[Challenge]: Armageddon Quiz @hack.me

Challenge:  Armageddon Quiz
Author: Ruguri
Website: hack.me
Link: https://hack.me/103185/link-shortening-website-xss.html
Description: This quiz has 3 levels. You need to understand simple crypto and to pay attention for hidden objects or tricks.
It’s simple and programmed with low html detail’s.
I hope you enjoy and please! Do not tell how you passed the level’s.

Solution – Level 1:

The page doesn’t present any input, for this reason, I analyze the source of the page and I find this commented code:

<!This html source has been enconded by xCriptz>
<!First Encode: TmV4dCUyMExldmVsJTIwSXM= (Base64)>
<!Seconde Encode: নমছশ छটচধ ষकমী তफশভ (Hindia4x)>
<!Thirth Encode: sn/hBzCgV2jyWK5FPb6yWK5g8vxF/rSisv/k/rSiPvWyWK5nCzGg81oOsblk (feron74)>

There are three encoded string with its encode algorithm between parentheses. To decode these strings I use Crypo webpage.

TmV4dCUyMExldmVsJTIwSXM= -> Next Level Is

নমছশ छটচধ ষकমী তफশভ -> hackmequiz.html

sn/hBzCgV2jyWK5FPb6yWK5g8vxF/rSisv/k/rSiPvWyWK5nCzGg81oOsblk -> wrong… the next url is wrong.html

The level solution is wrong.html

Solution – Level 2 [Manual]:

The source code of page presents this commented string:

<!Romans History Text>
<!The legionaries were the elite (very best) soldiers. A legionary had to be over 17 years old and a Roman citizen. 
Every new recruit had to be fighting fit - anyone who was weak or too short was rejected.
Legionaries signed up for at least 25 years' service. But if they survived their time, they were rewarded with a gift
of land they could farm. Old soldiers often retired together in military towns, called ‘colonia’.
An auxiliary was a soldier who was not a Roman citizen. He was only paid a third of a legionary’s wage. 
Auxiliaries guarded forts and frontiers but also fought in battles, often in the front lines where it was the most dangerous.>
<!A legion was further divided into groups of 80 men called ‘centuries’. The man in charge of a century was known as a ‘centurion’. 
He carried a short rod, to show his importance. He would also use it to beat any soldier who disobeyed him.
Some soldiers had special skills. They shot bows and arrows, flung stones from slingshots, or could swim rivers to surprise an enemy.
Roman soldiers usually lined up for battle in a tight formation. After a terrifying burst of (nextlvlis:celtic) arrows and artillery, the Roman soldiers 
marched at a slow steady pace towards the enemy. At the last minute, they hurled their javelins and drew their swords, before charging 
into the enemy. Then they used cavalry (soldiers riding horses) to chase anyone who tried to run away.>
<!The End>

By reading the text, I find the string nextlvlis:celtic, so, the next page is celtic.html.

Solution – Level 2 [Nerd Way]:

For first, I save the text inside a text file and I named it with payload.txt name.

Next, I open my loved Bash shell and I write a command to split all word of the text file to make a dictionary file.

tr -cs 'a-zA-Z0-9' '\n' &lt; payload.txt | awk '!element[$0]++' &gt; dictionary.txt

Great! With this Bash Shell code line I get every single world, without repetition, and I redirect the result to dictionary.txt file.

With the dictionary file, I can use Burp Intruder to check the existing pages. Below two screenshot of Burp Intruder configuration:

Below the result:

Solution – Level 3:

The page contains a corrupted image by Huffman Code. This image is a distraction, in fact, the page source code has a hidden string Error :: image :: Corruption. I try every single word by appending .html. The solution is Corruption.html

Solution – Level 4:

This level is so simply, it prensents on center of page an image of Donal Trump, the solution is Trump.html

Solution – Level 5:

This level shows a series of hidden characters:

30 36 30 20 30 36 31 20 30 36 31 20 30 36 31 20 30 36 30 20 30 36 30 20 30 36 30 20 30 36 30 20 30 34 30 20 30 36 30 20 30 36 31 20 30 36 31 20 30 36 30 20 30 36 31 20 30 36 30 20 30 36 30 20 30 36 31 20 30 34 30 20 30 36 30 20 30 36 31 20 30 36 31 20 30 36 30 20 30 36 31 20 30 36 31 20 30 36 31 20 30 36 30 20 30 34 30 20 30 36 30 20 30 36 31 20 30 36 31 20 30 36 30 20 30 36 30 20 30 36 31 20 30 36 31 20 30 36 31 20 30 34 30 20 30 36 30 20 30 36 31 20 30 36 31 20 30 36 30 20 30 36 30 20 30 36 31 20 30 36 31 20 30 36 30 20 30 34 30 20 30 36 30 20 30 36 31 20 30 36 31 20 30 36 30 20 30 36 31 20 30 36 30 20 30 36 30 20 30 36 31 20 30 34 30 20 30 36 30 20 30 36 31 20 30 36 31 20 30 36 30 20 30 36 31 20 30 36 31 20 30 36 31 20 30 36 30 20 30 34 30 20 30 36 30 20 30 36 31 20 30 36 31 20 30 36 30 20 30 36 31 20 30 36 30 20 30 36 30 20 30 36 31 20 30 34 30 20 30 36 30 20 30 36 31 20 30 36 31 20 30 36 31 20 30 36 30 20 30 36 30 20 30 36 31 20 30 36 31 20 30 34 30 20 30 36 30 20 30 36 31 20 30 36 31 20 30 36 30 20 30 36 31 20 30 36 30 20 30 36 30 20 30 36 30

By reading the sequence, I recognize that there are a hexadecimal series, then, I change the hex value to char; below the result:

060 061 061 061 060 060 060 060 040 060 061 061 060 061 060 060 061 040 060 061 061 060 061 061 061 060 040 060 061 061 060 060 061 061 061 040 060 061 061 060 060 061 061 060 040 060 061 061 060 061 060 060 061 040 060 061 061 060 061 061 061 060 040 060 061 061 060 061 060 060 061 040 060 061 061 061 060 060 061 061 040 060 061 061 060 061 060 060 060

This is a series of octal values! I trasform it to char, below the result:

01110000 01101001 01101110 01100111 01100110 01101001 01101110 01101001 01110011 01101000

Finally a series of binary values. I trasform it another time to char:

pingfinish

The solution is pingfinish.html