Hack the Box Challenge: Art


Hint: Can you find the flag?

Art as in the concept, or the name? Let's find out! I download the zip file using wget then extract is using unzip and the provided password. Seriously? A PNG file? I type in xdg-open art.zip to open the file in Image Viewer.

Oh that's pretty. Looks kind of like a maze with lots of pretty colors. Ok… maybe the flag is hidden using steganography. The file size is 5.4 kB, so probably not, but let's check anyway.

I should probably note at this point, that I am not very good at steganography - luckily there's Google and tools already written that work in Kali. I managed to find two such tools: Steghide and StenoSuite. I'll start with StegoSuite first, so let's get that installed.

apt-get install stegosuite -y

I don't like installing a lot of things at once, I'd rather install one tool, use it first, and if it doesn't meet my needs, uninstall and try another one. I think this comes from my time as a computer tech many years ago. During my troubleshooting days, I'd try one thing at a time trying to solve the problem. This way I could easily keep track of what was done to resolve the issue.

With Stegosuite installed, let's go straight to the man pages.

Looks like it has a very intuitive GUI, so I launch it through the terminal by typing in stegosuite. I load the image file and click Extract. Well at first glance, there's nothing there. It looks like it locked up trying to find anything. I went back to Hack the Box to double-check something. Yeah, there's a whole Stego set of challenges, and this one came from Misc. I'm going to rule out steganography for this challenge. Let's move on.

Ok, so we know there's nothing embedded in that file, now what? If you've been following along with my challenge walkthroughs, you might remember Inferno and the god-awful esoteric language Malbolge. Sigh, let's Google "esoteric programming languages"… holy shit, there's actually a Wikipedia article titled that. I mean I get it, it's fun to make a language to "test the boundaries of computer programming language design". Isn't that the basis of "hacking" - figuring out an unorthodox solution for a complex problem. I started skimming through this article just to see if anything pops out. Wow, the second image for Piet looks familiar. Oh hey, check out the description, it uses bitmaps that looks like abstract… ART. This is a good one HTB, I'll give you this one. Back to Google to search for more information on Piet, perhaps even an online interpreter! Well the first result I find is the webpage of the creator of the language, http://www.dangermouse.net/esoteric/piet.html. I dig around a little and find links to interpreters, it looks like npiet might work for us, since I really don't want to install, configure and figure this language out. I head over to that page, browse for art.png then click Upload and Execute, let's see what happens!

That is so cool! There's the complete flag, that's everything we need to successfully complete this challenge.

This was a tricky one, if you don't know to go searching for esoteric programming languages, you'll be stuck on this one for a long time. It wasn't very tool heavy, it didn't require much in the way of hacking. The one thing it does force you to do is think outside the box - isn't that what hacking is about though? I love it!

Until next time!

Comments

Post a Comment

Popular posts from this blog

Exporting BitLocker Recovery Keys From AD Using PowerShell

In preparation for migrating our workstations over to Microsoft BitLocker Administration Management (MBAM), I wanted to backup the recovery keys for my team's systems since we're testing and implementing it. In order to do this, I needed to write something that would pull in every computer in an OU in AD, then grab the msFVE-RecoveryInformation class for each object. I know, I know... there's better ways to create the PSObject. I've been mired in writing in PowerShell 2.0 to support the Windows XP systems here at the company. I know, I know... yes, we still have Windows XP. Yes, there are plans on moving to a supported OS. No, I don't know when that will be.
Read more

Hack the Box Challenge - Blackhole

Image
It looks like HTB has added a few new Miscellaneous challenges since my last post, time to get back to work! First on my list is Blackhole, a 20 point challenge with a hint of "A strange file has been discovered in Stephen Hawking's computer. Can you discover what it is?" Let's get started! I use wget to download the zip file, then unzip to extract it. After I enter the password, it looks like there's another archive in here, let's try to extract that one as well. Well, according the file manager, it has the folder icon, but when I run the file hawking command, it appears to be a jpeg - let's rename it and see what happens. Using the rename command, mv hawking hawking.jpg changes the extension to a jpeg. Now I can see a picture of Stephen Hawking with a nice quote, "Life would be tragic if it weren't funny." This is probably going to be a stego challenge, awesome! I'll use steghide like I did in the Milkshake challenge,
Read more

Hack the Box Challenge - You Can Do It!

Hint: The flag is in the format HTB{plaintext} Not much in the way of a hint, but let's get this show started! I download the zip file using wget , then extract it using unzip and the password provided. Just like the last Crypto challenge "Classic, yes complicated!", we're given a txt file that contains a "scrambled" string. I'm going to try to use ROT13 again to see if we have any luck. Nope, of course it wouldn't be THAT easy! I see the last character of this string is a "!". That's probably padding, so let's see what we can find. My research didn't find anything with padding, what else could it be? The first letter is "Y" and the last character is "!", same as the challenge name. I bet this is an anagram, off to find an online anagram solver! Searching online was a bust, but I was able to solve it by writing it out and crossing the letters as I used them. Just like the challenge, you can d
Read more