Jinn's Puzzle



Jinn gave me a pdf… Follow along with the files in here.

Running strings doesn’t show much.

yuu@yume:~/Downloads$ strings -a -o -n 6 begin.pdf | less

Using pdfminer is always a good place to start!

yuu@yume:~/Downloads$ pdf2txt.py begin.pdf
https://www.sendspace.com/file/x54qo0
yuu's magic adventure

The link contained in begin.pdf leads to jinn.gif. The genie zipping up his mouth is an important thing to remember as we do a hexdump on this gif.

yuu@yume:~/Downloads$ hexdump -C jinn.gif

000fbaa0  00 50 4b 01 02 1e 03 0a  00 09 00 00 00 b5 86 35  |.PK............5|
000fbab0  4c 6f 08 9d 42 e2 09 06  00 d6 09 06 00 0c 00 18  |Lo..B...........|
000fbac0  00 00 00 00 00 00 00 00  00 b4 81 00 00 00 00 70  |...............p|
000fbad0  72 65 63 69 6f 75 73 2e  7a 69 70 55 54 05 00 03  |recious.zipUT...|
000fbae0  e5 0b 65 5a 75 78 0b 00  01 04 e9 03 00 00 04 e9  |..eZux..........|
000fbaf0  03 00 00 50 4b 05 06 00  00 00 00 01 00 01 00 52  |...PK..........R|
000fbb00  00 00 00 38 0a 06 00 26  00 70 65 64 65 73 74 72  |...8...&.pedestr|
000fbb10  69 61 6e 20 70 61 73 73  77 6f 72 64 20 70 72 6f  |ian password pro|
000fbb20  74 65 63 74 73 20 70 72  65 63 69 6f 75 73 2e     |tects precious.|

Quickly you notice that at the end, there is some weird data in there. The magic number 50 4b 05 06 (PK\x05\x06, the end-of-central-directory signature) indicates that this is a zip file. So how can we open this? Trying out a couple of different zip programs leads to errors. This is because the zip file is password protected!
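Both observations can be checked directly from the trailing bytes, without a zip tool. The script below is an added example, not part of the original post: it parses the end-of-central-directory record and the central-directory entry transcribed from the hexdump above (the final 142 bytes of jinn.gif, starting at 0xfbaa1), and replaces the GIF image in front of them with a constructed zero-filled carrier of the same length so that the file offsets match.

```python
import struct

# Constructed sample: the final 142 bytes of jinn.gif as shown in the hexdump
# (central directory entry, end-of-central-directory record, archive comment),
# placed after a dummy carrier so they sit at the same offset (0xfbaa1) as in the GIF.
ZIP_TAIL = bytes.fromhex(
    "504b01021e030a0009000000b58635" "4c6f089d42e2090600d60906000c0018"
    "000000000000000000b4810000000070" "726563696f75732e7a69705554050003"
    "e50b655a75780b000104e903000004e9" "030000504b0506000000000100010052"
    "000000380a0600260070656465737472" "69616e2070617373776f72642070726f"
    "74656374732070726563696f75732e")
SAMPLE_GIF = b"GIF89a" + b"\x00" * (0xFBAA1 - 6) + ZIP_TAIL

def parse_trailing_zip(data: bytes) -> dict:
    """Find the end-of-central-directory (EOCD) record and describe the archive it points to."""
    eocd = data.rfind(b"PK\x05\x06", max(0, len(data) - 65557))  # 22-byte record + max comment
    if eocd < 0:
        raise ValueError("no EOCD record: not a zip, nor a file with a zip appended")
    _, _, _, _, n_entries, cd_size, cd_offset, comment_len = struct.unpack_from("<4sHHHHIIH", data, eocd)
    comment = data[eocd + 22:eocd + 22 + comment_len].decode("ascii", "replace")
    cd_start = eocd - cd_size     # where the central directory really is in this file
    shift = cd_start - cd_offset  # > 0 means the zip was appended to other data (the GIF image)
    entries, pos = [], cd_start
    for _ in range(n_entries):
        f = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, pos)
        if f[0] != b"PK\x01\x02":
            raise ValueError(f"bad central directory entry at {pos:#x}")
        flags, method, csize, usize, nlen, xlen, clen, local_off = (
            f[3], f[4], f[8], f[9], f[10], f[11], f[12], f[16])
        entries.append({
            "name": data[pos + 46:pos + 46 + nlen].decode("cp437"),
            "encrypted": bool(flags & 0x1),     # general-purpose bit 0: traditional PKWARE encryption
            "method": method,                   # 0 = stored, 8 = deflate
            "compressed": csize, "uncompressed": usize,
            "local_header": local_off + shift,  # archive offsets are relative to the zip start, not the file
        })
        pos += 46 + nlen + xlen + clen
    return {"comment": comment, "shift": shift, "entries": entries}

if __name__ == "__main__":
    info = parse_trailing_zip(SAMPLE_GIF)
    print(f"comment: {info['comment']!r}; zip data begins {info['shift']} bytes into the file")
    for e in info["entries"]:
        print(f"{e['name']}: encrypted={e['encrypted']} method={e['method']} "
              f"{e['compressed']}/{e['uncompressed']} bytes")
```

A stored entry (method 0) whose compressed size is exactly 12 bytes larger than its uncompressed size carries the traditional ZipCrypto header, which agrees with the encrypted flag reported here.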

The clue “pedestrian password protects precious” seems to allude to the use of a common (pedestrian) password. But which one? Luckily we have some nice word lists. The SecLists password archive is very useful for this kind of thing. Instead of typing millions of passwords by hand, we can automate this process with Python!

#!/usr/bin/env python3
import os
import subprocess
import sys

# Usage: 7z2.py <wordlist> <archive>
passfile = sys.argv[1]
archive = sys.argv[2]

with open(passfile, "r", errors="replace") as f, open(os.devnull, "w") as devnull:
    for line in f:
        trypass = line.rstrip("\n")
        print("Trying: " + trypass)
        # 7z 't' only tests the archive (no extraction); exit status 0 means the password worked
        p = subprocess.call(["/usr/bin/7z", "t", "-p" + trypass, archive],
                            stdout=devnull, stderr=subprocess.STDOUT)
        if p == 0:
            print("Correct Password is: " + trypass)
            break

This calls 7zip and uses the ’t’ flag to test the archive without extracting it, passing each password on the command line. It redirects all the output to /dev/null, and leaves you with the correct password once it finds one. Let’s see it in action!

$ ./7z2.py ~/SecLists/Passwords/10_million_password_list_top_100000.txt \
~/Downloads/jinn.gif
Correct Password is: qwerty123

Awesome! So what came out of the zip file? Well, that would be another zip file. This one is called precious.zip. Luckily for us, precious.zip isn’t password protected. It contains two files: bonus_round, and under.jpg.

under.jpg features a picture of a stuffed animal next to a rock, in front of some stacked rocks. It also clearly has something hidden in the comment section of the image. Running strings and hexdump, we can quickly find the location of the hash at 0x18. I’ll be honest, this part threw me off the most. There was a ‘c’ at the start of the hash:

00000000  ff d8 ff e0 00 10 4a 46  49 46 00 01 01 01 00 48  |......JFIF.....H|
00000010  00 48 00 00 ff fe 00 63  4a 41 32 48 47 53 4b 42  |.H.....cJA2HGSKB|
00000020  49 52 49 55 59 57 53 57  4e 35 41 55 43 36 53 4e  |IRIUYWSWN5AUC6SN|
00000030  50 41 59 55 49 54 4a 54  4a 56 35 47 4b 4d 32 4f  |PAYUITJTJV5GKM2O|
00000040  4b 42 4c 46 49 54 4b 45  4d 5a 4b 55 32 36 53 44  |KBLFITKEMZKU26SD|
00000050  47 4a 47 55 59 54 4a 51  49 52 48 57 47 51 32 42  |GJGUYTJQIRHWGQ2B|
00000060  4a 41 56 58 0a 45 4f 43  50 4a 56 4c 55 43 51 4b  |JAVX.EOCPJVLUCQK|
00000070  42 49 45 46 41 3d 3d 3d  3d ff db 00 43 00 03 02  |BIEFA====...C...|
00000080  02 03 02 02 03 03 03 03  04 03 03 04 05 08 05 05  |................|

Usually jpeg comments are signified by 0xff 0xfe, but this one had an additional ‘c’ before the hash began, and I spent a lot of time trying to parse this as base64, base32, and some additional custom bases. Base32 is similar to Base64, but it uses capital A-Z along with 0-7 for its character set. After some time of determining the hash type, I removed the ‘c’ from the start of the hash, as well as the ‘0x0a’ at offset 0x64 and decoded like so:

Original Hash:

JA2HGSKBIRIUYWSWN5AUC6SNPAYUITJTJV5GKM2OKBLFITKEMZKU26SDGJGUYTJQIRHWGQ2BJ\
AVX?EOCPJVLUCQKBIEFA====

Decoding

yuu@yume:~/Downloads$ base32 -d <<< JA2HGSKBIRIUYWSWN5AUC6SNPAYUITJTJV5GKM2OK\
BLFITKEMZKU26SDGJGUYTJQIRHWGQ2BJAVXEOCPJVLUCQKBIEFA====

H4sIADQLZVoAAzMx1DM3Mze3NPVTMDfUMzC2MLM0DOcCAH+r8OMWAAAA

So this Base32 hash contains a base64 hash… What does this result in?

$ base64 -d <<< H4sIADQLZVoAAzMx1DM3Mze3NPVTMDfUMzC2MLM0DOcCAH+r8OMWAAAA 

That doesn’t lead to anything. It seems like binary data of some sort. Perhaps if we put it into an outfile we can make it work.

$ base64 -d <<< H4sIADQLZVoAAzMx1DM3Mze3NPVTMDfUMzC2MLM0DOcCAH+r8OMWAAAA > jjj
$ hexdump -C jjj
00000000  1f 8b 08 00 34 0b 65 5a  00 03 33 31 d4 33 37 33  |....4.eZ..31.373|
00000010  37 b7 34 f5 53 30 37 d4  33 30 b6 30 b3 34 0c e7  |7.4.S07.30.0.4..|
00000020  02 00 7f ab f0 e3 16 00  00 00                    |..........|
0000002a

Ahah! A magic value, 1F 8B 08. This indicates that this is a gzip file!! So what happens if we open this?

yuu@yume:~/Downloads$ mv jjj jjj.gz
yuu@yume:~/Downloads$ gunzip -d jjj.gz
yuu@yume:~/Downloads$ cat jjj
41.767795N 71.038691W
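The whole chain from under.jpg to the coordinates, as an added example that is not part of the original post. It walks the JPEG marker segments instead of eyeballing the dump, which makes the stray ‘c’ explain itself: 0xff 0xfe is followed by a two-byte big-endian length, 0x0063, so 0x63 is the length byte and the comment payload starts right after it at 0x18. The sample is constructed from the hexdump above (SOI, the JFIF APP0 segment and the COM segment); the rest of the image is not needed.

```python
import base64
import gzip
import struct

# Constructed from the post's hexdump of under.jpg: SOI, JFIF APP0, the COM segment
# (length 0x0063 = 97 payload bytes + 2), then the first bytes of the DQT segment.
COMMENT = (b"JA2HGSKBIRIUYWSWN5AUC6SNPAYUITJTJV5GKM2O"
           b"KBLFITKEMZKU26SDGJGUYTJQIRHWGQ2BJAVX\n"
           b"EOCPJVLUCQKBIEFA====")
SAMPLE_JPEG = (bytes.fromhex("ffd8ffe000104a46494600010101004800480000")
               + b"\xff\xfe\x00\x63" + COMMENT + bytes.fromhex("ffdb004300"))

def jpeg_comments(data: bytes):
    """Walk a JPEG's marker segments and yield (payload offset, declared length, payload)
    for every COM (0xFFFE) segment. Stops at SOS, where entropy-coded data begins."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos:#x}")
        marker = data[pos + 1]
        if marker == 0xDA:
            break
        # The 16-bit big-endian length counts itself, so the payload is length - 2 bytes.
        # In under.jpg it is 0x0063: the 'c' (0x63) is the length byte, not part of the data.
        (length,) = struct.unpack_from(">H", data, pos + 2)
        if marker == 0xFE:
            yield pos + 4, length, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def comment_to_gzip(comment: bytes) -> bytes:
    """Base32 text (with an embedded newline) -> base64 text -> raw gzip bytes."""
    b64_text = base64.b32decode(b"".join(comment.split()))   # drop the 0x0a at offset 0x64
    return base64.b64decode(b64_text)                         # b64decode skips the trailing newline

def recover_coordinates(jpeg: bytes) -> str:
    _, _, comment = next(jpeg_comments(jpeg))
    blob = comment_to_gzip(comment)
    if blob[:3] != b"\x1f\x8b\x08":   # gzip magic plus deflate method, as seen in the post
        raise ValueError("decoded comment is not a gzip stream")
    return gzip.decompress(blob).decode("ascii").strip()

if __name__ == "__main__":
    print(recover_coordinates(SAMPLE_JPEG))
```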

This is it! Some coordinates… Let’s take a look where they point to.

If you aren’t from New England, you may not have heard of the Freetown State Forest. For the paranormally inclined, it’s part of a region known colloquially as the “Bridgewater Triangle”. Read up more about it here

So…waiting until the next free day to go down there.

It’s a Sunday, and hermit and I wake up late as hell. After our race to make breakfast and get ready before we lose our precious daylight, we are out the door for a long drive to the entrance to the Freetown State Forest. It’s about 4PM when we get there, and there’s already a pretty thick fog rolling in.

Through some long muddy trails (and a dad who was clearly on a blunt walk) we reach a spot that the GPS coordinates should point to. Through the trees, I can sort of see the familiar stack of rocks from the picture. Excited, hermit and I run through the brush to the big rock, and it looks pretty unassuming. I start kicking some leaves out of the way, and see nothing. We both are looking around the area, hoping that the package was still there.

Because the forest floor was so damp, pretty much everything we were using to aid our search was breaking as we used them. Finally, we picked up a large rock and started digging with it.

Finally, after almost giving up and trying to get enough service to DM jinn to ask what we need to do, we see signs of a trash bag underground. I dug carefully around it, and finally pulled a giant box in a trash bag out of the ground, in the middle of this legendarily spooky forest.

It’s starting to get dark very quickly, and we make our way out of there as fast as we can, having taken our time getting to the spot in the first place. By the time we got to our car and took a breath, it was legit night time.

After a quick stop at the mall, we make it back home, and finally open up the package.

Long story short: We had a lot of fun together coming up (with solutions to the puzzle), saw the glitches in the matrix, were brought to the dark forest, and came back to earth feeling hella refreshed. Thanks jinn, for giving us the opportunity to do such an interesting challenge!!


Tags
Ctf