This is my write-up on how I managed to solve some of the challenges in the ROOTCON 2020 Easter-Egg Hunt. The challenges include, but are not limited to, Forensics, Crypto, Malware Analysis and Puzzles. The objective is to solve each challenge and acquire the flag.
Time Egg Solution
Browse to the given link to learn more about the challenge.
From there you are given two messages:
The idea of the challenge is to take advantage of one-time pad key re-use.
XOR the two given messages.
# XOR the two ciphertexts byte by byte; because the same one-time pad key
# was reused, c1 ^ c2 == m1 ^ m2 and the key cancels out.
def sxor(s1, s2):
    # zip() truncates to the shorter input (33 bytes here)
    return bytes(a ^ b for a, b in zip(s1, s2))

s1 = bytes.fromhex("83d7f7966225c71b556cfd1fa28aa1cb364903c74bfad82400a5b8326ebf110cf610")
s2 = bytes.fromhex("8380cb903366dd4b7822ba48a9dacf8b6b4b6aa81df1f14b46afd4736ae9111ee2")
s3 = sxor(s1, s2)
print(s3.hex())
# result: 00573c0651431a502d4e47570b506e405d02696f560b296f460a6c410456001214
The difficult part of the task is that you need to make intelligent guesses to complete the key. Eventually this yields “r4cc00n5_5t0l3_4ll_0f_y0ur_3gg5!” as the key, and XORing it with the generated XOR string yields the flag.
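The guessing step above is crib dragging: a suspected plaintext fragment is slid across m1 ^ m2, and every offset where the other message comes out fully printable is a candidate. The following is an added example, not code from the original write-up; the ciphertexts are the two from the page, while the crib “rc_easter{” and the function names are my own assumptions.

```python
import string

# Constructed from the two hex strings given on the page
C1 = bytes.fromhex("83d7f7966225c71b556cfd1fa28aa1cb364903c74bfad82400a5b8326ebf110cf610")
C2 = bytes.fromhex("8380cb903366dd4b7822ba48a9dacf8b6b4b6aa81df1f14b46afd4736ae9111ee2")

# Printable ASCII minus the tab/newline family; space is kept
PRINTABLE = set(string.printable[:-5].encode())


def xor_bytes(a, b):
    """XOR two byte strings, truncating to the shorter one (zip semantics)."""
    return bytes(x ^ y for x, y in zip(a, b))


def crib_drag(xored, crib):
    """Slide a guessed plaintext fragment across m1 ^ m2.

    Returns (offset, fragment) for every offset where XORing the crib in
    leaves the other message fully printable; those are the spots worth
    extending by hand."""
    crib = crib.encode()
    hits = []
    for off in range(len(xored) - len(crib) + 1):
        frag = xor_bytes(xored[off:off + len(crib)], crib)
        if all(b in PRINTABLE for b in frag):
            hits.append((off, frag.decode()))
    return hits


def recover(xored, known_plaintext):
    """Once one whole message is guessed, XOR it through to read the other."""
    return xor_bytes(xored, known_plaintext.encode()).decode()


if __name__ == "__main__":
    x = xor_bytes(C1, C2)
    # Step 1: the flag format is a natural first crib (assumed here).
    for off, frag in crib_drag(x, "rc_easter{"):
        print(f"offset {off}: other message reads {frag!r}")
    # Step 2: extend the guess until one message is complete, then read the other.
    print(recover(x, "r4cc00n5_5t0l3_4ll_0f_y0ur_3gg5!"))
```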
Space Egg Solution
Install can-utils, then use log2asc to convert the log files into a friendlier format.
Examine the ASC file and note the Rx values of the 400, 401, 402 and 403 events (these events stand out).
Decode the hex values to get the flag.
(73 70 61 63 65 73 61 74 65 6C 6C 69 74 65 73 68 61 76 65 63 61 6E 74 6F 6F) = spacesatelliteshavecantoo.
Alternatively, you can use canplayer to replay the log file and fire up Wireshark to examine the traffic while inspecting the data. Combining parts of it will also yield the flag.
Power Egg Solution
Build a wordlist that satisfies the password requirements (e.g. year-goon-color). Then crack the given MD5 hash using hashcat or John the Ripper.
This will show that the password “2169-ShipCode-eminence” matches the given hash.
Decrypt the “the_power_egg.enc” file using openssl with “2169-ShipCode-eminence” as the decryption password.
This yields a PNG file containing a QR code. Open the file and use a QR code scanner to view the flag.
Reality Egg Solution
Examining the file shows that it behaves similarly to the Zloader banking trojan (aka Terdot).
Edit the file in a hex editor to unhide the hidden sheet; this makes the hidden Sheet2 visible. More information on this is available in the Excel Maldocs Hidden Sheets article.
Examine the column section and notice that column “N” is hidden. Unhide the column and then jump to the 500th row, where the data starts.
Then convert the decimal values to ASCII to get the command below:
Browse to http://easteregg.rootcon.net/sFpWgx9WkHQQ542K/36xQCWUDNaJpdbTB to view the flag.
Soul Egg Solution
Browse to the given link to view the image.
The image shows strings encoded in the Atlantean Language.
Just use any decoder, such as https://i.imgur.com/gdQmdNv.gif or https://www.dcode.fr/atlantean-language, to get the flag.
Mind Egg Solution
Note that this is only a partial solution, as I wasn’t able to complete this challenge.
Use a zero-width character decoder on the “To Wanda.txt” file to acquire the second part of the secret, which is: h_my_l0v3. I’ve used https://330k.github.io/misc_tools/unicode_steganography.html.
Then use Volatility on the vision file (memory dump) to acquire the encoded first part of the secret, which is: MUlPdVg1dTsybDJldW9MPSg/SkJGIy11bURKc2AvQDdHMyU3ODczKEByMg==.
I got stuck on hint.txt, particularly on the “def” part, which is needed to fully decode the first part (all the others are just base encoding schemes, e.g. base64 -> base85 -> base58).
The my_treasures zip file link, though, can simply be found by running strings on the vision memory dump file and searching for http.
This turns up https://uploadfiles[dot]io/kiyqnnt9, which is the link to download the my_treasures file.
Note: I solved this after the event, and the solution is below.
Use the “sc4rl37_w1tch_my_l0v3” secret as the password to unzip the my_treasures file. This yields several image files; one of them contains a QR code, which is the flag.