Note to fellow-HTBers: Only write-ups of retired HTB machines or challenges are allowed.

Challenge info

Blackhole [by ice3man]
A strange file has been discovered in Stephen Hawking’s computer. Can you discover what it is?

The challenge

We start off by downloading the Blackhole.zip file and verifying its SHA-256 checksum against the hash displayed on the challenge page.

$ echo "7eb770ee9fdadaccfa2dda10895c1eb3f10a572025e99eac2c01d4ea23ee904a Blackhole.zip" | sha256sum -c -
Blackhole.zip: OK

We then proceed to unzip this file using the password provided on the challenge page.

$ unzip Blackhole.zip 
Archive:  Blackhole.zip
[Blackhole.zip] archive.zip password: 
 extracting: archive.zip

This zip contains another zip “archive.zip” which we’ll also unzip. There’s no password on this zip.

$ unzip -l archive.zip 
Archive: archive.zip
 Length   Date  Time  Name
--------- ---------- -----  ----
  60382 2018-06-16 12:47  hawking
---------           -------
  60382           1 file

$ unzip archive.zip 
Archive: archive.zip
 inflating: hawking

This zip contains a file, which appears to be an image. Opening it shows a picture of a quote by Stephen Hawking.
Note that on Windows and certain Linux distros it appears that the image is inflated as an empty folder. This already reveals there’s something “special” with this image.

$ file hawking 
hawking: JPEG image data, JFIF standard 1.01, aspect ratio, density 72x72, segment length 16, baseline, precision 8, 794x579, components 3
$ xdg-open hawking
Picture of Stephen Hawking included in the zip file

Since we seem to be dealing with a case of steganography, we’ll use steghide in an attempt to extract the hidden data. I attempt a few passwords related to the challenge: blackhole, hawking.

$ steghide info hawking -p hawking
"hawking":
  format: jpeg
  capacity: 3.3 KB
  embedded file "flag.txt":
    size: 1.6 KB
    encrypted: rijndael-128, cbc
    compressed: yes

$ steghide extract -sf hawking -p hawking
wrote extracted data to "flag.txt".

The content of flag.txt looks like base64 encoded data. Decoding this, the result still looks like base64 encoded data (double encoded).

$ cat flag.txt 

$ base64 -d flag.txt 

$ base64 -d flag.txt | base64 -d -
Efqbtqz Iuxxumy Tmiwuzs ime mz Qzsxuet ftqadqfuomx btkeuouef, oaeyaxasuef, mzp mgftad, ita ime pudqofad ar dqeqmdot mf ftq Oqzfdq rad Ftqadqfuomx Oaeyaxask mf ftq Gzuhqdeufk ar Omyndupsq mf ftq fuyq ar tue pqmft. Tq ime ftq Xgomeumz Bdarqeead ar Ymftqymfuoe mf ftq Gzuhqdeufk ar Omyndupsq nqfiqqz 1979 mzp 2009. Tmiwuzs motuqhqp oayyqdoumx egooqee iuft eqhqdmx iadwe ar babgxmd eouqzoq uz ituot tq pueogeeqe tue aiz ftqaduqe mzp oaeyaxask uz sqzqdmx. Tue naaw M Nduqr Tuefadk ar Fuyq mbbqmdqp az ftq Ndufuet Egzpmk Fuyqe nqef-eqxxqd xuef rad m dqoadp-ndqmwuzs 237 iqqwe. Tmiwuzs ime m rqxxai ar ftq Dakmx Eaouqfk, m xurqfuyq yqynqd ar ftq Bazfuruomx Mompqyk ar Eouqzoqe, mzp m dqoubuqzf ar ftq Bdqeupqzfumx Yqpmx ar Rdqqpay, ftq tustqef ouhuxumz mimdp uz ftq Gzufqp Efmfqe. Uz 2002, Tmiwuzs ime dmzwqp zgynqd 25 uz ftq NNO\’e baxx ar ftq 100 Sdqmfqef Ndufaze.
TFN{Z3hqD_x3F_fT3_n4eFmDp5_S3f_K0g_p0iZ}

After double-decoding the flag.txt, we retrieve some text that appears to contain the flag (see syntax at the end) but which seems to still be encoded somehow as it doesn’t follow the proper Hack the Box flag syntax: HTB{S0m3_t3xt}.

My first guess would be that this is ROT13 encoded, as you can clearly see distinct words with recurrences of certain letters.
However, this results in more garbage output.

Perhaps this is still encoded using a Caesar cipher, but using a different number of shifts?
Let’s try a decoder that does ROT1-25 as I’m too lazy to do frequency analysis to figure out the actual “shift distance”.
You can find such a decoder at https://tech.pookey.co.uk/non-wp/rot-decoder.php.
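The frequency analysis skipped above can also be done offline; the following is an added example, not part of the original write-up or the challenge. It scores every rotation of an excerpt of the decoded flag.txt against English letter frequencies and cross-checks the result with the known HTB{ flag prefix. The function names and the frequency table are choices made for this example.

```python
import string
from collections import Counter

# Approximate relative letter frequencies of English text, in percent (a..z).
ENGLISH_FREQ = dict(zip(string.ascii_lowercase, [
    8.167, 1.492, 2.782, 4.253, 12.702, 2.228, 2.015, 6.094, 6.966,
    0.153, 0.772, 4.025, 2.406, 6.749, 7.507, 1.929, 0.095, 5.987,
    6.327, 9.056, 2.758, 0.978, 2.360, 0.150, 1.974, 0.074]))

# One sentence and the flag line taken from the double-decoded flag.txt above.
CIPHER_PROSE = ("Tq ime ftq Xgomeumz Bdarqeead ar Ymftqymfuoe mf ftq "
                "Gzuhqdeufk ar Omyndupsq nqfiqqz 1979 mzp 2009.")
CIPHER_FLAG = "TFN{Z3hqD_x3F_fT3_n4eFmDp5_S3f_K0g_p0iZ}"


def rot(text, shift):
    """Rotate ASCII letters forward by `shift`; digits and symbols are untouched."""
    lo, up = string.ascii_lowercase, string.ascii_uppercase
    table = str.maketrans(lo + up,
                          lo[shift:] + lo[:shift] + up[shift:] + up[:shift])
    return text.translate(table)


def chi_squared(text):
    """Distance between the letter histogram of `text` and English (lower is closer)."""
    letters = [c for c in text.lower() if c in ENGLISH_FREQ]
    if not letters:
        return float("inf")
    counts, n = Counter(letters), len(letters)
    return sum((counts[l] - n * f / 100) ** 2 / (n * f / 100)
               for l, f in ENGLISH_FREQ.items())


def shift_by_frequency(ciphertext):
    """Try ROT1..ROT25 and return the shift whose output looks most like English."""
    return min(range(1, 26), key=lambda s: chi_squared(rot(ciphertext, s)))


def shift_by_crib(ciphertext, crib="HTB{"):
    """Return the shift that maps the start of `ciphertext` onto a known prefix."""
    for s in range(1, 26):
        if rot(ciphertext, s).startswith(crib):
            return s
    return None


if __name__ == "__main__":
    shift = shift_by_frequency(CIPHER_PROSE)
    print("ROT%d:" % shift, rot(CIPHER_PROSE, shift))
    print("crib agrees:", shift_by_crib(CIPHER_FLAG) == shift)
```

Frequency scoring needs a reasonable amount of natural-language text to be reliable, which is why the shift is derived from the prose sentence and only then applied to the leetspeak flag line.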

Getting the flag

The output next to ROT14 is actually readable and has a flag following the correct syntax.

Stephen William Hawking was an English theoretical physicist, cosmologist, and author, who was director of research at the Centre for Theoretical Cosmology at the University of Cambridge at the time of his death. He was the Lucasian Professor of Mathematics at the University of Cambridge between 1979 and 2009. Hawking achieved commercial success with several works of popular science in which he discusses his own theories and cosmology in general. His book A Brief History of Time appeared on the British Sunday Times best-seller list for a record-breaking 237 weeks. Hawking was a fellow of the Royal Society, a lifetime member of the Pontifical Academy of Sciences, and a recipient of the Presidential Medal of Freedom, the highest civilian award in the United States. In 2002, Hawking was ranked number 25 in the BBC\’s poll of the 100 Greatest Britons.
HTB{N3veR_l3T_tH3_b4sTaRd5_G3t_Y0u_d0wN}