John Lennon send a secret message to Paul McCartney about the next music tour of Beatles… Could you find the message and sumbit the flag?
We have two files m3ss@g#_f0r_pAuL & BAND.ZIP
cat m3ss@g#_f0r_pAuL
Url Cnhy,
Zl Sbyqre unf cnffcuenfr jvgu sbhe (4) punenpgref.
Pbhyq lbh spenpx vg sbe zr???
V fraq lbh n zrffntr sbe bhe Gbhe arkg zbagu...
Qba'g Funer vg jvgu bgure zrzoref bs bhe onaq...
-Wbua Yraaba
CF: Crnpr naq Ybir zl sevraq... Orngyrf Onaq sbe rire!
Inside BAND.ZIP file we have a JPEG image but we don’t have a password yet. So let’s check the cipher which we got.
Hey Paul,
My Folder has passphrase with four (4) characters.
Could you fcrack it for me???
I send you a message for our Tour next month...
Don't Share it with other members of our band...
-John Lennon
PS: Peace and Love my friend... Beatles Band for ever!
The decoded text we got has a hint for BAND.ZIP that we have a four characters password for the zip file.
Let’s crack with rockyou.txt
fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt BAND.zip
PASSWORD FOUND!!!!: pw == pass
After taking a look at image strings we found an base64 string let’s decode it.
echo "VkhKNUlFaGhjbVJsY2lFPQ==" | base64 -d
VHJ5IEhhcmRlciE=
echo "VHJ5IEhhcmRlciE=" | base64 -d
Try Harder!
Let’s try something else then…
If we test steghide we have to provide a password for it, which we don’t know yet.
steghide extract -sf BAND.JPG -p THEBEATLES
wrote extracted data to "testabeatle.out".
file testabeatle.out
testabeatle.out: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ca68ea305ff7d393662ef8ce4e5eed0b478c8b4e, not stripped
If we take a look at strings for hints we can find base64 code inside
strings testabeatle.out | awk 'length($0) > 20'
/lib64/ld-linux-x86-64.so.2
_ITM_deregisterTMCloneTable
_ITM_registerTMCloneTable
Hey Paul! If you are here... Give my your favourite character!
Ok Paul... A little challenge for you mate, cause last month someone crazy man hacked...WTF! Let's Begin!
########################################Challenge############################################################
Tell me PAul! The result of 5+5?
Ok!ok! it was easy... Tell me now... The result of: 5+5-5*(5/5)?
Last one! The result of: (2.5*16.8+1.25*10.2+40*0.65+1.5*7.5+1.25*3.2):40
Hey Paul! nice!!! this is the message
VGhlIHRvdXIgd2FzIGNhbmNlbGVkIGZvciB0aGUgZm9sbG93aW5nIG1vbnRoLi4uIQ0KDQpJJ2xsIGdvIG91dCBmb3IgZGlubmVyIHdpdGggbXkgZ2lybGZyaWVuZCBuYW1lZCBZb2NvISA7KQ0KDQpIVEJ7UzByUnlfTXlfRlIxM25EfQ0K
WTF! You are not Paul!! SOS SOS SOS HACKER HERE!! I will call the police someone want to steal my data!!!
########################################END OF CHALLENGE############################################################
GCC: (Debian 7.2.0-5) 7.2.0
__do_global_dtors_aux
__do_global_dtors_aux_fini_array_entry
__frame_dummy_init_array_entry
_GLOBAL_OFFSET_TABLE_
_ITM_deregisterTMCloneTable
__libc_start_main@@GLIBC_2.2.5
__isoc99_scanf@@GLIBC_2.7
_ITM_registerTMCloneTable
__cxa_finalize@@GLIBC_2.2.5
This one
VGhlIHRvdXIgd2FzIGNhbmNlbGVkIGZvciB0aGUgZm9sbG93aW5nIG1vbnRoLi4uIQ0KDQpJJ2xsIGdvIG91dCBmb3IgZGlubmVyIHdpdGggbXkgZ2lybGZyaWVuZCBuYW1lZCBZb2NvISA7KQ0KDQpIVEJ7UzByUnlfTXlfRlIxM25EfQ0K
let’s decode it…
The tour was canceled for the following month...!
I'll go out for dinner with my girlfriend named Yoco! ;)
HTB{S0rRy_My_FR13nD}