Mereacre Liviu, Mocrenco Artiom, Brinzila Calin, Nicu Iurie, Gidilica Nichita
The year is 2042. You are a team of Interpol agents involved in the search for stolen digital works of art.
During the investigation, you discovered a network of underground crypto cat traders, but all attempts to physically catch at least one of the network participants were unsuccessful.
Recently, one of your agents reported that there was an offer for the sale of 2 vintage NFTs, the exact value of which has yet to be determined.
He reported that he had come into possession of a rather old information storage device that belonged to the leader of a gang of illegal traders under the pseudonym Byron.
Unfortunately, communication with the agent was interrupted, but a package was delivered to the division office, the only content of which was this ancient data storage device.
Using a quantum replicator, we created perfect copies of the device, which we invite you to study.
For a better immersion into the world of ancient digital artefacts, you were sent to 2024, where, under the guise of hackathon participants, you will have to complete the task assigned to you.
Task: extract maximum useful information from the analysis of the provided device. You are allowed to use any utilities, operating systems and artificial intelligence assistance.
The "ancient storage device" turned out to be a simple USB Flash Drive that had 2 distinct partitions:
![[Pasted image 20240929045608.png]]
![[Pasted image 20241003183907.png]]
![[Pasted image 20241003184127.png]]
After obtaining the source code we noticed that it is stuck in an infinite loop that spams text to the screen, so we just edit the function out.

```csharp
// Validator.Program
using System;
using System.IO;
using System.Security.Cryptography;

internal class Program
{
    private static void Main(string[] args)
    {
        if (1 > args.Length)
        {
            Console.WriteLine("You forgot something!");
            Environment.Exit(42);
        }
        string pwd = EBG13(Environment.GetEnvironmentVariable(EBG13("NQN")));
        //if (!string.IsNullOrEmpty(pwd) && EBG13(EBG13(pwd)) == "Ybirynpr")
        //{
        byte[] tmp = File.ReadAllBytes(args[0]);
        using (SHA256 sha = SHA256.Create())
        {
            if (BitConverter.ToString(sha.ComputeHash(tmp)).Replace("-", "").ToLower() == Path.GetFileNameWithoutExtension(args[0])!.ToLower())
            {
                Console.WriteLine("Valid");
            }
            else
            {
                Console.WriteLine("Invalid");
            }
        }
        Environment.Exit(0);
        return;
        //}
        //while (true)
        //{
        //    Console.Write("Gotcha! You are dead!");
        //}
    }

    private static string EBG13(string input)
    {
        if (string.IsNullOrEmpty(input))
        {
            return null;
        }
        char[] buffer = new char[input.Length];
        for (int i = 0; i < input.Length; i++)
        {
            char c = input[i];
            if (c >= 'a' && c <= 'z')
            {
                int k = c + 13;
                if (k > 122)
                {
                    k -= 26;
                }
                buffer[i] = (char)k;
            }
            else if (c >= 'A' && c <= 'Z')
            {
                int j = c + 13;
                if (j > 90)
                {
                    j -= 26;
                }
                buffer[i] = (char)j;
            }
            else
            {
                buffer[i] = c;
            }
        }
        return new string(buffer);
    }
}
```
The next interesting thing we noticed is a function that performs ROT13 and another that checks a certain env variable (NQN=Ybirynpr). If we reverse the effect of ROT13 on these strings, we get that the binary checks whether the variable ADA is equal to Lovelace.
This is an obvious hint to this notable figure in CS. ![[Pasted image 20240929092754.png]]
If we pass this check we can add files as arguments and it tells us "Valid" or "Invalid". While checking each photo we see that all photos in the Source folder are valid and those from the other partition are all invalid.
All of the images have a very specific name, a certain size and values:
![[Pasted image 20241003185448.png]]
After some trial and error we noticed that their name is the sha256sum of the file:
![[Pasted image 20240929050012.png]]
Now we know that the files in the second partition don't pass the Validator check because their names are different from their hash value.
The next thing we did was build an Excel sheet to help us visualize the differences: ![[Pasted image 20240929050227.png]]
After trying a bunch of encodings, hex->ASCII gave us a promising result. The differences from the Keepass folder are very easily converted like so:
We noticed a pattern, the values from the Remote folder were ascending (00, 01, 02 and 03) and we guessed that the remaining 2 values are also hex:
Each two hex digits can be converted into a decimal number:
This looks exactly like an IP, but when we try it, it doesn't work, so we try to reverse it:
- instead of: 125.251.180.194
- we try: 194.180.251.125
![[Pasted image 20240929050928.png]]
We see that this IP works and also it's from Moldova!
After an nmap scan we see that port 1788 is open and supports SSH.
Next we try to connect to it via SSH, with the SSH keys from the USB drive, using the crime leader's name "byron" and the password "Cardano".
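The filename-versus-hash comparison and the hex decoding described above can be scripted instead of tabulated in a spreadsheet. The following is an added example, not code from the challenge or the write-up; it assumes the "differences" are the byte positions where a file's name departs from its real SHA-256, all function names are hypothetical, and the sample file content is constructed (only the four octets are taken from the write-up).

```python
import hashlib
from pathlib import PurePath

def digest_and_stem(filename: str, data: bytes) -> tuple[str, str]:
    return hashlib.sha256(data).hexdigest(), PurePath(filename).stem.lower()

def name_matches_hash(filename: str, data: bytes) -> bool:
    """The Validator's test: file stem equals the SHA-256 hex digest of the content."""
    digest, stem = digest_and_stem(filename, data)
    return digest == stem

def differing_pairs(filename: str, data: bytes) -> list[tuple[int, str, str]]:
    """(byte index, digest pair, name pair) for every byte where name and hash differ."""
    digest, stem = digest_and_stem(filename, data)
    if len(stem) != len(digest) or any(c not in "0123456789abcdef" for c in stem):
        raise ValueError(f"{filename!r} is not named after a SHA-256 digest")
    return [(i // 2, digest[i:i + 2], stem[i:i + 2])
            for i in range(0, 64, 2) if digest[i:i + 2] != stem[i:i + 2]]

def pairs_to_ascii(pairs: list[str]) -> str:
    """Read hex pairs as ASCII; non-printable bytes become '.' so junk stays visible."""
    raw = bytes.fromhex("".join(pairs))
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)

def pairs_to_ipv4(pairs: list[str], reverse: bool = False) -> str:
    """Read four hex pairs as IPv4 octets, optionally in reversed byte order."""
    octets = [int(p, 16) for p in pairs]
    if len(octets) != 4:
        raise ValueError("an IPv4 address needs exactly four octets")
    return ".".join(str(o) for o in (reversed(octets) if reverse else octets))

def constructed_name(data: bytes, index: int, planted: bytes) -> str:
    """Constructed sample: a digest-style name with bytes overwritten at `index`."""
    raw = bytearray(hashlib.sha256(data).digest())
    raw[index:index + len(planted)] = planted
    return raw.hex() + ".png"

if __name__ == "__main__":
    data = b"constructed image bytes"          # stand-in for a file's content
    name = constructed_name(data, 4, b"Ada")   # constructed tampered filename
    print(name, "valid" if name_matches_hash(name, data) else "invalid")
    diffs = differing_pairs(name, data)
    print(diffs, pairs_to_ascii([n for _, _, n in diffs]))
    # Hex pairs derived from the octets quoted in the write-up.
    quad = [f"{int(o):02x}" for o in "125.251.180.194".split(".")]
    print(pairs_to_ipv4(quad), "->", pairs_to_ipv4(quad, reverse=True))
```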
![[Pasted image 20240929051205.png]]
Inside we see 2 very interesting files: the first is the wallet key and the second is probably used to show us how it was made:
![[Pasted image 20240929051751.png]]
One file has a common name but the other has a very distinct one, so we do a little google-fu. First we find a company with the same name that develops WEB3 tech:
![[Pasted image 20240929112818.png]]
They have employees from Moldova, so it seems like we are on the right track:
![[Pasted image 20240929112841.png]]
Here we can see how another file was encrypted: ![[Pasted image 20240929051803.png]]
This knowledge enables us to perform a known-plaintext attack and retrieve the password of profile.aes, which is "Lovelace".
Using the same password we decrypt blazarlabs.aes and we get a screenshot of the wallet app name and the seed phrase. Obviously the next thing we did is log in to this wallet and transfer all the contents into our wallet.
![[Pasted image 20240929142817.png]]
![[Pasted image 20240929142923.png]]
![[Pasted image 20240929142940.png]]
This is how we completed the challenge.
-HEX team