Note to fellow-HTBers: Only write-ups of retired HTB machines or challenges are allowed.
Challenge info ¶
Crooked Crockford [by sx02089]
Some bits are missing.
The challenge ¶
We start of by downloading the Crooked_Crockford.zip file and verifying it’s sha256sum with the hash displayed on the challenge page.
$ echo "41a427e48b765325d40be361b312e1a727e8266b4651c22259956e5c47c39788 Crooked_Crockford.zip" | sha256sum -c - Crooked_Crockford.zip: OK
We then proceed to unzip this file using the password provided on the challenge page.
$ unzip Crooked_Crockford.zip Archive: Crooked_Crockford.zip [Crooked_Crockford.zip] crooked_crockford.txt password: inflating: crooked_crockford.txt
This text file contains a series of ‘r’ and ‘,’ characters.
$ cat crooked_crockford.txt r,,,,rr,rr,r,rr,r,,,,,rr,rr,r,r,,r,r,rr,,,,rr,,rr,rrr,,,r,,,r,,r,rr,,,r,r,,rrr,r,,,,r,,,,,rr,r,rr,r,,r,rrr,,rrr,r,,,r,,r,,rrr,r,,r,,,,rr,rr,r,,,,,rr,r,rrrr,,r,rrr,,r,rr
This looks like some data that was being encoded.
At first I thought this could be morse code, with ‘r’ perhaps standing for long and ‘,’ for short beeps, but the use of the letter ‘r’ for this wouldn’t make sense. Also, there’s no clear separation between words.
It would make more sense if this is binary data. We’ll for now assume that ‘r’ stands for a 1 and ‘,’ for a 0.
$ cat crooked_crockford.txt | sed -e 's/r/1/g' | sed 's/,/0/g' 100001101101011010000011011010100101011000011001101110001000100101100010100111010000100000110101101001011100111010001001001110100100001101101000001101011110010111001011
Using some online searches using the challenge name brings us to page on dcode.fr about the Crockford base32 encoding.
It looks like we need to get some ASCII characters and then convert those using the Crockford decoder.
Note that ASCII can be 7 bits long. So let’s split this converted data into 7 bit chunks and decode to ASCII using another encoder on dcode.fr.
$ cat crooked_crockford.txt | sed -e 's/r/1/g' | sed 's/,/0/g'| fold -w7 1000011 0110101 1010000 0110110 1010010 1011000 0110011 0111000 1000100 1011000 1010011 1010000 1000001 1010110 1001011 1001110 1000100 1001110 1001000 0110110 1000001 1010111 1001011 1001011 # C5P6RX38DXSPAVKNDNH6AWKK
We then return to the Crockford decoder
Getting the flag ¶
Let’s fix this to follow the Hack The Box flag syntax: