Link for the room: https://tryhackme.com/room/cicada3301vol1
There are a lot of stories surrounding Cicada 3301, and this room was inspired by these mysterious crypto challenges.
Let’s start:
Initially we are provided with 2 files:
Analyzing 3301.wav
We used https://www.sonicvisualiser.org/ for analyzing the 3301.wav file.
We can process the audio waves from it, and with a couple of steps we retrieve:
Only a minor tweak to change the color so it’s legible for QR scanners:
The QR code led us to a site with some information in it.
We decode the given passphrase/key from base 64 with the following commands:
[user@parrot/thm-cicada 17:58]$echo SG01Ul80X1A0NTVtaHA0NTMh | base64 -d
[user@parrot/thm-cicada 18:00]$echo Q2ljYWRh | base64 -d
After some testing, we used the Vigenere Cipher (https://www.dcode.fr/vigenere-cipher)
There were no results trying to decrypt, so I tried encrypting it again with Vigenere, and the l33t password appeared!
Analyzing welcome.jpg
1.- Hidden information inside welcome.jpg:
For this file, we need to uncover some hidden data (Steganography). There is no information in the metadata, so we “unhide” a useful string using the passphrase given and the online tool https://futureboy.us/stegano/, which is itself a link again.
2.- Embedded file inside welcome.jpg
There is another file embedded into our welcome.jpg file, and we can uncover it with:
Extracting this invitation.txt file:
Cracking the hidden hash
Following the link given in the previous step, we download the next image in it and try to retrieve hidden information from our new 85*.jpg file with “steghide”, but the passphrase is now invalid 🤔
In the Cicada 3301 challenges, the tool used was named outguess, so we can test a new approach on this file with it, using the -r switch, which retrieves hidden messages from files:
We now have something to work with. (hash deliberately cut in image to avoid spoiling)
We also now have some instructions to decode a secret message in “a book”. Let’s see what we end up cracking; we still don’t know what that “book” is.
Ran John the Ripper to try to crack the hash…
While we wait, let’s try an online tool. No results at crackstation.net, so we move on to https://md5hashing.net/
(Image deliberately cut to avoid spoiling)
Enough with decoding, let’s encode!
Now, following the link, we arrive at this book:
…But we already know what to do with this, as our “out.txt” has some hints to proceed with this 🤔
The instructions are as follows:
“Use positive integers to go forward in the text use negative integers to go backwards in the text.”
And the “codes” to proceed read as follows:
I:13:1
I:14:7
I:3:29
I:19:8
… And so on
This is a perfect time to practice some python, so we can make a script and “decode” our secret message (Code shared below):
Bingo! That’s our link
Nope, I don’t think that’s it. Back to vim.
In case you want to try it this way, here’s some explanation of this poorly written program:
I saved both the book and the “keys” of our “out.txt” file with some simple formatting (some simple character substitutions) so it’s easier to process with python:
The dots at the beginning of each paragraph of the book (“13. The book…”) were changed to “~” so I don’t have trouble splitting with python.
Also, the keys were saved in a new file, with the format “number:number”, also to avoid splitting issues.
secret = ""
for code in codes:
if "/" in code:
secret += "/"
else:
dig = code.split(":")
code_index = dig[0]
code_key = dig[1]
with open('book.txt','r') as book:
for line in book:
divided = line.split("~")
index = divided[0]
text = divided[1]
text = text.replace(" ","")
if index == code_index:
if int(code_key) < 0:
code_key = int(code_key) + 2
secret += line[int(code_key)]
breaktry:
secret += text[int(code_key)-1]
break
except IndexError:
breakprint(secret)
For the strings we needed to encode, the instruction “Use positive integers to go forward in the text use negative integers to go backwards in the text.” meant that negative integers count backwards from the start of the string, into the initial paragraph numbers (so -2 in the paragraph “53.This shall regenerate” is 5, not “t”).
This script was completely unnecessary because there were only 19 lines to “encode” and it could’ve been done perfectly fine with the naked eye, but it was a fun character-handling experiment.
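A cleaner decoder for the same codes, written as an added example (not the author's script) that reads the paragraph number digits from the end for negative offsets, which is my reading of the -2 → 5 example above, and so works for paragraph numbers of any length. The sample book and code list are constructed, and it accepts both the original “I:13:1” form and the reformatted “13:1” form:

```python
# Book-cipher decoder for the "paragraph:offset" codes in out.txt (added example).
# Positive offset n: the n-th character of the paragraph text, spaces ignored, from 1.
# Negative offset: counts backwards from the start of the text into the paragraph
# number, so -1 is its last digit and -2 the digit before ("53. This shall" -> "5").
import re
PARAGRAPH_RE = re.compile(r"^\s*(\d+)\.\s*(.*)$")  # "13. The book ..." -> ("13", "The book ...")

def parse_book(book_text):
    """Map paragraph number -> (number as a string, text with spaces removed)."""
    book = {}
    for line in book_text.splitlines():
        m = PARAGRAPH_RE.match(line)
        if not m:
            continue  # blank lines or lines without a paragraph number are skipped
        number, text = m.groups()
        book[number] = (number, text.replace(" ", ""))
    return book

def lookup(book, paragraph, offset):
    """Return the character a (paragraph, offset) code points at, or None if out of range."""
    if paragraph not in book:
        return None
    number, text = book[paragraph]
    if offset > 0:
        return text[offset - 1] if offset <= len(text) else None
    if offset < 0:
        return number[offset] if -offset <= len(number) else None
    return None  # offset 0 is not defined by the instructions

def decode_codes(book, codes):
    """Decode codes written as 'I:13:1', '13:1' or '/' into the hidden string."""
    out = []
    for code in codes:
        code = code.strip()
        if "/" in code:  # slash entries are copied through literally (URL separators)
            out.append("/")
            continue
        fields = code.split(":")
        paragraph, offset = fields[-2], int(fields[-1])
        ch = lookup(book, paragraph, offset)
        out.append(ch if ch is not None else "?")  # flag unresolved codes instead of crashing
    return "".join(out)

# Constructed sample book (not the challenge's text) exercising both offset directions.
SAMPLE_BOOK = "1. Hello world\n2. Book ciphers\n\n53. This shall regenerate\n"

def demo():
    """Decode a constructed code list against SAMPLE_BOOK; expected result: 'Hc/53T'."""
    return decode_codes(parse_book(SAMPLE_BOOK), ["I:1:1", "I:2:5", "/", "53:-2", "53:-1", "I:53:1"])
```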
This leads to the last piece of this Cicada 3301 puzzle: with our final link open, there is nothing else to retrieve from it, except for some plaintext.
Poor John the Ripper is still trying to crack the hash... I forgot it :)