
Hacky Easter 2017


Summary

PS, www.hacking-lab.com

Table of Contents

Intro
Outro
Credits
Volunteers
Awards: Perfect Solvers, Hacking-Lab Awards
Statistics: General, Event Activity, Solutions per Egg, Score Distribution
Fun: Images, 1337 Submit
Solutions
Teaser Challenge: Challenge; solutions of Seppel, M.
Egg 01 – Puzzle this!: Challenge; solutions of QuQuk, darkstar, ad0larb0ta0shi, sunscan
Egg 02 – Lots of Dots: Challenge; solutions of brp64, trolli101, muzido, sunscan
Egg 03 – Favourite Letters: Challenge; solutions of ad0larb0ta0shi, 1432, sym, LlinksRechts, horst3000
Egg 04 – Cool Car: Challenge; solutions of patrice, 1432, Seppel, remmer
Egg 05 – Key Strokes: Challenge; solutions of brp64, inik, Dykcik, TheVamp
Egg 06 – Message to Ken: Challenge; solutions of Buge, soundrh, jcel, inik
Egg 07 – Crypto for Rookies: Challenge; solutions of evandrix, markie, 1432, horst3000
Egg 08 – Snd Mny: Challenge; solutions of sym, trolli101, Kiwi.Wolf, SOKala, mcia
Egg 09 – Microscope: Challenge; solutions of markie, HomeSen, eash, Seppel
Egg 10 – An egg or not…: Challenge; solutions of darkstar, patrice, LlinksRechts, remmer
Egg 11 – Tweaked Tweet: Challenge; solutions of sym, jokker, daubsi, HaRdLoCk
Egg 12 – Once Upon a File: Challenge; solutions of HomeSen, HaRdLoCk, mcia, Dykcik
Egg 13 – Lost the Thread: Challenge; solutions of jamesdju, soundrh, SOKala, Mitsch
Egg 14 – Shards: Challenge; solutions of eash, soundrh, sunscan, Buge
Egg 15 – P Cap: Challenge; solutions of evandrix, eash, remmer, kumaus
Egg 16 – Pathfinder: Challenge; solutions of darkstar, inik, Morpheuz
Egg 17 – Monster Party: Challenge; solutions of Bikey, Darkice, darkstar, jokker
Egg 18 – Nitwit's Doormat Key: Challenge; solutions of pyth0n33, trolli101, horst3000, vitali
Egg 19 – Disco Time: Challenge; solutions of muzido, HomeSen, mcia, kumaus
Egg 20 – Spaghetti Hash: Challenge; solutions of LlinksRechts, TheVamp, kumaus
Egg 21 – MonKey: Challenge; solutions of jamesdju, mcia, Morpheuz, HaRdLoCk
Egg 22 – Game, Set and Hash: Challenge; solutions of Dykcik, soundrh, Darkice, jcel
Egg 23 – Lovely Vase: Challenge; solutions of SOKala, Morpheuz, Darkice, jokker
Egg 24 – Your Passport, please: Challenge; solutions of daubsi, Morpheuz, sunscan

Hack Easter 2017 Summary Page 2


Intro Outro

Hacky Easter 2017 is over! It was a great and exciting competition. Again, 1'700 participants tried to solve the 24 challenges. Nine challenges were sent in by volunteers, a big thank you to them!

For 2018, I already received a couple of challenges by volunteers again, and I have a lot of ideas myself. In case you want to implement one of the challenges, or if you have a good idea, let me know!

Thank you and stay tuned for next year!

PS

Credits
Credits for the solutions go to (in alphabetical order):

• 1432 • Bikey • Buge • Dykcik • HaRdLoCk • HomeSen • Kiwi.wolf • LlinksRechts • M. • Mitsch • Morpheuz • QuQuk • S0Kala • Seppel • TheVamp • ad0larb0ta0shi • brp64 • Darkice • darkstar • daubsi • eash • evandrix • horst3000 • inik • jamesdju • jcel • jokker • kumaus • markie • mcia • muzido • patrice • pyth0n33 • remmer • soundrh • sunscan • sym • trolli101 • vitali

Volunteers
A big thank you to the volunteers who provided challenges (in alphabetical order):

• CoderKiwi • DeathsPirate • Goo9ping • MaMe82 • inik • otaku

Awards

Perfect Solvers
Congrats to the following 53 hackers who solved all Easter eggs (alphabetical order)! Well done!

Buge, CH1ll, Darkice, DrSchottky, Floxy, FruFru, HaRdLoCk, HomeSen, LogicalOverflow, Mitsch, Morpheuz, OBI, QuQuk, Retr0id, ScaryFish1, Seppel, Stefan244, Stjubit, TheVamp, Wheat1ey, __vulture__, angelbot, apox, darkstar, daubsi, eash, etvr, evandrix, explo1t, faust, h44z, horst3000, ikarus31415, inik, jamesdju, jokker, k00g, kumaus, m-e, manuelz120, marwin, mcia, opasieben, otaku, pjslf, power2100, remmer, sunscan, thesiki24, thsv, tkabrt, trolli101, xdjibi

Hacking-Lab Awards
As usual, we've created awards in Hacking-Lab for this competition. You received one of them if you reached one of the following total scores (Easter eggs, write-up, and teaser challenge).

• 130 points GOLD
• 110 points SILVER
• 90 points BRONZE

Your awards are shown on the profile page:

Statistics

General

                    2017     2016     2015     2014
Hackers             1'735    2'154    1'313    728
Points total        21'374   28'672   25'170   13'992
Points per hacker   12.32    13.31    19.17    19.22
Perfect solvers     53       54       55
Eggs solved         7'458    10'050   7'698    4'140
Nations             78       104      86       -

Event Activity
Number of hackers and solutions, growing with time.

Solutions per Egg
Number of solutions per egg. Not much of a difference between medium and hard eggs.

Score Distribution
Number of users for each possible score.

Fun

Images
Found online and in solution documents provided.

In case you wondered what a bontebok and capybara are:

1337 Submit
TheVamp again demonstrated the "1337 way" of how to submit Easter eggs (check out the time of the egg submissions):

Solutions

Teaser Challenge
Level: medium Solutions: 283 Author: PS

Challenge

Solution of Seppel

Solution of M.

Egg 01 – Puzzle this!
Level: easy Solutions: 882 Author: PS

Challenge
An easy one to start with.

(made with jqPuzzle)

Solution of QuQuk
I used Snipping Tool and Photoshop to get the QR Code. Sorry, I hate puzzles.

Solution of darkstar
For this challenge I used a Genetic Algorithm-Based Jigsaw-Puzzle Solver based on a paper from Dror Sholomon / Omid David / Nathan S. Netanyahu.

Solution of ad0larb0ta0shi
1. Look into the Source code of challenge01.html. Find the "https://hackyeaster.hacking-lab.com/hackyeaster/images/challenge/egg01_shuffled.png" Image which is randomly shuffled and save it locally.
2. Load Image in "Gimp" and place 7 horizontal + 7 vertical Guided Lines. Then apply "Filter > Web > Slice" to divide the Image in 64 Pieces and let Gimp automatically generate an HTML Page with Tiles.
3. Add some Magic Lines of Code from "http://www.web-toolbox.net/webtoolbox/dhtml/dragdrop/dhtml-dragdrop.htm" to the Gimp generated HTML "slice" Page
4.
5. Now you can move the Tiles in a Way you want and solve the Puzzle to get the Egg No.1.

Solution of sunscan
To solve the challenge, we create a HTML page using jqPuzzle and the shuffled image:

Then we can recover the QR code solving the sliding puzzle:

Egg 02 – Lots of Dots
Level: easy Solutions: 647 Author: PS

Challenge
The dots in the following image contain a secret message. Can you find it?

Solution of brp64
Since it is a PNG that is driven by palettes, try to look at the palette in GIMP. Indeed, there are two levels with the same colour, changing one of them gives this picture:

Solution of trolli101
The dots picture looks a lot like those colorblind tests. When loading it into Stegsolve, see [1], we use the random color map function to color it and immediately notice the numbers:

When entering the numbers into the egg-o-matic one can get the egg.

Solution of muzido
- I opened gimp. I noticed small dots that when using image zoom

- Then I deleted the following colors by using (Tools → Selection Tools → By Color Select)

- I found this image.

Solution of sunscan
In the image dots.png there is a series of pixels of a different color:

• Extract the red channel (our pixels will have a RGB value of (143,143,143));
• Filter out everything that is not our pixels;
• Detect the image edges;
• Convert the image into negative to improve readability.

convert dots.png -channel R -separate -fuzz 70% +opaque "#000000" -edge 12 -negate result.png

And we obtain a numeric sequence:

Joining all the numbers we obtain the flag “705749361322842” that we can use to recover the egg.

Egg 03 – Favourite Letters
Level: easy Solutions: 802 Author: Goo9ping

Challenge
Francesca's favourite letter is s
Riley's favourite letter is o
Ellie's favourite letter is a
Vince's favourite letter is p
Quintain's favourite letter is r
Otto's favourite letter is i
David's favourite letter is p
Tom's favourite letter is l
Paul's favourite letter is e
Ulrich's favourite letter is y
Henry's favourite letter is w
Norman's favourite letter is h
Louis' favourite letter is i
Zane's favourite letter is s
York's favourite letter is c
Bob's favourite letter is h
Meave's favourite letter is s
Ian's favourite letter is o
Sidney's favourite letter is g
George's favourite letter is s
Kitty's favourite letter is d
Wilbert's favourite letter is h
Adam's favourite letter is t
Xander's favourite letter is i
Callum's favourite letter is e
Jack's favourite letter is r

Solution of ad0larb0ta0shi
Notepad++: Edit > Line Operations > Sort Lines Lexicographically Ascending
thepasswordishieroglyphics

Solution of 1432
There are 26 names. Every name begins with another letter of the alphabet. So I just sorted the names alphabetically using Excel:

The message says "the password is hieroglyphics"

Solution of sym
Sorted the names alphabetically and then printed the letter after the comma. Here is the PowerShell script I used:

thepasswordishieroglyphics

Solution of LlinksRechts
Executing the command

cat ch3|sort|awk '{print $5}'|tr -d '\n'

(sort by name, then take the favorite letter of each), resulted in the password

thepasswordishieroglyphics.

Solution of horst3000
Extract first and last letters, use first letter for alphabetical sorting
soapripleywhischsogsdhtie
thepasswordishieroglyphics –> hieroglyphics

Egg 04 – Cool Car
Level: easy Solutions: 481 Author: PS

Challenge
Borat wants to impress the girls. Can you help him find a cool car for this purpose?

The right car will make the Cool-o-Meter reach its full level.

Solution of patrice
Opened the App on my Phone (Intex Aqua Fish) but I didn’t get what was needed... So I decompiled the App to see what was needed: some data of a sensor. The only sensor I could think of was a magnetometer, which the Aqua Fish hadn’t. So I took the Jolla 1 Phone which showed me this after holding it slightly against a magnet:

Solution of 1432
It's pretty clear that this challenge uses a sensor of the phone. At first I thought it's the temperature sensor, since there is a COOL-O-Meter. But that didn't work. Then I remembered this scene from the movie:

So I need a magnet. I moved the magnet around on the back side of the phone and the Cool-O-Meter rose.

Solution of Seppel
Solve using Compass Sensor
1. Let’s start with WHY by googling → Borat & cool car → https://www.youtube.com/watch?v=yAuu3xOsorQ
2. Solve by bringing a magnet near the phone

Solution of remmer
This challenge was strangely similar to a challenge from Hacky Easter 2016 for which you had to use the phone as a car's steering wheel. This time, the Cool-o-Meter was controlled by the magnetic field sensor (it is normally used by the compass).

You could find it out by decompiling the Hacky Easter app .apk file; the source code contains the following line:

function sensorFeedback(json) {
    var jsonResp = JSON.parse(json);
    // l drives the level shown on the Cool-o-Meter
    setLevel(jsonResp.l);
    // once a key k is present, the egg is decrypted and the timer is stopped
    if (jsonResp.k) {
        decryptScrambledEggWithKey(jsonResp.k);
        clearInterval(intervalId);
    }
}

sensorFeedback? Hmm, there are only so many sensors on most phones:
• acceleration: I tried to toss it around and to leave it alone – no result.
• light / camera: I tried to obstruct and shine a bright light into the light sensor and camera – no result.
• sound: I tried to be quiet, to speak softly and to shout – no result
• magnetic field: I put my phone on top of my old MacBook that has a magnet to hold the charging cable – it worked!

Egg 05 – Key Strokes
Level: easy Solutions: 532 Author: PS

Challenge
esc i c e l a n d esc a y a n k e e space f o x space esc o f l o w e r up esc $ esc i y esc e esc a y esc / l a return esc r w esc right right right right esc x i f r esc e esc X x x : s / c e / a g i c / return esc down d d esc i m esc Z Z

Solution of brp64
As an old -hand, I knew immediately that this is a vi entry sequence. So fire up vi, enter the characters one by one to get the solution (replace esc, space, up, down etc. by the respective key).

Solution of inik
This is a vi sequence. Typical is the sequence :s/ce/agic/. After playing this sequence on an empty vi I got: magicwandfrankfoxy, which is the solution.

Solution of Dykcik
The challenge specifies keys that have to be typed somewhere. The excessive usage of key suggests vim editor as a recipient of key strokes. I started vim by executing vi command, typed all keys and got:

agicwandfrankfox
mflower

I tried the upper word, the lower one, both concatenated but all trials were unsuccessful. The weird part of typing in the editor was that created a new line with 'A' written instead of going to the line above. After some research, I learned that this weird behavior is present when the editor is started with 'vi'. I started vim with 'vim' typed all keys again and obtained: magicwandfrankfoxy, which was a correct password and revealed the egg.

Solution of TheVamp
After many failed attempts of decrypting the message, I get the idea that I should type in the same keystrokes. I opened vim and typed in everything what the challenge said. At the end, I got the word “magicwandfrankfoxy”

Egg 06 – Message to Ken
Level: easy Solutions: 460 Author: PS

Challenge
Barbie has written a secret message for her sweetheart Ken. Can you decrypt it?

Fabrgal JaeM Hsa faonah uiff;rnl tf btuxbrffuinhzoroyhitbM Fincta dd

Hint:

Solution of Buge
Googling barbie encryption found me this page http://www.cryptomuseum.com/crypto/mehano/barbie/
I implemented the described decryption method, trying all possible decoding methods.

#!/usr/bin/env python
# -*- coding: utf-8 -*-
alph = u'abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ 012345[…]'
code1 = u'icolapxstvybjeruknfhqg;dzw >FAUTCYOLVJDZINQKSEHG<.1PB 523406[…]'
code2 = u'torbiudfhgzcvanqyepskx¢1w; RC>GHAPNDQIUXSPNRKLG1XYCUDV

That gives the result

Beloved Ken. The secret password is lipglosspartycocktail. Barbie xx
Zndcjn€ QnrW Etn hnboni fehhzco€ ah dafvdchhfeoikbcbqieadW Zeolan gg
Mrxbmrg Pro, Sir trlcra snttybcg et xesjxbttsncaqlbluanex, Mncder vv
.ogl"ov Yoc€ Rao iodboe hriiklbv ni gnhmgliihrbeudldperng€ .rbxno jj

So it turns out decoding method 1 is the correct method (even though the challenge shows the hotkey to activate method 2). Entering lipglosspartycocktail gives the egg with the QR code.

Solution of soundrh
A Hint was given:

After several attempts, I found something on with "barbie computer shift lock". One result has the title "Barbie typewriter - Crypto Museum" which caught my attention of course. Link: http://www.cryptomuseum.com/crypto/mehano/barbie/
It’s an article about a built-in cryptographic capability. The encryption is activated by pressing SHIFT + LOCK + Number. The hint leads to the key 2 and at the end are the substitution tables.

After trying to decode the message by hand, I wrote a little (and messy) Java application:

Running the application led to the following output:

Obviously the first line is the correct one, containing the password. (The hint to key 2 was misleading.)

Solution of jcel
The image of the cipher hints to the "Barbie-Cipher" (http://www.cryptomuseum.com/crypto/mehano/barbie/#coding), found on a certain version of the barbie typewriter. The hint provides the selected typewriter variant (the French version of the E-118) and the code version (referred to as code 1 in the page linked above). The following shell script

cipher="Fabrgal JaeM Hsa faonah uiff;rnl tf btuxbrffuinhzoroyhitbM Fincta dd"
# substitution alphabet (in) and the plain alphabet it maps to (out)
in='icolapxstvybjeruknfhqg;dzw>FAUTCYOLVJDZINQKSEHG<.1PB523406789-'
out='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
echo "$cipher" | tr "$in" "$out" | tr 'M' '.'

prints:

Beloved Ken. The secret password is lipglosspartycocktail. Barbie xx

Solution of inik
It seems, that there was a barbie typewriter with a hidden cipher function. See http://www.cryptomuseum.com/crypto/mehano/barbie/. It uses monoalphabetic substitution. For the details see: http://www.cryptomuseum.com/crypto/mehano/barbie/#coding

Result: Beloved Ken. The secret password is lipglosspartycocktail. Barbie xx

Egg 07 – Crypto for Rookies
Level: easy Solutions: 458 Author: PS

Challenge
This crypto is not hard to crack.

Solution of evandrix
B O N T [B] B O K (dancing man cipher @ http://www.dcode.fr/dancing-men-cipher)
B O N T E [A] O K (b64)
B O N T E B [R] K (A=1,B=2,...,Y=25,Z=26)
B [A] N T E B O K (ONAGROBX => rot13 => BANTEBOK)
[C] O N T E B O K (pigpen cipher @ http://www.dcode.fr/pigpen-cipher)
B O N T E B O [A] ()
B O [P] T E B O K (ERSWHERN => rot23 => BOPTEBOK)
B O N [Y] E B O K (hex)
password is the different letter in each col => CAPYBARA

Solution of markie
BONTBBOK Dancing Man Cipher
BONTEAOK Base64
B0NTEBRK Letters in alphabet
? ?
CONTEBOK Pigpen cipher
BONTEBOA Backwards
BOPTEBOK Caesar (Key 23)
BONYEBOK HEX

I was not able to work out what the fourth crypto was, but this does not matter as you have enough info to solve it from the other 7 clear text. Examining the clear text shows each clear text has 1 letter different. Eg, taking the first letter from each you get B,B,B,B,B,B & C. Putting these into a grid helps to solve it, even with the missing clue. The word spells: C?PYBARA. Guess this is “capybara”, reveals the egg: 2owhVG07plVCwLD1Ggmn

Solution of 1432
The challenge consists of eight differently encrypted texts.

The resulting words are quite similar, all have the same length. At each position they have the same character, except one word, for example only the fifth word starts with a 'C', all others start with a 'B':

The solution: CAPYBARA

Solution of horst3000

BONTBBOK
BONTEAOK
BONTEBRK
BANTEBOK
CONTEBOK
BONTEBOA
BOPTEBOK
BONYEBOK

–> take the non-matching char from each column: CAPYBARA

Egg 08 – Snd Mny
Level: easy Solutions: 330 Author: PS

Challenge
Please, I'm begging you!

Solution of sym
In the decompiled APK, there is a file called SndActivity.java.

The code “text = intent.getStringExtra("android.intent.extra.TEXT");” tells us it is listening for a text.

The text is checked via SHA1 hash c95259de1fd719814daef8f1dc4bd64f9d885ff0 which corresponds to the string: money.

Here is how I got the egg on my iPhone: I opened Safari and marked the text “money”. Then I used the “share…” function to send it to SndMnyAction.

Solution of trolli101
In this challenge we need to exploit an activity of the Android application. After decompiling the APK file we can read the details of the activity in the AndroidManifest.xml:

We see the activity method:

So we need to send our action with mime type text/plain and with an extra string that when hashed using SHA1 will give the hash c95259de1fd719814daef8f1dc4bd64f9d885ff0. Given the name of the activity we guess that the value might be money and this can be checked via:

Then we can use drozer to start the activity with the following command that includes all the parameters retrieved previously:

This will display the egg in the application on the phone:

Solution of Kiwi.Wolf
• extracted the apk
• decompiled the apk
• navigated to: heaster.apk/ps/hacking/hackyeaster/android/SndActivity.java

if ("android.intent.action.SEND".equals(action) && type != null && HTTP.PLAIN_TEXT_TYPE.equals(type)) {
    String text = intent.getStringExtra("android.intent.extra.TEXT");
    // the shared text is lower-cased and compared against a fixed SHA1 hash
    if (text != null && "c95259de1fd719814daef8f1dc4bd64f9d885ff0".equals(sha1(text.toLowerCase()))) {
        ((TextView) findViewById(C0085R.id.sndTextView)).setText("Thank you!!");
        ImageView image = (ImageView) findViewById(C0085R.id.sndImageView);
        byte[] decodedString = Base64.decode(new StringBuilder(getString(C0085R.string.f16e) + "ROBVi").reverse().toString(), 0);
        image.setImageBitmap(BitmapFactory.decodeByteArray(decodedString, 0, decodedString.length));
    }
}
}
}

• searched the sha1 of c95259de1fd719814daef8f1dc4bd64f9d885ff0 = "money"
• So I opened the "notes" app (or any other with input) on my phone typed in "money"
• Then I pressed long on it -> send to "sndActivity"
Afterwards I got my egg.

Solution of SOKala
By reversing the android .apk package and checking the SndActivity class code, I found that it depends on android.intent.action.SEND intent. Also, I found that it must get a word with “c95259de1fd719814daef8f1dc4bd64f9d885ff0” SHA1 hash which is the word "money". So I have to share the word "money" with SndMnyAction to get the egg (After open the SndMnyAction activity).

Bingo!! The egg is here.

Solution of mcia
Not much information here. I again worked with the decompiled APK and went through the code. In one java class I found what was needed to solve this challenge. ps/hacking/hackyeaster/android/SndActivity.java

We need to send an android action.SEND intent as PLAIN_TEXT_TYPE containing a text which matches the sha1 hash “c95259de1fd719814daef8f1dc4bd64f9d885ff0”. Cracking the sha1 hash was easy as no salt was used. The needed text is “money”.

We can send Android intents from the command line with ADB:

I solved this challenge with the following two commands:

Egg 09 – Microscope
Level: easy Solutions: 414 Author: PS

Challenge
In order to see this easter egg, you have to look closely!

Solution of markie
Opening the challenge shows a tiny egg with a qrcode on but it is too small to read. By luck, the browser lost internet connection when I tried to open this and gave me the URL: https://hackyeaster.hacking-lab.com/hackyeaster/challenge09_su5z47IoTT7.html

Examining the source code reveals: src="images/challenge/egg09_fs0sYle2SN.png" which gives the egg: rcwuXWsHjUcU7BbOLC18

Solution of HomeSen
Investigating the reverse-engineered Android app’s code gave away that the microscopically tiny image actually was retrieved via a URL, rather than being stored that small inside the app itself:

Navigating to the correct URL and downloading the referenced image yielded egg #9

Solution of eash
I really don’t know if this was the right answer, but I will describe how I solved the challenge. Using my mobile I have clicked on the “Show Microscope” button, after I did the small egg print screen and send me the PS by email. The egg URL was embedded in the image. Below is the HTML code.

Solution of Seppel

Egg 10 – An egg or not…
Level: medium Solutions: 233 Author: inik

Challenge
... an egg, that's the question!

Solution of darkstar
This egg is an SVG file, but accidentally some coordinates were drawn twice with different colors. So the first used color per coordinate will give the real egg.

Solution of patrice
Double entries for the same coordinates with different colors in the svg file? I sorted and extracted the first entries with the following command:

~$ cat aneggornot.svg | grep " new_coordinates.txt

Then I replaced the old coordinates in the svg file with the new ones, which produced an Egg PNG which could be decoded by “zbarimg”.

Solution of LlinksRechts
When looking at the definition of the QR code in the svg, I noticed that some of the lines were duplicate. This leads to the initial value being overwritten by a redefinition of the color of a cell. Therefore, I reversed the order of these lines, resulting in the real egg.

Solution of remmer

The QR code is a lie! It would have been too simple. But strangely, the egg is not a .png file, it is an .svg file:

I suspected that the black and white squares were in fact hiding something else, so I edited the definition of #b and #w to be half transparent red and half transparent blue respectively. This can be done by changing the defs to the following:

The resulting picture looks like that:

As you can see, the black and white squares are not mutually exclusive! So, using a picture editing (that may or may not be MS Paint), flipped the color of all squares that were not only black nor only white, and I obtained the solution.
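The overdraw effect the four solutions above rely on, as an added example (not code from the challenge or from any of the solvers): SVG paints later elements over earlier ones, so comparing the first and the last definition of each coordinate shows which cells were redefined. The `<use>` layout of `SAMPLE_SVG` is an assumption; only the `#b` and `#w` definitions are named on this page.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Constructed 3x3 sample. Assumed layout: one <use> per cell that points at
# the black (#b) or white (#w) square; three cells are defined a second time.
SAMPLE_SVG = f"""<svg xmlns="{SVG_NS}" xmlns:xlink="{XLINK_NS}" width="3" height="3">
  <defs>
    <rect id="b" width="1" height="1" fill="black"/>
    <rect id="w" width="1" height="1" fill="white"/>
  </defs>
  <use xlink:href="#b" x="0" y="0"/>
  <use xlink:href="#w" x="1" y="0"/>
  <use xlink:href="#b" x="2" y="0"/>
  <use xlink:href="#w" x="0" y="1"/>
  <use xlink:href="#b" x="1" y="1"/>
  <use xlink:href="#w" x="2" y="1"/>
  <use xlink:href="#b" x="0" y="2"/>
  <use xlink:href="#b" x="1" y="2"/>
  <use xlink:href="#w" x="2" y="2"/>
  <use xlink:href="#b" x="1" y="0"/>
  <use xlink:href="#b" x="2" y="1"/>
  <use xlink:href="#b" x="1" y="1"/>
</svg>"""


def read_cells(svg_text):
    """Return [((x, y), colour_id), ...] in document order, which is paint order."""
    root = ET.fromstring(svg_text)
    cells = []
    for use in root.iter(f"{{{SVG_NS}}}use"):
        ref = use.get(f"{{{XLINK_NS}}}href") or use.get("href", "")
        xy = (int(use.get("x", 0)), int(use.get("y", 0)))
        cells.append((xy, ref.lstrip("#")))
    return cells


def paint(cells, keep):
    """keep='last' is what a viewer shows; keep='first' ignores every redefinition."""
    grid = {}
    for xy, colour in cells:
        if keep == "first" and xy in grid:
            continue
        grid[xy] = colour
    return grid


def overdrawn(cells):
    """Coordinates whose visible colour differs from the colour first defined."""
    first, last = paint(cells, "first"), paint(cells, "last")
    return sorted(xy for xy in first if first[xy] != last[xy])


def as_text(grid):
    """Render a grid as rows of '#' (black) and '.' (white)."""
    width = max(x for x, _ in grid) + 1
    height = max(y for _, y in grid) + 1
    return ["".join("#" if grid[(x, y)] == "b" else "." for x in range(width))
            for y in range(height)]


if __name__ == "__main__":
    cells = read_cells(SAMPLE_SVG)
    print("visible :", as_text(paint(cells, "last")))
    print("original:", as_text(paint(cells, "first")))
    print("overdrawn cells:", overdrawn(cells))
```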


Egg 11 – Tweaked Tweet
Level: medium Solutions: 108 Author: PS

Challenge
Blue little birdie created a fancy message. Please tweet it!

Solution of sym
In the decompiled APK there is a file called Activity.java that contains the encoded tweet:

These are a lot of URL-encoded characters which after decoding look a bit strange.

The visible characters are not encoded but there are many non-standard characters that are not visible. There must be a hidden message inside. After searching for Twitter , I found this site: http://holloway.co.nz/steg/ which managed to decode the message: st3g4isfunyo.

Solution of jokker
This one took me several hours and got me some headache. I tried different things on my mobile, including playing around with twitter settings, changing system language and activating VoiceOver, a feature that is so damn annoying, I almost threw my mobile against a wall.

I finally got on the right thought. The message was made out of ASCII and UTF-8 chars. So there’s some kind of secret message in it. With Google, I found the following page: http://holloway.co.nz/steg/

If you put the string into the page with a computer, there is an issue with the copy and paste of the UTF-8 chars. That’s why this challenge was a mobile one, because with a mobile, this issue isn’t present. The page told me the right password: st3g4isfunyo

Solution of daubsi
This one was the most terrifying of all the eggs. It took me almost a month to crack this one. And in the end it was soooo simple. When we tweet blue little birdies tweet we immediately see that it looks quite awkward with all these super positioned characters. We intercept the message using burp and get the raw bytes of the tweet. For days I tried to see some kind of pattern in the bytes. […] Suddenly I stumbled over a guy who also tweeted a message that looked as wobbly as our tweet. And the text actually suggested that there was more than met the eye… So there must be some way to actually create the wobbly tweet on your own! Googled about hiding secret messages in tweets brought the solution: http://holloway.co.nz/steg/ When I found that page after all these days I almost cried ;-) That HAD to be the solution. Unfortunately the decoded message was not accepted as the password. Tried the tweets from some other hackers and found that the decoded messages changed. It seemed to be very dependent on the way you copy/paste it. Decided to pull the Javascript from the site and manipulate it so it would take directly the array of bytes I recorded from the decompiled Android app instead of the text you enter manually in the textboxes… And suddenly the message decoded right: “st3g4isfunyo”

Solution of HaRdLoCk
this one made me scratch my head for quite some time. but this is because i was expecting something completely different and the title is somehow misleading. however... it turned out, to be some sort of steganography for twitter or in other words, secret messages on twitter. if we google these terms, we will find a webpage which offers us exactly this. http://holloway.co.nz/steg/ i grabbed the twitter http post data from the IDA disassembly of the Hacky Easter App:

%23%EF%BC%A8a%EF%BD%83%EF%BD%8By%CE%95%EF%BD%81ste%EF%BD%92%E2%80%A9201%EF%BC%97%E2%80%A9%E2%85%B0%EF%BD%93%E2%80%80a%E2%80%84l%EF%BD%8F%EF%BD%94%E2%80%80%CE%BFf%E2%80%89%EF%BD%86un%EF%BC%81%E2%80%A8%23%D1%81tf%E2%80%88%23%EF%BD%88%EF%BD%81%CF%B2king-lab

this is obviously URLEncoded. with the help of an online decoder i converted it:

and using the Twitter Secret Message decoder from the page above, i found the solution "st3g4isfunyo"
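To show what the solvers above were looking at, the following added example (not code from the challenge, the solvers or holloway.co.nz) URL-decodes the tweet quoted in HaRdLoCk's solution, lists every character that is not plain ASCII, and normalises the text back to its visible wording. It does not reimplement the decoder that recovers the password; the `LOOKALIKES` table is constructed here and covers only the letters in this tweet.

```python
import unicodedata
from collections import Counter
from urllib.parse import unquote

# URL-encoded tweet as quoted above, with the line-wrap spaces removed.
ENCODED_TWEET = (
    "%23%EF%BC%A8a%EF%BD%83%EF%BD%8By%CE%95%EF%BD%81ste%EF%BD%92%E2%80%A9201"
    "%EF%BC%97%E2%80%A9%E2%85%B0%EF%BD%93%E2%80%80a%E2%80%84l%EF%BD%8F%EF%BD%94"
    "%E2%80%80%CE%BFf%E2%80%89%EF%BD%86un%EF%BC%81%E2%80%A8%23%D1%81tf%E2%80%88"
    "%23%EF%BD%88%EF%BD%81%CF%B2king-lab"
)

# Constructed look-alike table: only the Greek and Cyrillic letters that occur
# in this tweet, not a general confusables list.
LOOKALIKES = {"\u0395": "E", "\u03bf": "o", "\u0441": "c", "\u03f2": "c"}
SEPARATORS = ("Zs", "Zl", "Zp")  # space, line and paragraph separators


def decode_tweet():
    """Percent-decode the tweet as UTF-8."""
    return unquote(ENCODED_TWEET)


def classify(ch):
    """Return None for plain ASCII, otherwise the kind of substitution."""
    if ord(ch) < 128:
        return None
    name = unicodedata.name(ch, "")
    category = unicodedata.category(ch)
    if category in SEPARATORS:
        return "separator"
    if name.startswith("FULLWIDTH"):
        return "fullwidth"
    if category.startswith("L") and not name.startswith("LATIN"):
        return "cross-script"
    return "other"


def findings(text):
    """One (index, code point, Unicode name, kind) tuple per non-ASCII character."""
    return [(i, f"U+{ord(ch):04X}", unicodedata.name(ch, "?"), classify(ch))
            for i, ch in enumerate(text) if classify(ch)]


def kinds(text):
    """Count the findings per kind."""
    return dict(Counter(kind for *_, kind in findings(text)))


def normalise(text):
    """Map look-alikes, unusual separators and compatibility forms to ASCII."""
    out = []
    for ch in text:
        ch = LOOKALIKES.get(ch, ch)
        if unicodedata.category(ch) in SEPARATORS:
            ch = " "
        out.append(unicodedata.normalize("NFKC", ch))
    return "".join(out)


if __name__ == "__main__":
    tweet = decode_tweet()
    for index, codepoint, name, kind in findings(tweet):
        print(f"{index:2d} {codepoint} {kind:12s} {name}")
    print(kinds(tweet))
    print(normalise(tweet))
```

Half of the 52 characters are substitutes, and normalising them leaves only the cover text, which is consistent with the copy-and-paste problems jokker and daubsi describe.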


Egg 12 – Once Upon a File Level: medium Solutions: 252 Author: inik

Challenge Once upon a file there was a hidden egg. It's still waiting to be saved by a noble prince or princess.

Solution of HomeSen Egg #12 was hidden inside a CAB archive, nested inside a file named file which was found inside an encapsulated ZIP archive inside the provided file.

Hack Easter 2017 Summary Page 46

Solution of HaRdLoCk the zipfile here contains another file, which seems to be an image of a disk.

its time for winhex – the best tool for such forensic tasks. there we can select, interpret image as filedisk and like this we can browse the filesystem very easy.

i noticed another file called disk, but it was deleted on this image, therefore it has this gray font. looking at this "hidden" file, we can already see some information about the egg12 and also that this is a microsoft cabinet file (MSCF header) – lets save this as .cab then!

opening this cab file in normal explorer revealed the egg for this challenge:

Solution of mcia

‘binwalk’ is a tool to identify header information within a file. If multiple files are hidden in one single file, ‘binwalk’ can identify and automatically extract these files. With ‘binwalk’ this challenge is pretty easy to solve.

The QR code is in the file ‘egg12.png’.

Solution of Dykcik

Onceupon.zip contained a file, which was a disk image. I opened the disk image with autopsy and found a deleted file.zip archive.

Inside the archive was another disk image, I opened that as well and noticed an interesting file with egg12.png.

The interesting file was a Microsoft Cabinet archive, after extracting the archive I got the egg.

Egg 13 – Lost the Thread

Level: medium | Solutions: 126 | Author: CoderKiwi

Challenge

Searching for eggs is fun! But sometimes they come in weird shapes and sizes. Download the image and wind up the strand!

Solution of jamesdju

Use Python Image Library to process the image (on pixel y=1) to get binary data of 0 for white and 1 for black pixel. The resulting binary blob has 2 different patterns:

a. 01011111111111100 - 607 of them
b. 11111111111111100 - 234 of them

Grouping this pattern to be x and y respectively also shows another pattern

This QR Code says kiwisarekewl

Solution of soundrh

The hint says “wind up”. So, I wrote a PHP script, which reads the middle line and creates a new image which displays that line wrapped. Creating a loop around it with different sizes, every width with a factor of 17 looks alike:

Because every first and third column have the same pixels and the others are all black, only the first is relevant. Thus, the same game again, but only with every 17th pixel. Also with different sizes. There was a QR-Code under the images:

It contains the password: kiwisarekewl.

Here’s my resulting script creating the image, with the divider to only parse every 17th pixel and a zoom to enlarge it directly.

Solution of SOKala

By downloading the image, I found it is a 14500x3 pixels image. Mmm, looks like a thread that needs to be sewed to be a rectangle. By using Imagemagick tools, I cropped the image into pieces 493x3 by:

    # convert thread.png -crop 493x3 +repage +adjoin thread%04d.png

Then reassembled it to a rectangle by using:

    # montage -mode concatenate -tile 1x thread0*.png Sew.png

By using the stegsolve.jar tool with the Sew.png and choosing Analyse -> Stereogram solver with offset=8, I got a secret QR code:

By redrawing and scanning it, the password is kiwisarekewl

Solution of Mitsch

What the hell? To get a little bit better idea of the thin line, the png is converted to text with imagemagick.

    convert thread13.png thread13.txt

The output looks like this, with coordinates of the pixels and colours:

    17,1: (0,0,0,0) #00000000 none
    18,1: (0,0,0,1) #000000 black
    19,1: (0,0,0,0) #00000000 none
    20,1: (0,0,0,1) #000000 black

After a lot of unsuccessful attempts to "wind up the strand", a closer look at the number of pixels gives a hint.

- 14.500 pixels in the line, minus 16px offset at the beginning and 187px at the end results in 14297.
- 14297 = 841 x 17 (length of each small subline is 17px)
- 841 = 29 x 29 -> is it a QR-code? It's worth testing.
- Take only every 3rd pixel from a line. This is the only one which is toggling between black & white.
- create a square 29 x 29 and fill it with the information from the strand.

with a little trick to create a svg-image and awk

    awk -F "," '
    BEGIN {
      l = 29
      o = 19
      x = 1
      y = 1
    }
    {
      if ( $5 == "1" ) {
        rect = "#b"
      } else {
        rect = "#w"
      }
      if ( o > 0 ) {
        o--
      } else {
        print " "
        x++
        o = 16
      }
      if ( x > l ) {
        y++
        x = 1
      }
    }' thread13.txt >> thread13_qr.svg

a QR-code is created with content: 6b 69 77 69 73 61 72 65 6b 65 77 6c 0a -> kiwisarekewl

Egg 14 – Shards

Level: medium | Solutions: 252 | Author: PS

Challenge

Oh no! What a mess!

Solution of eash

I would like to thank Jeff Kayser for the amazing script to join image files at https://github.com/jeffkayser/imglue. I did some changes on the imglue.py to meet the needs.

As a first step I unzipped the file shards.zip to the shards/ directory and realized that I need to order the shards by creation date. To run the script use:

    #python imglue.py grid shards/* egg-14.png

The script output is the egg-14.png.

Solution of soundrh

First of all, I removed the img_ from all filenames. Then I tried various parts (between underscores) of the filenames as the first (for sorting), that the previews looked like they could build an egg. With the last part (0 – 39) the first and last view were all white, so I carried on with that name pattern. Because the windows explorer sorts numerically, but some sort functions do not, I zero-padded the ones with only one digit in the first part. After looking at the size of the shards and the one of a complete egg, I knew that the shards have to be placed in a 40 to 40 grid. I wrote a PHP script, which displays the shards in a table sorted by their name.

I got the following result, there’s more work to do (which didn’t surprise me):

After displaying the names instead of the images, I tried it with the letters as the second sort argument.

Better, but not ok. Again after looking at the names, the lowercase letters have to be put before the uppercase ones.

The shards have to be rotated:

Last thing: Invert order of lines:

Solution of sunscan

In the file shards.zip are present 1600 shards/files so this challenge is a 40x40 puzzle. Each file has the name:

    img_{SEQUENCE_NUMBER}_{ROW}_{RANDOM_NUMBER}_{COLUMN}.png

where ROW is in the range [a-z,A-N] and COLUMN is in the range [0-39].

Using a Bash script with ImageMagick we can combine all the shards in the correct sequence and obtain the egg:

Solution of Buge

This had 1600 images that were each 12x12 pixels. So we probably need to organize the images into a larger image 40x40 smaller images in size. I got a file containing the names with

    ls shards/ > namesfile.txt

The names contain multiple parts separated by underscores. The last part is always a number from 0-39 so that is likely either the x or y position that the image should go. The 2nd part is always a letter a-z or A-N. There are 26 possibilities a-z inclusive and 14 possibilities A-N inclusive, so that's 40 possibilities. So that letter is probably the other coordinate, with a-z indicating 0-25, and A-N indicating 26-39. From testing I found that the letter was the y position, and the number was the x position.

    from PIL import Image
    import re

    def letternum(l):
        # a-z map to rows 0-25, A-N map to rows 26-39
        return ord(l) - ord('a') if 'a' <= l <= 'z' else ord(l) - ord('A') + 26

    names = open('namesfile.txt').read()
    im = Image.new('RGBA', (480, 480))  # 40 x 40 shards of 12 x 12 pixels
    for name in names.split():
        m = re.match(r'img_([0-9]+)_([a-zA-Z])_([0-9]+)_([0-9]+)\.png', name)
        im2 = Image.open('shards/' + name)
        y = letternum(m.group(2))  # letter is the row
        x = int(m.group(4))        # last number is the column
        im.paste(im2.copy(), (x*12, y*12))
    im.save('final.png')

That gave a file final.png that had the egg with the QR code.

Egg 15 – P Cap

Level: medium | Solutions: 181 | Author: PS

Challenge

What about a little P cap?

Solution of evandrix

(wireshark ≥v2.3.0)

    editcap cap.pcapng cap.pcap
    tshark -r cap.pcap --export-objects "smb,smb.out.d"
    binwalk -e smb.out.d/%5cR05h4L\(1\).jpg
    mv _%5cR05h4L\(1\).jpg.extracted/imnothere.txt imnothere.jpg
    convert imnothere.jpg -resize 1200% imnothere-resize.jpg
    tesseract imnothere-resize.jpg imnothere
    cat imnothere.txt

=> 7061n.php @ https://hackyeaster.hacking-lab.com/hackyeaster/7061n.php

Solution of eash

Extracted the R05h4L.jpg file that was in the SMB protocol using Wireshark.

There is a hidden ZIP file in R05h4L.jpg, checked with the binwalk command. In the ZIP there is a TXT file named “imnothere.txt”. I used the command binwalk -e to extract the ZIP and TXT files.

Checked the “imnothere.txt” and realized that it was a JPG image file.

    # file imnothere.txt
    imnothere.txt: JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=6, orientation=upper-left], baseline, precision 8, 52x10, frames 3

Next step was to access the URL https://hackyeaster.hacking-lab.com/hackyeaster/7061n.php and grab the egg.

Solution of remmer

I solved this one using Wireshark. An SMB exchange between 192.168.1.112 and 192.168.1.10 seems to occur starting from packet No. 223. I right-clicked the packet No. 223 and selected Follow > TCP stream, then chose 192.168.1.10:445 -> 192.168.1.112:53565 in order to filter only what the SMB server sent to the SMB client. Then, I chose Show and save data as Raw and saved the result.

Using Binary Ninja and binvis.io, I saw that the resulting file contains a .zip file between offsets 01bcf8 and 01c20d. This .zip file contains a .txt file named imnothere.txt, that is actually a .jpg. It can be opened after changing the extension.

The egg was finally revealed by browsing to https://hackyeaster.hacking-lab.com/hackyeaster/7061n.php.

Solution of kumaus

Being a total newbie regarding WireShark, the 1553 lines of capture look scary at first. Two HTTP exchanges occur, GET requests to perdu.com and nothinghere.pl, which turn out to be red herrings. More promising is a lengthy SMB protocol exchange between line 226 and 658.

SMB (Server Message Block) is a protocol most commonly used for remote file access under Windows. This sequence of requests pokes around the directory tree on a remote laptop under a user account [email protected]. After quite some trying, a file R05h4L.jpg is identified and downloaded. The interesting part is:

    477 53.633535000 192.168.1.112 192.168.1.10 SMB 166 NT Create AndX Request, FID: 0x28fa, Path: \R05h4L.jpg
    478 53.635029000 192.168.1.10 192.168.1.112 SMB 193 NT Create AndX Response, FID: 0x28fa
    ...
    498 53.644356000 192.168.1.112 192.168.1.10 SMB 117 Read AndX Request, FID: 0x28fa, 32768 bytes at offset 0
    499 53.644462000 192.168.1.112 192.168.1.10 SMB 117 Read AndX Request, FID: 0x28fa, 32768 bytes at offset 32768
    500 53.644538000 192.168.1.112 192.168.1.10 SMB 117 Read AndX Request, FID: 0x28fa, 32768 bytes at offset 65536
    501 53.644607000 192.168.1.112 192.168.1.10 SMB 117 Read AndX Request, FID: 0x28fa, 3472 bytes at offset 98304
    546 53.654455000 192.168.1.10 192.168.1.112 SMB 1514 Read AndX Response, FID: 0x28fa, 32768 bytes
    590 53.665872000 192.168.1.10 192.168.1.112 SMB 1514 Read AndX Response, FID: 0x28fa, 32768 bytes
    636 53.673476000 192.168.1.10 192.168.1.112 SMB 1514 Read AndX Response, FID: 0x28fa, 32768 bytes
    640 53.674049000 192.168.1.10 192.168.1.112 SMB 1342 Read AndX Response, FID: 0x28fa, 3472 bytes

Lines 546, 590, 636, 640 contain binary data in their payload which can indeed be combined in a hex editor to form a valid JPG file. Or, simpler, wireshark can export the data (File -> Export Objects -> SMB/SMB2), which serves it on a silver platter. The image itself, however, is disappointing. Another red herring? Surely not ... The filename (Roshal > RAR) hints at compressed data, and starting at 0x1885F one indeed finds a ZIP file:

The file imnothere.txt flies under false flag and is actually another JPG image. Looking at https://hackyeaster.hacking-lab.com/hackyeaster/7061n.php finally gives the egg.
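The two checks the Egg 15 write-ups perform with binwalk and file, as an added Python example (not code from any of the solvers): locate a ZIP archive appended to a JPEG, then flag archive members whose magic bytes contradict their extension. The sample bytes are constructed inline; the function names and the signature table are illustrative choices.

```python
import io
import zipfile

# File signatures that appear in the write-ups on this page.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"PK\x03\x04", "zip"),
    (b"MSCF", "cab"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]
# Type each extension claims; "text" has no signature of its own.
EXTENSION_TYPES = {"jpg": "jpeg", "jpeg": "jpeg", "zip": "zip",
                   "cab": "cab", "png": "png", "txt": "text"}
ZIP_LOCAL_HEADER = b"PK\x03\x04"


def sniff(data):
    """Return the type implied by the leading bytes, or 'unknown'."""
    for magic, kind in SIGNATURES:
        if data.startswith(magic):
            return kind
    return "unknown"


def find_embedded_zip(blob):
    """Offset of the first ZIP local-file header past byte 0 that opens as an
    archive with intact CRCs, or None. Validation rejects chance 'PK' matches."""
    pos = blob.find(ZIP_LOCAL_HEADER, 1)
    while pos != -1:
        try:
            with zipfile.ZipFile(io.BytesIO(blob[pos:])) as archive:
                if archive.testzip() is None:
                    return pos
        except (zipfile.BadZipFile, NotImplementedError, RuntimeError):
            pass  # not a readable archive at this offset, keep scanning
        pos = blob.find(ZIP_LOCAL_HEADER, pos + 1)
    return None


def audit(name, blob):
    """Findings for one file: an embedded archive, and members whose content
    type contradicts their file extension."""
    findings = []
    offset = find_embedded_zip(blob)
    if offset is None:
        return findings
    findings.append((name, "embedded-zip", offset))
    with zipfile.ZipFile(io.BytesIO(blob[offset:])) as archive:
        for info in archive.infolist():
            extension = info.filename.rsplit(".", 1)[-1].lower()
            claimed = EXTENSION_TYPES.get(extension, "unknown")
            actual = sniff(archive.read(info))
            if actual not in ("unknown", claimed):
                findings.append((info.filename, "type-mismatch", actual))
    return findings


def build_sample():
    """Constructed stand-in for R05h4L.jpg: a JPEG-like cover followed by a ZIP
    whose only member, imnothere.txt, is really JPEG data."""
    cover = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 64 + b"\xff\xd9"
    hidden = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x22" * 32 + b"\xff\xd9"
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        archive.writestr("imnothere.txt", hidden)
    return cover, cover + buffer.getvalue()


if __name__ == "__main__":
    cover, sample = build_sample()
    for finding in audit("R05h4L.jpg", sample):
        print(finding)
```

The same two checks work as a triage rule on files exported from a capture: a valid archive behind an image, or a member whose content type disagrees with its name, is worth a closer look.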

Egg 16 – Pathfinder

Level: medium | Solutions: 181 | Author: MaMe82

Challenge

Can you find the right path? hackyeaster.hacking-lab.com:9999

Solution of darkstar

In this challenge a server address is given.

    nc hackyeaster.hacking-lab.com 9999

Ok, no answer, trying with HTTP request gives:

With User-Agent header field set the server responded with:

Using a brute force approach to find the path.

Solution of inik

Found out, that it reacts to http. GET / will respond with:

    {"Answer":"I only talk to PathFinder!"}

So what’s that. I googled for Pathfinder and found 3 possibilities:

- It's JSONPath, an XPath for JSON with a similar syntax. See http://goessner.net/articles/JsonPath/
- It’s geo-json-path-finder, a library for routing between two points. See http://www.liedman.net/geojson-path-finder/
- Or is it: http://rpgbot.net/pathfinder/ a role playing game?

None of those links made sense to me, but I didn’t have another clue. I tried random paths as well or sending some random JSON message. Without success.

After putting away the Chall for a few days and looking at it again, I tried to fetch robots.txt, which wasn’t there. Thinking further I thought about other ways (besides path, cookies) to change an http request and found that the User-Agent has to be changed to PathFinder to get an answer. Example with wget:

    wget -qO- --user-agent="PathFinder" http://hackyeaster.hacking-lab.com:9999/
    {"Answer":"Follow one of the possible paths","paths":[1,3,5,8]}
    wget -qO- --user-agent="PathFinder" http://hackyeaster.hacking-lab.com:9999/1
    {"Answer":"Go on! Follow one of the possible paths","paths":[5]}

Fiddling around a little, it seemed that there are too many possibilities and so I wrote a program to solve the chall:

The result was:

    RES: --> {"Answer":"Follow one of the possible paths","paths":[1,3,5,8]}
    RES: 1 --> {"Answer":"Go on! Follow one of the possible paths","paths":[5]}
    RES: 15 --> {"Answer":"Go on! Follow one of the possible paths","paths":[3,7,8]}
    RES: 153 --> {"Answer":"Go on! Follow one of the possible paths","paths":[2]}
    […]
    RES: 157294683269358174843716529496583712528971346731642895972135468685427931314869257 -->
    {"Answer":"Thanks PathFinder you saved my life by giving me the solution to this sudoku!",
     "sudoku":
      [[0,0,0,2,0,4,6,0,0],[2,0,9,0,0,0,0,0,0],[0,0,0,0,0,6,5,0,0],
       [0,0,6,5,0,0,7,1,0],[0,0,0,9,0,0,0,4,0],[7,3,1,0,0,0,0,0,0],
       [0,7,0,0,3,0,0,0,8],[0,8,0,0,2,7,0,3,1],[0,1,4,0,6,0,0,0,0]],
     "your_solution":
      [[1,5,7,2,9,4,6,8,3],[2,6,9,3,5,8,1,7,4],[8,4,3,7,1,6,5,2,9],
       [4,9,6,5,8,3,7,1,2],[5,2,8,9,7,1,3,4,6],[7,3,1,6,4,2,8,9,5],
       [9,7,2,1,3,5,4,6,8],[6,8,5,4,2,7,9,3,1],[3,1,4,8,6,9,2,5,7]],
     "Secret":"https://hackyeaster.hackinglab.com/hackyeaster/images/challenge/egg16_UYgXzJqpfc.png"}

Solution of Morpheuz

Connecting to the url gives the json-response: {“Answer”: “I only talk to PathFinder!”}

The solution was to change the user-agent to ‘PathFinder’. The server offered different ways to go, from 1-9 and you had to append this number to the url. The path would then somewhen end – when it does, you’re on the wrong path. I wrote a little recursive script, which would go through every possible path:
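The recursive search the Egg 16 write-ups describe, as an added example that is not any solver's script: it runs against an offline stand-in for the server instead of the network. The stand-in assumes the offered paths are the digits that fit the next cell of the sudoku quoted in inik's output, which reproduces the four replies shown above; the empty list for a dead end and the None for an off-path request are also assumptions.

```python
from functools import lru_cache

# Puzzle and accepted path, both copied from the server output quoted in
# inik's write-up on this page.
SUDOKU = (
    (0, 0, 0, 2, 0, 4, 6, 0, 0), (2, 0, 9, 0, 0, 0, 0, 0, 0),
    (0, 0, 0, 0, 0, 6, 5, 0, 0), (0, 0, 6, 5, 0, 0, 7, 1, 0),
    (0, 0, 0, 9, 0, 0, 0, 4, 0), (7, 3, 1, 0, 0, 0, 0, 0, 0),
    (0, 7, 0, 0, 3, 0, 0, 0, 8), (0, 8, 0, 0, 2, 7, 0, 3, 1),
    (0, 1, 4, 0, 6, 0, 0, 0, 0),
)
PAGE_PATH = ("157294683" "269358174" "843716529" "496583712" "528971346"
             "731642895" "972135468" "685427931" "314869257")


def _candidates(grid, r, c):
    """Digits that fit cell (r, c): the given if there is one, otherwise every
    digit unused in the row, column and 3x3 box."""
    if SUDOKU[r][c]:
        return [SUDOKU[r][c]]
    used = set(grid[r]) | {grid[i][c] for i in range(9)}
    br, bc = 3 * (r // 3), 3 * (c // 3)
    used |= {grid[i][j] for i in range(br, br + 3) for j in range(bc, bc + 3)}
    return [d for d in range(1, 10) if d not in used]


@lru_cache(maxsize=4096)
def _grid_after(path):
    """Grid after writing the path's digits in row-major order, or None if a
    digit was never offered. Cached so each request costs one step."""
    if not path:
        return SUDOKU
    if len(path) > 81 or not (path.isascii() and path.isdigit()):
        return None
    previous = _grid_after(path[:-1])
    if previous is None:
        return None
    r, c = divmod(len(path) - 1, 9)
    digit = int(path[-1])
    if digit not in _candidates(previous, r, c):
        return None
    return tuple(row if i != r else row[:c] + (digit,) + row[c + 1:]
                 for i, row in enumerate(previous))


def oracle(path):
    """Offline stand-in (assumed model) for GET /<path> sent with the
    PathFinder User-Agent."""
    grid = _grid_after(path)
    if grid is None:
        return None
    if len(path) == 81:
        return {"solved": True}
    r, c = divmod(len(path), 9)
    return {"paths": _candidates(grid, r, c)}


def find_path(prefix=""):
    """Depth-first search: follow each offered digit, back out of dead ends."""
    reply = oracle(prefix)
    if reply is None:
        return None
    if reply.get("solved"):
        return prefix
    for digit in reply["paths"]:
        found = find_path(prefix + str(digit))
        if found:
            return found
    return None


if __name__ == "__main__":
    path = find_path()
    print(path)
    print("same as the path in the quoted output:", path == PAGE_PATH)
```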

Egg 17 – Monster Party

Level: medium | Solutions: 75 | Author: otaku

Challenge

The monsters do have a big party, jumping around like fools.

Each of them has its own jump-pattern. When two or more meet on a field, they are happy to see each other, but continue hopping. Passing the border on either side makes them appear again on the opposite side.

Board:

Solution of Bikey

This puzzle seems to have caused problems for many people but has at least one relatively simple solution. Using an excel spreadsheet (27x27 grid) I set out each colour monster on a separate sheet using the value 1 to indicate the starting point for the monsters. Also a master sheet with the totals of each grid square. This was the time consuming bit. The grid suggested that it would produce a QR code but was 2 squares larger than a standard QR grid implying that there would be a blank row around the outside. From this it is only necessary to rearrange each colour to put a blank row to the outside by cutting and pasting vertically and horizontally. There are a couple of places where the grids can be split in more than one place but it is easy to find the correct split. The master sheet now shows the QR pattern in 1’s and by applying colour format the code can be scanned. It is not necessary to move the monsters using their jump patterns!

Solution of Darkice

For this challenge, it is only needed to let the monsters jump around with their own jump pattern. When starting with the second jump of the pattern, it takes less than 100 jumps of each monster until they are representing a QR code.

Solution of darkstar

The QR code of this task was made with the help of these cute monsters. Unfortunately, these monsters can not stand still for a long time so the code is not readable.

To read the code, the starting position of all monsters must be determined.

Solution of jokker

One of the hardest challenges in my opinion. Making the monsters jump was an easy task with some JS-code. But it took me hours to get to the right solution. The 27x27 grid indicated that the final solution will make up a QR-code, because those are 25x25. So I tried different things with RGB combination with a JS-script, but nothing worked.

I got a hint, that the monsters are not jumping like I think and that every monster will be placed alone on the grid. That hint got me on the right track.

We have 6 monsters with jump patterns of the length of 3. So there are 6^3 (216) combinations on how the monsters are starting in the jump pattern. These are too many combinations for a human, but not for a computer. I wrote a python script which tried every starting combination. Every starting combination loops for 100 movements of the monsters and checks if all monsters are placed alone on the grid. As soon as this condition is met, we stop the process. Pasted this starting combination in my JS-code and looped for the same amount of movements. This revealed the QR-code for the challenge.

Egg 18 – Nitwit's Doormat Key

Level: medium | Solutions: 267 | Author: CoderKiwi

Challenge

Being sure that no one can read the obfuscated code, bunny Nitwit has hidden the egg behind his login-page.

Find out the username and password to show that he lives up to his own name!

Solution of pyth0n33

We were presented a webpage with a login form. I quickly looked at the page source and noticed a lot of obfuscated javascript code.

I saw a few base64 strings and without looking at the code I decoded these strings. One of these strings contained an image. I decoded the base64 string and saved the image to my computer. The image had strange looking colours. I thought that something is hidden in the pixel values. I used python and the pillow image library to print out the pixel values. The values for the red pixels were in the ASCII range. So I converted the values to ASCII characters and combined them. This gave me another base64 string. I decoded it and got a JS code.

The function logMeInScotty contains the username and password check. Combining all the conditions in this function gave me the username: bunnyXm4st3r.

For the password check a different method was used. I copied this message to the developer console and used magic("bunnyXm4st3r") to get the password. So I found the password: cvoozYs4ut5n. With this username and password I got the flag.

Solution of trolli101

This was a "simple" JavaScript de-obfuscation challenge. After trying for some time to reverse the obfuscation by hand I turned to Firefox and was able to see some of the obfuscated code directly in a readable form. I then tried with Chrome and it turns out that the obfuscation can be reversed in a handful of clicks, here is how:

1. Open the challenge page
2. Press F12 to open the debugger
3. Go to the elements tab and expand the HTML code up to the login button and select this tag
4. On the right panel go to the 'Event listeners' tab
5. Expand the 'click' listener up to the handler function called LogMeInScotty()
6. Right-click on the function and choose 'Show function definition'

Bingo, the code is de-obfuscated. The steps 3-6 are shown in the screenshot below:

The code can then be pretty-printed (also possible in Chrome), and some variable replaced for more readability. The result is as follows:

Then it is only a matter of minutes to retrieve the username 'bunnyXm4st3r' and the password can be found by calling the magic() function with the username as argument. When entering these two values in the login page, the egg is displayed.

Solution of horst3000

Extract Script with chrome dev-tools (Go to event listener, click:VMxx). They even pretty print the script :-)

Username:

Username: bunnyXm4st3r Password: cvoozYs4ut5n

Solution of vitali

To solve this challenge we need to extract login and password from the obfuscated JS code. It was easy to receive username by analyzing JS function "logMeInScotty" that is used as a click listener for the submit button. So the username is "bunnyXm4st3r".

The main problem was to receive the function "magic". I spent a lot of time trying to understand the JS magic but didn't understand it. So the alternative solution was to directly scan the browser process memory and extract the function code from it. As a result the password is: magic("bunnyXm4st3r") -> "cvoozYs4ut5n"

    function magic(str) {
        var l11 = "";
        for (var l1I = str.length - 1; l1I >= 0; l1I--) {
            if (l1I > 5) {
                l11 += moreMagic(str[l1I]);
            } else {
                l11 = moreMagic(str[l1I]) + l11;
            }
        }
        return l11;
    }

    function moreMagic(c) {
        return String.fromCharCode(c.charCodeAt(0) + 1);
    }

Egg 19 – Disco Time

Level: hard | Solutions: 139 | Author: DeathsPirate

Challenge

Disco time!

Solution of muzido

I used imagemagick tool.

First I run the following command to handle all frames in the gif file.

    convert disco2.gif test/%d.png

Then I run the following command.

    montage `ls -1a test/*| grep png | sort -t'/' -k2 -n` -tile 28x149 -geometry 28x28+4+4 final.png

Then run this;

    mogrify -rotate +90 -flop final.png

I found this image: The flag is PixelPixiesArePractical

Solution of HomeSen

The square between the 2 cats was an animated GIF image with 4172 frames. Factoring that number yields the dimensions 28x149 for the resulting image (ignoring the fact that the GIF frames actually were 2x2 pixels in size). Writing a simple Python script that took each frame’s color and applied it to a new pixel inside the new image revealed the password for the Egg-O-Matic yielding egg #19

Solution of mcia

First step with gifs is always to look at the single frames. The gifs with the cats didn’t reveal anything interesting. But disco2.gif did.

    $ convert *.gif frames/out.png
    $ ls -u frames/ | head -10
    out-4184.png
    out-4187.png
    out-4186.png
    out-4185.png
    out-4183.png
    out-4182.png
    out-4181.png
    out-4180.png
    out-4179.png
    out-4178.png

If we look at the frames folder, we can see a lot of red and white images. Looks like a pattern. We have 31 pictures before the color changes, this seems important. I tried to combine the frames to a new picture with ‘montage’. ‘montage’ takes the pictures by name and orders them from top left corner to the top right corner, then it goes to the next line and so on. I used montage this way:

    montage frames/*.png -geometry 48x48+1+1 -tile 31x200 result.png

This takes all the pictures from the frames folder and combines it into result.png. Result.png is 48×48 pixels and the borders between the frames are 1 pixel. It takes 31 pictures per row and then goes to the next row. I had to do some trial and error to find the right values.

After rotating the picture and flipping it vertically I got this picture:

It’s a bit hard to read, but the codeword is “PixelPixiesArePractical“.

Solution of kumaus

Oh no dancing cats!!! Let's try to avoid them and concentrate on disco2.gif. This is an animated GIF having 4172 frames of 2x2 pixels. There is a global colour table, but some frames have local colour tables of different sizes. Further observations:

- Local palette sizes are 4, 2 and 1
- image colouring is either
  - (p00, p01, p10, p11) = (0,2,1,3) ca 2/3
  - (p00, p01, p10, p11) = (0,0,0,0) ca 1/3
- palette entries for (0,0,0,0) are grayscale: 0xFF, 0xFE, 0x55, 0x00
- palette entries of shape (0,2,1,3) always have identical colour

To get to the bottom of this, I tried to look for a structure:

The output shows a periodic pattern of size 28, giving 149 lines. Flipping it over and zooming out a long way looks like this:

These are almost recognizable letters. So it seems that each frame has to be mapped into a pixel of an image of size 149 x 28. After some trial and error, the simple approach of picking the first palette entry of each frame worked:


gives the image

which shows the password PixelPixiesArePractical

Egg 20 – Spaghetti Hash

Level: hard | Solutions: 162 | Author: PS

Challenge

Lazy Larry needs to improve the security of his password hashing implementation. He decides to use SHA-512 as a new hashing algorithm in order to be super secure. Unfortunately, the database column for the hash can only hold 128 bit. As Bob is too lazy to extend the column and all the code related to it, he decides to shrink the output of the SHA-512 operation, to 128 bit. For this purpose he picks certain characters from the SHA-512 output for producing the new value.

You got hold of four password hashes, calculated with Bob's new implementation. Can you find the corresponding passwords?

    hash 1: 87017a3ffc7bdd5dc5d5c9c348ca21c5
    hash 2: ff17891414f7d15aa4719689c44ea039
    hash 3: 5b9ea4569ad68b85c7230321ecda3780
    hash 4: 6ad211c3f933df6e5569adf21d261637

Lucky you, you know that the following web service is calculating Bob's algorithm. However, the web service only accepts strings of length 4 or less - brute-forcing a password list thus is no option, since the passwords you are looking for are all longer.

    https://hackyeaster.hacking-lab.com/hackyeaster/hash?string=abcd

Solution of LlinksRechts

First, I had to find out which of the characters from the original hash were used to calculate the shortened hashes:

I searched my rainbow table (rockyou.txt) for this wildcard string:

Then, I used a script to convert these to wildcard strings for SQL:

This gave me the following passwords:

Solution of TheVamp

At first, I checked out manually the custom hashes and tried to compare them. I hoped I could see some differences, but the algorithm is too complex. If I don’t see differences, maybe a little python script could:

Here is the output of the script:

[…]

Now we know the algorithm and we can crack all the passwords with a dictionary. I added the following lines at the end of the script, so that we are able to crack everything with a Password list. I downloaded the password lists from https://wiki.skullsecurity.org/Passwords


Here is the output of the script. Sadly, the output isn’t so good. In example as he found the “cool” hash, there is a glitch with the running progress-counter.

Solution of kumaus

Is the guy called Lazy Larry or Bob? Probably an unsolvable mystery. To sort out which SHA512 characters go into his special hash, I used the service provided to calculate a few examples for the letters 'a' to 'f':

    a) 2552d46012e2cee9c48f2238b10ec560
    b) 580b7ef5583b650e55788477165ecbcf
    c) da1b8782a23ed2c5d041cc218b952631
    d) ad50cdc041f4001d08766c78548a54bc
    e) c1f7359e805c81c0e7211d89cfffee8b
    f) 5128f2bd74bc2534954f39e5e1754b4d

The code below compares these to the actual SHA-512 hashes of the letters 'a' to 'f' in order to derive a positional key. This key is then used on all entries of a dictionary (I used rockyou, which may well be overkill) to find the four password hashes.

The solution is:

    6ad211c3f933df6e5569adf21d261637: 12345678 --> hash 4
    ff17891414f7d15aa4719689c44ea039: Cleveland --> hash 2
    87017a3ffc7bdd5dc5d5c9c348ca21c5: Prodigy --> hash 1
    5b9ea4569ad68b85c7230321ecda3780: benchmark --> hash 3
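The positional-key derivation kumaus describes, as an added Python example (not kumaus's code): for each of the 32 output characters it intersects, over all samples, the SHA-512 hex positions that hold that character, then reuses the recovered key on a word list. The sample outputs, target hashes and reported passwords are copied from this page; the function names are illustrative.

```python
import hashlib

# Service outputs for single letters, copied from kumaus's write-up above.
SAMPLES = {
    "a": "2552d46012e2cee9c48f2238b10ec560",
    "b": "580b7ef5583b650e55788477165ecbcf",
    "c": "da1b8782a23ed2c5d041cc218b952631",
    "d": "ad50cdc041f4001d08766c78548a54bc",
    "e": "c1f7359e805c81c0e7211d89cfffee8b",
    "f": "5128f2bd74bc2534954f39e5e1754b4d",
}
# Target hashes from the challenge text.
TARGETS = {
    "hash 1": "87017a3ffc7bdd5dc5d5c9c348ca21c5",
    "hash 2": "ff17891414f7d15aa4719689c44ea039",
    "hash 3": "5b9ea4569ad68b85c7230321ecda3780",
    "hash 4": "6ad211c3f933df6e5569adf21d261637",
}
# Passwords the write-up reports, used here in place of a full dictionary.
REPORTED = ["12345678", "Cleveland", "Prodigy", "benchmark"]


def sha512_hex(text):
    return hashlib.sha512(text.encode("utf-8")).hexdigest()


def derive_positions(samples):
    """For every character of the short hash, the set of SHA-512 hex indices
    (0..127) that hold that character in all samples."""
    slots = None
    for text, short in samples.items():
        full = sha512_hex(text)
        matches = [{j for j, ch in enumerate(full) if ch == want}
                   for want in short.lower()]
        slots = matches if slots is None else [a & b for a, b in zip(slots, matches)]
    return slots or []


def resolve(slots):
    """The positional key if every slot has exactly one candidate, else None
    (more samples are needed, or a sample does not fit the model)."""
    if slots and all(len(s) == 1 for s in slots):
        return [next(iter(s)) for s in slots]
    return None


def shrink(text, positions):
    """Apply a positional key: pick those hex characters of SHA-512(text)."""
    full = sha512_hex(text)
    return "".join(full[p] for p in positions)


def match_wordlist(targets, positions, wordlist):
    """Map each target label to the first-seen word whose shrunken hash matches."""
    wanted = {digest: label for label, digest in targets.items()}
    hits = {}
    for word in wordlist:
        label = wanted.get(shrink(word, positions))
        if label is not None and label not in hits:
            hits[label] = word
    return hits


if __name__ == "__main__":
    slots = derive_positions(SAMPLES)
    key = resolve(slots)
    if key is None:
        print("samples do not pin down every position; candidates per slot:",
              [len(s) for s in slots])
    else:
        print("positional key:", key)
        print(match_wordlist(TARGETS, key, REPORTED))
```

Selecting 32 characters keeps 128 bits of output but adds no secret: a handful of chosen inputs recovers the selection, and the unsalted, fast hash is then open to an ordinary dictionary run.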

Egg 21 – MonKey

Level: hard | Solutions: 74 | Author: PS

Challenge

The monkey is laughing at you. Get the hidden egg from his binary.

Solution of jamesdju

Decompiled the binary with IDA Pro. Relevant code pieces:

The egg image is encrypted with aes-128 ECB mode with a 16 character key. The key is a string which can be seen in the third picture. It is scrambled during the password check, to look like: "makybkomooaenklo". However, the actual key can be obtained by stepping back to sub_A75C call, which simply moves the letters around. The real key is: koolokambamonkey. Decrypting it can be done with openssl.

    root@kali:~/hackyeaster/2017/c21# openssl enc -d -aes-128-ecb -in encrypted -K 6B6F6F6C6F6B616D62616D6F6E6B6579 > egg.png

Solution of mcia

This challenge was the hardest one for me. First step was to rename the ipa file to zip and extract the content. There are a lot of interesting files but no QR code in sight. Running ‘strings’ on the Monkey binary reveals some information. We can see that the library CCCrypt is used, there are functions named aesDecrypt and aesEncrypt, we can see an encrypted string which probably is our encrypted QR code. And then there are these two strings “thisIStheKEYyoyo” and “monkeyluv$Banana”. I was a bit disappointed at the first moment, I thought this was too easy! But I was wrong, the 2 strings didn’t work as keys no matter how I tried. It is time to use a disassembler. I used hopper to solve this task.

Most interesting function is onBtnPressed. I worked mostly with the generated pseudo code of hopper, which worked pretty well:

We can see in the else-part at the end of the function, the two strings “thisIStheKEYyoyo” and “monkeyluv$Banana” are used in a log output to display the nopeCat! Nice play PS, nice play! Proceeding with the I found this method call:

    r4 = [[NSString stringWithFormat:@"%@omo%@", @"makybk", @"oaenklo"] retain];

This method results in the string “makybkomooaenklo”. But that string does not work as key either. So, I stepped backwards from where the key actually was used:

- aesDecrypt, the key used is r5
- r5 is r6 UTF8 decoded
- r5 is equal r4, r4 is “makybkomooaenklo”
- As r5 was assigned from r6 before, we have to follow r6
- r6 was last changed in the function sub_a75c()
- input to sub_a75c is the key entered in the app, output is r6

We have to look closer what exactly happens in the function sub_a75c():


If we simplify this method to something more readable and only take the needed values from the array ’27fbc’, we get this function:

We have a password with the length of 16 characters. In this method the order of the characters of our password is chosen and a new string resulting in ‘makybkomooaenklo’ is created. ‘int original_password’ is a pointer to the address of the first element/character of the password used in the app and to it an offset from the array ’27fbc’ is added. All values inside ’27fbc’ are smaller than 0x10. Means that the ordering of the entered password is changed inside this function. In the app someone enters a password, this function changes the order of the characters and the result of it is the known string ‘makybkomooaenklo’. But the first typed password is used to decrypt the egg.

- End ‘result’ is ‘makybkomooaenklo’
- result[0] is address_of_first_character_of_our_password + 27fbc[0] (Which is 0x07)
- result[0] is the character which is at position 0x07 of our password

We don’t know the entered key, but we know what it becomes after the function ‘sub_a75c’. Now we can reverse the function and get the key to decrypt the QR code!

To reverse the string I loop over the length of ‘makybkomooaenklo’ and for each position (0..15) we check at what index in ‘sub_a75c’ this number is located. When we found the position, we know the position of the character in the ‘makybkomooaenklo’ string.

Running the function reveals the password ‘koolokambamonkey’. With this key we can decrypt the encrypted image of the QR code.


Solution of Morpheuz
The first thing that came to my eyes after renaming the .ipa file to .zip was this cute picture of a cat:

The app seems to log some base64-string along with two honeypot-keys, if some precondition fails. Decoding the base64-string reveals the “fail”-image:

The other branch decodes some base64-encoded data, aes-decrypts it and encodes it back to base64, to, as it looks, display it in a webview (data:image/png;base64;…). The main algorithm takes, scrambles and compares our input against “makybkomooaenklo”. The scramble routine looks like this:

And this is the secretArray:

The following golang-code would reverse this process:

It prints the result “koolokambamonkey” which can be used to decrypt a blob, saved in another base64-string inside the app, with AES-128 CBC. The decrypted blob is a png-image of the qr-code-egg.


Solution of HaRdLoCk
hey, this is an iphone binary! very nice! immediately loading in IDA and checking out the strings. we are even lucky and this was compiled in 32bit and 64bit mode – therefore we can use hexrays for pseudo code.

i also installed the app itself on my iphone, using cydia impactor from: http://www.cydiaimpactor.com and my developer certificate (but it works also with the free developer certificate)

the binary contained some honeypot with wrong keys and dummy images:

of course, it was not that easy. the key itself seems to be checked here:

but whatever i tried, this key "makybkomooaenklo" didn't work on the iphone. i really did overlook something here and when i saw it – facepalm. oh no.

there is a sub before the check!!!!

this is a lookup function, which does change the order of the string based on the table referenced in this sub.

makybkomooaenklo must be reordered according to this table. i made this manually in excel:

and here we go with our egg
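The reordering that the write-ups above describe (sub_a75c indexing the entered key through a 16-entry table) and its inversion, as an added example that is not code from the original solutions. The app's real table is not reproduced on this page, so TABLE is a constructed permutation, chosen to be consistent with the two strings given above and with the stated first entry 0x07.

```python
# Constructed stand-in for the app's lookup table (the real '27fbc' values are
# not on this page). It maps "koolokambamonkey" to "makybkomooaenklo" and
# starts with 0x07, as the write-up states.
TABLE = [7, 9, 13, 15, 8, 0, 4, 10, 11, 2, 6, 14, 12, 5, 3, 1]


def check_permutation(table):
    """A table can only be inverted if every index 0..n-1 occurs exactly once."""
    if sorted(table) != list(range(len(table))):
        raise ValueError("table is not a permutation; scramble is not invertible")


def scramble(password, table=TABLE):
    """What the app does: result[i] = password[table[i]]."""
    check_permutation(table)
    if len(password) != len(table):
        raise ValueError("password length must match table length")
    return "".join(password[src] for src in table)


def unscramble(scrambled, table=TABLE):
    """Inverse: the character seen at result[i] came from password[table[i]]."""
    check_permutation(table)
    if len(scrambled) != len(table):
        raise ValueError("input length must match table length")
    password = [""] * len(table)
    for i, src in enumerate(table):
        password[src] = scrambled[i]
    return "".join(password)


if __name__ == "__main__":
    print(unscramble("makybkomooaenklo"))
```

Because the key contains repeated letters, several tables map one string to the other; only the table taken from the binary is authoritative.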


Egg 22 – Game, Set and Hash
Level: hard
Solutions: 226
Author: PS

Challenge
Can you beat the tennis master?
hackyeaster.hacking-lab.com:8888

Solution of Dykcik
To beat the tennis master you have to quickly invert SHA-256 hashes. There are many online services to crack hashes, but most of them are protected by CAPTCHA. Fortunately, hashtoolkit.com is a service which inverts hashes and does not use CAPTCHA. I prepared a script that gets a hash from hacking-lab and asks hashtoolkit.com to invert it, then the script forwards the answer from hashtoolkit.com to hacking-lab. See the script below.


Solution of soundrh
I tried to access the URL with curl, but that did not work well. Thus, I accessed it with nc:

$ nc hackyeaster.hacking-lab.com 8888
Ready for the game?

I did some desperate tries, but the next day, without thinking I just entered y:

I thought I could look up the hash, but that’s too slow. Also, the hash is random. So, I had to build a rainbow table. I used the UNIX word list first, but that was way too short. I downloaded one from crackstation.net. To parallelise the calculation, I split the file with sed:

sed -n 1,9999999p realhuman_phill.txt > realhuman_phill.txt.part1
sed -n 10000000,19999999p realhuman_phill.txt > realhuman_phill.txt.part2
...

Sometime later (in my case two days with enlarging the virtual machine’s disk twice) it was ready. I created a lookup script and made it more convenient by adding an action listener to the input field and the output span:

onfocus='document.getElementById("text").value = window.clipboardData.getData("text").trim();'
ondblclick="document.execCommand('copy');"

They work only with Internet Explorer. I lowered the security settings for my virtual machine’s apache to let the annoying “Are you sure?” popups disappear. I placed PuTTY on the left side and the browser on the right side.

After the preparations, I started the game. When a hash was displayed, I could mark the whole line to copy it, click into the input field, where it will be trimmed, and press enter. Then, double click on the fetched text and paste with a right-click and press enter. After a little while, I won the game and got presented the secret:

Nice idea and implementation!


Solution of Darkice
When connecting to the server and accepting the game, a hash will be retrieved. This is a SHA-256 Hash and it was easy to break. However, there will be more than one Hash to be cracked, and there is also a time limit for each Hash. Being too slow or providing the wrong word to a given Hash will result in a point for the opponent. To win the game a python script can be used. After the game is won the password for the Egg-O-Matic™ is printed.

You win! Solution is: !stan-the_marth0n$m4n

Solution of jcel
This was an online challenge-response game. Using nc for first trials, the game seemed to consist of a challenge that was a SHA-256 hash, sent by the server, and a response, that was assumed to be the un-hashed string, needed to be sent by the client. So, the solution seemed obvious: Use an online SHA256-cracker to un-hash the challenges. The first trial (I wrote a perl program for the client that submitted the hash to the online service) using hashtoolkit.com only led to my IP being banned by the service. So, I downloaded a raw wordlist (https://crackstation.net/files/crackstation-human-only.txt.gz) and computed the SHA-256 values for them myself, using this as the lookup mechanism for my Perl program. I had to restrict to using only every other word due to memory restrictions. Using this, I was able to beat the tennis master. The final result was:

<<< Correct! Point for you.
<<< ------
<<< Player 3 7 0 6 6
<<< Master > 6 6 6 4 4
<<< ------
<<< You win! Solution is: !stan-the_marth0n$m4n
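The local lookup that soundrh and jcel describe, as an added example (not the participants' scripts): rather than holding every full digest in memory, it keeps a short digest prefix per word plus the word's offset in the wordlist and confirms candidates by re-hashing. It only works because the challenge words are unsalted dictionary words; the three-word list and PREFIX_LEN are constructed for illustration.

```python
import hashlib
import io

PREFIX_LEN = 6  # digest bytes kept in memory per word (constructed choice)


def build_index(wordlist):
    """Map a truncated SHA-256 digest to the file offsets of matching words."""
    index = {}
    wordlist.seek(0)
    while True:
        offset = wordlist.tell()
        line = wordlist.readline()
        if not line:
            return index
        word = line.rstrip(b"\r\n")
        if word:
            key = hashlib.sha256(word).digest()[:PREFIX_LEN]
            index.setdefault(key, []).append(offset)


def lookup(index, wordlist, hex_digest):
    """Return the word whose SHA-256 is hex_digest, or None if it is not listed."""
    try:
        target = bytes.fromhex(hex_digest.strip())
    except ValueError:
        return None
    if len(target) != hashlib.sha256().digest_size:
        return None
    for offset in index.get(target[:PREFIX_LEN], ()):
        wordlist.seek(offset)
        word = wordlist.readline().rstrip(b"\r\n")
        # Prefixes can collide, so confirm against the full digest.
        if hashlib.sha256(word).digest() == target:
            return word.decode("utf-8", "replace")
    return None


# Constructed three-word list standing in for the downloaded wordlist file.
SAMPLE_WORDS = io.BytesIO(b"banana\nmonkey\ntennis\n")
SAMPLE_INDEX = build_index(SAMPLE_WORDS)

if __name__ == "__main__":
    challenge = hashlib.sha256(b"tennis").hexdigest()
    print(lookup(SAMPLE_INDEX, SAMPLE_WORDS, challenge))
```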


Egg 23 – Lovely Vase
Level: hard
Solutions: 83
Author: PS

Challenge
What a nice vase! Beautiful, don't you think?

trickhesitenadrfairairstp
tedtunbhscnprissnaoeoasab
hacektpsrnediiahrtartirlf

Solution of SOKala
Wow, it is really a lovely vase. By meditating in this lovely vase, I found that it has 3 parts as shown in the picture below.

It looks like each line has been encrypted by an encryption technique like a vase.. All are transposition ciphers of different types.

1. Route Cipher
• The first one looks like a Route Cipher with the shown route. By trying to decrypt it:


2. Rail Fence Cipher
• The second one looks like a Rail Fence Cipher with 3 rows (key). By trying to decrypt it:

3. Transposition Cipher
• The second one looks like a Rail Fence Cipher with 3 rows (key). By trying to decrypt it:

And the final password is adrianericksusannabobclairefrank :-)

Solution of Morpheuz
The first line should be read like this (the resulting name ‘enairda’ has to be reversed to adriane and, following the other patterns with a name of a man, combining it with the left-over characters ‘rick’):

The second line must be written in zig-zag and then read like this:

The third line should be read like this:


Combining all solutions results in ‘adrianericksusannabobclairefrank’ which is the word you had to enter on the website.

Solution of Darkice
First part: For the first part the pattern on the vase is a hint in how to solve it. Just split the cipher text into 5 * 5 grid and apply the pattern on it.

Solution: the first part is adrianerick

Second Part: For this part, a rail fence cipher is used. To decode it, simply split the cipher text into 3 lines and form a zigzag pattern.

Solution: the second part is susannabob

Third Part: For the last part, split the text into a 5 * 5 grid and then read the columns from bottom to top.

Solution: the third part is clairefrank

To get the egg from the Egg-O-Matic™ simply combine all solutions. Final Solution: adrianericksusannabobclairefrank


Solution of jokker
These are 3 different transposition ciphers. Number 1 and 3 need to be placed in a block of 5x5, writing down the string from top to bottom, from left to right. Number 2 needs to be placed in a specific shape, so we can draw some kind of triangles.

1. String

2. String

3. String

This gave me the final string “adrianericksusannabobclairefrank”.
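The second and third lines decoded as Darkice describes them (three-rail zigzag; 5 * 5 grid read column by column from bottom to top), as an added example that is not code from the original solutions. The route for the first line depends on the vase picture, which is not reproduced here, so it is left out; the function names are this example's own.

```python
def rail_fence_decode(ciphertext, rails=3):
    """Undo a rail fence: rebuild the zigzag, refill it rail by rail, read along it."""
    if rails < 2 or len(ciphertext) <= rails:
        return ciphertext
    # Rail visited at each plaintext position: 0, 1, 2, 1, 0, 1, 2, ...
    cycle = list(range(rails)) + list(range(rails - 2, 0, -1))
    pattern = [cycle[i % len(cycle)] for i in range(len(ciphertext))]
    # The ciphertext is rail 0's characters, then rail 1's, and so on.
    plain = [""] * len(ciphertext)
    chars = iter(ciphertext)
    for rail in range(rails):
        for pos, visited in enumerate(pattern):
            if visited == rail:
                plain[pos] = next(chars)
    return "".join(plain)


def columns_bottom_up(ciphertext, width=5):
    """Write the text row by row into a grid, then read each column upwards."""
    if len(ciphertext) % width:
        raise ValueError("text does not fill the grid")
    rows = [ciphertext[i:i + width] for i in range(0, len(ciphertext), width)]
    return "".join(row[col] for col in range(width) for row in reversed(rows))


if __name__ == "__main__":
    # Lines two and three of the challenge text.
    print(rail_fence_decode("tedtunbhscnprissnaoeoasab"))
    print(columns_bottom_up("hacektpsrnediiahrtartirlf"))
```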


Egg 24 – Your Passport, please
Level: hard
Solutions: 93
Author: PS

Challenge
After another exhausting Easter, Thumper decides to travel abroad for recreation. As a real h4x0r, he of course is using his own, homemade e-passport:

Write a client which connects to the virtual terminal, and fetch the portrait photo stored on Thumper's passport! The virtual terminal is running on: hackyeaster.hacking-lab.com:7777

As a starting point for your client, the following eclipse project is provided:

Solution of daubsi
Ok, ok I confess… I cheated on that one… When I built the cradle project and made everything fly it was apparent that this would become a rather “low level” coding challenge, where you would have to throw the bits and bytes around by talking to the cryptoprocessor of the ID card… But wouldn’t there be a simpler way? I copy/pasted the bytes during initialization that were thrown at me… And immediately found a github project which had code to…. “download a photo from an e passport”!! Wait, what??? Haha! Great stuff! https://github.com/johnjohndoe/ePassLeser


I adapted the code so that it would connect to the hacking lab virtual ID card which took me a couple of minutes, started up the program and…. observed the bytes flying over the screen and 5 seconds later I had the image file on my disc.. Sorry for that…. ;-)

Solution of Morpheuz
We need to authenticate ourselves to read the personal data, including the profile picture. For this, the BAC, Basic Access Control, is applied.


MRZ-Information: P01234567377070762101015
SHA1: e1c4674e9b4cd94227ead2ce476c9578323513ac
Most significant 16 bytes: e1c4674e9b4cd94227ead2ce476c9578

KENC-Unhashed = e1c4674e9b4cd94227ead2ce476c957800000001
KMAC-Unhashed = e1c4674e9b4cd94227ead2ce476c957800000002
KENC-Hashed = 035ab2ef604a7e3bd0b9f8d62379679246e8d752
KMAC-Hashed = 9a22a2d608fb58362276fc42e9f431e12b4f67a7
KENC = 035ab2ef604a7e3bd0b9f8d623796792
KMAC = 9a22a2d608fb58362276fc42e9f431e1

As it turned out, I was overcomplicating things… There is a method on the PassPortService to supply a key:

With a little binwalk-magic I got Thumper's profile picture:
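The BAC key derivation that the listing above walks through (MRZ information, SHA-1, 16-byte seed, counters 1 and 2), as an added example that is not part of the original write-up. The three MRZ fields are read out of the MRZ-Information string above; the function names are this example's own.

```python
import hashlib

WEIGHTS = (7, 3, 1)


def check_digit(field):
    """ICAO 9303 check digit: digits as-is, A-Z = 10..35, '<' = 0, weights 7,3,1."""
    total = 0
    for i, ch in enumerate(field):
        if ch.isdigit():
            value = int(ch)
        elif "A" <= ch <= "Z":
            value = ord(ch) - ord("A") + 10
        elif ch == "<":
            value = 0
        else:
            raise ValueError(f"invalid MRZ character {ch!r}")
        total += value * WEIGHTS[i % 3]
    return str(total % 10)


def mrz_information(doc_number, birth_date, expiry_date):
    """Document number, date of birth and expiry (YYMMDD), each with its check digit."""
    doc_number = doc_number.upper().ljust(9, "<")  # short numbers are '<'-padded
    fields = (doc_number, birth_date, expiry_date)
    return "".join(f + check_digit(f) for f in fields)


def derive_key(k_seed, counter):
    """First 16 bytes of SHA-1(K_seed || 32-bit big-endian counter)."""
    return hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()[:16]


def bac_keys(mrz_info):
    """Return (K_seed, K_enc, K_mac); counter 1 gives K_enc, counter 2 gives K_mac."""
    k_seed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]
    return k_seed, derive_key(k_seed, 1), derive_key(k_seed, 2)


if __name__ == "__main__":
    info = mrz_information("P01234567", "770707", "210101")
    for name, key in zip(("Kseed", "KENC", "KMAC"), bac_keys(info)):
        print(name, key.hex())
```

Like the listing above, this leaves the DES parity bits of the derived keys unadjusted.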


Solution of sunscan
To recover the photo from the password we need to make a BAC (Basic Access Control) against the ePassport and then read the DG (Data Group) 2 where the photo is located.

First we need to change the connect() method of the class HE17Terminal in HE17Terminal.java to connect to the correct server:

Then we need to modify the class JMRTDMain in JMRTDMain.java to read the ePassport using the jMRTD library:

and show the image using the method showImage():


Finally, we can scan the found QR code:
