The second cryptotrail

In April 2016, I got bored and created a second crypto trail on Unlike the first this trail wasn't confined to a single domain, or even to just the clearnet.

However, in order to follow the trail, you needed to be able to access a site served using a V2 Onion. However, V2 onions have since been deprecated and are no longer accessible.

The trail is now broken.

But, it is still possible to complete the challenges, so this post will begin by presenting the challenge and then will provide the solution.

The challenges

You don't need to solve the challenges in any given order, but you will need to combine the answers to each in the correct order to be able to move onto the final challenge

Challenge 1


Challenge 2


Challenge 3


Challenge 4

Hey, if you type in your pw, it will show as stars

** see!


Challenge 5

At this point, you should know what to do

. . . . . . . . . . . . . . . . . . . . . . . . .


Beware Spoilers

This section details how to follow the trail.

Challenge 1 Solution

The user is presented with two images, one of which is a QR code (source2.gif), the other(img.gif) is a white block with black dots.

img.gif was created by XOR'ing source2.gif with the image we're trying to recover

convert img.gif source2.gif -fx "(((255*u)&(255*(1-v)))|((255*(1-u))&(255*v)))/255" img2.gif

When scanned, the QR code should give the string NnpkZ2g1YTVlNnpwY2

Challenge 2 Solution

Challenge 2 is actually reasonably straightforward, the user is presented with a string, they simply need to recognise that it's a hex dump of a gzipped string

echo -n "1F8B0800FEE995560003CBC84ECD342D4BCACD294BCAB4CC4ACECB29F7E302000CA9C24B14000000" | xxd -r -ps | gunzip

Will give them the result hkei5vbmlvbi9jcnlwN

Challenge 3 Solution

The user is presented with a JPG of a gerbil. A quick check with strings shows there's a comment

strings gerbil.jpg
%Srtzrag vf: mA3pwQkoC92ZGJzQzq5Macl

The comment has been ROT13'd (the hint being that vf rotates to is)

echo -n "Srtzrag vf: mA3pwQkoC92ZGJzQzq5Macl" | tr $(printf %13s | tr ' ' '.')\a-z a-za-z
Segment is: zA3cjQxbC92ZGJmQmd5Mnpy

So, the next segment is zA3cjQxbC92ZGJmQmd5Mnpy

Challenge 4 Solution

Challenge 4 makes reference to a common meme, and then links to an encrypted zip file. The password for that file (in keeping with the meme) is hunter2

Extracting the zip gives a file called ans, which contains xxd output:

0000000: 4834 7349 4350 7237 6c56 5941 4132 4675  H4sICPr7lVYAA2Fu
0000010: 6333 646c 6369 3530 6548 5141 4338 374c  c3dlci50eHQAC87L
0000020: 4e76 544c 6361 324d 4369 3378 4358 5a7a  NvTLca2MCi3xCXZz
0000030: 4c50 634e 4353 784e 3941 6771 5358 4b30  LPcNCSxN9AgqSXK0
0000040: 7465 5543 414c 732b 4d46 5164 0a41 4141  teUCALs+MFQd.AAA
0000050: 410a                                     A.

Passing that back through xxd will give a base64 encoded gzipped string, so solving the challenge is as simple as

cat ans | xxd -r | base64 -d | gunzip

Which will give the final part of the string Snk1NlEyZUtLSFAwMTQuaHRtbA==

Challenge 5 Solution

In order to get the URL for Challenge 5, the answers from the previous challenges must be combined and base64 decoded

echo -n "NnpkZ2g1YTVlNnpwY2hkei5vbmlvbi9jcnlwNzA3cjQxbC92ZGJmQmd5MnpySnk1NlEyZUtLSFAwMTQuaHRtbA==" | base64 -d

The trail is broken at this point - it's no longer possible to access 6zdgh5a5e6zpchdz.onion and the source file of that step has been lost to the sands of time.

However, when accessed, it displayed a HTML based QR code - when scanned that code yielded the string H4sIAAQDllYAA7O0SDOwLPbPsTTNdMrwiggKNk31zDHSjkhP9M5MK0gq0E7LCjJL9HHO8AwPLwhIispIS3Oz0A8ONSnxyDEMtLXlAgCZKDyNQQAAAA==

The string is a base64 encoded gzipped base64 encode of a string in the CP1081 character set, so the user needs to expand and then convert it

echo -n 'H4sIAAQDllYAA7O0SDOwLPbPsTTNdMrwiggKNk31zDHSjkhP9M5MK0gq0E7LCjJL9HHO8AwPLwhIispIS3Oz0A8ONSnxyDEMtLXlAgCZKDyNQQAAAA==' | base64 -d | gunzip - | base64 -d | iconv -f CP1081 -t UTF-8

This gives the URI to access for the final destination - 7G46Cv7qadnJ.php?pass=oZ98JZsBdeou6Re7E34mSJVN


When accessed, the following page was rendered

Trail Complete

And what a reward it is...