Jump to content

Hail Satan SAO 19

From YawgNetWiki

This is my write-up for the Hail Satan SAO 2019 challenge presented by Sqearlsalazar

Start

[edit]

The Sigil

[edit]
  • Morse Code
    • -.-- . .- .-. ...-- ----- ----- ----- .-.. --- --- -.- - --- - .... .
    • YEAR3000LOOKTOTHE
  • Alienese (AL1 Futurama)
    • LOOKINT

Baphomet

[edit]
  • Latin
    • accessum per mutuae cognitionis
    • "Access through shared knowledge"
  • DCLVXI
    • Misprint as C and L are swapped
    • Roman Numeral "666"
  • Alienese (AL1 Futurama)
    • HEMIRROR
  • @HS8NTheVoid $video

$video

[edit]

Video

  • Morse Code played on the video
    • .-. --- - ....-
    • ROT4
  • Text on screen:
RG  (3:17-3:20) 3 frames
9v  (5:20-6:01) 11 frames
d2  (10:09-10:23) 14 frames
SX  (13:03-13-17) 14 frames
Mn  (17:13-18:15) 32 frames
p5  (25:27-26:04) 7 frames
=  (30:15-32:07) 52 frames
  • RG9vd2SXMnp5=
    • There are two problems with this text for Base64 decoding
    • Firstly, the = sign is too much for a valid data array
    • Secondly, SX need to be lowercase. It could be that the video was hard to gauge case on, but B64 is case sensitive
  • Doowk12zy
    • Now we apply the Morse Code piece of ROT4
    • "Hssao12dc"

Hssao12dc

[edit]

Hssao12dc is a domain!

The main page doesn't have much going on except the first image but there doesn't seem to be much going on with it. Time to pull from the SAOs:

lookinthemirror

[edit]

LOOKINTHEMIRROR from the Alienese turned out to be a new page and challenge.

  • Stego time!
    • Using Gimp and some Grain Extraction, we find A useless link.
    • But higher levels of grain extraction along with mirroring the image gives a clue
   rorrimehtnikool
  • Additionally, there is a file in the image
    • Using steghide we find "twistedpath"
   cat twistedpath
   thecourtofthejesterofdarkness

rorrimehtnikool

[edit]

A URL of course with another video!

  • More morse code
    • ... .. -..-
    • SIX
  • A classic satanic obfuscation of playing something in reverse has someone speaking:
   "Resistance is futile, submit your souls to the dark lord, bask in his hatred and torment for all eternity. browse to your path, the gates of peril"
    • This was not terribly hard to figure out though it did admittedly take me some time.
    • The Gates of Peril
    • Additionally, during the morse code bit, words flash on the screen that make more sense reversed:
   "The Jester is a fool add this to his number to enter peril"


Jester of Darkness

[edit]

A quick detour to the other URL mentioned from prior: This URL with another image!

  • This one can be done by simply cat-ing or open the image up in nano/notepad
    • At the end of the image file in ASCII:
    • "gossipfromthejesterofdarkness"
  • Yet Another URL
    • This one is simply a text hint and not an actual challenge.
You will never enter the gates unless you appending data to your attempts.

It's believed the angel Evil whispered this data in Baphomet's ear, but in an archaic form.

Convert the data and append it to your attempts if you ever wish to read the ancient texts.

The Gates of Peril

[edit]

The Gates of Peril starts off pretty easy but gets tough quick.

  • Using ROT-21 on the text we find a file for the ancient texts

Ancient Texts

[edit]

Zip File with a password.

  • To open this, I reviewed the hints from all previous puzzles
  • The Gates of Peril
    • "Cycles must be sacrificed"
    • Brute forcing with John confirmed!
    • "seek promise in your rock"
    • Definitely a reference to the well known rockyou.txt dictionary
  • The Jester's Gossip
    • Includes some key phrases: Archaic Form, Convert, Append
    • This hints at the 666 roman numeral from the SAO
    • We will need to append this to our password for the zip file
  • rorrimehtnikool
    • From the Morse Code segments we have:
    • SIX
    • "The Jester is a fool add this to his number to enter peril"
    • So we will need to add 6 to our 666 when we append this. Or 672

JTR the Zip

[edit]
  • I made a custom John rule or two since I wasn't sure whether we were doing 6666 or 672. Additionally, due to the misprint on the SAO I wasn't 100% certain it was going to actually be 666 or if it was going to be something different. So I added:
   Az"[0-9][0-9][0-9]"
   Az"[0-9][0-9][0-9][0-9]"

To a custom ruleset for John and ran it against the zip file using rockyou as my dictionary. I eventually achieved success with 

   fuckyou672

PCAP file

[edit]

I started by looking removing a lot of stuff that tends to not be helpful in pcap files:

  • Filter
    • !(arp or icmp or dns or tls or tcp.port==443)
  • This cut a lot of junk out and led to a very interesting tcp stream at 4317
    • An unencrypted email from belial to zagan
    • Provides a CLIENT_RANDOM string
   CLIENT_RANDOM 0B99673F6544001D9A7D760AFE3439747A9D6FA52AFA8EFF8C9D66698B10F8D8 A6387F8A5FB74A73663DA0BF7CBDE526237FB78C99B588411EE68FE6EDDA8A6CF3C683C03CF3A1E06EB8784BB8D4AB05
  • Dropping this string into a text file and adding it to Wireshark
    • (Pre)-Master-Secret log
  • Now we can look at TLS and TCP/443 streams!
    • Stream at 4060 shows a GET Request of interest to us with the final URL

References

[edit]
Retrieved from "https://yawg.net/index.php?title=Hail_Satan_SAO_19&oldid=54"