Note to fellow-HTBers: Only write-ups of retired HTB machines or challenges are allowed.

Challenge info

Crooked Crockford [by sx02089]
Some bits are missing.

The challenge

We start off by downloading the Crooked_Crockford.zip file and verifying its SHA-256 sum against the hash displayed on the challenge page.

$ echo "41a427e48b765325d40be361b312e1a727e8266b4651c22259956e5c47c39788 Crooked_Crockford.zip" | sha256sum -c -
Crooked_Crockford.zip: OK

We then proceed to unzip this file using the password provided on the challenge page.

$ unzip Crooked_Crockford.zip 
Archive:  Crooked_Crockford.zip
[Crooked_Crockford.zip] crooked_crockford.txt password: 
  inflating: crooked_crockford.txt

This text file contains a series of ‘r’ and ‘,’ characters.

$ cat crooked_crockford.txt 
r,,,,rr,rr,r,rr,r,,,,,rr,rr,r,r,,r,r,rr,,,,rr,,rr,rrr,,,r,,,r,,r,rr,,,r,r,,rrr,r,,,,r,,,,,rr,r,rr,r,,r,rrr,,rrr,r,,,r,,r,,rrr,r,,r,,,,rr,rr,r,,,,,rr,r,rrrr,,r,rrr,,r,rr

This looks like encoded data.

At first I thought this could be Morse code, with ‘r’ perhaps standing for long and ‘,’ for short beeps, but the use of the letter ‘r’ for this wouldn’t make sense. Also, there’s no clear separation between words.

It would make more sense if this were binary data. For now, we’ll assume that ‘r’ stands for a 1 and ‘,’ for a 0.

$ cat crooked_crockford.txt | sed -e 's/r/1/g' | sed 's/,/0/g'
100001101101011010000011011010100101011000011001101110001000100101100010100111010000100000110101101001011100111010001001001110100100001101101000001101011110010111001011

Searching online for the challenge name brings us to a page on dcode.fr about the Crockford Base32 encoding.

It looks like we first need to turn these bits into ASCII characters and then convert those using the Crockford decoder.

Note that ASCII can be 7 bits long. So let’s split the converted data into 7-bit chunks and decode them to ASCII using another tool on dcode.fr.

$ cat crooked_crockford.txt | sed -e 's/r/1/g' | sed 's/,/0/g'| fold -w7
1000011
0110101
1010000
0110110
1010010
1011000
0110011
0111000
1000100
1011000
1010011
1010000
1000001
1010110
1001011
1001110
1000100
1001110
1001000
0110110
1000001
1010111
1001011
1001011

# C5P6RX38DXSPAVKNDNH6AWKK

We then return to the Crockford decoder, which decodes this string to:

allthosenumbers
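
Both decoding steps can also be reproduced offline. The following Python script is an added example, not part of the original write-up: the function names are illustrative, and it assumes the Crockford string is treated as a plain bit stream of 5-bit symbols, with any leftover bits at the end discarded.

```python
# Added example: 'r'/',' -> bits -> 7-bit ASCII -> Crockford Base32 -> bytes.
CROCKFORD_ALPHABET = "0123456789ABCDEFGHJKMNPQRSTVWXYZ"
# Crockford decoding is case-insensitive and maps look-alike letters to digits.
ALIASES = {"O": "0", "I": "1", "L": "1"}

# Content of crooked_crockford.txt as shown in this write-up.
CHALLENGE_TEXT = "r,,,,rr,rr,r,rr,r,,,,,rr,rr,r,r,,r,r,rr,,,,rr,,rr,rrr,,,r,,,r,,r,rr,,,r,r,,rrr,r,,,,r,,,,,rr,r,rr,r,,r,rrr,,rrr,r,,,r,,r,,rrr,r,,r,,,,rr,rr,r,,,,,rr,r,rrrr,,r,rrr,,r,rr"


def to_bits(text: str) -> str:
    """Map 'r' -> 1 and ',' -> 0 (the write-up's assumption); reject anything else."""
    text = text.strip()
    unexpected = set(text) - {"r", ","}
    if unexpected:
        raise ValueError(f"unexpected characters: {sorted(unexpected)}")
    return text.replace("r", "1").replace(",", "0")


def bits_to_ascii(bits: str, width: int = 7) -> str:
    """Split the bit string into fixed-width chunks and read each as one character."""
    if len(bits) % width:
        raise ValueError(f"{len(bits)} bits is not a multiple of {width}")
    return "".join(chr(int(bits[i:i + width], 2)) for i in range(0, len(bits), width))


def crockford_decode(encoded: str) -> bytes:
    """Decode Crockford Base32 as a bit stream; hyphens are optional separators."""
    bits = ""
    for ch in encoded.upper().replace("-", ""):
        value = CROCKFORD_ALPHABET.find(ALIASES.get(ch, ch))
        if value < 0:
            raise ValueError(f"{ch!r} is not a Crockford Base32 symbol")
        bits += format(value, "05b")
    usable = len(bits) - len(bits) % 8  # drop trailing bits that do not fill a byte
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def solve(text: str = CHALLENGE_TEXT) -> str:
    """Run the full chain and return the decoded plaintext."""
    return crockford_decode(bits_to_ascii(to_bits(text))).decode("ascii")


if __name__ == "__main__":
    print(bits_to_ascii(to_bits(CHALLENGE_TEXT)))
    print(solve())
```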

Getting the flag

Let’s wrap this to follow the Hack The Box flag syntax: HTB{S0m3_t3xt}.

HTB{allthosenumbers}