{"id":20666842,"url":"https://github.com/arkamar/hackvent2019","last_synced_at":"2026-04-20T12:09:00.845Z","repository":{"id":83480828,"uuid":"225061331","full_name":"arkamar/hackvent2019","owner":"arkamar","description":"The HackVENT 2019 solutions and writeup","archived":false,"fork":false,"pushed_at":"2019-12-18T16:12:40.000Z","size":2873,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-03-17T15:09:11.634Z","etag":null,"topics":["hackvent","hackvent2019","writeup"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/arkamar.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-11-30T19:39:41.000Z","updated_at":"2020-01-02T21:37:21.000Z","dependencies_parsed_at":"2023-07-09T23:01:51.815Z","dependency_job_id":null,"html_url":"https://github.com/arkamar/hackvent2019","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/arkamar/hackvent2019","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arkamar%2Fhackvent2019","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arkamar%2Fhackvent2019/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arkamar%2Fhackvent2019/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arkamar%2Fhackvent2019/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/arkamar","download_url":"h
ttps://codeload.github.com/arkamar/hackvent2019/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/arkamar%2Fhackvent2019/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32046460,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-20T11:35:06.609Z","status":"ssl_error","status_checked_at":"2026-04-20T11:34:48.899Z","response_time":94,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hackvent","hackvent2019","writeup"],"created_at":"2024-11-16T19:41:59.725Z","updated_at":"2026-04-20T12:09:00.829Z","avatar_url":"https://github.com/arkamar.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Hackvent 2019\n\n- 01 [`HV19{just-4-PREview!}`](#day-1)\n- 02 [`HV19{Cr4ck_Th3_B411!}`](#day-2)\n- 03 [`HV19{h01d-th3-d00r-4204-ld4Y}`](#day-3)\n- 04 [`HV19{R3memb3r, rem3mber - the 24th 0f December}`](#day-4)\n- 05 [`HV19{D1fficult_to_g3t_a_SPT_R3ader}`](#day-5)\n- 06 [`HV19{BACONCIPHERISSIMPLEBUTCOOL}`](#day-6)\n- 07 [`HV19{1m_als0_w0rk1ng_0n_a_r3m0t3_c0ntr0l}`](#day-7)\n- 08 [`HV19{5M113-420H4-KK3A1-19801}`](#day-8)\n- 09 [`HV19{Cha0tic_yet-0rdered}`](#day-9)\n- 10 [`HV19{Sh3ll_0bfuscat10n_1s_fut1l3}`](#day-10)\n- 11 [`HV19{th3_cha1n_1s_0nly_as_str0ng_as_th3_w3ak3st_l1nk}`](#day-11)\n- 13 
[`HV19{get_th3_chocolateZ}`](#day-13)\n- 14 [`HV19{s@@jSfx4gPcvtiwxPCagrtQ@,y^p-za-oPQ^a-z\\x20\\n^\u0026\u0026s[(.)(..)][\\2\\1]g;s%4(...)%\"p$1t\"%ee}`](#day-14)\n\n- H1 [`HV19{1stHiddenFound}`](#hidden-1)\n- H2 [`HV19{Dont_confuse_0_and_O}`](#hidden-2)\n- H3 [`HV19{an0ther_DAILY_fl4g}`](#hidden-3)\n\n## Day 1\n\n\u003e I got this little image, but it looks like the best part got censored on the\n\u003e way. Even the tiny preview icon looks clearer than this! Maybe they missed\n\u003e something that would let you restore the original content?\n\n![ball](01/f182d5f0-1d10-4f0f-a0c1-7cba0981b6da.jpg)\n\nThere is another image embedded inside, from the 332nd byte. ![thumb](01/thumb.jpg)\n\n## Day 2\n\n\u003e Today we give away decorations for your Christmas tree. But be careful and do not break it.\n\nThe [Triangulation.stl](02/Triangulation.stl) file is a 3D model in stereolithography format.\nThere is a QR code in the middle of the ball.\n![flag](02/flag.png)\n\n## Day 3\n\nI used https://tio.run/#hodor to interpret the [script](03/script.hd).\n\n## Day 4\n\n\u003e Santa released a new password policy (more than 40 characters, upper, lower,\n\u003e digit, special).\n\u003e\n\u003e The elves can't remember such long passwords, so they found a way to continue to\n\u003e use their old (bad) password:\n\u003e\n\u003e merry christmas geeks\n\nRun Windows, install [AutoHotKey](https://www.autohotkey.com/), run the script [HV19-PPC.ahk](04/HV19-PPC.ahk), open Notepad, slowly type `merry christmas geeks` and it will be replaced with the flag.\n\n## Day 5\n\n\u003e To handle the huge load of parcels Santa introduced this year a parcel tracking\n\u003e system. He didn't like the black and white barcode, so he invented a more\n\u003e solemn barcode. Unfortunately the common barcode readers can't read it anymore,\n\u003e it only works with the pimped models santa owns. 
Can you read the barcode\n\n![code](05/157de28f-2190-4c6d-a1dc-02ce9e385b5c.png)\n\nI wrote small [program](05/dump.c) to dump hex colors from the first line of the image and processed it with following pipeline\n```sh\n\u003c 157de28f-2190-4c6d-a1dc-02ce9e385b5c.png png2ff | ./dump | uniq | grep -vF 'ffff ffff' | cut -c11-12 | h2b\n```\nThe flag is in the middle of other letters.\n```\nX8YIOF0ZP4S8HV19{D1fficult_to_g3t_a_SPT_R3ader}S1090OMZE0E3NFP6E\n            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n```\n\n## Day 6\n\n\u003e *F*ra*n*cis Baco*n* *w*a*s* *a*n E*ng*lish ph*i*l*os*o*p*her a*n*d *s*tat*e*sm*a*n w*h*o se*rve*d *a*s At*t*or*n*ey Gen*e*ral and as *L*or*d* *Ch*an*ce*l*l*or of *En*g*l*an*d*. Hi*s* *w*orks ar*e* c*red*it*e*d w*ith* d*e*ve*lo*pi*ng* *t*h*e* sci*e*nt*i*fic me*t*hod and re*m*ai*ned* in*fl*u*en*ti*al* th*rou*gh *t*he s*cien*tific *r*ev*o*l*u*ti*o*n.\n\u003e *B*a*co*n h*as* *b*e*e*n ca*l*led *th*e *f*ath*e*r o*f* emp*iric*i*s*m. *Hi*s *wor*ks ar*g*ued for th*e* po*ssi*bi*li*t*y* of s*c*ie*n*tifi*c* *kno*wl*edg*e b*a*se*d* onl*y* u*p*on i*n*du*c*t*i*ve *r*ea*s*onin*g* *a*nd c*aref*u*l* o*bs*er*v*ation o*f* *e*v*e*nt*s* in *na*tur*e*. Mo*st* *i*mp*ort*an*t*l*y*, *he* a*rgue*d sc*i*en*c*e co*uld* *b*e *a*c*hi*eved by us*e* of a *s*ce*p*t*ical* a*nd* me*t*hod*i*ca*l* *a*pp*roa*ch wh*er*eby *s*cientist*s* ai*m* t*o* avo*i*d m*i*sl*ead*in*g* themsel*ve*s. *A*lth*oug*h *h*is *p*ra*c*tic*a*l i*d*e*a*s ab*out* *s*u*ch* *a* *m*et*h*od, *t*he B*a*con*i*an meth*o*d, d*i*d no*t* have *a* l*o*n*g*-*la*s*t*ing *i*nfluen*c*e, *th*e *g*e*ne*ral *i*dea *of* *t*he imp*o*rta*n*ce and pos*s*i*b*il*it*y o*f* a s*c*ept*i*cal methodology makes Bacon the father of the scientific method. 
This method was a new rhetorical and theoretical framework for science, the practical details of which are still central in debates about science and methodology.\n\nThis is [the Baconian cipher](http://www.wondersandmarvels.com/2012/12/shakespeares-secrets-a-hidden-cipher-in-literatures-greatest-works.html).\nThe original cypher text is in file [`text.html`](06/text.html). I wrote a small lex/yacc parser (see [`decode_lex.py`](06/decode_lex.py) and [`decode.py`](06/decode.py)) to transfer it to binary representation and [`solve.py`](06/solve.py) decrypts the cipher.\n\n```\nSANTALIKESHISBACONBUTALSOTHISBACONTHEPASSWORDISHVXBACONCIPHERISSIMPLEBUTCOOLXREPLACEXWITHBRACKETSANDUSEUPPERCASE\n```\nWith extra spaces:\n```\nSANTA LIKES HIS BACON BUT ALSO THIS BACON THE PASSWORD IS HV X BACON CIPHER IS SIMPLE BUT COOL X REPLACE X WITH BRACKETS AND USE UPPERCASE\n```\n\n## Day 7\n\nThe [video](07/3DULK2N7DcpXFg8qGo9Z9qEQqvaEDpUCBB1v.mp4) with 8 blinking LEDs represents byte stream.\nAfter conversion to png\n```sh\nffmpeg -i 3DULK2N7DcpXFg8qGo9Z9qEQqvaEDpUCBB1v.mp4 out%04d.png\n```\nand a lot of manual work we got the flag.\nThe final solution is generated by [this](07/solve.py) simple python script.\n\n## Day 8\n\n\u003e Introduction\n\u003e\n\u003e You hacked into the system of very-secure-shopping.com and you found a\n\u003e [SQL-Dump](08/dump.sql) with $$-creditcards numbers. As a good hacker you inform the company\n\u003e from which you got the dump. 
The managers tell you that they don't worry,\n\u003e because the data is encrypted.\n\u003e\n\u003e Goal\n\u003e\n\u003e Analyze the \"Encryption\"-method and try to decrypt the flag.\n\u003e\n\u003e Hints\n\u003e\n\u003e - CC-Numbers are real/valid ones.\n\u003e - Cyber-Managers often doesn't know the difference between encoding and encryption.\n\nWhen I saw the [dump](08/dump.sql), I noticed the sequence for **Severus Snape**: `:)RPQRSTUVWXYZ[\\]^`.\nCredit cards use the [Luhn algorithm](https://en.wikipedia.org/wiki/Luhn_algorithm) for validation, so I decided to search for a valid number matching the pattern `*111111111111111` (actually I searched for lots of them, but this one was the correct one) and found `4111111111111111`.\nI did the following calculations\n```python\nord('R') - 4  # = 78\nord('P') - 1  # = 79\nord('Q') - 1  # = 80\nord('R') - 1  # = 81\nord('S') - 1  # = 82\n```\nthat led me to the following algorithm.\n```python\n# encoded card number from the dump, without the leading ':)'\ns = r'RPQRSTUVWXYZ[\\]^'\no = ''\nfor i in range(len(s)):\n\t# each character is the digit shifted by 78 plus its position\n\to += str(ord(s[i]) - 78 - i)\n```\nIt works for all credit card numbers, but it does not generate the correct flag.\nWell, here I have to thank @MartinDrab because he helped me to realize that I am searching for an index into the ASCII table.\n```python\ndef decode(s):\n    # skip the two-character prefix\n    s = s[2:]\n    o = ''\n    for i in range(len(s)):\n        # shift by 30 plus the position to get the ASCII character\n        o += chr(ord(s[i]) - 30 - i)\n    return o\n```\nThe complete script is [here](08/solve.py).\n\n## Day 9\n\n\u003e ### Santas Quick Response 3.0\n\u003e\n\u003e Visiting the following railway station has left lasting memories.\n\u003e\n\u003e ![img](09/railway.jpg)\n\u003e\n\u003e Santas brand new gifts distribution system is heavily inspired by it. 
Here is\n\u003e your personal gift, can you extract the destination path of it?\n\u003e\n\u003e ![img](09/qr.png)\n\u003e\n\u003e Hints\n\u003e - it starts with a single pixel\n\u003e - centering is hard\n\nWhen searching for the railway image I found [this article](https://www.wikiwand.com/en/Rule_30), which describes [Rule 30](https://en.wikipedia.org/wiki/Rule_30).\nIt is necessary to generate a mask with Rule 30 (I wrote [this](09/solve.py) python script) and `xor` it with the broken QR code.\n\n![img](09/qr.png) `XOR` ![mask](09/mask.png) `=` ![out](09/out.png)\n\n## Day 10\n\n\u003e ### Guess what\n\u003e\n\u003e The flag is right, of course\n\nTL;DR: Run the `guess` binary and look at `/proc/\u003cPID\u003e/cmdline`.\n\nThe binary constructs an environment variable based on the PID of the process and re-execs itself via bash.\nIn the second exec it detects the variable, deciphers the shell script and execs it.\n\n```sh\n#!/bin/bash\n\nread -p \"Your input: \" input\n\nif [ $input = \"HV19{Sh3ll_0bfuscat10n_1s_fut1l3}\" ]\nthen\n  echo \"success\"\nelse\n  echo \"nooooh. try harder!\"\nfi\n```\n\n## Day 11\n\n\u003e ### Frolicsome Santa Jokes API\n\u003e\n\u003e The elves created an API where you get random jokes about santa.\n\u003e\n\u003e Go and try it here: http://whale.hacking-lab.com:10101\n\nThe API encodes information in the `token`.\nThis [script](11/solve.sh) accesses the platinum part with the flag.\n\n## Day 12\n\n\u003e ### back to basic\n\u003e\n\u003e Santa used his time machine to get a present from the past. get your rusty\n\u003e tools out of your cellar and solve this one!\n\n## Day 13\n\n\u003e ### TrieMe\n\u003e\n\u003e Switzerland's national security is at risk. 
As you try to infiltrate a secret\n\u003e spy facility to save the nation you stumble upon an interesting looking login\n\u003e portal.\n\u003e\n\u003e Can you break it and retrieve the critical information?\n\u003e\n\u003e #### Resources\n\u003e\n\u003e - Facility: http://whale.hacking-lab.com:8888/trieme/\n\nThis challenge is about a `PatriciaTrie` [bug](https://issues.apache.org/jira/browse/COLLECTIONS-714).\n\n```java\npublic void testNullTerminatedKey2() {\n\tPatriciaTrie\u003cInteger\u003e trie = new PatriciaTrie\u003c\u003e();\n\ttrie.put(\"x\", 0);\n\tAssert.assertTrue(trie.containsKey(\"x\")); // ok\n\ttrie.put(\"x\\u0000\", 1);\n\tAssert.assertTrue(trie.containsKey(\"x\\u0000\")); // ok\n\tAssert.assertTrue(trie.containsKey(\"x\")); // fail\n}\n```\n\nFirst call the [`./solve.sh`](13/solve.sh) script, copy the `javax.faces.ViewState` value, pass it as the first parameter to the `solve.sh` script again and append `auth_token_4835989\\u0000`.\n```sh\n./solve.sh '-8502787694603742044:-3890048074146143282' 'auth_token_4835989\\u0000'\n```\n\n## Day 14\n\n\u003e ### Achtung das Flag\n\u003e\n\u003e Let's play another little game this year. 
Once again, I promise it is hardly obfuscated.\n\u003e\n\u003e ```perl\n\u003e use Tk;use MIME::Base64;chomp(($a,$a,$b,$c,$f,$u,$z,$y,$r,$r,$u)=\u003cDATA\u003e);sub M{$M=shift;##\n\u003e @m=keys %::;(grep{(unpack(\"%32W*\",$_).length($_))eq$M}@m)[0]};$zvYPxUpXMSsw=0x1337C0DE;###\n\u003e /_help_me_/;$PMMtQJOcHm8eFQfdsdNAS20=sub{$zvYPxUpXMSsw=($zvYPxUpXMSsw*16807)\u00260xFFFFFFFF;};\n\u003e ($a1Ivn0ECw49I5I0oE0='07\u00263-\"11*/(')=~y$!-=$`-~$;($Sk61A7pO='K\u0026:P3\u002644')=~y$!-=$`-~$;m/Mm/g;\n\u003e ($sk6i47pO='K\u0026:R\u0026-\u0026\"4\u0026')=~y$!-=$`-~$;;;;$d28Vt03MEbdY0=sub{pack('n',$fff[$S9cXJIGB0BWce++]\n\u003e ^($PMMtQJOcHm8eFQfdsdNAS20-\u003e()\u00260xDEAD));};'42';($vgOjwRk4wIo7_=MainWindow-\u003enew)-\u003etitle($r)\n\u003e ;($vMnyQdAkfgIIik=$vgOjwRk4wIo7_-\u003eCanvas(\"-$a\"=\u003e640,\"-$b\"=\u003e480,\"-$u\"=\u003e$f))-\u003epack;@p=(42,42\n\u003e );$cqI=$vMnyQdAkfgIIik-\u003ecreateLine(@p,@p,\"-$y\"=\u003e$c,\"-$a\"=\u003e3);;;$S9cXJIGB0BWce=0;$_2kY10=0;\n\u003e $_8NZQooI5K4b=0;$Sk6lA7p0=0;$MMM__;$_=M(120812).'/'.M(191323).M(133418).M(98813).M(121913)\n\u003e .M(134214).M(101213).'/'.M(97312).M(6328).M(2853).'+'.M(4386);s|_||gi;@fff=map{unpack('n',\n\u003e $::{M(122413)}-\u003e($_))}m:...:g;($T=sub{$vMnyQdAkfgIIik-\u003edelete($t);$t=$vMnyQdAkfgIIik-\u003e#FOO\n\u003e createText($PMMtQJOcHm8eFQfdsdNAS20-\u003e()%600+20,$PMMtQJOcHm8eFQfdsdNAS20-\u003e()%440+20,#Perl!!\n\u003e \"-text\"=\u003e$d28Vt03MEbdY0-\u003e(),\"-$y\"=\u003e$z);})-\u003e();$HACK;$i=$vMnyQdAkfgIIik-\u003erepeat(25,sub{$_=(\n\u003e $_8NZQooI5K4b+=0.1*$Sk6lA7p0);;$p[0]+=3.0*cos;$p[1]-=3*sin;;($p[0]\u003e1\u0026\u0026$p[1]\u003e1\u0026\u0026$p[0]\u003c639\u0026\u0026\n\u003e $p[1]\u003c479)||$i-\u003ecancel();00;$q=($vMnyQdAkfgIIik-\u003efind($a1Ivn0ECw49I5I0oE0,$p[0]-1,$p[1]-1,\n\u003e $p[0]+1,$p[1]+1)||[])-\u003e[0];$q==$t\u0026\u0026$T-\u003e();$vMnyQdAkfgIIik-\u003einsert($cqI,'end',\\@p);($q==###\n\u003e 
$cqI||$S9cXJIGB0BWce\u003e44)\u0026\u0026$i-\u003ecancel();});$KE=5;$vgOjwRk4wIo7_-\u003ebind(\"\u003c$Sk61A7pO-n\u003e\"=\u003esub{\n\u003e $Sk6lA7p0=1;});$vgOjwRk4wIo7_-\u003ebind(\"\u003c$Sk61A7pO-m\u003e\"=\u003esub{$Sk6lA7p0=-1;});$vgOjwRk4wIo7_#%\"\n\u003e -\u003ebind(\"\u003c$sk6i47pO-n\u003e\"=\u003esub{$Sk6lA7p0=0 if$Sk6lA7p0\u003e0;});$vgOjwRk4wIo7_-\u003ebind(\"\u003c$sk6i47pO\"\n\u003e .\"-m\u003e\"=\u003esub{$Sk6lA7p0=0 if $Sk6lA7p0\u003c0;});$::{M(7998)}-\u003e();$M_decrypt=sub{'HACKVENT2019'};\n\u003e __DATA__\n\u003e The cake is a lie!\n\u003e width\n\u003e height\n\u003e orange\n\u003e black\n\u003e green\n\u003e cyan\n\u003e fill\n\u003e Only perl can parse Perl!\n\u003e Achtung das Flag! --\u003e Use N and M\n\u003e background\n\u003e M'); DROP TABLE flags; -- \n\u003e Run me in Perl!\n\u003e __DATA__\n\u003e ```\n\nThe `@fff` variable holds the encrypted flag.\nThis [scripts](14/solve.py) decrypts it.\n\n## Hidden 1\n\nThe first hidden flag is hidden in copy to clipboard of the [Day 6](#day-6).\n\n```\nBorn: January 22\t     \t \t   \t   \t \t       \t     \t  \t  \nDied: April 9   \t  \t \t    \t  \t      \t   \t\t  \t  \nMother: Lady Anne   \t\t \t   \t   \t      \t  \t      \t  \nFather: Sir Nicholas\t \t      \t\t    \t    \t  \t  \t      \t      \nSecrets: unknown      \t \t  \t \t    \t    \t   \t       \t  \n```\nThe spaces behind text are spaces, tabs and newlines hiding the flag in the message vie `stegsnow` command.\n```sh\npython decode.py \u003e msg\nstegsnow -C msg\n```\n\n## Hidden 2\n\nThe video name `3DULK2N7DcpXFg8qGo9Z9qEQqvaEDpUCBB1v.mp4` from [Day 7](#day-7) encodes hidden flag with [Base 58](https://en.wikipedia.org/wiki/Base58).\n\n## Hidden 3\n\nFollowing script dumps the flag\n```sh\nwhile sleep 3600\ndo\n\tnc whale.hacking-lab.com 17\ndone\n```\n\n## notes\n\n- https://ranking.academy.hacking-lab.com/\n- 
https://hv19.idocker.hacking-lab.com/\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Farkamar%2Fhackvent2019","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Farkamar%2Fhackvent2019","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Farkamar%2Fhackvent2019/lists"}