The puzzle begins at the link https://www.exodus.io/decred/

We arrive at an image with two clickable links: one on the computer screen and one above the keyboard. The first leads to a video (http://crypto.haluska.sk/exodus.mp4) showing several enemy ships (7 in total) attempting to attack the player ship, but they all get defeated one by one. Each battleship’s shifts in motion and bullets fired collectively represent 8 bits (0s for the shifts and 1s for the bullets fired).

If we use a complete ASCII table (http://www.theasciicode.com.ar), we can decode all the information and arrive at

0111 1010 - z

1001 0111 - ù

1000 1010 - è

0110 0100 - d

0010 1111 - /

0111 0110 - v

0111 0000 - p

Now this text, as you might guess, is ciphered. So here we turn to the image of the keyboard which we discovered earlier on the puzzle homepage (https://www.exodus.io/decred/img/80s-Keyboard-Dark.jpg).

This keyboard is a hint that the ciphered text can be deciphered on an AZERTY keyboard, with a simple shift to the right. We can do this here: http://www.dcode.fr/keyboard-shift-cipher

We get the following results

azerty → am-s.co

azerty ↑ s)uc9'm

azerty ← e*_f§b^

azerty ↓ é^,eLfà

As you may notice, the first one seems to be a URL. So if we visit that website, we get to a “Protected Site” page with a password prompt for entry.

If you remember the ciphered text we recovered from the video file, you can enter it to proceed:

zùèd/vp
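The two decoding steps above (bits to extended-ASCII characters, then the AZERTY shift) can be reproduced offline. This is an added example, not code from the original write-up; it assumes the "complete ASCII table" is code page 437 and uses the standard French AZERTY layout.

```python
# Bit groups as read off the video in the write-up.
BITS = ["01111010", "10010111", "10001010", "01100100",
        "00101111", "01110110", "01110000"]

# Physical key rows of a French AZERTY keyboard, left to right. The bottom
# row appears twice (unshifted and shifted) because '/' and '.' are only
# on its shifted layer.
AZERTY_ROWS = [
    "&é\"'(-è_çà)=",
    "azertyuiop^$",
    "qsdfghjklmù*",
    "wxcvbn,;:!",
    "WXCVBN?./§",
]

def bits_to_text(groups):
    """Interpret each 8-bit group as one byte of code page 437."""
    return bytes(int(g, 2) for g in groups).decode("cp437")

def shift_keys(text, offset):
    """Replace each character with the key `offset` positions along its row."""
    out = []
    for ch in text:
        for row in AZERTY_ROWS:
            pos = row.find(ch)
            if pos != -1 and 0 <= pos + offset < len(row):
                out.append(row[pos + offset])
                break
        else:
            out.append(ch)  # not on the layout, or shifted off the row
    return "".join(out)

def decode_video_bits(groups):
    """Return (typed text, deciphered text) for the bit groups."""
    typed = bits_to_text(groups)
    # Each typed key is the right-hand neighbour of the intended key,
    # so deciphering steps one key to the left.
    return typed, shift_keys(typed, -1)

if __name__ == "__main__":
    print(decode_video_bits(BITS))
```
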

Once we enter that password, we arrive at a basic WordPress site with the following post, which sets out some basic rules and gives a couple of hints as to what direction not to proceed in. In doing so, it also makes it quite obvious that the next part of the challenge will be to penetrate the site in some way, making it sort of a CTF-style challenge.

Rules & Code of Conduct

Please follow these rules in order to avoid creating obstacles/pitfalls for yourself and others.

* PLEASE, no denial of service / resource exhaustion attacks. It will not lead you to anything helpful for this puzzle.

* Thinking about brute forcing logins/passwords? You need to just >>>

…….╱¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯╲
….╱░.░░░░░░░░░░░░░░░░░░░ ╲
.╱░░.░░░░░░░░░░░░░░░░░░░░. .╲
|░░░░█▀▀░▀█▀░█▀█░█▀█░░░░░░░░|
|░░░░▀▀█░░█░░█░█░█▀▀░░░░░░░░|
|░░░░▀▀▀░░▀░░▀▀▀░▀░░░░░░░░░░|
.╲░.░░░░░░░░░░░░░░░░░░░░░░ ╱
….╲░.░░░░.░░░░░░░░░░░░░░░╱
……¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯

This will not help you. Penetrating SSH service is not one of the steps so don’t bother trying.

After reading the instructions, a player may decide to do a port scan of the website with nmap. If so, he’d get the following results.

Prasanths-MBP:~ Administrator$ nmap am-s.co
Starting Nmap 7.40 ( https://nmap.org ) at 2017-07-01 14:34 EDT
Stats: 0:00:08 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 7.85% done; ETC: 14:36 (0:01:10 remaining)
Stats: 0:00:12 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 12.57% done; ETC: 14:36 (0:01:03 remaining)
Nmap scan report for am-s.co (208.77.99.224)
Host is up (0.050s latency).
rDNS record for 208.77.99.224: server1.adbogie.com
Not shown: 981 closed ports
PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
25/tcp   filtered smtp
53/tcp   open     domain
80/tcp   open     http
110/tcp  open     pop3
111/tcp  open     rpcbind
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
143/tcp  open     imap
443/tcp  open     https
445/tcp  filtered microsoft-ds
465/tcp  open     smtps
587/tcp  open     submission
993/tcp  open     imaps
995/tcp  open     pop3s
3306/tcp open     mysql
6667/tcp open     irc
7000/tcp open     afs3-fileserver
Nmap done: 1 IP address (1 host up) scanned in 22.03 seconds

It’s interesting to note that ports 21 and 22 (FTP and SSH) are open. We know from the blog post that penetrating SSH is not an option, but the post leaves out FTP. It’s good to remember this information for use further down the puzzle trail. All other ports are basic and don’t give any response. The initial scan doesn’t cover all the ports, so if we go on to do a full nmap scan of the website, we notice that port 62217 is open and the service is unknown.

PORT      STATE SERVICE
62217/tcp open  unknown

If we try to connect to the port with a program like netcat, we enter an app running on the port

Prasanths-MBP:~ Administrator$ nc am-s.co 62217
Hello, my friend! The current time is: 14:37:41
XJ NZWZCD LCP XLYJ LD DZXP ZQ JZF XLJ DZZY QTYO, SZHPGPC ESPCP TD L NPCELTY EZBFP ESLE JZF HTWW YPPO EZ RPE ESP CPBFTCPO NSLCLNEPCD EZ QTYTDS ESP CLNP EZ ESP PYO. RZZO WFNV LYO ACPDD ZYHLCO EZ GTNEZCJ!

The text block that we get looks like some sort of cipher, so if we put it through a Caesar shift cipher and run through all the possible shifts, we eventually get to a deciphered message.
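Running through all the shifts can be automated. The following is an added example, not code from the original write-up: it tries all 26 keys on the banner text and ranks the candidates by how many tokens are common English words (the word list is a choice made for this example).

```python
import string

# Text returned by the service on port 62217, copied from the session above.
BANNER = ("XJ NZWZCD LCP XLYJ LD DZXP ZQ JZF XLJ DZZY QTYO, SZHPGPC ESPCP TD L "
          "NPCELTY EZBFP ESLE JZF HTWW YPPO EZ RPE ESP CPBFTCPO NSLCLNEPCD EZ "
          "QTYTDS ESP CLNP EZ ESP PYO. RZZO WFNV LYO ACPDD ZYHLCO EZ GTNEZCJ!")

# Very common English words used to rank candidate plaintexts.
COMMON = {"THE", "AND", "TO", "OF", "YOU", "THAT", "IS", "A", "ARE", "WILL"}

def unshift(text, key):
    """Undo a Caesar shift of `key` on A-Z; spaces and punctuation are kept."""
    upper = string.ascii_uppercase
    return text.translate(str.maketrans(upper, upper[-key:] + upper[:-key]))

def score(text):
    """Count tokens that are common English words."""
    words = (w.strip(string.punctuation) for w in text.split())
    return sum(w in COMMON for w in words)

def crack(ciphertext):
    """Try all 26 keys and return (key, plaintext) for the best-scoring one."""
    return max(((k, unshift(ciphertext, k)) for k in range(26)),
               key=lambda kp: score(kp[1]))

def is_anagram(a, b):
    """True when both words use exactly the same letters."""
    return sorted(a.upper()) == sorted(b.upper())

if __name__ == "__main__":
    key, plaintext = crack(BANNER)
    print(key, plaintext)
```
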

Now notice that one word, “TOQUE”, seems a little out of place. That’s because it’s scrambled and is an anagram for “QUOTE.” You should also notice that the application running on port 62217 seems to be accepting input. This should lead you to believe that there is some sort of quote or message you need to enter to get to the next step.

Going back to the video we found at the beginning of the puzzle, if you do some further analysis on the audio of that video, you will notice that there is morse code hidden in it.

This morse decodes to:

“WE DO NOT MERELY DESTROY OUR ENEMIES WE CHANGE THEM”

If you google this quote, you will notice the first link that pops up directs to http://www.shmoop.com/1984/power-quotes-5.html, which tells you it’s a quote from 1984 by George Orwell. If you copy the quote from that website, which reads “We do not merely destroy our enemies, we change them.”, and paste it into your netcat interaction with the app on port 62217, you will get to the next step. It will return the following.

XCQaqlM4biiFF==RRAYKbJ61V5Ni0fH8mXRxjCpSzs suEYCRwBWKO3ms9XANQle7sRojZUD6Dpr8rexZJOtm CxLDBaBk51w0C528b5jfeGpuFNKzmWgexhOfduXoh2 4hb4bhOx7XS5Xs7faWlfzhBx8HF1MpKCrkWyH3NGko XP1l|tEA|e5KzsGRn2=JoTn6uRyy46Y=0bs1gMEh8e VDKa1Y6OKyC9JcfkcqHyICC7qJCTdm0rbcy06ATG2i tEmgBYqQ6Sd8JbpmT6Xht81Tz442HJvhaKzxXnSIqr sFPIbFw4LbFhyoKnnF6VK0YkjP+H3aYL6A7i81HApf ZI88X6tdyH2jLQHXRpu0aW8EFdsCdhYSnhsUNKc7Rg osmh0h74g3I9FRv5NQZj2zg0lzjg2+pXAWjR/MFGRG xqLfwRf7YDmNjNEJPfI3c16bX/I5aLX8bcwlX4h4TC RiqXvWVBEO7fxwUUe5cnB201RY2jFOy8tc2cPU+q94 bv2ocvROsP2LXwbyR1rmomvFCkAbETxfM9F3jDO7J7 WQtQOLYX46xILVJo8iltsAoNpNwlzcX+NlKb8odnEm sepHMEJ9-EAFMuafJ8UzwSeHfPLdYxs3e60k88wjh8| 0ycfyTiA5JYzequT8-Wevc3rFJokdXLbw3gFnqz5yH| EohRzFxB4Rv2RqmCrTAmIhlFVZSgNVAR7sQcOCzVHZ| vKUQqKXWklzXS5mt24kLunvQb4dCvGhoQYfI1EPeSY EOz5SM5JlNOcN4z7C‘Acc9V1I53zaOs1oS03D1FkXo| eyiUuJWgn9Jk9qDwKzobzR7yC9pcAK01lBJAeolZ3b| g3gVrmD9cena6INnyWpuBt8A9kOhC6UEEQqkBEM8VI| lkCifs3hegF6bDJ7AEZvssbZoMHywrfhFapxncbW1b SlSTTcoa17gYPp4e+JEyGumhLjSyibmp6pxtOhhdXt| 0cShlLmneDRYsYqqIhqd5GliFK7VC6wrYMPc9hctet| ywn0mvQJH9pIoOWA0LM4SEaHg9Om2xaArGy2vWrXEA| 40IssqJeuUqD2FuH44MqzETYJkFWmO5IVmTzgPdDLR WbAyLD1oiq7tg4x7obsBYACPUddV1tSiNP+ddswH3Y 66tAjAfmICqbebHizUhsJi71WVxugLYwELC/m1b7ca NbH1W8zm5eXHfyaW1HtfLPRJB6gQ8aHGRfF73LKUz9| ZmpiWfSbCRLfmNNQV6caaxV6qOQ6MdME5zDDhOLioY l81tbUNgcTCodzOPTirlql5vYyUcgKIUAxndwVM1JT wnqma5teMwqrOKO24kPNojQXZcvL9w47wF51F2io9J 3RMY3N4sCMM2M5MpDDyLcZ8Rc6kMyoDh79KTpsefYv v8hrV7LyQvI7wRIp0D4EMB0t4oUCbdDCeTruLUTvXH| ezYDv9ZLRruskKiBhCxrnCGnMCOq2wfO0QD38BmS7B GD0Kjw83re7jcoo9Noow3ftpf6G3XzoGP6yCuvhkUu 3ID5on0KBfi27cHoQ8IK8mwahRd8A==lOL0DwJD0Gk wJUVA1ZiHL0R0gZPBKu3btTDOwI9ytm5dbhmJJQ1vF ZkUNe2CehudTGDhO13l7gNGpf7HFpF0rfKraD2qxX0 sIsNZ2ZiuNinFceVMLGWT2MtiSjilo0vLi5Tn9i2Rr WztE56pqrUYUWmwctiZInBvmqWfTlsKxrkUmFEQbm7 a7ymkg4w4P7q0ld0pHxA15NA48plzhkyt1CW78p4st

The next step required some extensive scanning with wpscan or a similar tool to find a vulnerability in the site, and since not much progress was made, a hint (“nice joint”) was given during the Decred live stream broadcast on YouTube. “Nice joint” is simply an anagram for “injection”, as some soon figured out, and that should have led you to believe there was an SQL injection vulnerability in the website. With a little further scanning, you should have noticed that wp-symposium version 14.11, a plugin for WordPress, was installed, and it is known to have an SQL injection vulnerability: https://www.exploit-db.com/exploits/37824/

Now that you know this, you should move to exploit it either by a custom written script or more preferably a program like sqlmap.

You can begin the process with a simple command such as this:

sqlmap -u "http://am-s.co/wp-content/plugins/wp-symposium/get_album_item.php?size=version()%20%3B%20--" --dbs --level 3

Once you’ve dumped the entire database, you should notice a table with a unique name that is not part of the normal WordPress schema:

wp_ptfacdeeilnrst

The characters after the underscore, as you might notice, can be reordered to make “ftpcredentials”.

If you proceed to dump the data from this table, you should get the following information

user_name: 4017B940CAE24016AAD3B435B51404EE
user_password: BCA2A84FA7A10EF3F06FA49727B0EAC567928360

If you examine further, you should notice that the “user_name” field seems to contain a hash. It is hashed with NTLMv1.0, which is no longer considered secure, so if you proceed to un-hash it, it will come out to “exodus”.

As for the user password, you should notice that all the characters in there can be separated into 8-bit hex values.

e.g.

BC A2 A8 4F A7 A1 0E F3 F0 6F A4 97 27 B0 EA C5 67 92 83 60

Now if we proceed to convert these to decimal numbers and use those values to correspond to the letter place in the text block that we found earlier, we should get the password.

Here’s a little script that one of the puzzle players @blue_sky_catastrophe on the Decred Slack Channel (http://decred.slack.org) wrote to help do this faster.

# The text block returned by the service on port 62217. Rows are separated by
# single newlines, and each newline counts as one character when indexing.
raw_str = """XCQaqlM4biiFF==RRAYKbJ61V5Ni0fH8mXRxjCpSzs
suEYCRwBWKO3ms9XANQle7sRojZUD6Dpr8rexZJOtm
CxLDBaBk51w0C528b5jfeGpuFNKzmWgexhOfduXoh2
4hb4bhOx7XS5Xs7faWlfzhBx8HF1MpKCrkWyH3NGko
XP1l|tEA|e5KzsGRn2=JoTn6uRyy46Y=0bs1gMEh8e
VDKa1Y6OKyC9JcfkcqHyICC7qJCTdm0rbcy06ATG2i
tEmgBYqQ6Sd8JbpmT6Xht81Tz442HJvhaKzxXnSIqr
sFPIbFw4LbFhyoKnnF6VK0YkjP+H3aYL6A7i81HApf
ZI88X6tdyH2jLQHXRpu0aW8EFdsCdhYSnhsUNKc7Rg
osmh0h74g3I9FRv5NQZj2zg0lzjg2+pXAWjR/MFGRG
xqLfwRf7YDmNjNEJPfI3c16bX/I5aLX8bcwlX4h4TC
RiqXvWVBEO7fxwUUe5cnB201RY2jFOy8tc2cPU+q94
bv2ocvROsP2LXwbyR1rmomvFCkAbETxfM9F3jDO7J7
WQtQOLYX46xILVJo8iltsAoNpNwlzcX+NlKb8odnEm
sepHMEJ9-EAFMuafJ8UzwSeHfPLdYxs3e60k88wjh8|
0ycfyTiA5JYzequT8-Wevc3rFJokdXLbw3gFnqz5yH|
EohRzFxB4Rv2RqmCrTAmIhlFVZSgNVAR7sQcOCzVHZ|
vKUQqKXWklzXS5mt24kLunvQb4dCvGhoQYfI1EPeSY
EOz5SM5JlNOcN4z7C'Acc9V1I53zaOs1oS03D1FkXo|
eyiUuJWgn9Jk9qDwKzobzR7yC9pcAK01lBJAeolZ3b|
g3gVrmD9cena6INnyWpuBt8A9kOhC6UEEQqkBEM8VI|
lkCifs3hegF6bDJ7AEZvssbZoMHywrfhFapxncbW1b
SlSTTcoa17gYPp4e+JEyGumhLjSyibmp6pxtOhhdXt|
0cShlLmneDRYsYqqIhqd5GliFK7VC6wrYMPc9hctet|
ywn0mvQJH9pIoOWA0LM4SEaHg9Om2xaArGy2vWrXEA|
40IssqJeuUqD2FuH44MqzETYJkFWmO5IVmTzgPdDLR
WbAyLD1oiq7tg4x7obsBYACPUddV1tSiNP+ddswH3Y
66tAjAfmICqbebHizUhsJi71WVxugLYwELC/m1b7ca
NbH1W8zm5eXHfyaW1HtfLPRJB6gQ8aHGRfF73LKUz9|
ZmpiWfSbCRLfmNNQV6caaxV6qOQ6MdME5zDDhOLioY
l81tbUNgcTCodzOPTirlql5vYyUcgKIUAxndwVM1JT
wnqma5teMwqrOKO24kPNojQXZcvL9w47wF51F2io9J
3RMY3N4sCMM2M5MpDDyLcZ8Rc6kMyoDh79KTpsefYv
v8hrV7LyQvI7wRIp0D4EMB0t4oUCbdDCeTruLUTvXH|
ezYDv9ZLRruskKiBhCxrnCGnMCOq2wfO0QD38BmS7B
GD0Kjw83re7jcoo9Noow3ftpf6G3XzoGP6yCuvhkUu
3ID5on0KBfi27cHoQ8IK8mwahRd8A==lOL0DwJD0Gk
wJUVA1ZiHL0R0gZPBKu3btTDOwI9ytm5dbhmJJQ1vF
ZkUNe2CehudTGDhO13l7gNGpf7HFpF0rfKraD2qxX0
sIsNZ2ZiuNinFceVMLGWT2MtiSjilo0vLi5Tn9i2Rr
WztE56pqrUYUWmwctiZInBvmqWfTlsKxrkUmFEQbm7
a7ymkg4w4P7q0ld0pHxA15NA48plzhkyt1CW78p4st"""

# Each byte of the user_password value is a 1-based position in raw_str.
idxs = [int(c, 16) for c in "BC A2 A8 4F A7 A1 0E F3 F0 6F A4 97 27 B0 EA C5 67 92 83 60".split(" ")]

# Pick out the character at each position to build the FTP password.
print(''.join([raw_str[i-1] for i in idxs]))

This will give you the password “RrNe3C=TqFWhplHubah1” for the FTP account under the username “exodus”

Once you log in via FTP to the website, you should notice that there is one file to download, called “ee03c8d2493cfad0b9c7ab42722dfa5b.svg”

Here’s what it looks like

This graphical puzzle is the last step before we get an encrypted ciphertext which when we decrypt with a certain key, will lead to the concatenated wallet seed that contains the prize.

To solve this, you must first notice that this is a graphical Dijkstra’s algorithm problem, in which each color in the image has a certain numerical weight associated with it (Orange: 5, Cyan: 2, White: 10, Blue: 4, Yellow: 2, Magenta: 3; given by the port service program if you tried to enter the FTP password after the quote), and you must try to find the shortest path between two nodes, starting at the green and ending at the red. Now the way we interpret nodes isn’t by the shapes but rather pixel by pixel.

This will require some basic programming which should give a result similar to the following if you do it correctly. It should also give you a total cost of 328.
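The pixel-by-pixel search can be sketched as follows. This is an added example, not the solver the players used: the grid is a small constructed stand-in for the SVG (one letter per pixel), and it assumes 4-way movement, that stepping onto a pixel costs that pixel's colour weight, and that the green and red pixels cost 0.

```python
import heapq

# Colour weights as listed in the write-up; G (start) and R (end) cost 0 here
# (an assumption of this example).
WEIGHTS = {"O": 5, "C": 2, "W": 10, "B": 4, "Y": 2, "M": 3, "G": 0, "R": 0}

# Constructed 4x4 "image", one letter per pixel.
GRID = ["GOWW",
        "CWWW",
        "CMBW",
        "YYOR"]

def find(grid, colour):
    """Return (row, col) of the first pixel with the given colour."""
    for r, row in enumerate(grid):
        c = row.find(colour)
        if c != -1:
            return (r, c)
    raise ValueError(f"no {colour!r} pixel in grid")

def cheapest_path(grid):
    """Dijkstra over pixels; returns (total cost, list of (row, col))."""
    start, goal = find(grid, "G"), find(grid, "R")
    dist, prev = {start: 0}, {}
    heap = [(0, start)]
    while heap:
        d, node = heapq.heappop(heap)
        if node == goal:
            break
        if d > dist[node]:
            continue  # stale queue entry
        r, c = node
        for nr, nc in ((r + 1, c), (r - 1, c), (r, c + 1), (r, c - 1)):
            if 0 <= nr < len(grid) and 0 <= nc < len(grid[nr]):
                nd = d + WEIGHTS[grid[nr][nc]]
                if nd < dist.get((nr, nc), float("inf")):
                    dist[(nr, nc)] = nd
                    prev[(nr, nc)] = node
                    heapq.heappush(heap, (nd, (nr, nc)))
    if goal not in dist:
        raise ValueError("red pixel is unreachable")
    path = [goal]
    while path[-1] != start:
        path.append(prev[path[-1]])
    return dist[goal], path[::-1]

if __name__ == "__main__":
    print(cheapest_path(GRID))
```
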

Well, now what? The next step is to overlay the block of text on top of this image and see where the path leads!

The next step is to closely make your way down the path, line by line (except those that have | after them), and begin to construct the AES 256-bit encrypted ciphertext. The only exception is that the last line of the ciphertext will spill over to start at the beginning and end at “==”.

If you do it correctly, you should end up with the following ciphertext

bFhyoKnnF6VK0YkjP+H3aYL6A7i81HApfH2jLQHXRpu0aW8EFdsCdhYSnhsUNKc7Rg3I9FRv5NQZj2zg0lzjg2+pXAWjR/MFGRG3c16bX/I5aLX8bcwlX4h4TCnB201RY2jFOy8tc2cPU+q94momvFCkAbETxfM9F3jDO7J7NpNwlzcX+NlKb8odnEmQb4dCvGhoQYfI1EPeSYZoMHywrfhFapxncbW1b5IVmTzgPdDLRSiNP+ddswH3YYwELC/m1b7ca5zDDhOLioYAxndwVM1JTwF51F2io9J79KTpsefYv8BmS7BuvhkUu3ID5on0KBfi27cHoQ8IK8mwahRd8A==

Now if you use the total cost calculation that we got from finding the least cost path for this maze, “three hundred and twenty eight” as the key to decrypt this ciphertext, you will get the wallet seed!

virusguitaristswelterBradburyoffloadinertianecklaceembezzletroubletypewriterdropperGalvestonrockerunicornstairwaymicrowavestaplertravestyAthenssurrenderdrumbeateverydaychatterbusinessmanmusicmonumentsoybeanracketeerZulucompanyZulutruncatednecklace

CREDITS:

These are the handles of the users from the Decred Slack Channel who helped solve critical parts of the puzzle.

@grubana & @narcelio — morse code from the video

@johnnyjorege & @pandac — binary from the video & deciphering the result

@yash — password entry on the website

@johnnyjorege scanning and discovering app on port 62217

@pandac deciphering text from port service

@pandac , @blue_sky_catastrophe inputting quote found from morse earlier

@sham791 —figured out how to dump data from SQLi vulnerability

@blue_sky_catastrophe & @johnnyjorege for getting the FTP password from the block of text

@africanalex — figuring out to start at green, end at red for puzzle image

@sham791 — for discovering the wallet seed