Artificial truth

archives | latest | homepage | atom/rss/twitter

The more you see, the less you believe.

Nuit du Hack 2014 Quals - Onions rings (misc 150)
Sun 06 April 2014 — download

Since I was the Tor use/promoter and has a Tor sticker on my laptop, I was the one in charge of this challenge.

A new black market has appeared and has been targeted by the FBI. After checking for suspicious posts on stackoverflow and finding nothing, they give up and are offering a bounty to anyone who can get information on the server that is hosting the hidden service.

The url was http://mq72g4732yorslzf.onion/

It's a Tor hidden service, for a black market.


We were authorised to change our avatar, either by providing, an image from our computer, or from an url. The image is then encoded in base64, and displayed by the mean of data:image/gif:base64,...


I tried to include http://mq72g4732yorslzf.onion/flag.php, or index.php, or config.php, or ...

Then I realised that the admin may have been lazy, and didn't set up the server to resolve Tor domains. I included, and tadaaaaa:


This is what the unbase64 file looks like:


Flag: 0hSh1t1r4n0ut0fn00dl35