HackTheBox – Blackhole Write-up

Dear readers,

Today’s post is on a HackTheBox Misc challenge, Blackhole, created on 13th July 2018. It is quite uncommon for me to do a write-up on Misc challenges, as they are usually puzzle-based and no actual technical computing-related knowledge is involved. However, Blackhole requires knowledge of steganography and ciphertexts. Thus, I decided to do a write-up of it. Let’s get started!

Fig 1. Blackhole Misc challenge on HackTheBox

Files given

There is only one file provided without any file extension:

Tools required

Analysis

The challenge description states that the file is a strange file. I decided to open it in 010 hex editor. Immediately, I noticed that it has the JFIF file format, which means it is a JPEG file.

Fig 3a. JFIF file format seen on 010 hex editor

Changing the file extension to .jpg and opening up the file, we can see that it is a photo of Stephen Hawking with a quote from him.

Fig 3b. Challenge’s file when opened in JPEG extension

I decided to look through different templates for the challenge’s file, thinking it might be a funky file format. I found that it matches the file format of a JPEG or of a 16-bit Windows machine. As I have a 64-bit machine, I would have to set up a 32-bit Windows machine in a Virtual Machine (VM) before enabling NTVDM, which is a hassle. Thus, I tried to see if steganography is involved using steghide.

> steghide extract -sf ./hawking.jpg
Enter passphrase: 
wrote extracted data to "flag.txt".

True enough, I was prompted to enter a password. I tried entering the name of the file as the password and it worked! The flag.txt file was extracted.

Looking at the content of the file, it is a base64 string.

> cat ./flag.txt

I decided to decode it once, which gave me another base64 string.

> base64 -d flag.txt
RWZxYnRxeiBJdXh4dW15IFRtaXd1enMgaW1lIG16IFF6c3h1ZXQgZnRxYWRxZnVvbXggYnRrZXVvdWVmLCBvYWV5YXhhc3VlZiwgbXpwIG1nZnRhZCwgaXRhIGltZSBwdWRxb2ZhZCBhciBkcWVxbWRvdCBtZiBmdHEgT3F6ZmRxIHJhZCBGdHFhZHFmdW9teCBPYWV5YXhhc2sgbWYgZnRxIEd6dWhxZGV1ZmsgYXIgT215bmR1cHNxIG1mIGZ0cSBmdXlxIGFyIHR1ZSBwcW1mdC4gVHEgaW1lIGZ0cSBYZ29tZXVteiBCZGFycWVlYWQgYXIgWW1mdHF5bWZ1b2UgbWYgZnRxIEd6dWhxZGV1ZmsgYXIgT215bmR1cHNxIG5xZmlxcXogMTk3OSBtenAgMjAwOS4gVG1pd3V6cyBtb3R1cWhxcCBvYXl5cWRvdW14IGVnb29xZWUgaXVmdCBlcWhxZG14IGlhZHdlIGFyIGJhYmd4bWQgZW91cXpvcSB1eiBpdHVvdCB0cSBwdWVvZ2VlcWUgdHVlIGFpeiBmdHFhZHVxZSBtenAgb2FleWF4YXNrIHV6IHNxenFkbXguIFR1ZSBuYWF3IE0gTmR1cXIgVHVlZmFkayBhciBGdXlxIG1iYnFtZHFwIGF6IGZ0cSBOZHVmdWV0IEVnenBtayBGdXlxZSBucWVmLWVxeHhxZCB4dWVmIHJhZCBtIGRxb2FkcC1uZHFtd3V6cyAyMzcgaXFxd2UuIFRtaXd1enMgaW1lIG0gcnF4eGFpIGFyIGZ0cSBEYWtteCBFYW91cWZrLCBtIHh1cnFmdXlxIHlxeW5xZCBhciBmdHEgQmF6ZnVydW9teCBNb21wcXlrIGFyIEVvdXF6b3FlLCBtenAgbSBkcW91YnVxemYgYXIgZnRxIEJkcWV1cHF6ZnVteCBZcXBteCBhciBSZHFxcGF5LCBmdHEgdHVzdHFlZiBvdWh1eHVteiBtaW1kcCB1eiBmdHEgR3p1ZnFwIEVmbWZxZS4gVXogMjAwMiwgVG1pd3V6cyBpbWUgZG16d3FwIHpneW5xZCAyNSB1eiBmdHEgTk5PXOKAmWUgYmF4eCBhciBmdHEgMTAwIFNkcW1mcWVmIE5kdWZhemUuDQpURk57WjNocURfeDNGX2ZUM19uNGVGbURwNV9TM2ZfSzBnX3AwaVp9IA==

I was quite lost at first and wondered if I had to convert the base64 string into an image. I tried this on both the original base64 string and the newly decoded base64 string, but it did not work.

Finally, I copied the new base64 string into result.txt and decoded it again.

> base64 -d result.txt
Efqbtqz Iuxxumy Tmiwuzs ime mz Qzsxuet ftqadqfuomx btkeuouef, oaeyaxasuef, mzp mgftad, ita ime pudqofad ar dqeqmdot mf ftq Oqzfdq rad Ftqadqfuomx Oaeyaxask mf ftq Gzuhqdeufk ar Omyndupsq mf ftq fuyq ar tue pqmft. Tq ime ftq Xgomeumz Bdarqeead ar Ymftqymfuoe mf ftq Gzuhqdeufk ar Omyndupsq nqfiqqz 1979 mzp 2009. Tmiwuzs motuqhqp oayyqdoumx egooqee iuft eqhqdmx iadwe ar babgxmd eouqzoq uz ituot tq pueogeeqe tue aiz ftqaduqe mzp oaeyaxask uz sqzqdmx. Tue naaw M Nduqr Tuefadk ar Fuyq mbbqmdqp az ftq Ndufuet Egzpmk Fuyqe nqef-eqxxqd xuef rad m dqoadp-ndqmwuzs 237 iqqwe. Tmiwuzs ime m rqxxai ar ftq Dakmx Eaouqfk, m xurqfuyq yqynqd ar ftq Bazfuruomx Mompqyk ar Eouqzoqe, mzp m dqoubuqzf ar ftq Bdqeupqzfumx Yqpmx ar Rdqqpay, ftq tustqef ouhuxumz mimdp uz ftq Gzufqp Efmfqe. Uz 2002, Tmiwuzs ime dmzwqp zgynqd 25 uz ftq NNO\’e baxx ar ftq 100 Sdqmfqef Ndufaze.
TFN{Z3hqD_x3F_fT3_n4eFmDp5_S3f_K0g_p0iZ}

We can see that a string that looks like the flag has appeared. It is quite obvious that it is probably encrypted with a ROT13 variant. Counting from the letter “T” to “H”, there are 14 letters. Therefore, I used rot13.com, set the decryption to ROT14 and it worked!

Flag obtained

Stephen William Hawking was an English theoretical physicist, cosmologist, and author, who was director of research at the Centre for Theoretical Cosmology at the University of Cambridge at the time of his death. He was the Lucasian Professor of Mathematics at the University of Cambridge between 1979 and 2009. Hawking achieved commercial success with several works of popular science in which he discusses his own theories and cosmology in general. His book A Brief History of Time appeared on the British Sunday Times best-seller list for a record-breaking 237 weeks. Hawking was a fellow of the Royal Society, a lifetime member of the Pontifical Academy of Sciences, and a recipient of the Presidential Medal of Freedom, the highest civilian award in the United States. In 2002, Hawking was ranked number 25 in the BBC\’s poll of the 100 Greatest Britons.
HTB{N3veR_l3T_tH3_b4sTaRd5_G3t_Y0u_d0wN}

Flag: HTB{N3veR_l3T_tH3_b4sTaRd5_G3t_Y0u_d0wN}
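The decoding chain above (nested base64 layers, then a shift recovered from the flag prefix), as an added example that is not part of the original post. The function names are hypothetical, the HTB prefix is assumed as known plaintext, and the sample input is constructed from the flag line printed above rather than taken from the real flag.txt:

```python
import base64
import binascii

# Flag line as printed in the write-up after the second base64 decode.
CIPHERTEXT = "TFN{Z3hqD_x3F_fT3_n4eFmDp5_S3f_K0g_p0iZ}"
KNOWN_PREFIX = "HTB"  # assumption: the flag starts with the HTB{ prefix
# Constructed sample: the flag line wrapped in two base64 layers, standing in
# for flag.txt (the real file also carries the enciphered paragraph).
SAMPLE_FLAG_TXT = base64.b64encode(base64.b64encode(CIPHERTEXT.encode()))


def peel_base64(data: bytes, max_layers: int = 10):
    """Remove nested base64 layers; return (payload, layers_removed)."""
    layers = 0
    while data and layers < max_layers:
        compact = b"".join(data.split())  # tolerate line-wrapped input
        try:
            decoded = base64.b64decode(compact, validate=True)
            decoded.decode("utf-8")  # stop if the result is not text
        except (binascii.Error, UnicodeDecodeError):
            break
        data, layers = decoded, layers + 1
    return data, layers


def derive_shift(cipher: str, known: str) -> int:
    """Recover the Caesar shift from a known-plaintext prefix."""
    shifts = {(ord(p) - ord(c)) % 26 for c, p in zip(cipher, known)}
    if len(shifts) != 1:  # letters disagree, so not a single-shift cipher
        raise ValueError("prefix does not fit a single Caesar shift")
    return shifts.pop()


def rot_n(text: str, n: int) -> str:
    """Shift ASCII letters by n, preserving case; leave other characters."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            ch = chr((ord(ch) - base + n) % 26 + base)
        out.append(ch)
    return "".join(out)


def solve(blob: bytes) -> str:
    payload, _ = peel_base64(blob)
    text = payload.decode("utf-8")
    return rot_n(text, derive_shift(text, KNOWN_PREFIX))
```

Checking that every letter of the prefix yields the same shift is what distinguishes a plain ROT-N from another substitution; a mismatch raises instead of producing a wrong decode.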

I hope this post has been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my milk tea addiction. The link is here. 🙂
