Cicada-3301 Vol:1

A basic steganography and cryptography challenge room based on the Cicada 3301 challenges.

By: D3crypt360

Follow me on:
Twitter
Github
Instagram

This is my writeup of the TryHackMe Cicada-3301 Vol:1 room.
This was one of the most fun rooms I’ve attempted.

Task1 — Download!

Pretty self explanatory. Download the task files given and unzip the files to begin.

Extracted files

Task2 — Analyze the Audio

Let’s install Sonic Visualizer. If you are on Linux and if you are not using Ubuntu, install the Linux (any 64-bit). once installed run the following commands in the terminal.

$ chmod +x SonicVisualiser-x.x-x86_64.AppImage
$ ./SonicVisualiser-x.x-x86_64.AppImage

It should now open Sonic Visualiser. Once open press File on the top left corner, press open and import the audio file. Once the audio file is imported press Layer on the top left and select Add Spectogram and it should show a QR code with a cicada logo in the middle.

Scan the QR code using a mobile phone or using an online tool. The QR code has a link which redirects to pastebin.

Task 3 — Decode the Passphrase

Text in the pastebin

Both the Passphrase and Key are both Base64 encoded so let’s visit https://base64decode.org/ to decode them.

So far we have solved 2 / 3 answerable questions in Task 3. Next question’s hint says to use French Diplomat Cipher if we google it, we come across vigenere-cipher. We use that to decode the Passphrase, we can use This website to encode it in vigenere-cipher.

And with that Task 3 is finished.

Task 4 — Gather Metadata

Now we go to check on the Welcome.jpg file which came with the zip file we downloaded earlier. The hint says we should use Steghide.

For windows users install Steghide from:

Steghide

For Linux users type in the terminal:

$ sudo apt install steghide

once steghide is installed we can run the image through steghide by typing:

$ steghide extract -sf welcome.jpg

Use the passphrase we encoded earlier as the passcode.
This will extract a invitation.txt file. once we open the file, it contains an imgur link, and this link is the answer to the Task 4 question.

Download the image from the imgur link to continue to step 5

Task 5 — Find Hidden Files

After a lot of struggling and attempting most of the steganography methods I knew. I saw that the hint for the question said to use a tool used in the real Cicada 3001 challange, so I did a little bit of research and found this article which showed a tool called “outguess” which was used to extract text from an image which they though was a dead end. So next we install outguess. Installation steps can be found here https://www.boxentriq.com/code-breaking/outguess

The answer for Task 5 is the tool I mentioned above.

Task 6 — Book cipher

Once outguess is installed. we can run it by running the command

$ outguess 8S8OaQw.jpg -r output

*note "output" can be replaced with any filename you desire

When we open the text file we are greeted with yet another puzzle.

Upon reading the file, it mentions the hash is hashed using SHA1, however when I tried to use SHA1 to decrypt, it would not work so I went on to https://md5hashing.net/hash_type_checker to check the what type of hash it really was.To speed things up I went to https://md5hashing.net/search and searched the hash string and found a link there which gave an already cracked version of this hash.

This is where thing’s gets super interesting so put on your Sherlock Holmes hat.

So from the text we extracted earlier it told us how to navigate this pastebin to find another link. At first glance it looks like a bunch of nonsense but if you read the hint Use positive integers to go forward in the text use negative integers to go backwards in the text. From this we understand that the numbers given below is for us to navigate around the book.

If we take I:19:8 that means Take the 8th letter / number / symbol from the 19th line forward position so in this case it’s i . and If we take I:19:-1 it means take the letter / number / symbol from the 19th line backwards 1 so in this case it’s the number 9. All the spaces between words are to be ignored.

So after we follow the guide we get a shortened url.

Task 7 — The Final Song

The Answer to this question will be the name of the song which you get to see when you go to the shortened link you got from Task 6.

Conclusion

This was one of the fun rooms I’ve played on TryHackMe, It teaches you about steganography and cryptography. I enjoyed this room a lot and recommend this to people who are starting out in cryptography.