Hack the Box - Beatles Challenge


John Lennon sent a secret message to Paul McCartney about the next music tour of Beatles… Could you find the message and submit the flag?

We have two files: [email protected]#_f0r_pAuL and BAND.ZIP

cat [email protected]#_f0r_pAuL 
Url Cnhy,

Zl Sbyqre unf cnffcuenfr jvgu sbhe (4) punenpgref.

Pbhyq lbh spenpx vg sbe zr???

V fraq lbh n zrffntr sbe bhe Gbhe arkg zbagu...

Qba'g Funer vg jvgu bgure zrzoref bs bhe onaq...

-Wbua Yraaba


CF: Crnpr naq Ybir zl sevraq... Orngyrf Onaq sbe rire!

Inside the BAND.ZIP file we have a JPEG image, but we don’t have the password yet. So let’s look at the ciphertext from the note first.

Running it through the substitution solver at https://www.guballa.de/substitution-solver gives:

Hey Paul,

My Folder has passphrase with four (4) characters.

Could you fcrack it for me???

I send you a message for our Tour next month...

Don't Share it with other members of our band...

-John Lennon


PS: Peace and Love my friend... Beatles Band for ever!

The decoded note gives us a hint for BAND.ZIP: the password for the zip file is four characters long.

Let’s crack it with rockyou.txt

fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt BAND.zip 


PASSWORD FOUND!!!!: pw == pass

Looking at the strings in the image, we found a base64 string. Let’s decode it.

echo "VkhKNUlFaGhjbVJsY2lFPQ==" | base64 -d
VHJ5IEhhcmRlciE=

echo "VHJ5IEhhcmRlciE=" | base64 -d
Try Harder!

Let’s try something else then…

If we test steghide we have to provide a password for it, which we don’t know yet.

steghide extract -sf BAND.JPG -p THEBEATLES
wrote extracted data to "testabeatle.out".

file testabeatle.out 
testabeatle.out: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=ca68ea305ff7d393662ef8ce4e5eed0b478c8b4e, not stripped

If we look through the strings of the extracted binary for hints, we find a base64 string inside.

strings testabeatle.out | awk 'length($0) > 20'
/lib64/ld-linux-x86-64.so.2
_ITM_deregisterTMCloneTable
_ITM_registerTMCloneTable
Hey Paul! If you are here... Give my your favourite character!
Ok Paul... A little challenge for you mate, cause last month someone crazy man hacked...WTF! Let's Begin!
########################################Challenge############################################################
Tell me PAul! The result of  5+5?
Ok!ok! it was easy... Tell me now... The result of: 5+5-5*(5/5)?
Last one! The result of: (2.5*16.8+1.25*10.2+40*0.65+1.5*7.5+1.25*3.2):40
Hey Paul! nice!!! this is  the message
VGhlIHRvdXIgd2FzIGNhbmNlbGVkIGZvciB0aGUgZm9sbG93aW5nIG1vbnRoLi4uIQ0KDQpJJ2xsIGdvIG91dCBmb3IgZGlubmVyIHdpdGggbXkgZ2lybGZyaWVuZCBuYW1lZCBZb2NvISA7KQ0KDQpIVEJ7UzByUnlfTXlfRlIxM25EfQ0K
WTF! You are not Paul!! SOS SOS SOS HACKER HERE!! I will call the police someone want to steal my data!!!
########################################END OF CHALLENGE############################################################
GCC: (Debian 7.2.0-5) 7.2.0
__do_global_dtors_aux
__do_global_dtors_aux_fini_array_entry
__frame_dummy_init_array_entry
_GLOBAL_OFFSET_TABLE_
_ITM_deregisterTMCloneTable
[email protected]@GLIBC_2.2.5
[email protected]@GLIBC_2.7
_ITM_registerTMCloneTable
[email protected]@GLIBC_2.2.5

This one:
VGhlIHRvdXIgd2FzIGNhbmNlbGVkIGZvciB0aGUgZm9sbG93aW5nIG1vbnRoLi4uIQ0KDQpJJ2xsIGdvIG91dCBmb3IgZGlubmVyIHdpdGggbXkgZ2lybGZyaWVuZCBuYW1lZCBZb2NvISA7KQ0KDQpIVEJ7UzByUnlfTXlfRlIxM25EfQ0K

Let’s decode it…

The tour was canceled for the following month...!

I'll go out for dinner with my girlfriend named Yoco! ;)

HTB{S0rRy_My_FR13nD}
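
The decoding steps used above (the shifted note, which is ROT13, and the nested base64 strings pulled out with strings), as an added example that is not part of the original writeup. The function names, the 16-character threshold and the sample bytes are assumptions constructed for illustration.

```python
import base64
import binascii
import codecs
import re

# Runs of 16+ base64-alphabet bytes with optional padding (threshold is an assumption).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")

def rot13(text):
    """Undo the Caesar shift of 13 used on the note."""
    return codecs.decode(text, "rot_13")

def try_b64(blob):
    """Return decoded bytes if blob is strict base64 of printable ASCII, else None."""
    if not blob or len(blob) % 4:
        return None
    try:
        raw = base64.b64decode(blob, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    if not all(c.isprintable() or c in "\r\n\t" for c in text):
        return None
    return raw

def peel(blob, max_layers=8):
    """Strip nested base64 layers; return (text, layers_removed)."""
    layers = 0
    while layers < max_layers:
        decoded = try_b64(blob.strip())
        if decoded is None:
            break
        blob, layers = decoded, layers + 1
    return blob.decode("ascii", "replace"), layers

def scan(data):
    """Decode every base64-looking run in raw file bytes, skipping symbol-name noise."""
    hits = []
    for match in B64_RUN.finditer(data):
        text, layers = peel(match.group())
        if layers:
            hits.append((layers, text))
    return hits

if __name__ == "__main__":
    # Constructed sample: ELF-like noise around the short string found in the image.
    sample = b"\x7fELF\x00_ITM_registerTMCloneTable\x00VkhKNUlFaGhjbVJsY2lFPQ==\x00GCC: (Debian)\x00"
    print(rot13("Url Cnhy,"))
    print(scan(sample))
```

The printable-ASCII check is what keeps symbol names such as registerTMCloneTable, which happen to be valid base64, out of the results.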