In April 2016, I got bored and created a second crypto trail on `www.bentasker.co.uk`. Unlike the first this trail wasn't confined to a single domain, or even to just the clearnet.

However, in order to follow the trail, you needed to be able to access a site served using a V2 Onion. However, V2 onions have since been deprecated and are no longer accessible.

The trail is now broken.

But, it is still possible to complete the challenges, so this post will begin by presenting the challenge and then will provide the solution.

### The challenges

You don't need to solve the challenges in any given order, but you will need to combine the answers to each in the correct order to be able to move onto the final challenge

#### Challenge 2

``````1F8B0800FEE995560003CBC84ECD342D4BCACD294BCAB4CC4ACECB29F7E302000CA9C24B14000000
``````

#### Challenge 4

Hey, if you type in your pw, it will show as stars

** see!

Cthon98>

Challenge4.zip

#### Challenge 5

At this point, you should know what to do

. . . . . . . . . . . . . . . . . . . . . . . . .

### Solution

`Beware Spoilers`

This section details how to follow the trail.

#### Challenge 1 Solution

The user is presented with two images, one of which is a QR code (source2.gif), the other(img.gif) is a white block with black dots.

img.gif was created by XOR'ing source2.gif with the image we're trying to recover

``````convert img.gif source2.gif -fx "(((255*u)&(255*(1-v)))|((255*(1-u))&(255*v)))/255" img2.gif
``````

When scanned, the QR code should give the string `NnpkZ2g1YTVlNnpwY2`

#### Challenge 2 Solution

Challenge 2 is actually reasonably straightforward, the user is presented with a string, they simply need to recognise that it's a hex dump of a gzipped string

``````echo -n "1F8B0800FEE995560003CBC84ECD342D4BCACD294BCAB4CC4ACECB29F7E302000CA9C24B14000000" | xxd -r -ps | gunzip
``````

Will give them the result `hkei5vbmlvbi9jcnlwN`

#### Challenge 3 Solution

The user is presented with a JPG of a gerbil. A quick check with strings shows there's a comment

``````strings gerbil.jpg
JFIF
%Srtzrag vf: mA3pwQkoC92ZGJzQzq5Macl
``````

The comment has been ROT13'd (the hint being that `vf` rotates to `is`)

``````echo -n "Srtzrag vf: mA3pwQkoC92ZGJzQzq5Macl" | tr \$(printf %13s | tr ' ' '.')\a-z a-za-z
Segment is: zA3cjQxbC92ZGJmQmd5Mnpy
``````

So, the next segment is `zA3cjQxbC92ZGJmQmd5Mnpy`

#### Challenge 4 Solution

Challenge 4 makes reference to a common meme, and then links to an encrypted zip file. The password for that file (in keeping with the meme) is `hunter2`

Extracting the zip gives a file called `ans`, which contains `xxd` output:

``````0000000: 4834 7349 4350 7237 6c56 5941 4132 4675  H4sICPr7lVYAA2Fu
0000010: 6333 646c 6369 3530 6548 5141 4338 374c  c3dlci50eHQAC87L
0000020: 4e76 544c 6361 324d 4369 3378 4358 5a7a  NvTLca2MCi3xCXZz
0000030: 4c50 634e 4353 784e 3941 6771 5358 4b30  LPcNCSxN9AgqSXK0
0000040: 7465 5543 414c 732b 4d46 5164 0a41 4141  teUCALs+MFQd.AAA
0000050: 410a                                     A.
``````

Passing that back through xxd will give a base64 encoded gzipped string, so solving the challenge is as simple as

``````cat ans | xxd -r | base64 -d | gunzip
``````

Which will give the final part of the string `Snk1NlEyZUtLSFAwMTQuaHRtbA==`

#### Challenge 5 Solution

In order to get the URL for Challenge 5, the answers from the previous challenges must be combined and base64 decoded

``````echo -n "NnpkZ2g1YTVlNnpwY2hkei5vbmlvbi9jcnlwNzA3cjQxbC92ZGJmQmd5MnpySnk1NlEyZUtLSFAwMTQuaHRtbA==" | base64 -d
6zdgh5a5e6zpchdz.onion/cryp707r41l/vdbfBgy2zrJy56Q2eKKHP014.html
``````

The trail is broken at this point - it's no longer possible to access `6zdgh5a5e6zpchdz.onion` and the source file of that step has been lost to the sands of time.

However, when accessed, it displayed a HTML based QR code - when scanned that code yielded the string `H4sIAAQDllYAA7O0SDOwLPbPsTTNdMrwiggKNk31zDHSjkhP9M5MK0gq0E7LCjJL9HHO8AwPLwhIispIS3Oz0A8ONSnxyDEMtLXlAgCZKDyNQQAAAA==`

The string is a base64 encoded gzipped base64 encode of a string in the CP1081 character set, so the user needs to expand and then convert it

``````echo -n 'H4sIAAQDllYAA7O0SDOwLPbPsTTNdMrwiggKNk31zDHSjkhP9M5MK0gq0E7LCjJL9HHO8AwPLwhIispIS3Oz0A8ONSnxyDEMtLXlAgCZKDyNQQAAAA==' | base64 -d | gunzip - | base64 -d | iconv -f CP1081 -t UTF-8
``````

This gives the URI to access for the final destination - `7G46Cv7qadnJ.php?pass=oZ98JZsBdeou6Re7E34mSJVN`

#### Reward

When accessed, the following page was rendered

And what a reward it is...