Hackvent

Although I did not have much free time during Advent this year, my friends and I managed to solve all challenges up to day 12 plus 4 hidden challenges.

Again, there is a good writeup provided:

writeup.pdf

Selected Challenges

Day 02 - Wishlist

The fifth power of two

Something happened to my wishlist, please help me.

Solution

It was quite obvious that the contents of the file were base64; however, it decodes to nothing meaningful.
I noticed that the decoded string looks almost the same as the original one, and this gave me the idea to decode it 2^5 = 32 times.

#!/bin/bash

# Decode Wishlist.txt 32 times; each pass reads the previous pass's output.
prev=Wishlist
for i in {1..32}
do
  base64 -d "$prev.txt" > "$i.txt"
  prev=$i
  cat "$i.txt"
done

This yielded the flag: HV17-Th3F-1fth-Pow3-r0f2-is32

Day 03 - Strange Logcat Entry

An Android log file was provided.

Solution

I browsed the file and found two suspicious entries. They have the same PID, so they must be related:

11-13 20:40:13.542 137 137 I DEBUG : FAILED TO SEND RAW PDU MESSAGE
11-13 20:40:24.044 137 137 I DEBUG:
16
07914400000000F001000B913173317331F300003AC7F79B0C52BEC52190F37D07D1C3EB32888E2E838CECF05907425A63B7161D1D9BB7D2F337BB459E8FD12D188CDD6E85CFE931

After some researching, this looked like an SMS PDU.

https://www.diafaan.com/sms-tutorials/gsm-modem-tutorial/online-sms-pdu-decoder/

The message is:
Good Job! Now take the Flag: HV17-th1s-isol-dsch-00lm-agic
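
The same decoding can be done offline. The following Python sketch is an added example, not part of the original writeup: it parses the SMS-SUBMIT header of the PDU from the log and unpacks the GSM 7-bit user data. The function names are illustrative, and it assumes the default alphabet's ASCII-compatible subset, no validity period and no user data header.

```python
# Added example: decode the SMS-SUBMIT PDU from the logcat entry offline.
# PDU hex copied from the log line above (split here only for readability).
PDU = (
    "07914400000000F001000B913173317331F300003A"
    "C7F79B0C52BEC52190F37D07D1C3EB32888E2E838CECF05907425A6"
    "3B7161D1D9BB7D2F337BB459E8FD12D188CDD6E8"
    "5CFE931"
)


def swap_nibbles(octets: bytes) -> str:
    """Decode semi-octet (nibble-swapped BCD) digits, dropping the F filler."""
    return "".join(f"{b & 0x0F:X}{b >> 4:X}" for b in octets).rstrip("F")


def unpack_septets(data: bytes, count: int) -> str:
    """Unpack `count` 7-bit characters that were packed LSB-first into octets."""
    bits = int.from_bytes(data, "little")
    # Assumption: only the ASCII-compatible part of the GSM 03.38 default
    # alphabet occurs (letters, digits, space and common punctuation).
    return "".join(chr((bits >> (7 * i)) & 0x7F) for i in range(count))


def decode_sms_submit(pdu_hex: str) -> dict:
    raw = bytes.fromhex(pdu_hex)
    smsc_len = raw[0]                       # octets that follow, incl. type byte
    smsc = swap_nibbles(raw[2:1 + smsc_len])
    pos = 1 + smsc_len
    first_octet = raw[pos]
    if first_octet & 0x03 != 0x01:
        raise ValueError("not an SMS-SUBMIT PDU")
    if first_octet & 0x58:                  # validity period or user data header
        raise ValueError("validity period / UDH not handled in this example")
    pos += 2                                # first octet + message reference
    digits = raw[pos]                       # destination length in digits
    addr_end = pos + 2 + (digits + 1) // 2  # length byte + type byte + digits
    dest = swap_nibbles(raw[pos + 2:addr_end])
    pid, dcs, udl = raw[addr_end:addr_end + 3]
    if dcs != 0x00:
        raise ValueError("only the GSM 7-bit default alphabet is handled")
    user_data = raw[addr_end + 3:]
    if len(user_data) != (udl * 7 + 7) // 8:
        raise ValueError("user data length does not match UDL")
    return {"smsc": smsc, "dest": dest, "text": unpack_septets(user_data, udl)}


if __name__ == "__main__":
    print(decode_sms_submit(PDU))
```

The UDL octet (0x3A) counts septets, not octets, which is why the 51 bytes of user data yield 58 characters.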

Day 04 - HoHoHo

Santa has hidden something for you.

hohoho.pdf

Solution

After investigating the PDF a bit, I found a custom font which is contained in the PDF.
I opened the PDF with FontForge and found the flag.

HV17-RP7W-DU6t-Z3qA-jwBz-jItj

Day 05 - Only one Hint

some hex

Solution

After calculating the hint and googling the number I discovered that this is a value used in the calculation of CRCs.

There are other possibilities, however, after I did not find a cracker immediately I wrote my own.

https://github.com/m1ckey/CRCracker32

It may not be the most performant cracker, and hashcat would be the better tool, but it was quite fun and it did not take long.

HV17-7pKs-whyz-o6wF-h4rp-Qlt6

Day 06 - Santa's journey

There is a service which returns a random QR code.

Solution

At first Felix and I thought we had to trace the locations which were in the responses, or had to access the server from an IP which was in this country, but it was much easier.

We just had to get many images and eventually the flag is returned.

#!/bin/bash

# Fetch a QR image, decode it with zbarimg and rename the file to the decoded text.
while true; do
  wget -q -O index.html http://challenges.hackvent.hacking-lab.com:4200
  name=$(zbarimg --raw index.html 2> /dev/null | head -n 1)
  mv index.html "$name"
done

Day 07 - i know

Help to recover this file.

file

Solution

In the ZIP archive there was a disk image which could be mounted; however, if you just run

strings SANTA.IMA | grep 'HV17'

the flag is revealed.
It should have been a registry dump.

HV17-UCyz-0yEU-d90O-vSqS-Sd64

Day 09 - JSONion

JSONion.zip

Solution

There is a JSON which you have to modify according to the op (base64, map chars, gzip, etc.) and iterate until the flag is revealed.

This was a pure programming task.

The flag is revealed after 92 iterations. There is a trap, where the result is two different operators and you have to choose the right one.

[{"op":"flag","content":"HV17-Ip11-9CaB-JvCf-d5Nq-ffyi"}]

Day 10 - Just play the game

You have to play against a netcat bot TicTacToe 100x

Solution

This was again a pure programming task, but it was great fun ^^
TicTacToe is actually quite easy to solve and you have to write a simple bot.

After 100 wins the flag is revealed.

HV17-y0ue-kn0w-7h4t-g4me-sure

Day 11 - Crypt-o-Math 2.0

This mathematical problem is called 'linear congruence'

I wrote a simple Java program for it, as the Java API is pretty straightforward for this.
But as I read about it, I implemented my own extended ECD.

// Sandbox
// Created by Michael Krickl in 2017


import java.math.BigInteger;
import java.util.Arrays;

public class Sandbox {

  public static void main(String[] args) {

    // ax = b (mod m)

    BigInteger b =
        new BigInteger("559C8077EE6C7990AF727955B744425D3CC2D4D7D0E46F015C8958B34783", 16);
    BigInteger a =
        new BigInteger("CDB5E946CB9913616FA257418590EBCACB76FD4840FA90DE0FA78F095873", 16);
    BigInteger m =
        new BigInteger("9451A6D9C114898235148F1BC7AA32901DCAE445BC3C08BA6325968F92DB", 16);


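    // Extended Euclid on (a, m): eECD = {gcd, s, t} with a*s + m*t = gcd.
    BigInteger[] eECD = eECD(a, m);

    System.out.println(Arrays.toString(eECD));

    // With gcd(a, m) = 1, s is the inverse of a modulo m, so x = b * s (mod m).
    BigInteger x = b.multiply(eECD[1]).mod(m);
    System.out.println(x.toString(16));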
  }

  // Recursive extended Euclid: returns {g, s, t} such that a*s + b*t = g = gcd(a, b).
  public static BigInteger[] eECD(BigInteger a, BigInteger b) {

    BigInteger[] ints = new BigInteger[] {
        a, BigInteger.ONE, BigInteger.ZERO
    };

    if(b.equals(BigInteger.ZERO)) {
      return ints;
    }

    BigInteger[] tmp = eECD(b, a.mod(b));

    ints = new BigInteger[] {
        tmp[0], tmp[2], tmp[1].subtract((a.divide(b)).multiply(tmp[2]))
    };

    return ints;
  }
}

Hidden 1

While exploring the website I noticed that the day is set with a GET parameter.

https://hackvent.hacking-lab.com/challenge.php?day=1984

When entering this URL the header contains the flag.

Hidden 3

When looking at the /robots.txt file you get the text

We are people, not machines

/people.txt then contains

What's about akronyms?

This is a mistake; however, after some trying I found the synonym, and the flag was in /humans.txt

Hidden 4

I poked around the website a bit more and found a hacky easter teaser in https://hackvent.hacking-lab.com/css/

Hidden 5

I scanned the ports of challenges.hackvent.hacking-lab.com and found telnet.

When you connect to the service some text is flashed by. If you pipe the output to a file you get:

HV17-UH4X-PPLE-ANND-IH4X-T1ME
