0

Me and my group are currently trying to decrypt certain messages for a big school project but we just cant figure it out! the idea is that someone "hacked" our raspberry pi and left tons of breadcrumbs that we have to resolve but we get stuck on this piece of text:

V2VsY29tZQ== VGxSTVRRPT0= VWtWTk5FOUVSVEJSZWxFd1RWVlpNRkpxWkVWUmExWkRUVVJWTTFGNlp6Vk9NRmw2VVZSS1IxRnFUWFpQVlVwRlRXdE5lbEV3UlhoUmFrMHhVbFJuZVUxclZrTlBSR3N4VG5wU1JrNTZhekZTVlZsM1RucG5QUT09 V1RCak1XUXlVbGxUVjJScVlsVTFkbGx1YkVKbFJURkZVVmRrV2sweFJqUlVWVkpDWkZadmVXUkhORDA9 Vmtab2QxVnJOVVpOV0VaWVYwWmFUMXBXVW01bFJsSllZMFphVGsxRVZsVlVhMmgzVkZkV2NrMVVWbFZOUmtwRFdsWldOR05XVGxsWGF6VnNZa1ZaTVZaR1ZrNU5SVEZ5WlVSYVdrMHpRbEJaVjNSV1pXeFNTR05GTld0aGVsWkdWMjV3UjFSWFJuTmlSRXBWVm14S2VWUlVRVEZXVmtaWlZtczVhRlpIWXpVPQ== Vm10U1IxVXhUblJXYmtwT1ZteGFVMVl3V21GVlJsWlpZMGMxYkZac1NucFdWM2hMVkRGYVZXSkZWbFZoTW1oNlZrWmtWMk15UlhwaFJsWm9UVlZ3V0Zkc1dsZE9SMDVYVTJ4c1dHRjZWbk5aVkVvelRXeGFSMkZJWkZaaVZrcFhWRlpTVDFWV1drVlJWR3M5 Vm0xMFlXSXlVWGxVYmtwT1ZteHdVVlpzV21GaU1WSlZVbTFHVmxKc1dsaFdWbWhyVlVaV1ZVMUVhejA9 Vm0weE1GVXhSWGhXV0doVVlteEtXRmxVUm5kVlJscDBaVWRHYVUxV1NsWlZiVEZIVm14S2MyTkdjRnBOUjAweFZrUkdTMk14VG5GU2JIQk9VbXhXTkZaclpEUlpWbHBZVTJ0YVYySkdXbTlVVnpGdlRsWmFWbGRyV2xCV2EwcFRWVVpSZDFCUlBUMD0= Vm0wd2VFMUhSWGROVldSWFYwZG9XVmx0ZUV0V01WbDNXa1pPVmxac2NEQmFWV1JIVmpGYWMySkVUbGROYWtaSVZteFZlRmRXUm5OaFJtUlhUVEpvVFZkV1VrSmxSbGw0Vkc1S2FsSnVRazlWYlhoMlpXeGFjbHBJY0d4U2EzQllWVEo0VjFaSFNrZGpTRUpXWVd0d2RscFdXbUZqYkdSMFpFWk9UbUY2VmpWV1JscGhWakZWZVZOclpGaGlSMmhXVm01d1YxUXhjRVZTYlVaVFRWaENTbGt3VlRWV01rVjZVV3h3VjFZemFIWmFSRVp6VmpGT2RWTnNVbWxTTVVwdlZtMXdUMkl4VFhoVmJGcFlZbFZhVkZscmFFTlRiR1J5VjJ4a2FGWnJjRmRaTUZwVFZqRmFWMk5HVG1GU1JWcEVWbGQ0UTFaVk1VVk5SREE5

the first sentence is "welcome" from base64 but if you try to decode any random part of the rest it doesn't give you anything.

Can someone help us? thanks!

Bhargav Rao
  • 50,140
  • 28
  • 121
  • 140
Thomas
  • 85
  • 1
  • 8
  • 1
    It seems to be repeatedly base64-encoded, with a mix of other encodings thrown in. I can't figure out the second one, but the third one is `rot13`'d and seems to mean *something*: `cache epub 100 pg100.txt`. – Bytewave Apr 19 '17 at 14:43
  • 2
    While I don't think this is totally relevant for SO< I do find it an interesting challenge. :) – Bytewave Apr 19 '17 at 14:43
  • Do you think the encoding are seperated by the "="? – Thomas Apr 19 '17 at 14:45
  • Thank you very much by the way! – Thomas Apr 19 '17 at 14:46
  • 1
    It seems to be separated by newline. The `=`s are part of base64. – Bytewave Apr 19 '17 at 14:46
  • 1
    The `=` is the padding for base64. The second one is "NTLM" if you run it through a base 64 decoder twice. – wheeler Apr 19 '17 at 14:47
  • **#4:** `34826.3/52575.3/32802.2/3420.6/73617.3/485.6/19750.6/` – Bytewave Apr 19 '17 at 14:53
  • SO sort of mixed up the newlines, but we tried every rot on all of the text, but none of the rot's seem to make sense... I'm even amazed that you managed to find that haha! – Thomas Apr 19 '17 at 14:55
  • #4 is just repeatedly passed through a base64 encoding. – wheeler Apr 19 '17 at 14:56
  • @Bytewave how did you figure out #3? **nvm** I was copying too much, which was breaking the encoding. – wheeler Apr 19 '17 at 14:56
  • @wheeler Guessed it was rot13 based on how gibberish it looked once it was off the base64. – Bytewave Apr 19 '17 at 14:58
  • @Bytewave I think you mean that's the **4th** one, as it looks like the whitespace is the separation between the different "clues". The first two are on the same line and the third one is `VWtWTk5FOUVSVEJSZWxFd1RWVlpNRkpxWkVWUmExWkRUVVJWTTFGNlp6Vk9NRmw2VVZSS1IxRnFUWFpQVlVwRlRXdE5lbEV3UlhoUmFrMHhVbFJuZVUxclZrTlBSR3N4VG5wU1JrNTZhekZTVlZsM1RucG5QUT09 ` – wheeler Apr 19 '17 at 14:59
  • Ah, yes, you're right. I need to copy all this into a text document to work on it better at some point. – Bytewave Apr 19 '17 at 15:01
  • @Thomas do you think you could format this a little better to differentiate the different "clues"? – wheeler Apr 19 '17 at 15:02
  • We are currently trying to decode it with 4 people with rot, base64, jpeg but everything seems to be the same frustrating outcome *sigh* – Thomas Apr 19 '17 at 15:04
  • I put it in a pastebin, separated by whitespace. Quick and dirty job, should help though. https://pastebin.com/bDfaYR5G – Bytewave Apr 19 '17 at 15:07
  • here is a link to the file as we found it hidden somewhere bit.ly/2oLCGK4 – Thomas Apr 19 '17 at 15:09
  • While this may be a nice puzzle, I'm voting to close this. As noted [here](https://meta.stackexchange.com/questions/134806/puzzles-hidden-answers), SO isn't a place for code puzzles. – ventiseis Apr 19 '17 at 20:00
  • **Moderator Note:** Please do not vandalize your posts. Once you've posted a question, you have licensed the content to the Stack Overflow community at large (under the CC-by-SA license). If you would like to disassociate this post from your account, see [What is the proper route for a disassociation request?](http://meta.stackoverflow.com/questions/323395/what-is-the-proper-rout‌​e-for-a-dissociation-request) – Bhargav Rao Apr 20 '17 at 07:03

1 Answers1

4

Formatted the question a little better:

  1. V2VsY29tZQ==

  2. VGxSTVRRPT0=

  3. VWtWTk5FOUVSVEJSZWxFd1RWVlpNRkpxWkVWUmExWkRUVVJWTTFGNlp6Vk9NRmw2VVZSS1IxRnFUWFpQVlVwRlRXdE5lbEV3UlhoUmFrMHhVbFJuZVUxclZrTlBSR3N4VG5wU1JrNTZhekZTVlZsM1RucG5QUT09

  4. V1RCak1XUXlVbGxUVjJScVlsVTFkbGx1YkVKbFJURkZVVmRrV2sweFJqUlVWVkpDWkZadmVXUkhORDA9

  5. Vmtab2QxVnJOVVpOV0VaWVYwWmFUMXBXVW01bFJsSllZMFphVGsxRVZsVlVhMmgzVkZkV2NrMVVWbFZOUmtwRFdsWldOR05XVGxsWGF6VnNZa1ZaTVZaR1ZrNU5SVEZ5WlVSYVdrMHpRbEJaVjNSV1pXeFNTR05GTld0aGVsWkdWMjV3UjFSWFJuTmlSRXBWVm14S2VWUlVRVEZXVmtaWlZtczVhRlpIWXpVPQ==

  6. Vm10U1IxVXhUblJXYmtwT1ZteGFVMVl3V21GVlJsWlpZMGMxYkZac1NucFdWM2hMVkRGYVZXSkZWbFZoTW1oNlZrWmtWMk15UlhwaFJsWm9UVlZ3V0Zkc1dsZE9SMDVYVTJ4c1dHRjZWbk5aVkVvelRXeGFSMkZJWkZaaVZrcFhWRlpTVDFWV1drVlJWR3M5

  7. Vm0xMFlXSXlVWGxVYmtwT1ZteHdVVlpzV21GaU1WSlZVbTFHVmxKc1dsaFdWbWhyVlVaV1ZVMUVhejA9

  8. Vm0weE1GVXhSWGhXV0doVVlteEtXRmxVUm5kVlJscDBaVWRHYVUxV1NsWlZiVEZIVm14S2MyTkdjRnBOUjAweFZrUkdTMk14VG5GU2JIQk9VbXhXTkZaclpEUlpWbHBZVTJ0YVYySkdXbTlVVnpGdlRsWmFWbGRyV2xCV2EwcFRWVVpSZDFCUlBUMD0=

  9. Vm0wd2VFMUhSWGROVldSWFYwZG9XVmx0ZUV0V01WbDNXa1pPVmxac2NEQmFWV1JIVmpGYWMySkVUbGROYWtaSVZteFZlRmRXUm5OaFJtUlhUVEpvVFZkV1VrSmxSbGw0Vkc1S2FsSnVRazlWYlhoMlpXeGFjbHBJY0d4U2EzQllWVEo0VjFaSFNrZGpTRUpXWVd0d2RscFdXbUZqYkdSMFpFWk9UbUY2VmpWV1JscGhWakZWZVZOclpGaGlSMmhXVm01d1YxUXhjRVZTYlVaVFRWaENTbGt3VlRWV01rVjZVV3h3VjFZemFIWmFSRVp6VmpGT2RWTnNVbWxTTVVwdlZtMXdUMkl4VFhoVmJGcFlZbFZhVkZscmFFTlRiR1J5VjJ4a2FGWnJjRmRaTUZwVFZqRmFWMk5HVG1GU1JWcEVWbGQ0UTFaVk1VVk5SREE5

This is what I have so far (answer followed by steps to decode):

  1. Welcome (base64)

  2. NTLM (2x base64)

  3. DC8814C441F4F7DBEB057C897F3A2FB3/9BD2C3CA1B35E822EB89574E795EF078 (3x base64)

  4. cache epub 100 pg100.txt (4x base64 -> rot13)

  5. 34826.3/52575.3/32802.2/3420.6/73617.3/485.6/19750.6/ (5x base64)

  6. 92310.4/65498.2/65452.1/32334.3 (6x base64)

  7. 39589.4 (7x base64)

  8. 81159.5/17358.2 (8x base64)

  9. 45092.3.4/27310.3.2/68909.1.3 (9x base64)

Just some working thoughts:

  • #3 seems like it could be decoded further, perhaps it's two hex representations of ASCII or decimal separated by a /.
  • The numbers seems like either math or coordinates or something separated by /s.

Update:

  • #4 Appears to be a reference to a txt version of a book, specifically The Project Gutenberg EBook of The Complete Works of William Shakespeare. If you take #4 and google it, you should be able to find it. This leads me to believe that the rest of the numbers are encoded as line#.word#/line#.word#/...

  • As indicated by Thomas, the first part of line 3 refers to a word in this text file. Open it, perform a search for the first part of line 3, and next to it is the word Caesar, which is referring to the rot13 cipher being used in the following clue.

  • Those numbers are actually hashes of NTLM passwords. The solution for line 3 is caesar/thirteen does in fact refer to the rot13 simple cipher, which is used in the following clue.

Update 2:

Ok, if my theory above is true, then the lines 5 through 8 are:

  1. If/you/have/made/it/this/far

  2. then/We/congratulate/you

  3. regards

  4. team/Hydra

Line 9 was a little harder, as the last digit probably refers to the letter number in the word, so it could be translated as:

  1. P/w/C

Final update:

PwC probably refers to PricewaterhouseCoopers, which is a multinational consulting company. If you search team hydra pwc, you get some results that indicate an office of PwC in Hydra, Algeria.

Or, team hydra could refer to the Android hacking group.

Anything further is speculative.

Bhargav Rao
  • 50,140
  • 28
  • 121
  • 140
wheeler
  • 2,823
  • 3
  • 27
  • 43
  • this is brilliant! – Thomas Apr 19 '17 at 15:37
  • Now off to a mission on working out what this is... – Thomas Apr 19 '17 at 15:38
  • #4 refers to a ebook, specifically `The Project Gutenberg EBook of The Complete Works of William Shakespeare` – wheeler Apr 19 '17 at 15:43
  • The rest of them seem like lines/word numbers in the book. – wheeler Apr 19 '17 at 15:43
  • Caesar probably refers to `rot13`, its a [simple cipher](https://en.wikipedia.org/wiki/ROT13) whose concept was first used in ancient Rome – wheeler Apr 19 '17 at 15:52
  • @Thomas Specifically, how did you determine that? – wheeler Apr 19 '17 at 15:53
  • you are a genius!!! – Thomas Apr 19 '17 at 16:13
  • we are really grateful, just one more piece and its done! – Thomas Apr 19 '17 at 16:14
  • @Thomas NTLM passwords can be easily cracked. You can put both hashes in this website and they decode to caeser and thirteen. https://hashkiller.co.uk/ntlm-decrypter.aspx – phatfingers Apr 19 '17 at 16:15
  • Edited the answer to add some speculation around the meaning of the message. – wheeler Apr 19 '17 at 16:17
  • hello wheeler! would you mind putting your replies private or hidden for the next two days? this was asked by our lector since other groups have to either find their own solution or perform likewise steps, Thanks! and again, thank you so much! you were of great great help! – Thomas Apr 19 '17 at 18:12
  • @Thomas Sure, but you will need to remind me otherwise I will forget. Furthermore, if this answer is satisfactory, please mark it as accepted. – wheeler Apr 19 '17 at 18:30