Hackland
Difficuity - Easy
š Hacklandā¦ Letās check this really quick guys. There are some really weird files on Hacksparoās desktop. Letās find out what is really hiding from us. This room is about learning about zip files and how to uncover secrets in a zip file. Letās get started.
TASK 1# Note
- Note: Some browsers may flag these files as malicious because they are in ZIP format.
- it is not maliciousā¦
Q1: Are you ready
- Answer: No answer need
Task 2# Werid Image
The first file is an weird image saying:
āW3lc0m3 to th3 H4ckl4nd. The king Hacksparo left his treasure somewhere. Please find it before pirates do. I believe in you, h4ckerm4n.ā
Q1: please find that treasure
- Okay, letās find the treasure. First, letās start by downloading the file onto our machine.
- It is a zip file to unzip it use:
-
After the file is unzipped, we can see it is an image. We can use many tools here, but I love Stegseek. It is a command-line tool used for detecting hidden data, such as text or files, concealed within image files through steganography techniques. Letās check for hidden data in the image and specify a word list.
-
Got the hidden message from the image, which is encoded in Base64. Letās decode it all (we can use many online tools to decode Base64 data), and we found the first flag. bangš
- Answer: hacksparo{golds_diamonds_money_buy_a_buggati_h4ckerman}
Task 3# find the secret
I think the second file contains some secret. Iām curious to know that secret
Q1: what is Hacksparoās secret
- Downloading the second files
- Letās unzip the file; it has a 3 of files.
- Letās focus on the āprivate_key.ascā file first. Weāll use a tool called āgpg2johnā (which is used to extract hash data) so extract the hash data from the file and save it.
- Using john to crack the hash we get the password
- Now we can easily decrypt the GPG file found when we unzip the main file because without the password we canāt decrypt it. Now that we know the password, letās decrypt it.
- That unveils Hacksparoās secret, but it is a Base64-encoded message. We also get a hash for the root password. Letās decode the message and crack the root password.
- Decoding the Base64 message gives us one part of the flag. Now letās crack the root password.
- Save the hash and crack it with john
-
ššš Spongebob nah i love rick and morty.
-
Answer: hacksparo{is_a_bigfun_of_spongebob}
Task 3# FInd one piece
I know he is a big fan of One Piece, but the third file looks like a CTF. Play the CTF and find the One Piece.
Q: what is the one piece flag
- Download the file and let file one piece flag.
- Unzipping the zip file provides us with a password list and a Base64-encoded message.
- Decoding the Base64 message gives us another zip.
- save it with a file extension.zip
-
To crack the zip file, I used a tool that I found on GitHub called ZIP-Password-Cracker A simple Python script to crack ZIP Passwords. The script uses a mask attack which encompasses both bruteforce and dictionary attacks.
-
Using the command e.g:
python3 PyZIP-Crack.py -zip Example2.zip -wordlist rockyou.txt
- Answer: Hacksparo{L0fiStr@wHatP1r@tes_OnTre@sureIsland_Crew2024}
And we are done, guys! We found everything that Hacksparo is hiding from us.
ALL Flags:
- hacksparo{golds_diamonds_money_buy_a_buggati_h4ckerman}
- hacksparo{is_a_bigfun_of_spongebob}
- Hacksparo{L0fiStr@wHatP1r@tes_OnTre@sureIsland_Crew2024}
Thatās all, friends. Thank you for reading up to this point. I would like to hear your feedback on anything not clear here. Here is my Twitter account @T3chnocr4t. Feel free to DM me if you have any issues with my write-up. Thanks!