Atlan Safe P1

We found a safe from Atlantis. Sang Nila Utama’s crown must be inside it. Can you crack the safe?

For this fun challenge, we were given THREE files.

Atlan.7z
AtlanSafe.7z
image.gif

As we were exploring the files, we found out that BOTH of the 7zip files are password protected! 😢

So we figured that the image.gif is something of interest! The .gif file showed a many QR-code in each frame. We then used an online GIF Splitter tool to extract the gif from each frame!

After extracting each frame, and ran a zbar command to scan the QR-Code and saved it as qrcode.txt

zbarimg frame* > qrcode.txt

We used our phone to scan the QR-Code and we received the password!

Password: 230K-YUI9-3XDE-R97Z-5X3D-L4E8

We used this password to unlock, extract Atlan.7z and we were given a Atlan.kdbx file.

We did a little bit of Googling and we found out that it is a Keepass file! After downloading Keepass, we tried opening the file, but it prompts us for a Master Key!!!

We soon realised that we have to brute force Atlan.kdbx. Before doing so, we need to get the hash of the file! So, we ran a keepass2john on Atlan.kdbx to get the hash.

keepass2john Atlan.kdbx > hash.txt

After getting the hash, we ran John The Ripper (JTR) against a rockyou.txt wordlist which contains 14 million passwords!

john --wordlist=rockyou.txt --format=keepass hash.txt

We realised that it is taking too long to brute-force the password (ETA 5 hours), we ran a reverse cat command, which is tac, for JTR to read from the bottom of the wordlist instead of from the top!

tac rockyou.txt > rev_rockyou.txt

john --wordlist=rev_rockyou.txt --format=keepass hash.txt

Additional Information: It is recommended to run JTR or Hashcat on a PC instead of a laptop.

Et voila! After about 10 minutes in, we managed to crack the password! 🎉

Password: b503290174

We used this password to unlock Atlan.kdbx! 😋

We see a bunch of saved usernames and passwords, we decided to use the password saved as safe to unlock & extract the second protected file AtlanSafe.7z.

Password: 7oZJttTgfkmAfpVTLNdd

After doing so, we received a file named ATLAN Safe.exe.

And... IT'S PROTECTED AGAIN!!! 😢

We tried all the passwords that were stored in the Atlan.kdbx but to no avail!

We figured that since this is an .exe file, we have to do a little bit of Reverse Engineering and run it on dnSpy, a debugger and .NET assembly editor.

After opening the file in dnSpy, we saw three interesting class names;

LoginPass
LoginUser
Pin

We took a look at Pin and we saw that the btnExec_Click function is checking for the pin 7689. Afterwards, we used this Pin to unlock the ATLAN Safe.exe

Lo and behold! It works! But wait... it is asking us for a Username! So, we looked at dnSpy again and take a look at the classes.

Under LoginUser class, we see that the program is expecting the username rvizx9.

Afterwards, the program asks for the password to that username.

And so we did the same thing, we took a look at LoginPass.

But this time, things are a little different! On line 45, the program is converting the plain text password into a MD5 hash and it is checking against the hard-coded MD5 hash.

We realised that we have to crack this MD5 hash and reverse it to its original string. With the help of CrackStation, we managed to crack the hash!

Password: !#udamnHACKER#!

After entering the password, we were directed to the flag, BUT you have to click the text <TOP-SECRET> to get the flag. 🤫

Flag: STANDCON22{cr4ck3d_th3_sup3r_s3cur3d_4tl4n_s4f3_0x34PEIOVKO23XZRVPJQLER}

Challenge Files

3KB

Atlan.7z