The second bentasker.co.uk cryptotrail
In April 2016, I got bored and created a second crypto trail on www.bentasker.co.uk. Unlike the first, this trail wasn't confined to a single domain, or even to just the clearnet.
In order to follow the trail, though, you needed to be able to access a site served using a V2 Onion, and V2 onions have since been deprecated and are no longer accessible.
The trail is now broken.
It is still possible to complete the challenges, though, so this post will begin by presenting the challenges and will then provide the solutions.
The challenges
You don't need to solve the challenges in any given order, but you will need to combine the answers to each in the correct order to be able to move on to the final challenge.
Challenge 1
Challenge 2
1F8B0800FEE995560003CBC84ECD342D4BCACD294BCAB4CC4ACECB29F7E302000CA9C24B14000000
Challenge 3
Challenge 4
Hey, if you type in your pw, it will show as stars
** see!
Cthon98>
Challenge 5
At this point, you should know what to do
. . . . . . . . . . . . . . . . . . . . . . . . .
Solution
Beware Spoilers
This section details how to follow the trail.
Challenge 1 Solution
The user is presented with two images: one is a QR code (source2.gif), the other (img.gif) is a white block with black dots.
img.gif was created by XOR'ing source2.gif with the image we're trying to recover, so XOR'ing img.gif with source2.gif again recovers it
convert img.gif source2.gif -fx "(((255*u)&(255*(1-v)))|((255*(1-u))&(255*v)))/255" img2.gif
When scanned, the QR code should give the string NnpkZ2g1YTVlNnpwY2
Challenge 2 Solution
Challenge 2 is actually reasonably straightforward: the user is presented with a string and simply needs to recognise that it's a hex dump of a gzipped string
echo -n "1F8B0800FEE995560003CBC84ECD342D4BCACD294BCAB4CC4ACECB29F7E302000CA9C24B14000000" | xxd -r -ps | gunzip
Will give them the result hkei5vbmlvbi9jcnlwN
Challenge 3 Solution
The user is presented with a JPG of a gerbil. A quick check with strings shows there's a comment
strings gerbil.jpg
JFIF
%Srtzrag vf: mA3pwQkoC92ZGJzQzq5Macl
The comment has been ROT13'd (the hint being that vf rotates to is). Only the lowercase letters are rotated; uppercase letters and digits are left as they are.
echo -n "Srtzrag vf: mA3pwQkoC92ZGJzQzq5Macl" | tr 'a-z' 'n-za-m'
Segment is: zA3cjQxbC92ZGJmQmd5Mnpy
So, the next segment is zA3cjQxbC92ZGJmQmd5Mnpy
Challenge 4 Solution
Challenge 4 makes reference to a common meme, and then links to an encrypted zip file. The password for that file (in keeping with the meme) is hunter2
Extracting the zip gives a file called ans, which contains xxd output:
0000000: 4834 7349 4350 7237 6c56 5941 4132 4675 H4sICPr7lVYAA2Fu
0000010: 6333 646c 6369 3530 6548 5141 4338 374c c3dlci50eHQAC87L
0000020: 4e76 544c 6361 324d 4369 3378 4358 5a7a NvTLca2MCi3xCXZz
0000030: 4c50 634e 4353 784e 3941 6771 5358 4b30 LPcNCSxN9AgqSXK0
0000040: 7465 5543 414c 732b 4d46 5164 0a41 4141 teUCALs+MFQd.AAA
0000050: 410a A.
Passing that back through xxd will give a base64 encoded gzipped string, so solving the challenge is as simple as
cat ans | xxd -r | base64 -d | gunzip
Which will give the final part of the string Snk1NlEyZUtLSFAwMTQuaHRtbA==
Challenge 5 Solution
In order to get the URL for Challenge 5, the answers from the previous challenges must be combined and base64 decoded
echo -n "NnpkZ2g1YTVlNnpwY2hkei5vbmlvbi9jcnlwNzA3cjQxbC92ZGJmQmd5MnpySnk1NlEyZUtLSFAwMTQuaHRtbA==" | base64 -d
6zdgh5a5e6zpchdz.onion/cryp707r41l/vdbfBgy2zrJy56Q2eKKHP014.html
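The decoding steps for challenges 2 to 4 and the combination step above, as an added example that is not part of the original post. It uses only the Python standard library, with the challenge data copied from this page; the function and variable names are this example's own, and the xxd parser handles only xxd's default layout.

```python
import base64
import gzip
import re

# Challenge data copied from the page; the variable names are this example's own.
QR_SEGMENT = "NnpkZ2g1YTVlNnpwY2"  # challenge 1, as read from the QR code
HEX_GZIP = "1F8B0800FEE995560003CBC84ECD342D4BCACD294BCAB4CC4ACECB29F7E302000CA9C24B14000000"
JPEG_COMMENT = "Srtzrag vf: mA3pwQkoC92ZGJzQzq5Macl"  # challenge 3
XXD_DUMP = """\
0000000: 4834 7349 4350 7237 6c56 5941 4132 4675 H4sICPr7lVYAA2Fu
0000010: 6333 646c 6369 3530 6548 5141 4338 374c c3dlci50eHQAC87L
0000020: 4e76 544c 6361 324d 4369 3378 4358 5a7a NvTLca2MCi3xCXZz
0000030: 4c50 634e 4353 784e 3941 6771 5358 4b30 LPcNCSxN9AgqSXK0
0000040: 7465 5543 414c 732b 4d46 5164 0a41 4141 teUCALs+MFQd.AAA
0000050: 410a A.
"""  # challenge 4, contents of the "ans" file

AZ = "abcdefghijklmnopqrstuvwxyz"
LOWER_ROT13 = str.maketrans(AZ, AZ[13:] + AZ[:13])
HEX_GROUP = re.compile(r"(?:[0-9a-fA-F]{2}){1,2}")

def xxd_reverse(dump):
    """Rebuild bytes from xxd's default layout: offset, hex groups, ASCII."""
    out = bytearray()
    for line in dump.splitlines():
        groups = []
        for token in line.partition(":")[2].split():
            # Stop at the ASCII column, or after 8 groups (16 bytes) on a
            # full line, where the ASCII text could itself look like hex.
            if len(groups) == 8 or not HEX_GROUP.fullmatch(token):
                break
            groups.append(token)
        out += bytes.fromhex("".join(groups))
    return bytes(out)

def segments():
    """Return the four base64 fragments in challenge order."""
    c2 = gzip.decompress(bytes.fromhex(HEX_GZIP)).decode().strip()
    # Only a-z is rotated; upper case and digits pass through unchanged.
    c3 = JPEG_COMMENT.translate(LOWER_ROT13).split(": ", 1)[1]
    c4 = gzip.decompress(base64.b64decode(xxd_reverse(XXD_DUMP))).decode().strip()
    return [QR_SEGMENT, c2, c3, c4]

def next_url():
    return base64.b64decode("".join(segments())).decode()

if __name__ == "__main__":
    print(next_url())
```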
The trail is broken at this point - it's no longer possible to access 6zdgh5a5e6zpchdz.onion and the source file of that step has been lost to the sands of time.
However, when accessed, it displayed an HTML-based QR code. When scanned, that code yielded the string H4sIAAQDllYAA7O0SDOwLPbPsTTNdMrwiggKNk31zDHSjkhP9M5MK0gq0E7LCjJL9HHO8AwPLwhIispIS3Oz0A8ONSnxyDEMtLXlAgCZKDyNQQAAAA==
The string is a base64-encoded, gzipped, base64 encoding of a string in the CP1081 character set, so the user needs to expand and then convert it
echo -n 'H4sIAAQDllYAA7O0SDOwLPbPsTTNdMrwiggKNk31zDHSjkhP9M5MK0gq0E7LCjJL9HHO8AwPLwhIispIS3Oz0A8ONSnxyDEMtLXlAgCZKDyNQQAAAA==' | base64 -d | gunzip - | base64 -d | iconv -f CP1081 -t UTF-8
This gives the URI to access for the final destination - 7G46Cv7qadnJ.php?pass=oZ98JZsBdeou6Re7E34mSJVN
Reward
When accessed, the following page was rendered
And what a reward it is...