Blackhole is a miscellaneous challenge in hackthebox which requires me to download a file and to find the flag within the file, this post document the process of finding the flag but the flag will not be revealed in this post.

1. Unzip the package

It is a nested zipped package.

At first glance it seemed to be a binary, to check the file type use file hawking


2. Extract the steganographic file

To extract the steganographic file steghide extract -sf hawking, the extraction requires a passphrase which I have made a correct guest, the passphrase is the name of the image file.

Decipher flag.txt

The steganographic extraction produced a flag.txt which has encoded contents.
Base64 has three characteristics:

  1. The total length of the base64 string is divisible by 4.
  2. Base64 uses these [a-zA-Z0-9+/]
  3. The = is always padded at the end of the entire base64 string

In Linux I can use base64 --decode flag.txt, but I am using a python script to recursively decode the flag.txt content.

import base64

file = "/root/htb/blackhole/flag.txt"  # change your abs path or filename here.

def isbase64(b64_str: bytes) -> bool:
    Check if object byte is base64 or not.
    :param b64_str: base64 string byte
    :return: true or false
        return base64.b64encode(base64.b64decode(b64_str)) == b64_str
    except Exception:
        return False

with open(file, "r") as f:
    data = f.read()

data_byte = data.strip().encode("utf-8")
while isbase64(data_byte):
    data_byte = base64.b64decode(data_byte)

After I run my python script the following string is produced.
Efqbtqz Iuxxumy Tmiwuzs ime mz Qzsxuet ftqadqfuomx btkeuouef, oaeyaxasuef, mzp mgftad, ita ime pudqofad ar dqeqmdot mf ftq Oqzfdq rad Ftqadqfuomx Oaeyaxask mf ftq Gzuhqdeufk ar Omyndupsq mf ftq fuyq ar tue pqmft. Tq ime ftq Xgomeumz Bdarqeead ar Ymftqymfuoe mf ftq Gzuhqdeufk ar Omyndupsq nqfiqqz 1979 mzp 2009. Tmiwuzs motuqhqp oayyqdoumx egooqee iuft eqhqdmx iadwe ar babgxmd eouqzoq uz ituot tq pueogeeqe tue aiz ftqaduqe mzp oaeyaxask uz sqzqdmx. Tue naaw M Nduqr Tuefadk ar Fuyq mbbqmdqp az ftq Ndufuet Egzpmk Fuyqe nqef-eqxxqd xuef rad m dqoadp-ndqmwuzs 237 iqqwe. Tmiwuzs ime m rqxxai ar ftq Dakmx Eaouqfk, m xurqfuyq yqynqd ar ftq Bazfuruomx Mompqyk ar Eouqzoqe, mzp m dqoubuqzf ar ftq Bdqeupqzfumx Yqpmx ar Rdqqpay, ftq tustqef ouhuxumz mimdp uz ftq Gzufqp Efmfqe. Uz 2002, Tmiwuzs ime dmzwqp zgynqd 25 uz ftq NNO\’e baxx ar ftq 100 Sdqmfqef Ndufaze.

There is a flag inside but it is not HTB{flag} format, so this string is a ciphertext.

Caesar cipher

I recommend to use Caesar Cipher Calculator which has all the ROT, the results will be distributed amongst the ROT.

From the calculation result it is found that ROT14 has the HTB flag.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s