEEUA
AAAAAAAAAAAAAAAaAAAAQ29uZmlndXJhdGlvbnMyL3Rvb2xwYW5lbC9QSwME
FAMAAAgANWQQRW1gSfYoAQAAlgQAABUAAABNRVRBLUlORi9tYW5pZmVzdC54
bWytlEtqwzAQhvc5hdG2WGqzKiZOFoWeID2AKo8dgTQSmlFIbl85kEcpCTH1
TvPQ/38MI602B++qPSSyAVvxJl9FBWhCZ3Foxdf2s34Xm/Vi5TXaHoib86Eq
95AuYStywiZostSg9kANmyZEwC6Y7AG5+d3fnJwu0Q3AUqwX1dWvtw5qQE7H
6prLztVR864V6p7INe2hs7rmY4RW6BidNZpLm9pjJ0/A8pZTMhxYqCkM2132
36itI8Xno4w43GGwXg+gSn2aiwnII1+Z4x3hkVyV8jRdAmaLA80uHDWR5AM/
Eo1OW5wm64H17KzERwfzj+Cck6nrn9jI0vUy2eMjYG+HnE4StFTaGHBQwpCU
ySk93pn/eT35yijjiCCzleZWYTRfqT9fy3rxA1BLAwQUAAAIAAAHXBBFwZcw
cWYEAABmBAAAGAAAAFRodW1ibmFpbHMvdGh1bWJuYWlsLnBuZ4lQTkcNChoK
AAAADUlIRFIAAAC1AAABAAgCAAAAekGgjAAABC1JREFUeJzt271qFF0AgOFE
o5KoSFKISBRsjIq22noV3py3YOklpLFOKgstLMQEU6j4h7oeXBwE/V5IMHwu
PE8Rzs7MhizzcuachazMZrMl+A8r//cfwD9NHxR9UPRB0QdFHxR9UPRB0QdF
HxR9UPRB0QdFHxR9UPRB0QdFHxR9UPRB0QdFHxR9UA7Xx2w2W15env0wH5w4
cWJ6Ob9mfny6bH7BdJbFcrg+pnu/9LOVr1+/jvEUwbdv3+Znx+DkyZNjML9g
Mq789ZfwjzvK/DFu+f7+/rlz58bL8+fPj+N7e3sXLlxY/uHUqVPzaePjx49v
3ry5ePHi7zWIY1Ecev0xbvaYGB49erS5ubm1tXX69OnXr18/ffr0ypUrly5d
evny5Th+5syZV69ejbOPHz++f//+hw8fxltGK2trazdv3hxj88eiOHQf475+
+vTp3r17T548OTg42NjY2NnZuX79+vPnz1+8ePHs2bORxdu3b8e8cuvWrVHP
w4cPr127tr6+vru7O07duHHjOD4Gx+Qo+5eRyHhqPHjw4P37958/fx63fDxK
RhBjnhgFjFPb29vv3r0bj6G7d+/euXNndXV1PIxu37599uzZlZUV/xG+QI6y
Ph2zwtWrV6e9ydLP9cQ0HmuRL1++jCbGvDLVcPny5V83Pn/7g3Asjr6/Xfqx
SVn6mcWv5mvVcXy+eZl2NGMwJcVCOPT8Mf/5x9XlNH+MFOYl/XEpamW6QP7m
96fTjR+TxO8HWUS+X6fog6IPij4o+qDog6IPij4o+qDog6IPij4o+qDog6IP
ij4o+qDog6IPij4o+qDog6IPij4o+qDog6IPij4o+qDog6IPij4o+qDog6IP
ij4o+qDog6IPij4o+qDog6IPij4o+qDog6IPij4o+qDog6IPij4o+qDog6IP
ij4o+qDog6IPij4o+qDog6IPij4o+qDog6IPij4o+qDog6IPij4o+qDog6IP
ij4o+qDog6IPij4o+qDog6IPij4o+qDog6IPij4o+qDog6IPij4o+qDog6IP
ij4o+qDog6IPij4o+qDog6IPij4o+qDog6IPij4o+qDog6IPij4o+qDog6IP
ij4o+qDog6IPij4o+qDog6IPij4o+qDog6IPij4o+qDog6IPij4o+qDog6IP
ij4o+qDog6IPij4o+qDog6IPij4o+qDog6IPij4o+qDog6IPij4o+qDog6IP
ij4o+qDog6IPij4o+qDog6IPij4o+qDog6IPij4o+qDog6IPij4o+qDog6IP
ij4o+qDog6IPij4o+qDog6IPij4o+qDog6IPij4o+qDog6IPij4o+qDog6IP
ij4o+qDog6IPij4o+qDog6IPij4o+qDog6IPij4o+qDog6IPij4o+qDog6IP
ij4o+qDog6IPij4o+qDog/Id5/fzCGmxSdsAAAAASUVORK5CYIJQSwMEFAAI
CAgAB1wQRQAAAAAAAAAAAAAAAAsAAABjb250ZW50LnhtbM1YTW/bOBC991cI
KrCnVeiPpmjU2L0UwRZIinaTRbtHhqJsohSpkpRl//sOKYumHMnR1i2wOdgW
583Mm+HMkMr1u23Bow1VmkmxiKcXkziigsiMidUi/ufhJnkTv1u+uJZ5zghN
M0mqggqTECkMfEegLXTaSBdxpUQqsWY6FbigOjUklSUVrVYaolPnq1nRZsdH
qztwqG3o1oxVttiOLn4c79mBQ+1M4XqsssVCUkP1XI5V3mqe5BKyXpTYsCMW
W87Et0W8NqZMEarr+qKeX0i1QtOrqyvkpJ4w8biyUtyhMoIop9aZRtOLKWqx
BTV4LD+LDSmJqnikanRqsMFPdlVvVqMrYrMaSA1ZYzW6Nhy4u73zbPz2zrNQ
t8BmPbAnb9AdCN3H3e2hFlQx1pfFdlJFFCtHh9mgQ30ppadqFZoGdXRnk8kr
1DwH6PokvFbMUBXAyUk4wZz4jMuiL2mAmyJAJHRjy9QXvk2EHlCYoUbswTob
NP317vaerGmBD2D2PDhhQhssDplRdhMGI71EipZSGZ+YfPzAhN2aeW5rU/Dh
drfSFrpSWdYLBTpzBK0PjZdsGK1fxp1Jfrogro4Kwo3F51QcKJybJxWmE2Qx
vo2hRA5DXq38OZTLSkAQcHbtE0i3JVXMijB3amnHQlj1XP6Eyf3ZFVjoDHRG
eTsxfEi9ZqRMCg0FBI0iyzTQ7p4PqtiOM2ebQ2b5scWjQUG0npu+enj4G1lZ
Yo9HOAD2noJrwSxetneAZn5o5BdyuAskOSY0ySjhenndzHK/HDXPlvcivlGU
3mOhp3EEY7sFFYzvDrI46liwwmRFBcQLk0TXTOsYnfZyy+D4cZsY3YNa3uPs
D1xK/fYY2KyeJKBkgUUHUTJDYNhvsGKuyv8DuSba57kBbgS1JjdnUHuvJMuc
t+gGc/6IybdBej3YMRR32tDiHI5BlfxcAZ3N4AsVnyss/mXRHSNKRn9RNpil
HuwvyxIaasD9Oq4M1KphJHF2fGe6z05En6be1559iRVeKVyuWwEs2Iu/e0ga
rXs4/TKssrg1bMdHUsL8ocowqiN/mqQwSGAwwvH5ejJ/fRkHEu8oOcLYAAO+
J8jPfgv5XKZEcgm32Je5+4t747m8zCbPxeMwT+JBg9u0FzzKbOcfLL3ltXt/
0fR7BS9pfrufLkZuKWO65HiXyMrASwBNOFyf4DoAdJ24ycMHzittmjljOZ5l
7KEtzfOswM+zjbxv3rdc2oezVjYqvYWBzsNATy0/SrMGEtGaKrqnUf5+z/83
DDTo8iPUcGTU7s9IBDmJKDPwfUgN6lQ76jQCGvgnxPIHUEsHCM3iOObdAwAA
xRAAAFBLAwQUAAgICAAHXBBFAAAAAAAAAAAAAAAADAAAAG1hbmlmZXN0LnJk
Zs2TzW6DMBCE7zyFZc7YQC8FBXIoyrlqn8A1hlgFL/KaEt6+jpNWUaSq6p/U
465GM9+OtJvtYRzIi7KowVQ0YyklykhotekrOrsuuaXbOtrYtisfmh3xaoOl
nyq6d24qOV+WhS03DGzPs6IoeJrzPE+8IsHVOHFIDMa0jggJHo1CafXkfBo5
zuIJZldRdOugkHn3ID2L3TqpoLIKYbZSvYe2IJGBQI0JTMqEdIMcuk5LxTOW
81E5waHt4sdgvdODojxg8CuOz9jeiAym5V7gvbDuXIPffJVoeu5jenXTxfHf
I5RgnDLuT+q7O3n/5/4uz/8Z4q+0dkRsQM6jZ/qQ57TyH1VHr1BLBwi092jS
BQEAAIMDAABQSwMEFAAICAgAB1wQRQAAAAAAAAAAAAAAAAgAAABtZXRhLnht
bI2TS4+bMBSF9/0ViM4WjIEkYAEjddHVSK3UqTS7yLHvELdgI2OG9N/XPJwy
mSy65Nzv+Bw/KB4vbeO9ge6FkqWPw8j3QDLFhaxL/+fz1yDzH6tPhXp9FQwI
V2xoQZqgBUM9a5U9WUalP2hJFO1FTyRtoSeGEdWBdBaypckctCiXRsjfpX82
piMIjeMYjkmodI1wnudonjqUsyvXDbqZKc4QNDAl9AiHGDl2avi/pSZ2W0kp
dQ2a8KX0HBdHUYqWb0fXmvPm3gYsmyDbkBoavAkYP/veuv3Ngcd+5U53qlEV
cxmmgRpLBNYMVRzhNIiyAO+fcUzihOBduDtgnGcJPhTojqPgjNyxJjHBaZju
4jTDebovkMOWVODC2IsP+KDntarv1vRjDfgwfO9hf1gDfZXc0Ku8sDVIsGal
qydx0vBt3jZKwzhMwuThScjhcnzJ9sd96m2AY6fVL2AGpXHURg9fBtHwwOX8
W3KJuL7Q3tiWvRHMm3VDTw0ETA3SlL696FkULa0/iOo0hd2q3YbEV03TWtPu
7AbxOhiV5k47rBo7W5oZ0G6QumWkvbTxLAz0HWU25BZM9j6qCvTukaB7P2T1
F1BLBwjZprxlwgEAAM4DAABQSwMEFAAACAAAB1wQRV7GMgwnAAAAJwAAAAgA
AABtaW1ldHlwZWFwcGxpY2F0aW9uL3ZuZC5vYXNpcy5vcGVuZG9jdW1lbnQu
dGV4dFBLAwQKAwAAAAAPYxBFBCemzxAAAAAQAAAACAAAAHBhc3MudHh0OXd3
NHlwYXVxeGZkZ2RyClBLAwQUAAgICAAHXBBFAAAAAAAAAAAAAAAADAAAAHNl
dHRpbmdzLnhtbL1abXPaSAz+fr8iw/eUkBcuYZJ0DCktVxIYIM1cvy22MHus
V57ddYB/f9o1pDnALTXsfcrEL5IlPZIeabn9uEjEySsozVHeVWofzionIEOM
uIzvKs+j9ul15eP9H7c4mfAQGhGGWQLSnGowhh7RJ/S61I389l0lU7KBTHPd
kCwB3TBhA1OQ69ca759uOGX5lYXgcnZXmRqTNqrV+Xz+YX7xAVVcrd3c3FTd
3fWjIcoJj/dVlT/9XhUivimyL+Qf45Sdn51dVvP/Kyerj3znmvPK/doPa/Pv
b1cK8j+n3EBifXOyumw/7a5CKhuvHOZvXqvseu+/73yj5wMFbIRpZX3HLFO6
I1DGlfuz2+q2iP3FdmFifMh94ZGZ7hR8Wbu8ujhM+Bfg8XT3Z5/X6leX5aQP
pzgfQEQYg9aUyRj0hoYxogAmK/dGZVBOR0c2Fc41PGIERdInTOi9xZ8mLD3l
MoIFRNvO2g0w9w6lhlru5/JOtPGp2ihunW2xfF4+lIXYq9Vvrg+ASFGq1K/L
S9V8LOD4yeLEHj21ndRBYY7YDKwdJLuJxmBSmIAlMfEdMRmRqE20TVGZgwpS
ly0xMy0UWSI3k/pY0puIs6Nl9bZf2iw0qHZ/e+285Nd39BAEhAaitqILJT59
x8X31aXo9qpg7X6AmuP+7TS/kClmqDn/Tl/tUwkzbbZ42jZ8Vd6qewoJpETj
9O+I/2HwcvJbSM5E4aEbOfF9FkOThbNYYSY3K/2xlLhiZDV5s0KhTgnKHtLP
yR8SIgT8heNCAw7V8ClJzfKnLjpAw4iNe8RgH5mKufQg/1Myhmi41HSjTXD1
YYJT4Uv4jwToM8Wsqx4Um7tScnxlz3JMJHbGqJE+ZWSV8qRnFfSJwPnxs26Y
MCFaLNV9UCGVewJuve4rN34VjPJmECkQZAS47GuBEDb+x1cz0DwaIG6WJzKN
2vfF1Xn9+qoslhZtpAB8B4WfFqYLzE7sHuLQEjwNNA1GipgIqECG1NkgelH0
qGqLpWMQPlBsFacQ9XloMuVFwwM+oSEoW/kWab3xP7onbSn2oKyLLBpQlFCK
pQfxnVhSWCjzdSCjpmBypgkfXTvTMhFmwvEUXz4cABEwm0CBMcrqpfJmK7Yv
fX9l2vDJ0lqnX7iZPjKZMdG0xdVXJSKXhjNfXehZAzktATWChXlRLE395LKF
xwAsFl5p+OwQGS+OUfmaF0SumQ5TFpIZIxzZhmdLrIcy7mQPcP4VYHOWPlJg
eiJyACASBTQfhF7jbxG98puf8AfG7jLyyJNKG6eY8DbVHdnl2kfCBoJoiPMg
kegWkyGI48Mgj9MbqfJhRhRRmwUlmfhFry1vRVsgM8bRQ0wcY/cBtmGmHOFd
1xpH6Hx0JN1lYxAPq328r8I8ALuhh8IB9uCe2uZKG5uYedZ0pE+YvVUC4iI0
1fZRc9u4/Shz/nMV1Nd0Dso6zZ7KkOfyfVnBSnnK4+kp0TwUmTW4JLTZK3zL
z2t6siVQ+yByLcofsuaBUaYyDS1MEra1P9l/lbQhzv4dYqbC8supXmbsWUaX
EkP8zUFE2idiWyhpxvlBXXqSoEu4/d88v2Nz7Markqu31UlQX6GhBCQkfYUt
vk7K65dNLpla7hMQOwTuHAAv6xd/1g9ZEa63X4NR11d9ADUEk22Rq990QSB4
LKnUDA2m66Lmo+a4oNkK6qMdSOo0pomK0O6PpK3YsyvLKy2BGRqmPDD1t6me
Uiml4msL59EPYoI0FUvqa8rmrbdp472//DjKBJnB5zRiprCrHLyRT0G1FSY7
M+4I2GrbbuDdjC88onZv+4EXVvmVSHigOZP9TIYm87XYyMkRGdGnyR+mKCjr
fan5bEewn4yWB2xrzZLY3RM+wIRlwst8F+WHiL3JRIOf7YgDq82LESSp8ALc
R2amTepptvW7XvWzkeVgUnzQ2SONIrPcJcXHjiVP+d3n2QWBpxM7y88/Cxyz
t6nQGlMGM4Xnx9WtH2hVi366dv8vUEsHCHFzNfvYBQAA/CYAAFBLAwQUAAgI
CAAHXBBFAAAAAAAAAAAAAAAACgAAAHN0eWxlcy54bWztWtuO4zYSfd+vMBQk
b7Is2R63vdMTYBPMJsBMgmQmWOxTQEuUzW1KFEjKl/n6FElRomTJrfQlCIzt
hwbMOiwWD6uKRVJvvz1ldHLAXBCW33vhdOZNcB6zhOS7e++3z+/9O+/bd/94
y9KUxHiTsLjMcC59Ic8Uiwl0zsXGCO+9kucbhgQRmxxlWGxkvGEFzm2njYve
6KFMi1Y2trsGu70lPsmxnRW21Rdtx4+swW7vhKPj2M4KC5y63VM2tvNJUD9l
fsyyAknSseJESf5w7+2lLDZBcDwep8f5lPFdEK7X60BLa4PjGleUnGpUEgeY
YjWYCMJpGFhshiUaa5/CuiblZbbFfDQ1SKKLVRWH3WiPOOwGqIn3iI/2DQ1u
L+88Gb+888TtmyG5H1iTu+AjCPW/jx8aX+DZ2LEUtkVVzEkxepoG7fZnjNWm
qg4mQLW50Wy2CMxvB328Cj9yIjF34PFVeIxoXDPOsj7SABcGgPDxQbmpRXM1
6UHNy4DjgnFZG5KOT1DATlSH115mdDi8lNRCdzxJeqFgzjyAUANH9w8EH7/y
Wpnz+gKsOwug09BjXTTIzVNXO4SzQGHqsIElaZIq39VpP2VlDpOAraIiEJ8K
zIkSIaq7bVoaXC+j7Akqq73C0dAKbyHmso/vz78GSuardA8JrdLi7HKR985u
aSmD7SxFMfYTHFPx7q1JRXXzxPxWxt177znGn1AuQm8CWceCMkLPjcybtDQo
ob/DOUwKAkEciRBecH2UDwSyp+Zk8gm6pT2DfYMKJv7ZBZrWqwZwlqG8hSiI
jCFXHRAn2mn+hHFmto/bBrgRphlunmHa95yRRI82eY8o3aL4YdC8HuwYE89C
4uw5Njpe8jQHerYF/8H5LyXK/0smH0nM2eQHTAZZ6sG+GEvBUABW7abEtHNJ
cIpKWhWeVnNl646jYk9iz2Kr337BIdNxSaBQVfMTkrMHDKUCZVCbfDVfvFmi
hTdRmW+TEkprySpapzFEXco2R1Dls0LqvJEzX/2uuog9StjRB2sFlv7p3ptN
53HWKzx3hBIqDR8KM+yLAsVQFvp7xskXpnKegkZ3V8EHNan4Ego72VitF9Ae
nRXJFOZxJHLvm0I7RVQ4PlYgjjTfLba1SOF9VEqmxgDHIwlmBoposUd2AG3G
lmMERSwsEYmllahKQtmWsQS6U+7LbcupSJ5gtX2rA4k7GWuktRE2Q/AbVgjl
dcNm13Bl98VsSoGBhlytqh68chbJS9wyaiiFgzNpuSBfQB5GhdRtFOW7Eu2g
Cee6IYYNUXLwmH//q2YIS6io/AfMcz273jF9qGtQPpQEG6wa32LD2XRZ1HRb
U6z0y95KKpus4LufLkdXBTjFp4EspgetIWbynUFr6Z50h61FP/7kNUvYyghj
0kS95t5V54U12J+LPc718vkUJQmQr23RKYCSjNTmj/TxosxjWRqFKoXALGHe
sJiPB4F1Xj8hkApyNQjUL8uwidB2mBRAZhOe//flv7Evu66GbdLq+h/HGSK5
r06n1gmjC1BRin0H8oxAMYcHJ3tS7PqQuQfZMq7iQjkdbBrgQRQVQnn0cwf2
OTt2BoeWToQ+YFz4ku2w3KuLBhWBjw3sDmgc+xPEU4J44g0mCrt4FAkB5kEw
NaF1qe8HjBInpgfVQUN9h+b3m5KruHUBn6Hh92j2+5Yl5z6zHktpGeKQb4Cy
Qu3wi0jv8E37lkmpDt+w+YdRk1picHjQXiLa3VvrRdClQa5LA0SP6CweSz4D
mUWHmU0sr3+U6OawRRPGF2mov2K+GL1CP71ythqG6mcrbyYxlAt7Z3M9rVWm
jAJZe2vwoMU1YtjmJpUqq5sgfiR4+wICtsiCorMTMhNX/JyAfHKsDcbZYjU2
znRxsMdkt5dqw5l9PZ6lD1A0PGX6V9INVSpHhHjLIaNRDhm+oEfai5ZxPH2H
9BnvBT0FiOHoT6blKvc+Jy3rFw5z/67PRKIt0a5kr+dnw6l6oMIzbaoHlLpw
rIRD9+glN5xV0p7Of5FLjCvlHItreWXzaJ/6EU6mpxf0KKL1XfWoF1r9v3sU
68mwUppD/wXxPxuJ1wFSfMC0ghs6VANMqy66ysxXjysI0mzNs0p3Vdcu0a6I
CaIrcVg5HZPY3lqgLYjBcXa5utPuU9uBVLp1YwplNTvixN+eTeKFethzBq8P
h3Z8lSpWb2wW0etK9AXJvee7kiq/UJzKpkvDc++kQTrE50imo5tiOpzOwje9
TLuSFtNW8OpMz2+M6Wg1QHQt6PCs21+d5sWN0byMFgM8N5IO0Ubw6kwvb4zp
1epugOlG0mHaCF6d6Tc3xXQ0nc37t0NX0mLaCl6d6dWNMR3d9W+HrqTDtBG8
OtN3N8b0sj9NO4IOz8u/JEmvb4zm1XqI50bSIdoIXp3pcHZTVM+ns0X/fuhK
WlRbwXOobotc/nMmsYBzaJ6SXVndPdcCvzqQp4xJ9btvKcJqxub5/oBoidWR
2zTajsKhQL/buX3MOV097Cl99nspNd/xFuI8GTKQ9Bto1StGGgv6hhm8ZTAf
PehnhvW6ubTqY6dS0rCg1raSkTzm+rtUVfw534tobc1nIurpB3SS2LcCez+y
g9VGZ1jd1uXAxyILvR5Q5/ZLS44kUZ9xRnBsm4WVE2qBvYyN1tPV4AyrIYBA
6TNO1Bdt1VIzLjki0uveAA7c/vVXKe1GXhk09Czc+XrC+J+foVM9F3VT3Xw5
VAEELqw6w8UMTrB3zSD2UdrfYpi5xitMOAt7MChVT799kCb+7j3BKKmvvlDy
v1JI4wXGN0w7hyC2q7P8urkXNR/wzPSf537u0bfOdrZ7jNRTpv4RuBQ4jZeK
Go+8dMFKkCFR66hHqxqVpquvka7Njus6kdBRH/R/pP/uD1BLBwhw+PedcggA
AOQvAABQSwECFAAUAAgICAAHXBBFAAAAAAIAAAAAAAAAJwAAAAAAAAAAAAAA
AAAAAAAAQ29uZmlndXJhdGlvbnMyL2FjY2VsZXJhdG9yL2N1cnJlbnQueG1s
UEsBAhQAFAAACAAAB1wQRQAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAVwAA
AENvbmZpZ3VyYXRpb25zMi9mbG9hdGVyL1BLAQIUABQAAAgAAAdcEEUAAAAA
AAAAAAAAAAAfAAAAAAAAAAAAAAAAAI0AAABDb25maWd1cmF0aW9uczIvaW1h
Z2VzL0JpdG1hcHMvUEsBAhQAFAAACAAAB1wQRQAAAAAAAAAAAAAAABgAAAAA
AAAAAAAAAAAAygAAAENvbmZpZ3VyYXRpb25zMi9tZW51YmFyL1BLAQIUABQA
AAgAAAdcEEUAAAAAAAAAAAAAAAAaAAAAAAAAAAAAAAAAAAABAABDb25maWd1
cmF0aW9uczIvcG9wdXBtZW51L1BLAQIUABQAAAgAAAdcEEUAAAAAAAAAAAAA
AAAcAAAAAAAAAAAAAAAAADgBAABDb25maWd1cmF0aW9uczIvcHJvZ3Jlc3Ni
YXIvUEsBAhQAFAAACAAAB1wQRQAAAAAAAAAAAAAAABoAAAAAAAAAAAAAAAAA
cgEAAENvbmZpZ3VyYXRpb25zMi9zdGF0dXNiYXIvUEsBAhQAFAAACAAAB1wQ
RQAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAqgEAAENvbmZpZ3VyYXRpb25z
Mi90b29sYmFyL1BLAQIUABQAAAgAAAdcEEUAAAAAAAAAAAAAAAAaAAAAAAAA
AAAAAAAAAOABAABDb25maWd1cmF0aW9uczIvdG9vbHBhbmVsL1BLAQI/AxQD
AAAIADVkEEVtYEn2KAEAAJYEAAAVAAAAAAAAAAAAIICkgRgCAABNRVRBLUlO
Ri9tYW5pZmVzdC54bWxQSwECFAAUAAAIAAAHXBBFwZcwcWYEAABmBAAAGAAA
AAAAAAAAAAAAAABzAwAAVGh1bWJuYWlscy90aHVtYm5haWwucG5nUEsBAhQA
FAAICAgAB1wQRc3iOObdAwAAxRAAAAsAAAAAAAAAAAAAAAAADwgAAGNvbnRl
bnQueG1sUEsBAhQAFAAICAgAB1wQRbT3aNIFAQAAgwMAAAwAAAAAAAAAAAAA
AAAAJQwAAG1hbmlmZXN0LnJkZlBLAQIUABQACAgIAAdcEEXZprxlwgEAAM4D
AAAIAAAAAAAAAAAAAAAAAGQNAABtZXRhLnhtbFBLAQIUABQAAAgAAAdcEEVe
xjIMJwAAACcAAAAIAAAAAAAAAAAAAAAAAFwPAABtaW1ldHlwZVBLAQI/AwoD
AAAAAA9jEEUEJ6bPEAAAABAAAAAIAAAAAAAAAAAAIICkgakPAABwYXNzLnR4
dFBLAQIUABQACAgIAAdcEEVxczX72AUAAPwmAAAMAAAAAAAAAAAAAAAAAN8P
AABzZXR0aW5ncy54bWxQSwECFAAUAAgICAAHXBBFcPj3nXIIAADkLwAACgAA
AAAAAAAAAAAAAADxFQAAc3R5bGVzLnhtbFBLBQYAAAAAEgASAKYEAACbHgAA
AAA=
====

After saving the uuencoded version to a text file (in the example, uuenc)

uudecode uuenc

Opening the file with an office suite will display a single page containing Nothing here.

ODF files are actually zipped XML, so

unzip passwords.odt

Included within the file is a file called pass.txt, containing a string that doesn't meet the password requirements given on the start page. The actual password has been gzipped and then base64 encoded

cat pass.txt | base64 -d | gunzip

Gives 9ww4ypauqxfdgdr so the next url is https://www.bentasker.co.uk/9ww4ypauqxfdgdr

Phase 5

Phase 5 is the final challenge.

Unlike previous phases, a page containing the clue isn't obviously displayed (though it may appear to be).

A file containing a quote from the Hackers script is displayed, the file contains a lot of whitespace and large block of apparent cipher text, but it's literally random strings.

The important bit is the headers in the HTTP 303 that was given when the user accessed https://www.bentasker.co.uk/9ww4ypauqxfdgdr. 

$ GET -Ssed https://www.bentasker.co.uk/9ww4ypauqxfdgdr
GET https://www.bentasker.co.uk/9ww4ypauqxfdgdr
303 See Other
Cache-Control: no-cache
Connection: close
Date: Sat, 16 Aug 2014 12:37:41 GMT
Location: /images/FTT/bigfile.html                         <------------- Nothing of use in there
Server: nginx/1.0.15
Content-Length: 33
Content-Type: text/html; charset=UTF-8
Authorisation: Basic aWlpaWk6aHR0cHM6Ly93d3cuYmVudGFza2VyLmNvLnVrL2ZvbGxvd3RoZXRyYWls
Client-Date: Sat, 16 Aug 2014 12:37:41 GMT
Client-Peer: 46.32.254.153:443
Client-Response-Num: 1
Client-SSL-Cert-Issuer: /C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
Client-SSL-Cert-Subject: /C=GB/OU=Domain Control Validated/CN=www.bentasker.co.uk
Client-SSL-Cipher: RC4-SHA
Client-SSL-Socket-Class: IO::Socket::SSL
X-Cache-Status: MISS
X-MWTB-DLTR-16: 326e64767175616f343067316a7579206b6b736820777a6c                    <------------------- This is the important bit

MWTB-DLTR is an opaque reference to Hackers (Mess With The Best, Die Like The Rest). 16 has been appended because the value is in base16 (hex)

echo "326e64767175616f343067316a7579206b6b736820777a6c" | xxd -ps -r
2ndvquao40g1juy kksh wzl

The resulting value is encoded using a Caesarian Cipher. The encryption shift is actually 18, but as the user won't know this, the easiest way to decode is

ciph="2ndvquao40g1juy kksh wzl"; for i in {1..25}; do echo $i $ciph | tr $(printf %${i}s | tr ' ' '.')\a-z a-za-z; done

Which will give a range of output, none of which wil look, at first glance like words. However, reading right to left makes a difference

echo "2vldyciw40o1rcg ssap eht" | rev

Giving the pass gcr1o04wicydlv2 (the decrypt shift, obviously, is 8 (26-18)), so the next page is https://www.bentasker.co.uk/gcr1o04wicydlv2

Final Page

The final page displays an encrypted (and base64 encoded) copy of the Hacker Manifesto, along with the fairly cryptic hint

I love them, and for a while hyperv_vmbus.h agreed. 14 cycles and we're chaining though happily don't need to remember the spelling of Dutch names U2FsdGVkX1+v4DKb4wbYXipa0QWqe8c8TkyKCdZGNiwpnIJ+2euosZFMvPKDBVZq4oELFm/wJXj1 qtl8ru3lb8Q6qsIg7s37ClO6cY2T6kvAypdF8tRQsXqUeBq+vggDPBjJU+eikFY4fc12aNE+N9fX rzTPGdKs5pmwgeUcppJdz9GFvxi/eAwx1I55xxnDFU3DOviUeMqYu0pfFThRSssJ2thCZAtVfqSI Xm2c6qMOltpMVu8BGeKTDRs/o6mYEyZPe8ZAREMNpo5g667TgIC/eEZgvNUSIr+J7bKCBS9HIgo0 jl+APIiamGzMcVVW4H6M3d/5/sWM6w4wJQrRzSXxTbz0zU/qrjx80J2ZzA2AsY8jXFvtJMY0Usto kazcCVqqWtqgCYE9Y2Lx88M2ma9pcBRPDhcyL7c02p/8xnpFmMyUFo7HvlhEnACNmHud82lGQBN0 Hh3CaBEv+OUtxDG6qdg7JB4AgwW6rCoKXFLumrU/rmMRgyh/ltgLoLJZZjMgAKSU7AcaiTJ+msZ5 LHPqvae4lBCme7a/MdUow5tvbLy8gRB22yqTprsExv+3CjM6Rrg9diX/LHV6WYuq1gxaY0gj4mT9 tad8AJ5XJFcjUhq1Gup9AYXtfXjLGI9VCMDds77/pFwfB2mnSnYVAv7BdCjH+oC3b8Kest8uCjoo J+aA5NFpbzZX9G+bLSXLvayMo5SGu1nUfs6Vq1xvwJk6mtEmjdalvmHXWchDY1xJtSQgJoHeYE7t 9IRPq5qFjgsIsNjAy9iVfwnbRk3AK5W8IrcE234yZ4VlgnVJtxPy8P+ovvZyx9s2Nl0CC/UIFC80 azpwvMvIO6grvGPtMu/B8W1ESDm6mOEVo0AkZ1oR5iy80pSGBz/rCKkolFWvXpdLcavejjr8Gu93 PSNOre+9AGZwrBWXDkDt0qwYGJJPXBtiSNxNOHFN1lJHm7nWTTuL8deNNdmCF/gcekDDnt32qBb8 gJZwXD3EldyeRKTbdADR0PX+EwfR2KEQed0wrrC0MOde4q573KAaRmgGL1KXVZI3PqJ8rIdTOyoI f7U8FWf6DVqnF20ysSFYf0+LGIFSyjFzQ67dXo++eF7yt/E5Bco2WOK+qSm98Lygb1wSh54qCMpZ XnOtwUSzvvPOBjrS8RxsJWrsVEq2/wvpANYnI7FvDT3OB4gJMqx15Bkjjm2uDLV2hkuAWKB7eZuh lh10xcvR5M8m9C3vXWvkZU6PgE2Wy+h3Gk8J2yfHBV/1C/oiSZworJDFI42ghYIhiG9PnaMaoCDZ 3lqsnVVywv/Z61nYaX9eYbCewTdELB4lvF7HrE/yU9VA6YBF+315CdcPmqJtlED4QTUniVEftUUP J6Qtlp+6xnJUyB1csBTSaJ3uZUGZoRFx3XjvMgsA0cDLukyZySXGP5IHFeivZja4muSdkFW2MgIR B+rHrra97z2OhVm+DzHfRIZCMoLSVxC/vWHXRHUDCXNWRfFvdXqObh0b4j3dOljAa0eGN+sGYWYj dkOXE7S/KLsTLmhtIk3JPwo3r04ZqDRQz7wL34dpYON1lkzYMvK8z6yDjn2djxnFzlkrAElZx8fe 87u9MEK9LsqN5SBleZbCrKzSGxig8yqNBqsjqelnGh6XQB08A97uWLOBd0ZCP65Ib0iqgQaOs1Bs hB3rr7xKXOJsa4M78d+MnhXeg26NqwIc6hBsmKK8vo+XjvfoBn+EmGr5XI/tW1tclq3dxI1d5wdk +ClM4L/Fw7OEhOYOniSpSJPDrhHSwjqQu3SEj249ykmnxtGQE+ZpWTghz7kWjC29krbXjS7B+2Pl huDru8igWMxJVhr/z1ZtFlpzQBrl9IViiSvY35BeesEXD1dQzfXn8kVVl17JtfDhY7OQMUpYh3Wg Uaqlm9MaDSCsjYr2M8WrlBfWpKHPtdAap7XZyli2cnrMW6Am7+x7he2R8TNLDP5iZbJk0nvN8d+z 11mPzVrbDQGkSeNdlQ2DXAwxMYd41WHN9tA+Ab0mAcJWbd3VT8RmGu27BkUXPrsZlX70BOTGTa1j 2YzWkEQMoE7uCL5/l/ZIer+eqAJk+JMDuwm/KbAp3EjRU0ACFL5lHnAZzqrpQ+nb26OuF7A+LnG4 2xfF33xPaDN6WFNaIJiZQB54l3999PWgtm55u791GfQn9OARkpp1fIX63hgA4Oo5y6TWprn/LhCI R2vDC9/A5XvrIaYrFVdjdX4TtggqnzvK3dr4xzWRklItVR5q4GLn8vkyxBcF0YP019f4XxQjnKEd Vi74sMUFXuopye0iTF2/mMIuXCdkab2cODUUxE5utKySWyZEwH1zL7tEYuzMDmCnJ+MnasJPBLwH fnvmubP+p31Mj6goNt3Is95gPUf/3nY/ZcDoq73v4dLpshjdlRiTq//msjFjqT/BtsXA94e9i6K7 LdUWXXcCYGlfraq4zlMPR4jA8OcRWr5KVL2y0hxfKVJUzQLROF2QpesfJZ0l/XtsyxQMNglwP3Dr Mj0mMtqeVeuLgSfzlzG1v4+ZmvqvX5hEH+pnkfpIROivlYy/mv167gys3eSW1oAgaGhHjtQWWrmN tvKjVCD2A0XDWnZuNDq0E2M1s8o6uHhdB88W7SvRgYYgsYT8r9fgTUI6H53oQACz0yFDgFUxp7J9 3FoC+YLdC+vUZwM1t/DFac7Zu2ZTH90hX670DJaEgeoEKnUN8YK8IOHcO3rmF/hwcPAZCWoXS2+I 0jO1QBwS43JIw3s4oxI4wD+wKa52vZqMiyIMlxeoqeCsqypqiswySdAYAPSU/fQB4JeUeYfythnh jSc/aGDpn+T6Jt4d1meUUQd4dWJGIk10nfNbkiq4MzW8BUjpSLrBPQbxJ9DGAAaeHJM3PMI6icOd TdH7e9YKE8rppl6Oa/NDvZHhLDBvGbi+1r+8MxQhejmXxy8RO7t3oZsjB2I3IOmX8brKMBJVRo99 QQqxm1NtthRyTq49zg4UYT0IfzD7Jcp2d0Nhu6dtUKK7Yqd91V8l5helD9j0uYaPRrEMK4aMf8Fv OFx/nDd0+ot2cdBlSDpz1+UxkY0ISP2XqyxikqzsXFqrD9kxJ+mYiVI/5SgrmxJSEmW3msZkhwGy j2iFNAi96Nmm2BBsh/sq/FhGxS/S73YDa/mUUeypKiSUYYdT9D1ZfYBajVJQ2s9k2XWmIbogQztI nssqJzyvmKQqY/uEbCg6zuhBGvh13lKx8VXHYh6G2BOAK+cJHSe0xdTEi1RuckwtqVqiPQzYc3v+ 9iUSzQ/e+j+cX1/Xitvt90ZOpRX2nlPl7q3gCmPMvPY5ucz2eEOOCztHdFC2Pd+/3sUrTxcHDjNp JfCsAhKItiPVMPvaAYJKy9vfXEzNomk0jBcbdhZsMrUE8sVG/aFiWJTn65spAzOiNro4kATU4YP0 pRfBPEEUjPsKWOze+iA00t/IrJmITjE9dj4vT8nQzNsP33lY1fJSthVZqRcg0Uz++OQaoREBPHua hsbazCDwUr15hnOfbF9NtbHUycOXnMA//WHcx2O+2+IeDZpjYz+AtebDCAY4XfgURgzuE6xAoRe0 iE1dfjKfxIn1vYdJcZBV+EJH5f4/JnvXWLWawqkUXSzU6YzdPpBj5HNh6ZbaRSAQfl4j1lCgFXdT kwu12urcSjo/XaYVS/2JLwo7IQikRRMPfWZc3ERRwR/Y2JjY7twoZwhqTHjH8XHr

The hint:

I love them, and for a while hyperv_vmbus.h agreed. 14 cycles and we're chaining though happily don't need to remember the spelling of Dutch names

The answer to the first, is 0xB16B00B5 (a Microsoft dev inserted it into the HyperV support section of the Linux kernel).

The second sentence makes reference to Dutch names (Rijndael being the basis for AES), chaining is a reference to CBC, and 14 cycles means we're using a 256 bit key.

Recovering the original text is as simple as saving the base64 block to a file, base64 decoding and then un-encrypting it

base64 -d hexblob > crypted
openssl aes-256-cbc -d -in crypted -out textfile2.txt
enter aes-256-cbc decryption password:

Using 0xB16B00B5 as the password

Share this post on Twitter Share this post on Reddit Share this post on LinkedIN Share this post via Whatsapp Share this post via Telegram Share this post via QQ Share this post via Email