Note to fellow-HTBers: Only write-ups of retired HTB machines or challenges are allowed.

Challenge info

misDIRection [by incidrthreat ]
During an assessment of a unix system the HTB team found a suspicious directory. They looked at everything within but couldn’t find any files with malicious intent.

The challenge

We start off by downloading the misDIRection.zip file and verifying its sha256sum against the hash displayed on the challenge page.

$ echo "31e8e4bd7838c4731831ceb5ca42e2b94430c241aea0cf2814ef8e9bd53c5043 misDIRection.zip" | sha256sum -c -
misDIRection.zip: OK

We then unzip the file using the password provided on the challenge page. This gives us a whole directory structure with many folders and a handful of files.

$ unzip misDIRection.zip 
Archive:  misDIRection.zip
   creating: .secret/
   creating: .secret/S/
[misDIRection.zip] .secret/S/1 password: 
 extracting: .secret/S/1             
   creating: .secret/V/
 extracting: .secret/V/35            
   creating: .secret/F/
 extracting: .secret/F/2             
 extracting: .secret/F/19            
 extracting: .secret/F/27            
   creating: .secret/o/
   creating: .secret/H/
   creating: .secret/A/
   creating: .secret/f/
   creating: .secret/r/
   creating: .secret/m/
   creating: .secret/B/
 extracting: .secret/B/23            
   creating: .secret/a/
   creating: .secret/O/
   creating: .secret/h/
   creating: .secret/t/
   creating: .secret/2/
 extracting: .secret/2/34            
   creating: .secret/7/
   creating: .secret/R/
 extracting: .secret/R/7             
 extracting: .secret/R/3             
   creating: .secret/b/
   creating: .secret/z/
 extracting: .secret/z/18            
   creating: .secret/j/
 extracting: .secret/j/10            
 extracting: .secret/j/12            
   creating: .secret/P/
   creating: .secret/y/
   creating: .secret/d/
 extracting: .secret/d/13            
   creating: .secret/Y/
   creating: .secret/q/
   creating: .secret/c/
   creating: .secret/6/
   creating: .secret/8/
   creating: .secret/U/
 extracting: .secret/U/9             
   creating: .secret/p/
 extracting: .secret/p/32            
   creating: .secret/W/
   creating: .secret/N/
 extracting: .secret/N/25            
 extracting: .secret/N/11            
 extracting: .secret/N/31            
 extracting: .secret/N/33            
   creating: .secret/g/
   creating: .secret/n/
   creating: .secret/e/
 extracting: .secret/e/5             
   creating: .secret/1/
 extracting: .secret/1/30            
 extracting: .secret/1/22            
   creating: .secret/s/
 extracting: .secret/s/24            
   creating: .secret/i/
   creating: .secret/3/
   creating: .secret/I/
   creating: .secret/D/
 extracting: .secret/D/26            
   creating: .secret/X/
 extracting: .secret/X/29            
 extracting: .secret/X/21            
 extracting: .secret/X/17            
   creating: .secret/Z/
   creating: .secret/4/
   creating: .secret/k/
   creating: .secret/9/
 extracting: .secret/9/36            
   creating: .secret/J/
 extracting: .secret/J/8             
   creating: .secret/C/
 extracting: .secret/C/4             
   creating: .secret/v/
   creating: .secret/M/
   creating: .secret/0/
 extracting: .secret/0/6             
   creating: .secret/G/
   creating: .secret/E/
 extracting: .secret/E/14            
   creating: .secret/Q/
   creating: .secret/K/
   creating: .secret/5/
 extracting: .secret/5/16            
   creating: .secret/x/
 extracting: .secret/x/15            
   creating: .secret/l/
   creating: .secret/u/
 extracting: .secret/u/20            
 extracting: .secret/u/28            
   creating: .secret/L/
   creating: .secret/T/
   creating: .secret/w/

Notice how the folder names form an alphanumeric “alphabet” of 0-9, a-z and A-Z, and how some folders contain files while others are empty.

$ ls -l .secret/
total 0
drwxr-xr-x 1 user user  2 May  2  2018 0
drwxr-xr-x 1 user user  8 May  2  2018 1
drwxr-xr-x 1 user user  4 May  2  2018 2
drwxr-xr-x 1 user user  0 May  2  2018 3
drwxr-xr-x 1 user user  0 May  2  2018 4
drwxr-xr-x 1 user user  4 May  2  2018 5
drwxr-xr-x 1 user user  0 May  2  2018 6
drwxr-xr-x 1 user user  0 May  2  2018 7
drwxr-xr-x 1 user user  0 May  2  2018 8
drwxr-xr-x 1 user user  4 May  2  2018 9
drwxr-xr-x 1 user user  0 May  2  2018 a
drwxr-xr-x 1 user user  0 May  2  2018 A
drwxr-xr-x 1 user user  0 May  2  2018 b
drwxr-xr-x 1 user user  4 May  2  2018 B
drwxr-xr-x 1 user user  0 May  2  2018 c
drwxr-xr-x 1 user user  2 May  2  2018 C
drwxr-xr-x 1 user user  4 May  2  2018 d
drwxr-xr-x 1 user user  4 May  2  2018 D
drwxr-xr-x 1 user user  2 May  2  2018 e
drwxr-xr-x 1 user user  4 May  2  2018 E
drwxr-xr-x 1 user user  0 May  2  2018 f
drwxr-xr-x 1 user user 10 May  2  2018 F
drwxr-xr-x 1 user user  0 May  2  2018 g
drwxr-xr-x 1 user user  0 May  2  2018 G
drwxr-xr-x 1 user user  0 May  2  2018 h
drwxr-xr-x 1 user user  0 May  2  2018 H
drwxr-xr-x 1 user user  0 May  2  2018 i
drwxr-xr-x 1 user user  0 May  2  2018 I
drwxr-xr-x 1 user user  8 May  2  2018 j
drwxr-xr-x 1 user user  2 May  2  2018 J
drwxr-xr-x 1 user user  0 May  2  2018 k
drwxr-xr-x 1 user user  0 May  2  2018 K
drwxr-xr-x 1 user user  0 May  2  2018 l
drwxr-xr-x 1 user user  0 May  2  2018 L
drwxr-xr-x 1 user user  0 May  2  2018 m
drwxr-xr-x 1 user user  0 May  2  2018 M
drwxr-xr-x 1 user user  0 May  2  2018 n
drwxr-xr-x 1 user user 16 May  2  2018 N
drwxr-xr-x 1 user user  0 May  2  2018 o
drwxr-xr-x 1 user user  0 May  2  2018 O
drwxr-xr-x 1 user user  4 May  2  2018 p
drwxr-xr-x 1 user user  0 May  2  2018 P
drwxr-xr-x 1 user user  0 May  2  2018 q
drwxr-xr-x 1 user user  0 May  2  2018 Q
drwxr-xr-x 1 user user  0 May  2  2018 r
drwxr-xr-x 1 user user  4 May  2  2018 R
drwxr-xr-x 1 user user  4 May  2  2018 s
drwxr-xr-x 1 user user  2 May  2  2018 S
drwxr-xr-x 1 user user  0 May  2  2018 t
drwxr-xr-x 1 user user  0 May  2  2018 T
drwxr-xr-x 1 user user  8 May  2  2018 u
drwxr-xr-x 1 user user  2 May  2  2018 U
drwxr-xr-x 1 user user  0 May  2  2018 v
drwxr-xr-x 1 user user  4 May  2  2018 V
drwxr-xr-x 1 user user  0 May  2  2018 w
drwxr-xr-x 1 user user  0 May  2  2018 W
drwxr-xr-x 1 user user  4 May  2  2018 x
drwxr-xr-x 1 user user 12 May  2  2018 X
drwxr-xr-x 1 user user  0 May  2  2018 y
drwxr-xr-x 1 user user  0 May  2  2018 Y
drwxr-xr-x 1 user user  4 May  2  2018 z
drwxr-xr-x 1 user user  0 May  2  2018 Z

The file names in these folders are numbers. Look closer and notice that they form the numeric range 1 to 36, each number appearing exactly once.

$ find .secret/ -type f | sort -t/ -k3,3 -n
.secret/S/1
.secret/F/2
.secret/R/3
.secret/C/4
.secret/e/5
.secret/0/6
.secret/R/7
.secret/J/8
.secret/U/9
.secret/j/10
.secret/N/11
.secret/j/12
.secret/d/13
.secret/E/14
.secret/x/15
.secret/5/16
.secret/X/17
.secret/z/18
.secret/F/19
.secret/u/20
.secret/X/21
.secret/1/22
.secret/B/23
.secret/s/24
.secret/N/25
.secret/D/26
.secret/F/27
.secret/u/28
.secret/X/29
.secret/1/30
.secret/N/31
.secret/p/32
.secret/N/33
.secret/2/34
.secret/V/35
.secret/9/36

What would we get if we took the folder name of every file, ordered by file number? Remember that the folder names appear to form an alphabet.
Let’s use find to list the files, sort (with some key magic) to order them by number, and sed to extract the folder names. tr will help in removing the newlines.

$ find .secret/ -type f | sort -t/ -k3,3 -n | sed -e 's/.*\/\(.\)\/.*/\1/' >> secret.txt
$ tr -d '\n' < secret.txt 
SFRCe0RJUjNjdEx5XzFuX1BsNDFuX1NpN2V9

This string doesn’t appear to be the flag, that would’ve been too easy :)

Let’s check whether this is some sort of hash.
Note that Kali/ParrotOS have hashid and/or hash-identifier installed, but I usually get more results using the online version.

$ hash-identifier 
   #########################################################################
   #	 __  __ 		    __		 ______    _____	   #
   #	/\ \/\ \		   /\ \ 	/\__  _\  /\  _ `\	   #
   #	\ \ \_\ \     __      ____ \ \ \___	\/_/\ \/  \ \ \/\ \	   #
   #	 \ \  _  \  /'__`\   / ,__\ \ \  _ `\	   \ \ \   \ \ \ \ \	   #
   #	  \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \	    \_\ \__ \ \ \_\ \	   #
   #	   \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/	   #
   #	    \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.1 #
   #								 By Zion3R #
   #							www.Blackploit.com #
   #						       Root@Blackploit.com #
   #########################################################################

   -------------------------------------------------------------------------
 HASH: SFRCe0RJUjNjdEx5XzFuX1BsNDFuX1NpN2V9

 Not Found.

   -------------------------------------------------------------------------

$ hashid "SFRCe0RJUjNjdEx5XzFuX1BsNDFuX1NpN2V9"
Analyzing 'SFRCe0RJUjNjdEx5XzFuX1BsNDFuX1NpN2V9'
[+] Unknown hash
$ hashid -e SFRCe0RJUjNjdEx5XzFuX1BsNDFuX1NpN2V9
Analyzing 'SFRCe0RJUjNjdEx5XzFuX1BsNDFuX1NpN2V9'
[+] BigCrypt
Online Hash Analyzer

Note how the online Hash Analyzer hints that this might be a base64 encoded string…

Getting the flag

Let’s base64 decode the “hash” we discovered:

$ base64 -d secret.txt 
HTB{DIR3ctLy_1n_Pl41n_Si7e}
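The same recovery done in Python, as an added example that is not part of the original write-up: it rebuilds the .secret/ layout from the file list shown in the find output above, orders the files by their numeric name, joins the parent directory names and base64-decodes the result. It also rejects duplicate or missing positions, which the one-liner silently ignores. The tree is constructed in a temporary directory, so no challenge files are needed.

```python
import base64
import os
import tempfile

# Paths taken from the write-up's `find` output: each file's name is its
# position in the message, its parent directory's name is the character.
FILE_PATHS = """S/1 F/2 R/3 C/4 e/5 0/6 R/7 J/8 U/9 j/10 N/11 j/12 d/13 E/14
x/15 5/16 X/17 z/18 F/19 u/20 X/21 1/22 B/23 s/24 N/25 D/26 F/27 u/28
X/29 1/30 N/31 p/32 N/33 2/34 V/35 9/36""".split()


def build_sample_tree() -> str:
    """Recreate the .secret/ layout in a temp dir (constructed from the list above)."""
    root = os.path.join(tempfile.mkdtemp(), ".secret")
    for rel in FILE_PATHS:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()          # the files themselves are empty
    for d in "aAbTZ":                    # a few of the empty decoy directories
        os.makedirs(os.path.join(root, d), exist_ok=True)
    return root


def recover_message(root: str) -> str:
    """Walk root, order files by their numeric name, join the parent dir names."""
    slots = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.isdigit():       # ignore anything that is not a position index
                continue
            idx = int(name)
            if idx in slots:
                raise ValueError(f"position {idx} appears twice")
            slots[idx] = os.path.basename(dirpath)
    expected = range(1, len(slots) + 1)
    missing = sorted(set(expected) - slots.keys())
    if missing:
        raise ValueError(f"gaps in sequence at positions {missing}")
    return "".join(slots[i] for i in expected)


def decode_flag(message: str) -> str:
    """The recovered text is base64; add padding in case the last group is short."""
    padded = message + "=" * (-len(message) % 4)
    return base64.b64decode(padded, validate=True).decode("ascii")


if __name__ == "__main__":
    msg = recover_message(build_sample_tree())
    print(msg)               # SFRCe0RJUjNjdEx5XzFuX1BsNDFuX1NpN2V9
    print(decode_flag(msg))  # HTB{DIR3ctLy_1n_Pl41n_Si7e}
```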