[EN] TryHackMe — Cicada 3301 Vol. 1 Write-Up
May 19, 2020
(May 2020)
Hello guys, it’s Anil Celik, a.k.a. your friendly pwner 0xpr0N3rd from TryHackMe.
This is my second write-up on THM, and it will be for the Stego challenge named Cicada 3301 — https://tryhackme.com/room/cicada3301vol1 (thanks to Cryillic for this room, I loved it ❤)
Ok, so let’s begin:
- In the first task, we first need to download the provided files. When we unzip the downloaded file, we see 2 files, named 3301.wav & welcome.jpg:
- Unzipping files was Task 1. Let’s head to Task 2. In Task 2, we need to inspect the audio file that we have just extracted from the zip file. It tells us to use the Sonic Viewer:
- It seems like there is not much here; however, if we apply the necessary filters, we can find the thing we want. First, apply Add Spectrogram from the Layer tab. Then, zoom in on the picture. Lastly, change the color scheme to White on Black and set the Scale to dBV²:
- Yep, we got the QR code. Let’s scan it. At this point, you might have trouble scanning the code by uploading it to an online tool. If you do, try a QR code reader on your phone:
- Task 2 completed. Let’s go for Task 3. It’s a pastebin link. Let’s go to the link. (Here, go to pastebin from your PC’s browser. In my case, for reasons I still don’t know, access to pastebin was blocked (even a VPN didn’t work, and yes, the connection was successful), so I accessed the page from my phone):
- In Task 3, we are asked to decrypt the passphrase. The passphrase is encoded in Base64, so let’s knock on the door of CyberChef:
Passphrase
Key:
- Lastly, we are asked to find the final passphrase. When we look at the hint on Question 4, it says French Diplomat Cipher. When we google it, we can find the cipher, which was already given as a hint in Question 5:
- So let’s do it (https://www.dcode.fr/vigenere-cipher):
- When we encrypt the decrypted passphrase on Question 2 with our Cipher Key, we get:
- And this gets our task completed. Proceed to the next one! In Task 4, we are asked to extract the hidden information in welcome.jpg, the picture which we were given at the beginning. To do that, we can use the steghide tool. If you don’t know about steghide, here’s a link for you to discover more on it. We extract the hidden data by entering the command: “steghide extract -sf welcome.jpg”. It will ask us for a passphrase, and we will enter the passphrase we just found above:
- Let’s look at invitation.txt:
- Hmm, another link. Before we go on that, let’s enter this link as our answer on Question 2 for Task 4. Now, let’s go to the link and then go for Task 5:
- Hmm, another image. After downloading this image, I literally tried most of the known steganography tools for extracting the hidden data in this image. I also read the hint, but after a while (thanks to slaviclad for the heads up), I found the tool named outguess. Also, when we check the hint, it tells us to “Use the same tool used to extract data in the original Cicada challenges”. You can find outguess here. After installing the tool, execute it by:
- Then, when we check the output, we see:
- After completing Task 5 with the answer we just found, let’s go to Task 6. In this task, we need to crack the hash which we got in the output previously. At the top of the output, it says Hash: SHA1. At first, I thought it stood for the hash’s format, but it did not. Afterwards, I realized that it is SHA512. I first tried to crack the hash with john and hashcat, but it didn’t work. Then, when I looked at the hint provided in Question 3, I saw that I needed to use an online tool:
- After I got bamboozled by the pastebin restriction again, I found the following output:
- The list goes up to 66. At this point, for Question 5, we can use the information which we got previously:
- What I understand from this is that, for the first one, I should go to the 1st line and take the 6th character, and so on. But what about the negative values? For those, of course, we should go backwards in the line. For instance, it asks us for the character at -1 in line 23, which means “3”:
- After going for all the characters, we find the link for Question 5:
- After completing this task, let’s go for the last task. When we go to the link, we see there is a song:
- There is nothing tricky here; just enter the song’s name and complete the challenge.
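The line-and-position lookup from Task 6 above (go to a numbered line, take the character at the given position, and count from the end of the line when the position is negative), as an added Python example that is not part of the original write-up. The `line:position` notation, the sample lines and the key are constructed for illustration and are not the room's data.

```python
import re

# Constructed sample text standing in for the numbered lines of the paste.
SAMPLE_LINES = [
    "a7c41f09e2",
    "5d3b8e6c10",
    "f0e9d8c7b3",
]

# Constructed key; the "line:position" notation is an assumption.
SAMPLE_KEY = "1:2 2:-3 3:-1 2:1"

PAIR_RE = re.compile(r"^(\d+):(-?\d+)$")


def parse_key(key):
    """Turn 'line:pos line:pos ...' into a list of (line, pos) integer tuples."""
    pairs = []
    for token in key.split():
        m = PAIR_RE.match(token)
        if not m:
            raise ValueError(f"malformed pair: {token!r}")
        pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs


def pick(lines, line_no, pos):
    """Return one character. Lines are 1-based; positive positions count
    from the start of the line, negative positions count from its end."""
    if not 1 <= line_no <= len(lines):
        raise IndexError(f"line {line_no} outside 1..{len(lines)}")
    line = lines[line_no - 1].rstrip("\r\n")
    if pos == 0 or abs(pos) > len(line):
        raise IndexError(f"position {pos} invalid for line {line_no}")
    return line[pos - 1] if pos > 0 else line[pos]


def decode(lines, key):
    """Apply every (line, pos) pair in order and join the characters."""
    return "".join(pick(lines, ln, p) for ln, p in parse_key(key))


if __name__ == "__main__":
    print(decode(SAMPLE_LINES, SAMPLE_KEY))
```

Rejecting position 0 and out-of-range values matters here: Python would otherwise silently wrap `line[0 - 1]` to the last character and return a wrong but plausible result.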
That’s it! Thank you for reading! And also thanks to Cryillic for this awesome challenge!
See you on my next writeups!