The long-dormant DerbyCon Twitter account, @DerbyCon, has been awoken!
The ominous video regales us with 10 seconds of seemingly random animations before the upturned horseshoe takes center stage! At 0:24 the video gets really interesting as a green-cursored terminal session begins to play, concluding with a binary string:
01111110 00101111 01110011 01100001 01010010 01101010 01001110 01101110 01110100 01101011 01110101 01111000
Using CyberChef, we can translate this binary into ASCII to get “~/saRjNntkux”, but what does this mean? Well, if you’re familiar with Linux, you might recognize the “~/” as an alias for the home directory (if you’re not familiar with this little shortcut, give it a try: type ‘cd ~/’ in your command line and see where it takes you).
‘home/saRjNntkux’, home… home… https://www.derbycon.com! Browsing to the DerbyCon home page greets us with the breadcrumb we need to confirm we’ve found what we were looking for: a simple “~/”!
Adding our decoded page, we find that we haven’t found the end of the breadcrumbs yet…
5da618e8e4b89c66fe86e32cdafde142
63ad3072dc5472bb44c2c42ede26d90f
9914a0ce04a7b7b6a8e39bec55064b82
5d5194f75e03d194a3b75dd8aad29c2b
aHR0cHM6Ly93d3cuZGVyYnljb24uY29tL2xsaWJxQW1oZkIuemlw
My first thoughts here were Base64, an encoding standard which redivides data into 6-bit words rather than the usual 8-bit. CyberChef once again makes light work of this, but the first 4 lines yield nothing. The final line, however, points us to another location… “/llibqAmhfB.zip”
This password-protected archive seems to contain a single text file, but what’s the password? And what are the other Base64 strings in the first URL? I decided to feed the zip to Jumbo John and come back to the other encoded strings.
Unfortunately, John wasn’t much help, and my thoughts that the other strings were Base64 were also not entirely correct. They were actually MD5 hashes! Using a free online MD5 rainbow table reveals 4 simple words… From Darkness Light Rises!
I have to admit I didn’t solve it before @CyDefe clued me in on the MD5 hashes. Concatenating the words forms the zip password, and the loot is a YouTube link to Jack Johnson’s song “Better Together”.
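The decoding steps above, collected into one triage routine as an added example (not code from the original post). It checks for a 32-character hex digest before trying Base64, because such a digest is itself valid Base64 and decodes to 24 bytes of noise, and it swaps the online rainbow table for a local candidate-list lookup; `triage`, `md5_lookup` and the casing variants in `WORDS` are assumptions of this example.

```python
import base64
import binascii
import hashlib
import re

BIN_RE = re.compile(r"^[01]{8}(?: [01]{8})*$")  # space-separated octets
MD5_RE = re.compile(r"^[0-9a-fA-F]{32}$")       # 128-bit digest written as hex

def md5_lookup(digest, candidates):
    """Return the candidate whose MD5 matches digest, else None."""
    for word in candidates:
        if hashlib.md5(word.encode()).hexdigest() == digest.lower():
            return word
    return None

def triage(token, candidates=()):
    """Classify one puzzle string and decode it where possible."""
    token = token.strip()
    if BIN_RE.match(token):
        return "binary", "".join(chr(int(b, 2)) for b in token.split())
    # Test for a hex digest BEFORE Base64: all 16 hex characters are in the
    # Base64 alphabet and 32 is a multiple of 4, so a strict Base64 decoder
    # accepts the digest without complaint.
    if MD5_RE.match(token):
        return "md5", md5_lookup(token, candidates)
    try:
        return "base64", base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return "unknown", None

# Strings copied from the page.
BINARY = ("01111110 00101111 01110011 01100001 01010010 01101010 "
          "01001110 01101110 01110100 01101011 01110101 01111000")
FIRST_HASH = "5da618e8e4b89c66fe86e32cdafde142"
LAST_LINE = "aHR0cHM6Ly93d3cuZGVyYnljb24uY29tL2xsaWJxQW1oZkIuemlw"
# Candidate list: the four words named in the write-up. Which casing was
# hashed is not stated, so trying three variants is an assumption.
WORDS = [v for w in ("from", "darkness", "light", "rises")
         for v in (w, w.capitalize(), w.upper())]

if __name__ == "__main__":
    for t in (BINARY, FIRST_HASH, LAST_LINE):
        print(triage(t, WORDS))
    # The digest passes strict Base64 validation, which is the trap:
    print(len(base64.b64decode(FIRST_HASH, validate=True)), "bytes of noise")
```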
That’s the end of the trail, but what does it mean? I think everyone is taking it the same way: the resurrection of DerbyCon! I don’t know about you, but I can’t wait to see what comes next. Until next time! Cheers!