Info
  • Name: Adventures Of Kencypher
  • OS: Linux
  • Difficulty: Beginner Friendly
  • Points: 720
  • Link: TryHackMe
  • Description: challanges on web, crypto, stego and OSINT

 

 

 

Task 1 - Green Day Was My First Rock OSINT

 

To gather OSINT on the author Waleed Amjad , a quick search for “Kencypher” on Google yields his LinkedIn, Medium, and Youtube profiles, providing all the necessary information.

 

OSINT - 1

 

Find Kencypher Linkedin Profile Whats Username?

Answer: Waleed

 


 

OSINT - 2

 

Which University Kencypher Studies?

Answer: Muhammad Nawaz Shareef University of Agriculture, Multan

 


OSINT - 3

 

What Is Name Of First Blog Written By Kencypher?

Answer: Time Is A Myth

 


OSINT - 4

 

How Many Blogs Has He Published So Far?

Answer: 14

 


OSINT - 5

 

Did The XSS Rat Interviewed Kencypher?

Answer: Yes

 


 

OSINT - 6

 

Kencypher Has Youtube Channel What Is Title Of His First Video?

Answer: Introduction Of TryHackMe and Channel In Urdu

 

 

 


Task 2 - Jurassic Crypto

 

Crypto - 1

WVZOQ2EySXpaSFZpUnpsb1drZFdhMGxJU21oaVUwSXpZVWRXZFVsSGEyZGtNa1o2U1VSWlBRPT0= it is a nested base64 code I used Cyberchef to decode it

base64

 


Answer: i downloaded ram when i was 6


 

Crypto - 2

a61ae0b2c69dacd329d4c216da959665c9d94b5935a47368af02c102e922e209

Well Its Something About BestFriend Perhaps Its A Key

the hint suggested “RC2 Key Was Given In Question” so I again used Cyberchef rc2 decrypt with key “BestFriend” to decrypt it

rc2

 

 


Answer: First Best Friend Was Abdullah


 

Crypto - 3

$G678 %?KC y?7 +C8?J7J9E q2 !3G2 +?AFG2C the hint suggested “Rotatory 47 And Rotatory 13 Combined To Form A Duo” so I first used rot-47 then rot-13

Untitled

 

 


Answer: First Game Was Metalslug On Coin Machine


 

Crypto - 4

-- -.--
..-. .- ...- --- ..- .-. .. - .
- --- -.--
.-- .- ...
-.-- --- -.-- ---

again used Cyberchef and converted from morse

morse

 

 


Answer: MY FAVOURITE TOY WAS YOYO


 

Crypto - 5

++++++++++[>+>+++>+++++++>++++++++++««-]»>++++++++.>+++++.——.++++++++.+++.————-.++++++++++++.——–.«++.>—–.>++++++++++++++.«.>++++++++++++++.++++++++++.>——-..+++++++++++++.

for this one I did not knew what it is so I used Cipher Identifier which suggested it is an encryption called brainfuck

Untitled

so I used Brainfuck Interpreter to decode it

Untitled

 

 


Answer: Nickname Is Wally


 

Crypto - 6

Well This Is Big Program With Key “cartoon”

00100011 01101001 01101110 01100011 01101100 01110101 01100100 01100101 00100000 00111100 01101001 01101111 01110011 01110100 01110010 01100101 01100001 01101101 00111110 00001010 00100011 01101001 01101110 01100011 01101100 01110101 01100100 01100101 00100000 00111100 01110011 01110100 01110010 01101001 01101110 01100111 00111110 00001010 00100011 01101001 01101110 01100011 01101100 01110101 01100100 01100101 00100000 00111100 01100001 01101100 01100111 01101111 01110010 01101001 01110100 01101000 01101101 00111110 00001010 00001010 01110101 01110011 01101001 01101110 01100111 00100000 01101110 01100001 01101101 01100101 01110011 01110000 01100001 01100011 01100101 00100000 01110011 01110100 01100100 00111011 00001010 00001010 01110011 01110100 01110010 01101001 01101110 01100111 00100000 01100101 01101110 01100011 01110010 01111001 01110000 01110100 00101000 01110011 01110100 01110010 01101001 01101110 01100111 00100000 01101101 01110011 01100111 00101100 00100000 01110011 01110100 01110010 01101001 01101110 01100111 00100000 01101011 01100101 01111001 00101001 00100000 01111011 00001010 00100000 00100000 00100000 00100000 01110011 01110100 01110010 01101001 01101110 01100111 00100000 01100101 01101110 01100011 01110010 01111001 01110000 01110100 01100101 01100100 01011111 01101101 01110011 01100111 00100000 00111101 00100000 00100010 00100010 00111011 00001010 00100000 00100000 00100000 00100000 01101001 01101110 01110100 00100000 01101010 00100000 00111101 00100000 00110000 00111011 00001010 00100000 00100000 00100000 00100000 01100110 01101111 01110010 00100000 00101000 01101001 01101110 01110100 00100000 01101001 00100000 00111101 00100000 00110000 00111011 00100000 01101001 00100000 00111100 00100000 01101101 01110011 01100111 00101110 01101100 01100101 01101110 01100111 01110100 01101000 00101000 00101001 00111011 00100000 01101001 00101011 00101011 00101001 00100000 01111011 00001010 00100000 00100000 00100000 00100000 00100000 00100000 00100000 00100000 01100101 01101110 01100011 01110010 01111001 01110000 01110100 01100101 01100100 01011111 01101101 01110011 01100111 00100000 00101011 00111101 00100000 01101101 01110011 01100111 01011011 01101001 01011101 00100000 01011110 00100000 01101011 01100101 01111001 01011011 01101010 01011101 00111011 00001010 00100000 00100000 00100000 00100000 00100000 00100000 00100000 00100000 01101010 00100000 00111101 00100000 00101000 01101010 00100000 00101011 00100000 00110001 00101001 00100000 00100101 00100000 01101011 01100101 01111001 00101110 01101100 01100101 01101110 01100111 01110100 01101000 00101000 00101001 00111011 00001010 00100000 00100000 00100000 00100000 01111101 00001010 00100000 00100000 00100000 00100000 01110010 01100101 01110100 01110101 01110010 01101110 00100000 01100101 01101110 01100011 01110010 01111001 01110000 01110100 01100101 01100100 01011111 01101101 01110011 01100111 00111011 00001010 01111101 00001010 00001010 01110011 01110100 01110010 01101001 01101110 01100111 00100000 01100100 01100101 01100011 01110010 01111001 01110000 01110100 00101000 01110011 01110100 01110010 01101001 01101110 01100111 00100000 01101101 01110011 01100111 00101100 00100000 01110011 01110100 01110010 01101001 01101110 01100111 00100000 01101011 01100101 01111001 00101001 00100000 01111011 00001010 00100000 00100000 00100000 00100000 01110011 01110100 01110010 01101001 01101110 01100111 00100000 01100100 01100101 01100011 01110010 01111001 01110000 01110100 01100101 01100100 01011111 01101101 01110011 01100111 00100000 00111101 00100000 00100010 00100010 00111011 00001010 00100000 00100000 00100000 00100000 01101001 01101110 01110100 00100000 01101010 00100000 00111101 00100000 00110000 00111011 00001010 00100000 00100000 00100000 00100000 01100110 01101111 01110010 00100000 00101000 01101001 01101110 01110100 00100000 01101001 00100000 00111101 00100000 00110000 00111011 00100000 01101001 00100000 00111100 00100000 01101101 01110011 01100111 00101110 01101100 01100101 01101110 01100111 01110100 01101000 00101000 00101001 00111011 00100000 01101001 00101011 00101011 00101001 00100000 01111011 00001010 00100000 00100000 00100000 00100000 00100000 00100000 00100000 00100000 01100100 01100101 01100011 01110010 01111001 01110000 01110100 01100101 01100100 01011111 01101101 01110011 01100111 00100000 00101011 00111101 00100000 01101101 01110011 01100111 01011011 01101001 01011101 00100000 01011110 00100000 01101011 01100101 01111001 01011011 01101010 01011101 00111011 00001010 00100000 00100000 00100000 00100000 00100000 00100000 00100000 00100000 01101010 00100000 00111101 00100000 00101000 01101010 00100000 00101011 00100000 00110001 00101001 00100000 00100101 00100000 01101011 01100101 01111001 00101110 01101100 01100101 01101110 01100111 01110100 01101000 00101000 00101001 00111011 00001010 00100000 00100000 00100000 00100000 01111101 00001010 00100000 00100000 00100000 00100000 01110010 01100101 01110100 01110101 01110010 01101110 00100000 01100100 01100101 01100011 01110010 01111001 01110000 01110100 01100101 01100100 01011111 01101101 01110011 01100111 00111011 00001010 01111101 00001010 00001010 01101001 01101110 01110100 00100000 01101101 01100001 01101001 01101110 00101000 00101001 00100000 01111011 00001010 00100000 00100000 00100000 00100000 01110011 01110100 01110010 01101001 01101110 01100111 00100000 01110000 01110010 01101111 01101101 01110000 01110100 00100000 00111101 00100000 00100010 01011100 01111000 00110100 01100100 01011100 01111000 00110111 00111001 01011100 01111000 00110010 00110000 01011100 01111000 00110100 00110110 01011100 01111000 00110110 00110001 01011100 01111000 00110111 00110110 01011100 01111000 00110010 00110000 01011100 01111000 00110100 00110011 01011100 01111000 00110110 00110001 01011100 01111000 00110111 00110010 01011100 01111000 00110111 00110100 01011100 01111000 00110110 01100110 01011100 01111000 00110110 01100110 01011100 01111000 00110110 01100101 01011100 01111000 00110010 00110000 01011100 01111000 00110100 00111001 01011100 01111000 00110111 00110011 01011100 01111000 00110010 00110000 01011100 01111000 00110100 00110010 01011100 01111000 00110110 00110101 01011100 01111000 00110110 01100101 01011100 01111000 00110010 00110000 01011100 01111000 00110011 00110001 01011100 01111000 00110011 00110000 00100010 00111011 00001010 00100000 00100000 00100000 00100000 01110011 01110100 01110010 01101001 01101110 01100111 00100000 01101011 01100101 01111001 00100000 00111101 00100000 00100010 01100011 01100001 01110010 01110100 01101111 01101111 01101110 00100010 00111011 00001010 00100000 00100000 00100000 00100000 01110011 01110100 01110010 01101001 01101110 01100111 00100000 01100101 01101110 01100011 01110010 01111001 01110000 01110100 01100101 01100100 01011111 01110000 01110010 01101111 01101101 01110000 01110100 00100000 00111101 00100000 01100101 01101110 01100011 01110010 01111001 01110000 01110100 00101000 01110000 01110010 01101111 01101101 01110000 01110100 00101100 00100000 01101011 01100101 01111001 00101001 00111011 00001010 00100000 00100000 00100000 00100000 01110011 01110100 01110010 01101001 01101110 01100111 00100000 01101001 01101110 01110000 01110101 01110100 01011111 01101011 01100101 01111001 00111011 00001010 00100000 00100000 00100000 00100000 01100011 01101111 01110101 01110100 00100000 00111100 00111100 00100000 00100010 01000101 01101110 01110100 01100101 01110010 00100000 01110100 01101000 01100101 00100000 01101011 01100101 01111001 00111010 00100000 00100010 00111011 00001010 00100000 00100000 00100000 00100000 01100011 01101001 01101110 00100000 00111110 00111110 00100000 01101001 01101110 01110000 01110101 01110100 01011111 01101011 01100101 01111001 00111011 00001010 00100000 00100000 00100000 00100000 01110100 01110010 01100001 01101110 01110011 01100110 01101111 01110010 01101101 00101000 01101001 01101110 01110000 01110101 01110100 01011111 01101011 01100101 01111001 00101110 01100010 01100101 01100111 01101001 01101110 00101000 00101001 00101100 00100000 01101001 01101110 01110000 01110101 01110100 01011111 01101011 01100101 01111001 00101110 01100101 01101110 01100100 00101000 00101001 00101100 00100000 01101001 01101110 01110000 01110101 01110100 01011111 01101011 01100101 01111001 00101110 01100010 01100101 01100111 01101001 01101110 00101000 00101001 00101100 00100000 00111010 00111010 01110100 01101111 01101100 01101111 01110111 01100101 01110010 00101001 00111011 00001010 00100000 00100000 00100000 00100000 01101001 01100110 00100000 00101000 01101001 01101110 01110000 01110101 01110100 01011111 01101011 01100101 01111001 00100000 00111101 00111101 00100000 01101011 01100101 01111001 00101001 00100000 01111011 00001010 00100000 00100000 00100000 00100000 00100000 00100000 00100000 00100000 01110011 01110100 01110010 01101001 01101110 01100111 00100000 01100100 01100101 01100011 01110010 01111001 01110000 01110100 01100101 01100100 01011111 01110000 01110010 01101111 01101101 01110000 01110100 00100000 00111101 00100000 01100100 01100101 01100011 01110010 01111001 01110000 01110100 00101000 01100101 01101110 01100011 01110010 01111001 01110000 01110100 01100101 01100100 01011111 01110000 01110010 01101111 01101101 01110000 01110100 00101100 00100000 01101011 01100101 01111001 00101001 00111011 00001010 00100000 00100000 00100000 00100000 00100000 00100000 00100000 00100000 01100011 01101111 01110101 01110100 00100000 00111100 00111100 00100000 01100100 01100101 01100011 01110010 01111001 01110000 01110100 01100101 01100100 01011111 01110000 01110010 01101111 01101101 01110000 01110100 00100000 00111100 00111100 00100000 01100101 01101110 01100100 01101100 00111011 00001010 00100000 00100000 00100000 00100000 01111101 00001010 00100000 00100000 00100000 00100000 01100101 01101100 01110011 01100101 00100000 01111011 00001010 00100000 00100000 00100000 00100000 00100000 00100000 00100000 00100000 01100011 01101111 01110101 01110100 00100000 00111100 00111100 00100000 00100010 01000111 01100101 01110100 00100000 01110100 01101000 01100101 00100000 01101000 01100101 01101100 01101100 00100000 01101111 01110101 01110100 01110100 01100001 00100000 01101000 01100101 01110010 01100101 00100001 00100010 00100000 00111100 00111100 00100000 01100101 01101110 01100100 01101100 00111011 00001010 00100000 00100000 00100000 00100000 01111101 00001010 00100000 00100000 00100000 00100000 01110010 01100101 01110100 01110101 01110010 01101110 00100000 00110000 00111011 00001010 01111101 00001010

 

Converted from binary using Cyberchef

 

Output C program

#include <iostream>
#include <string>
#include <algorithm>

using namespace std;

string encrypt(string msg, string key) {
    string encrypted_msg = "";
    int j = 0;
    for (int i = 0; i < msg.length(); i++) {
        encrypted_msg += msg[i] ^ key[j];
        j = (j + 1) % key.length();
    }
    return encrypted_msg;
}

string decrypt(string msg, string key) {
    string decrypted_msg = "";
    int j = 0;
    for (int i = 0; i < msg.length(); i++) {
        decrypted_msg += msg[i] ^ key[j];
        j = (j + 1) % key.length();
    }
    return decrypted_msg;
}

int main() {
    string prompt = "\x4d\x79\x20\x46\x61\x76\x20\x43\x61\x72\x74\x6f\x6f\x6e\x20\x49\x73\x20\x42\x65\x6e\x20\x31\x30";
    string key = "cartoon";
    string encrypted_prompt = encrypt(prompt, key);
    string input_key;
    cout << "Enter the key: ";
    cin >> input_key;
    transform(input_key.begin(), input_key.end(), input_key.begin(), ::tolower);
    if (input_key == key) {
        string decrypted_prompt = decrypt(encrypted_prompt, key);
        cout << decrypted_prompt << endl;
    }
    else {
        cout << "Get the hell outta here!" << endl;
    }
    return 0;
}

 

We were given a lengthy binary string which, upon conversion, produced a C program. After compiling and running the program, it prompted us for a key, which we found in the description to be “cartoon”. Upon providing the correct key, the program outputted the following message: “My Fav Cartoon Is Ben 10”.

 

 


Answer: My Fav Cartoon Is Ben 10


 

 

Task 3 - GTA Steg

GTA Was My First Game. It Was GTA Sandreas. “Ahh Shit Here We Go Again”. I Have Some Images From This Memory Sequence. Gather All The Fragments. download challenge files here

gta

 

 

Steg - 1

 

Who Is Character In Image1.jpg?

The Character In Image is the Main Antagonist Of This Game named Big Smoke

 


Answer: Big Smoke


 

Steg - 2

 

What Is Content Of Grains.txt?

the grains.txt is embedded in the gym.jpg file we can extract the hidden data using steghide

┌──(kali㉿iasad)-[~/CTFs/tryhackme/kencipher/gta]
└─$ steghide extract -sf gym.jpg      
Enter passphrase: 
wrote extracted data to "grains.txt".

┌──(kali㉿iasad)-[~/CTFs/tryhackme/kencipher/gta]
└─$ cat grains.txt 
People Are Temporary Grains Are Eternal

 


Answer: People Are Temporary Grains Are Eternal


 

Steg - 3

 

What Is Content Of America.txt?

Passphrase Is Name Of Final Mission Of This Game

again the data can be extracted with steghide. this time The Passphrase Is Name Of Final Mission Of This Game which is End of the Line

┌──(kali㉿iasad)-[~/CTFs/tryhackme/kencipher/gta]
└─$ steghide extract -sf guns.jpg 
Enter passphrase: 
wrote extracted data to "america.txt".

┌──(kali㉿iasad)-[~/CTFs/tryhackme/kencipher/gta]
└─$ cat america.txt 
Same Place I Buy My Pants Homes This Is America

 


Answer: Same Place I Buy My Pants Homes This Is America


 

Steg - 4

 

Look Inside Gang.jpg

I looked into it using string command and found this

┌──(kali㉿iasad)-[~/CTFs/tryhackme/kencipher/gta]
└─$ cat gang.jpg
Exif
0210
"PUo520a
U\d\}GG
/=*Y
nu7V
337]
0Dh.
:)ii;
LlpsQ99
Welcome To Sanandreas Im CJ From Groove Street

 


Answer: Welcome To Sanandreas Im CJ From Groove Street


 

Steg - 5

 

What Is Object In police.tar.gz?

by looking the filetype using file command I found out that it is a jpg not a tar

so I just changed the extension and opened it

┌──(kali㉿iasad)-[~/CTFs/tryhackme/kencipher/gta]
└─$ file police.tar.gz 
police.tar.gz: JPEG image data, JFIF standard 1.01, aspect ratio

mv police.tar.gz police.jpg

 


Answer: Helicopter


 

 

 

Task 4 - Collage Fuzz

A custom wordlist was given for this task, so I decided to perform subdirectory enumeration using Durb and was able to discover three interesting pages.

┌──(kali㉿iasad)-[~/CTFs/tryhackme/kencipher]
└─$ dirb http://10.10.24.112/ wordlist.txt 

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sat Apr  8 15:45:06 2023
URL_BASE: http://10.10.24.112/
WORDLIST_FILES: wordlist.txt

-----------------

GENERATED WORDS: 33
---- Scanning URL: http://10.10.24.112/ ----
==> DIRECTORY: http://10.10.24.112/nishat/
==> DIRECTORY: http://10.10.24.112/singing/                       
==> DIRECTORY: http://10.10.24.112/guns/   
 
END_TIME: Sat Apr  8 15:46:00 2023
DOWNLOADED: 132 - FOUND: 0

 

 

Whats The Song On One Of Web Pages?

on subdirectory /singing found this

Untitled

 


the song playing on the page was minority from band green day


 

What Is Decoded Morse Code?

on subdirectory /nishat found this in the page source.

Untitled

Untitled

 


the morse code translated to : THE FINAL COUNT DOWN


 

What Is Hidden Text?

on subdirectory /guns found the answer in h1 of page

Untitled

 


Answer : ROCK YOU LIKE A HURRICANE


 

 

 

Task 5 - You Give Love A Bad Name (Web)

lightsaber123

Dont Let Go Of This String It Will Help You. Im Afraid I Cannot Guide You Any Further You Have To Proceed Without Me.

Good Luck

 

Nmap Scan

┌──(kali㉿iasad)-[~/CTFs/tryhackme/kencipher]
└─$ nmap -A 10.10.120.178
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-08 15:00 EDT
Nmap scan report for 10.10.120.178 (10.10.120.178)
Host is up (0.29s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 6cc11cdbcd40579843a894400083cd18 (RSA)
|   256 35decdf59c546f9ad272df63e1fcbc04 (ECDSA)
|_  256 f032f5d727adcd4777e6e8baa275f2a3 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: OuterSpace 
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed.
Nmap done: 1 IP address (1 host up) scanned in 36.60 seconds

 

 

User Flag

from nmap scan we know ssh is open and the user flag is called yoda flag so yoda must be a user. now for the password I tried brute forcing with hydra but got no success. then I saw something in the description lightsaber123 I tried it as a password and success! got the user flag

┌──(kali㉿iasad)-[~/CTFs/tryhackme/kencipher]
└─$ ssh [email protected]
[email protected]'s password: 

Last login: Thu Aug  4 11:36:40 2022
[email protected]:~$ 
[email protected]:~$ ls
flag.txt  +sudo.txt

[email protected]:~$ cat flag.txt
MNS{C1MB3R}

 

 


Yoda flag: MNS{C1MB3R}


 

Root Flag

there was another file +sudo.txt

[email protected]:~$ cat +sudo.txt 
e8885ce0fe2668e5e7ac322f2574d259
this is sudo password LMAO JUST KIDDING
BUT IT IS IM NOT KIDDING
ITS MASKED

the string was an md4 hash so I cracked it with John and found the password for the root horizon I used su to switch to root and got the flag

┌──(kali㉿iasad)-[~/CTFs/tryhackme/kencipher]
└─$ john hash.txt --format=Raw-md4 --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD4 [MD4 128/128 AVX 4x3])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
horizon          (?)     
1g 0:00:00:00 DONE (2023-04-08 17:48) 100.0g/s
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
[email protected]:~$ su
Password: 
[email protected]:/home/yoda# cd
[email protected]:~# ls
flag.txt  snap
[email protected]:~# cat flag.txt 
MNS{R0OT_B43ACH3D_OOPS}

 

 


Root Flag: MNS{R0OT_B43ACH3D_OOPS}


 

Web Flag

now for the web flag I looked in /var/www/html where I found some interesting folders. i checked all but found the flag in /space/ride/pocket/index.html

Untitled

 

 


Web Flag: MNS{w3b_h4cked}


 

Conclusion

I hope you found my writeup informative and please feel free to share your thoughts in the comments. Special thanks to kencypher69 for creating these fantastic challenges.