jebidiah-anthony

write-ups and what not

Mind Challenge


PART 1 : GIVEN FILES

  • mind.tar.gz (The file is too big to host…)

$ md5sum mind.tar.gz

  b38fd751f8fc2ccd8dc292ef5285b2d3  mind.tar.gz

$ sha1sum mind.tar.gz

  aa4300366226b596cce3b85e89b30795d6b3e0c3  mind.tar.gz

$ gzip -d mind.tar.gz

$ tar xvf mind.tar

  mind/hint.txt
  mind/To Wanda.txt
  mind/vision

PART 2 : A MESSAGE TO WANDA

The file, To Wanda.txt, contains what the challenge is all about. I cleaned it a little bit so it reads:

If you're reading this, I sacrificed my thoughts and memories to protect the‌‌‌‌‍‬‬‌ Mind Egg.

To protect you.

Doing so will make me forget you and every moment we had together.

But doing so also gives us more time to spend new memories once this is all over.


Love,

Victor
---------------------‌‌‌‌‍‍-------------------------------------------------------------------
Eggshield Agent,

If you're reading this‌‌‌‌‍‬‌, the second part of the secret is in this file. Look closely and do it fast! Bonny Stark and the whole world is waiting.

The first one, well.. if you‌‌‌‌‌'re really from Eggshield you should be able to figure it out. Let's go back in time :)

Once you ‌‌‌‌‍‍‬have the secret, use that to open the deepest part of my memories. My treasures.

Lastly, please do tell the Avengersto take care of Wanda for me.

Till then,
Victor

The secret is split into two parts: one hidden in the file itself, To Wanda.txt, and one in the file vision.

Looking back at the hexdump of the original To Wanda.txt:

$ cat To\ Wanda.txt | xxd -p | tr -d '\n' | fold -w 100

  496620796f752772652072656164696e6720746869732c20492073616372696669636564206d792074686f75676874732061
  6e64206d656d6f7269657320746f2070726f7465637420746865e2808ce2808ce2808ce2808ce2808de280ace280ace2808c
  204d696e64204567672e0a0a546f2070726f7465637420796f752e0a0a446f696e6720736f2077696c6c206d616b65206d65
  20666f7267657420796f7520616e64206576657279206d6f6d656e742077652068616420746f6765746865722e0a0a427574
  20646f696e6720736f20616c736f206769766573207573206d6f72652074696d6520746f207370656e64206e6577206d656d
  6f72696573206f6e6365207468697320697320616c6c206f7665722e0a0a0a4c6f76652c0a0a566963746f720a0ae2808ce2
  808ce2808ce2808ce2808de2808defbbbfefbbbf0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0ae2808ce2808ce2808ce2
  808ce2808de280acefbbbfe2808d0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0ae2808ce2808c
  e2808ce2808ce2808defbbbfe280ace2808d0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a0a
  0a0a0a2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2de2808ce2808ce2808ce2808ce2808de2808defbbbfefbbbf2d2d
  2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d
  2d2d2d2d2d2d2d2d2d2d2d2d2d2d2d0a456767736869656c64204167656e742c0a0a496620796f752772652072656164696e
  672074686973e2808ce2808ce2808ce2808ce2808de280acefbbbfe2808c2c20746865207365636f6e642070617274206f66
  207468652073656372657420697320696e20746869732066696c652e204c6f6f6b20636c6f73656c7920616e6420646f2069
  7420666173742120426f6e6e7920537461726b20616e64207468652077686f6c6520776f726c642069732077616974696e67
  2e0a0a546865206669727374206f6e652c2077656c6c2e2e20696620796f75e2808ce2808ce2808ce2808ce2808cefbbbfe2
  808ce2808c277265207265616c6c792066726f6d20456767736869656c6420796f752073686f756c642062652061626c6520
  746f20666967757265206974206f75742e204c6574277320676f206261636b20696e2074696d65203a290a0a4f6e63652079
  6f7520e2808ce2808ce2808ce2808ce2808defbbbfe2808de280ac6861766520746865207365637265742c20757365207468
  617420746f206f70656e2074686520646565706573742070617274206f66206d79206d656d6f726965732e204d7920747265
  6173757265732e0a0a4c6173746c792c20706c6561736520646f2074656c6c20746865204176656e67657273746f2074616b
  652063617265206f662057616e646120666f72206d652e0a0a54696c6c207468656e2c0a566963746f72e2808ce2808ce280
  8ce2808ce2808cefbbbfe2808cefbbbf

Scattered all over the text are 9 hex strings built from only four UTF-8 byte sequences, e2808c, e2808d, e280ac and efbbbf, which are these Unicode characters:

e2808c : U+200C : ZERO WIDTH NON-JOINER
e2808d : U+200D : ZERO WIDTH JOINER
e280ac : U+202C : POP DIRECTIONAL FORMATTING
efbbbf : U+FEFF : ZERO WIDTH NO-BREAK SPACE

Zero-width characters are non-printing, and a search for how to hide text with them turns up this tool: Unicode Steganography with Zero-Width Characters.

I recreated the process of encoding characters to zero width (for fun’s sake and this writeup) in order to find out how it works:

The zero width characters that will be used are set:

chars = '\u200c\u200d\u202c\ufeff'.split('');
// chars = ['\u200c', '\u200d', '\u202c', '\ufeff'];

Next, the following values are set:

radix = chars.length;
// radix = 4;

codelengthText = Math.ceil(Math.log(65536) / Math.log(radix))
// codelengthText = 8;

var base = '';
for(i = 0; i < codelengthText; i++){ base += '0'; }
// base = '00000000';

Now, to perform the encoding:

charToEncode = 'A';
// FOR EXAMPLE ONLY

var c = charToEncode.charCodeAt(0);
// c = 65;

var d = c.toString(radix);
// d = c.toString(4);
// d = '1001';
// 65 converted from decimal to base 4, as a string of base-4 digits

var result = (base + d).substr(-codelengthText);
// result = ('00000000' + 1001).substr(-8);
// result = '00001001';

var encodedCharacter = '';
for(i=0; i<result.length; i++) { encodedCharacter += chars[result[i]]; }
// encodedCharacter = '\u200c\u200c\u200c\u200c\u200d\u200c\u200c\u200d'
// or in hex:
// encodedCharacter = 'e2808ce2808ce2808ce2808ce2808de2808ce2808ce2808d'

And true enough, reversing the process on the hex strings gathered from the hexdump earlier:

characters = [
    "e2808c e2808c e2808c e2808c e2808d e280ac e280ac e2808c",
    "e2808c e2808c e2808c e2808c e2808d e2808d efbbbf efbbbf",
    "e2808c e2808c e2808c e2808c e2808d e280ac efbbbf e2808d",
    "e2808c e2808c e2808c e2808c e2808d efbbbf e280ac e2808d",
    "e2808c e2808c e2808c e2808c e2808d e2808d efbbbf efbbbf",
    "e2808c e2808c e2808c e2808c e2808d e280ac efbbbf e2808c",
    "e2808c e2808c e2808c e2808c e2808c efbbbf e2808c e2808c",
    "e2808c e2808c e2808c e2808c e2808d efbbbf e2808d e280ac",
    "e2808c e2808c e2808c e2808c e2808c efbbbf e2808c efbbbf"
]

subs = ["e2808c", "e2808d", "e280ac", "efbbbf"]

secret = ""
for i in characters:

    i = i.split(" ")

    for x in range(len(i)):
        i[x] = str(subs.index(i[x]))

    secret += chr(int(''.join(i), 4))

print(secret) # h_my_l0v3

The second part of the secret is revealed to be h_my_l0v3!!
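The same decoding, generalised: as an added example that is not part of the write-up, this pulls the zero-width runs straight out of the text (no hand-copying from a hexdump), reports where they sit, and decodes them 8 symbols at a time; the cover text is constructed, and the encoder is only there to build it and to mirror the JS above.

```python
# Added example (not part of the write-up): find and decode zero-width
# steganography directly in a string, using the challenge's 4-symbol alphabet.
ZW_CHARS = '\u200c\u200d\u202c\ufeff'   # the four symbols the challenge uses
RADIX = len(ZW_CHARS)                    # base 4
CODE_LEN = 8                             # ceil(log(65536) / log(4)) symbols per char

def encode_zw(plaintext: str) -> str:
    """Encode each character as CODE_LEN base-4 digits drawn from ZW_CHARS."""
    out = []
    for ch in plaintext:
        code, digits = ord(ch), []
        for _ in range(CODE_LEN):           # least significant digit first
            digits.append(ZW_CHARS[code % RADIX])
            code //= RADIX
        out.append(''.join(reversed(digits)))
    return ''.join(out)

def find_zw_runs(text: str) -> list:
    """Return (offset, run) for every maximal run of zero-width characters."""
    runs, i = [], 0
    while i < len(text):
        if text[i] not in ZW_CHARS:
            i += 1
            continue
        j = i
        while j < len(text) and text[j] in ZW_CHARS:
            j += 1
        runs.append((i, text[i:j]))
        i = j
    return runs

def decode_zw(text: str) -> str:
    """Join all runs and decode CODE_LEN symbols per char; a trailing partial group is dropped."""
    symbols = ''.join(run for _, run in find_zw_runs(text))
    secret = []
    for k in range(0, len(symbols) - len(symbols) % CODE_LEN, CODE_LEN):
        value = 0
        for s in symbols[k:k + CODE_LEN]:
            value = value * RADIX + ZW_CHARS.index(s)
        secret.append(chr(value))
    return ''.join(secret)

# Constructed cover text: the challenge's second half hidden mid-sentence.
COVER = 'If you are reading this' + encode_zw('h_my_l0v3') + ', look closely.'

if __name__ == '__main__':
    print(find_zw_runs(COVER)[0][0], decode_zw(COVER))   # 23 h_my_l0v3
```

Any non-empty result from find_zw_runs on a plain-text file is itself worth flagging, whatever it decodes to.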


PART 3 : VISION’S MEMORY

Let’s run the file, vision, through volatility to confirm it is a memory dump and gather information about the image:

$ volatility -f vision imageinfo

  Volatility Foundation Volatility Framework 2.6
  INFO    : volatility.debug    : Determining profile based on KDBG search...
            Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418
                       AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                       AS Layer2 : FileAddressSpace (.../mind/vision)
                        PAE type : No PAE
                             DTB : 0x187000L
                            KDBG : 0xf80002c0f0a0L
            Number of Processors : 1
       Image Type (Service Pack) : 1
                  KPCR for CPU 0 : 0xfffff80002c10d00L
               KUSER_SHARED_DATA : 0xfffff78000000000L
             Image date and time : 2020-04-10 14:11:55 UTC+0000
       Image local date and time : 2020-04-10 22:11:55 +0800

According to To Wanda.txt we should "go back in time :)", after which, once the secret is complete, we can open his treasures.

To gather leads, I first listed the running processes with pstree, looking for something I could relate to going back in time:

$ volatility -f vision --dtb=0x187000 --kdbg=0xf80002c0f0a0 --profile=Win7SP1x64 pstree

  Volatility Foundation Volatility Framework 2.6
  Name                                                  Pid   PPid   Thds   Hnds Time
  -------------------------------------------------- ------ ------ ------ ------ ----
  ---omitted---
  . 0xfffffa80036ff770:cmd.exe                         2484    516      1     22 2020-04-10 14:06:58 UTC+0000
  ---omitted---
   0xfffffa8001d82b30:firefox.exe                      2836   2868     75   1383 2020-04-10 14:08:51 UTC+0000
  . 0xfffffa80034f8b30:firefox.exe                     2188   2836     25    350 2020-04-10 14:08:54 UTC+0000
  . 0xfffffa800198cb30:firefox.exe                     2668   2836     11    292 2020-04-10 14:08:53 UTC+0000
  . 0xfffffa8003021060:firefox.exe                     3116   2836     24     65 2020-04-10 14:12:11 UTC+0000
  . 0xfffffa8001934b30:firefox.exe                     3296   2836     34    387 2020-04-10 14:09:26 UTC+0000
  . 0xfffffa8001928b30:firefox.exe                     1332   2836     21    318 2020-04-10 14:08:55 UTC+0000
  . 0xfffffa8003522b30:firefox.exe                     3000   2836     24    334 2020-04-10 14:12:07 UTC+0000
  . 0xfffffa80024ab060:firefox.exe                     4060   2836     27    337 2020-04-10 14:12:04 UTC+0000
  . 0xfffffa800365db30:firefox.exe                     4052   2836     25    353 2020-04-10 14:11:59 UTC+0000
  . 0xfffffa80034e0b30:firefox.exe                     3460   2836     21    318 2020-04-10 14:08:58 UTC+0000
  . 0xfffffa8003282b30:firefox.exe                     1960   2836     28    324 2020-04-10 14:11:02 UTC+0000
  ---omitted---

Two processes, cmd.exe and firefox.exe, caught my attention: if going back in time means looking at "history", these two are prime candidates.

Next, I dumped the process memory of firefox.exe to see if I could find recently accessed web pages:

$ volatility -f vision --dtb=0x187000 --kdbg=0xf80002c0f0a0 --profile=Win7SP1x64 memdump -D ./ -p 2836

  Volatility Foundation Volatility Framework 2.6
  ------------------------------------------------------------------------
  Writing firefox.exe [  2836] to 2836.dmp

$ strings 2836.dmp | grep -e "^http.*treasure" | sort | uniq

  https://s7.addthis.com/static/sh.f48a1a04fe8dbf021b4cda1d.html#rand=0.7661267717714668&iit=1586527975883&tmr=load%3D1586527971495%26core%3D1586527971558%26main%3D1586527975877%26ifr%3D1586527975893&cb=0&cdn=0&md=0&kw=upload%20files%2Cfile%20hosting%2Cfile%20sharing%2Csend%20files&ab=-&dh=uploadfiles.io&dr=&du=https%3A%2F%2Fuploadfiles.io%2Fkiyqnnt9&href=https%3A%2F%2Fuploadfiles.io%2Fkiyqnnt9&dt=Upload%20files%20for%20free%20-%20my_treasures%20-%20Uploadfiles.io&dbg=0&cap=tc%3D0%26ab%3D0&inst=1&jsl=1&prod=undefined&lng=en&ogt=description%2Cimage%2Ctitle%2Curl%2Csite_name%2Ctype%3DFile%20storage%20and%20sharing&pc=men&pub=ra-56b61b1b0db9758f&ssl=1&sid=5e907ee30dfa06af&srf=0.01&ver=300&xck=0&xtr=0&og=type%3DFile%2520storage%2520and%2520sharing%26site_name%3DUpload%2520Files%26url%3Dhttps%253A%252F%252Fuploadfiles.io%26title%3DUpload%2520files%2520for%2520free%2520-%2520my_treasures%2520-%2520Uploadfiles.io%26image%3Dhttps%253A%252F%252Fuploadfiles.io%252Fassets%252Fimg%252Ficons%252Fwidget.svg%26description%3DUpload%2520files%252C%2520for%2520free%252C%2520securely%252C%2520anonymously%252C%2520without%2520limits.%2520%2540UploadFilesFree&csi=undefined&rev=v8.28.3-wp&ct=1&xld=1&xd=1
  https://uploadfiles.io/kiyqnnt9Upload files for free - my_treasures - Uploadfiles.iooi.selifdaolpu.
  https://www.google-analytics.com/collect?v=1&_v=j81&a=894596498&t=timing&_s=2&dl=https%3A%2F%2Fuploadfiles.io%2Fkiyqnnt9&ul=en-gb&de=UTF-8&dt=Upload%20files%20for%20free%20-%20my_treasures%20-%20Uploadfiles.io&sd=24-bit&sr=2240x1400&vp=2007x1289&je=0&plt=7996&pdt=0&dns=0&rrt=0&srt=333&tcp=0&dit=6184&clt=7092&_gst=8001&_gbt=8556&_u=AACAAEAB~&jid=&gjid=&cid=1925544683.1586512461&tid=UA-73416834-1&_gid=1259732472.1586512461&z=1308647110

I found a URL that lets you download a file, my_treasures:

mind my treasures

Once downloaded:

$ file my_treasures

  my_treasures: Zip archive data, at least v2.0 to extract

$ unzip my_treasures

  Archive:  my_treasures
  [my_treasures] mytreasures/00b7580c843db8b527c63f0d44496101.raw password:

It’s asking for a password but we only have the second part of the secret; however, we haven’t checked cmd.exe yet:

$ volatility -f vision --dtb=0x187000 --kdbg=0xf80002c0f0a0 --profile=Win7SP1x64 cmdscan

  Volatility Foundation Volatility Framework 2.6
  --------------------------------------------------
  CommandProcess: conhost.exe Pid: 2936
  CommandHistory: 0x6d140 Application: cmd.exe Flags: Allocated, Reset
  CommandCount: 5 LastAdded: 4 LastDisplayed: 4
  FirstCommand: 0 CommandCountMax: 50
  ProcessHandle: 0x60
  Cmd 0 @ 0x6bbc0: cd C:\Users
  Cmd #1 @ 0x6bbe0: cd vshade
  Cmd #2 @ 0x6bc00: cd Desktop
  Cmd #3 @ 0x4d050: echo "MUlPdVg1dTsybDJldW9MPSg/SkJGIy11bURKc2AvQDdHMyU3ODczKEByMg=="
  Cmd #4 @ 0x4d2f0: winpmem-2.1.post4.exe -o output.aff4
  Cmd #15 @ 0x30158: 
  Cmd #16 @ 0x6c2b0: 
  --------------------------------------------------
  CommandProcess: conhost.exe Pid: 2936
  CommandHistory: 0x71e00 Application: winpmem-2.1.post4.exe Flags: Allocated
  CommandCount: 0 LastAdded: -1 LastDisplayed: -1
  FirstCommand: 0 CommandCountMax: 50
  ProcessHandle: 0x8c

$ echo MUlPdVg1dTsybDJldW9MPSg/SkJGIy11bURKc2AvQDdHMyU3ODczKEByMg== | base64 -d

  1IOuX5u;2l2euoL=(?JBF#-umDJs`/@7G3%7873(@r2

The decoded base64 looks like gibberish, but we almost forgot the hint.txt that came with the challenge:

$ cat hint.txt

  def -> 58 -> 85 -> 64 -> ?

Since the string we found in the memory dump was base64 encoded and the last number in the hint is 64, this must be the sequence of encodings applied to the first part of the secret, which we undo in reverse:

mind hint

We now have the first and second halves of the secret — sc4rl37_w1tch_my_l0v3!!
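The same chain in Python, as an added example that is not part of the write-up: a small base58 codec (the standard library has none) plus the ASCII85 and base64 stages, run on the string recovered with cmdscan. It assumes the Bitcoin base58 alphabet and standard '!'..'u' ASCII85; the decoder raises rather than guessing if a stage does not yield valid input for the next.

```python
# Added example (not part of the write-up): undo the hint.txt chain
# "def -> 58 -> 85 -> 64" in reverse, i.e. base64 -> base85 -> base58.
import base64

# Bitcoin-style base58 alphabet (no 0, O, I, l); the stdlib has no base58.
B58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'

def b58encode(data: bytes) -> str:
    n, out = int.from_bytes(data, 'big'), ''
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    # each leading zero byte is written as a leading '1'
    return '1' * (len(data) - len(data.lstrip(b'\x00'))) + out

def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        if ch not in B58:          # the previous stage did not yield base58
            raise ValueError(f'{ch!r} is not a base58 digit')
        n = n * 58 + B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, 'big') if n else b''
    return b'\x00' * (len(text) - len(text.lstrip('1'))) + body

def encode_hint_chain(secret: bytes) -> str:
    """Apply the chain in the order hint.txt lists it: 58, then 85, then 64."""
    stage58 = b58encode(secret).encode('ascii')
    stage85 = base64.a85encode(stage58)       # standard '!'..'u' ASCII85
    return base64.b64encode(stage85).decode('ascii')

def decode_hint_chain(b64: str) -> bytes:
    """Undo it: base64 -> ASCII85 -> base58 -> original bytes."""
    stage85 = base64.b64decode(b64)
    stage58 = base64.a85decode(stage85).decode('ascii')
    return b58decode(stage58)

# The string echoed in the cmd.exe history, exactly as cmdscan showed it.
PAGE_B64 = 'MUlPdVg1dTsybDJldW9MPSg/SkJGIy11bURKc2AvQDdHMyU3ODczKEByMg=='

if __name__ == '__main__':
    print(decode_hint_chain(PAGE_B64).decode('ascii', 'replace'))
```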


PART 4 : GETTING THE FLAG

Using the secret to extract the contents of my_treasures:

$ unzip my_treasures

  Archive:  my_treasures
  [my_treasures] mytreasures/00b7580c843db8b527c63f0d44496101.raw password: sc4rl37_w1tch_my_l0v3
  ---omitted---

A lot of files are extracted, but one of them has a longer filename than the others:

$ ls -Al

  ---omitted---
  -rwxrwxrwx 1 jebidiah jebidiah    9082 Apr 10 16:44 e1eb1281e3015390f37b03f0282b6623.raw
  -rwxrwxrwx 1 jebidiah jebidiah    1976 Apr 10 16:44 e24ff82569798c5e4b9fa1bb424404e8.raw
  -rwxrwxrwx 1 jebidiah jebidiah   31287 Apr 10 17:21 e25463c82c609c52547f8f1523ff47833b6.raw
  -rwxrwxrwx 1 jebidiah jebidiah  279411 Apr 10 17:24 e26bbe7ada21e4e5e18bbc9bd974796c.raw
  -rwxrwxrwx 1 jebidiah jebidiah    6695 Apr 10 16:44 e2899df66e8851d71d599f3576d41894.raw
  ---omitted---

When opened, it gives us an egg with a QR code:

e25463c82c609c52547f8f1523ff47833b6

Which when scanned gives us the flag!!


FLAG : rc_easter{y0u_c0uld_n3veR_huRt_m3_I_ju57_f33l_y0u}