LabyREnth CTF 2017: Threat 3

We were given the URL http://youwontfind.me to begin with. Visiting it reveals an awful site that somewhat resembles the dark age of GeoCities. Obviously, the first instinct was to inspect the HTML source, which contains several GIFs and a comment holding some kind of hex string.

```html
<!DOCTYPE html>
<html>
<head>
<style>
body { background-image: url("starry.gif");}
</style>
</head>
<body>
<img src="under_constructionA.gif"><br>
<font color="yellow">
<center><marquee><h1>Can you find me?</h1></marquee>
<img src="flamingline.gif">
<img src="labyrinth.gif">
<br></center>
<img src="getie.gif">
<font size="2">
<p align="right">copyright s. williams
</body>
</html>
<!-- 642C740D0C297E3A5E1B4D6A70346C24175D56485F7F2B3C0E1F1C6D716F3C2013095B405B2C2F385D491C62763930231A560E13507879390B414E36216B327C1A065E42022C2032 -->
```

Inspection of the GIF images showed that they were benign. Running a WHOIS on the domain revealed several interesting registrant details.

Domain Name: YOUWONTFIND.ME
Registry Domain ID: D425500000003684894-AGRS
Registrar WHOIS Server:
Registrar URL: http://www.gandi.net
Updated Date: 2017-05-01T15:59:56Z
Creation Date: 2017-05-01T15:48:59Z
Registry Expiry Date: 2018-05-01T15:48:59Z
Registrar Registration Expiration Date:
Registrar: Gandi SAS
Registrar IANA ID: 81
Registrar Abuse Contact Email:
Registrar Abuse Contact Phone:
Reseller:
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Registry Registrant ID: C17578851-AGRS
Registrant Name: Sarah Williams
Registrant Organization:
Registrant Street: 285 Lafayette Street
Registrant City: New York
Registrant State/Province: NY
Registrant Postal Code: 10012
Registrant Country: US
Registrant Phone: +1.4048675309
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: sarah.williams.1986@yandex.com

It appears that the domain was registered by a person called Sarah Williams, with the email sarah.williams.1986@yandex.com. Googling that email turned up a GitHub gist, https://gist.github.com/anonymous/cde711c9837f24315941d03937c95577, which contains what looks like a Facebook account dump.

Eva.Rhonda.1994@aol.com:n-buiiir!mvcz - 1994RhondaEvaamong
Herminia.Dorian.1993@hotmail.com:p+9pu9-avtok0k-x - positiveHerminia1993Dorian
Cecilia.Faith.1990@laby.rr.com:!c54nnvzneaylgu2id - 1990FaithCeciliaprogram
Sarah.Williams.1986@yandex.com:us09871bsej8 - TheSarahWilliams1986M
Nadine.Earl.2001@aol.com:sbcn!tcugc21h-q47x6 - Nadine2001Earlperform
Camille.Jeremy.1996@hotmail.com:infp3y - CamilleJeremybecome1996
Megan.Ian.2009@aol.com:y_z-6btaijdsg-if9 - IanavailableMegan2009
Luann.Adela.1989@laby.rr.com:y@s5bh3uxc+t@sazy-4 - LuannAdelanation1989

The dump appears to be a Facebook password dump, but the last field turns out to be just the profile username. Visiting https://www.facebook.com/TheSarahWilliams1986 reveals tons of base64-encoded posts.

From Sarah's Facebook profile overview, we were able to identify her Twitter account (https://twitter.com/1986_SWilliams), and one of her tweets in turn revealed her LinkedIn account (https://www.linkedin.com/in/sarahw1986/).

Sarah's experience description on LinkedIn was embedded with several links, one of which points to her Stack Exchange profile (https://stackexchange.com/users/10581007/babytoby).

It appears that Sarah had asked a question on Stack Overflow: https://stackoverflow.com/questions/43807871/python-script-isnt-working/43807928#43807928

Sarah posted her entire encryption code on Stack Overflow, asking the community why it wouldn't run properly.

The code can be easily fixed with proper type casting and indentation. Analysis of the code shows that it's an XOR encryption algorithm which takes an 8-byte key and encrypts a plaintext string.

If the plaintext length is not a multiple of 8 (length % 8 != 0), the algorithm pads the end of the plaintext with @ characters.

It turns out to be a rather simple algorithm: byte[i] ^ key[i] for the first 8 bytes; each following byte, byte[7+i], is XORed with the earlier result of byte[i] ^ key[i] rather than with the key.

Alright, looking back at the entire challenge, there's a weird hex string embedded in the comment on youwontfind.me: 642C740D0C297E3A5E1B4D6A70346C24175D56485F7F2B3C0E1F1C6D716F3C2013095B405B2C2F385D491C62763930231A560E13507879390B414E36216B327C1A065E42022C2032

It seems that this is the ciphertext. What we are missing now is the key. Sarah mentions Toby a lot and clearly loves him, so I started to search for any 8-character string that could serve as the key. babytoby, the name on her Stack Exchange profile, seems a likely candidate.

So, using Python, chr(0x32 ^ ord("b")) == 'P' (0x32 is the last byte of the hex string, which is why the comment is read from the end).

XORing the remaining bytes gives you the flag:

PAN{61dcf45c4ba9286f2edf9f7e2d0def096b903541600624c299a731b8520bdedf}
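As an added worked example (code written for this page, not the original writeup's script and not the Stack Overflow post, which is not reproduced here): a decryptor for the comment string with the key babytoby. The writeup describes the chaining only informally; the exact order used below was reconstructed by checking against the ciphertext and flag above: the published hex is the ciphertext with its bytes in reverse order, block 0 is XORed with the key, and every later block is XORed with the previous ciphertext block in reverse byte order. An encrypt function is included so the reconstruction can be confirmed to round-trip to the exact comment string.

```python
# Added example: decrypt the hex comment from youwontfind.me with the key "babytoby".
# The chaining order below (reverse the hex stream, XOR block 0 with the key, XOR
# every later block with the previous ciphertext block reversed) is an assumption
# reconstructed from the published ciphertext and flag, not the poster's own code.

BLOCK = 8
PAD = b"@"

# Ciphertext as it appears in the HTML comment on the page.
CIPHERTEXT_HEX = ("642C740D0C297E3A5E1B4D6A70346C24175D56485F7F2B3C0E1F1C6D716F3C20"
                  "13095B405B2C2F385D491C62763930231A560E13507879390B414E36216B327C"
                  "1A065E42022C2032")
KEY = b"babytoby"


def xor_blocks(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length blocks."""
    return bytes(x ^ y for x, y in zip(a, b))


def decrypt(hex_stream: str, key: bytes) -> str:
    """Recover the plaintext from the hex comment and strip the '@' padding."""
    if len(key) != BLOCK:
        raise ValueError("key must be exactly 8 bytes")
    stream = bytes.fromhex(hex_stream)
    if len(stream) % BLOCK:
        raise ValueError("ciphertext length is not a multiple of 8")
    # The comment is the ciphertext written backwards: its last byte (0x32) is
    # the first real ciphertext byte, which is why 0x32 ^ ord('b') gives 'P'.
    ct = stream[::-1]
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    plain = bytearray()
    prev = key                       # block 0 is XORed with the key itself
    for blk in blocks:
        plain += xor_blocks(blk, prev)
        prev = blk[::-1]             # later blocks: previous ciphertext block, reversed
    return bytes(plain).rstrip(PAD).decode("ascii")


def encrypt(plaintext: str, key: bytes) -> str:
    """Inverse of decrypt: pad with '@', chain the blocks, reverse, hex-encode."""
    if len(key) != BLOCK:
        raise ValueError("key must be exactly 8 bytes")
    data = plaintext.encode("ascii")
    if len(data) % BLOCK:
        data += PAD * (BLOCK - len(data) % BLOCK)
    ct = bytearray()
    prev = key
    for i in range(0, len(data), BLOCK):
        blk = xor_blocks(data[i:i + BLOCK], prev)
        ct += blk
        prev = blk[::-1]
    return bytes(ct[::-1]).hex().upper()


if __name__ == "__main__":
    flag = decrypt(CIPHERTEXT_HEX, KEY)
    print(flag)
    # Sanity check: re-encrypting the flag must give back the comment string.
    print(encrypt(flag, KEY) == CIPHERTEXT_HEX)
```

Note that the scheme is not a real cipher: the first block is a plain single-use XOR with the key, so eight bytes of known plaintext (here the `PAN{` prefix plus four more characters) recover the key outright, and every later block depends only on the previous ciphertext block, which the attacker already has.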
