misDIRection
3 minutes to read
We are given a ZIP archive:
$ file misDIRection.zip
misDIRection.zip: Zip archive data, at least v1.0 to extract
We uncompress it and we see this output:
$ unzip -P hackthebox misDIRection.zip
Archive: misDIRection.zip
creating: .secret/
creating: .secret/S/
extracting: .secret/S/1
creating: .secret/V/
extracting: .secret/V/35
creating: .secret/F/
extracting: .secret/F/2
extracting: .secret/F/19
extracting: .secret/F/27
creating: .secret/o/
creating: .secret/H/
creating: .secret/A/
creating: .secret/f/
creating: .secret/r/
creating: .secret/m/
creating: .secret/B/
extracting: .secret/B/23
creating: .secret/a/
creating: .secret/O/
creating: .secret/h/
creating: .secret/t/
creating: .secret/2/
extracting: .secret/2/34
creating: .secret/7/
creating: .secret/R/
extracting: .secret/R/7
extracting: .secret/R/3
creating: .secret/b/
creating: .secret/z/
extracting: .secret/z/18
creating: .secret/j/
extracting: .secret/j/10
extracting: .secret/j/12
creating: .secret/P/
creating: .secret/y/
creating: .secret/d/
extracting: .secret/d/13
creating: .secret/Y/
creating: .secret/q/
creating: .secret/c/
creating: .secret/6/
creating: .secret/8/
creating: .secret/U/
extracting: .secret/U/9
creating: .secret/p/
extracting: .secret/p/32
creating: .secret/W/
creating: .secret/N/
extracting: .secret/N/25
extracting: .secret/N/11
extracting: .secret/N/31
extracting: .secret/N/33
creating: .secret/g/
creating: .secret/n/
creating: .secret/e/
extracting: .secret/e/5
creating: .secret/1/
extracting: .secret/1/30
extracting: .secret/1/22
creating: .secret/s/
extracting: .secret/s/24
creating: .secret/i/
creating: .secret/3/
creating: .secret/I/
creating: .secret/D/
extracting: .secret/D/26
creating: .secret/X/
extracting: .secret/X/29
extracting: .secret/X/21
extracting: .secret/X/17
creating: .secret/Z/
creating: .secret/4/
creating: .secret/k/
creating: .secret/9/
extracting: .secret/9/36
creating: .secret/J/
extracting: .secret/J/8
creating: .secret/C/
extracting: .secret/C/4
creating: .secret/v/
creating: .secret/M/
creating: .secret/0/
extracting: .secret/0/6
creating: .secret/G/
creating: .secret/E/
extracting: .secret/E/14
creating: .secret/Q/
creating: .secret/K/
creating: .secret/5/
extracting: .secret/5/16
creating: .secret/x/
extracting: .secret/x/15
creating: .secret/l/
creating: .secret/u/
extracting: .secret/u/20
extracting: .secret/u/28
creating: .secret/L/
creating: .secret/T/
creating: .secret/w/
Guessing part
Here we can see some directories named as letters or numbers containing files named as numbers. We can guess that the number represents the position of the letter or number in a string, since there are no repeating numbers.
Let’s use some shell scripting to find the string:
$ find .secret -type f
.secret/D/26
.secret/0/6
.secret/V/35
.secret/9/36
.secret/d/13
.secret/E/14
.secret/e/5
.secret/x/15
.secret/2/34
.secret/z/18
.secret/B/23
.secret/N/11
.secret/N/33
.secret/N/25
.secret/N/31
.secret/5/16
.secret/j/12
.secret/j/10
.secret/U/9
.secret/C/4
.secret/1/22
.secret/1/30
.secret/s/24
.secret/F/19
.secret/F/2
.secret/F/27
.secret/R/3
.secret/R/7
.secret/J/8
.secret/S/1
.secret/X/29
.secret/X/21
.secret/X/17
.secret/u/28
.secret/u/20
.secret/p/32
$ find .secret -type f | awk -F / '{ print $3,$2 }'
26 D
6 0
35 V
36 9
13 d
14 E
5 e
15 x
34 2
18 z
23 B
11 N
33 N
25 N
31 N
16 5
12 j
10 j
9 U
4 C
22 1
30 1
24 s
19 F
2 F
27 F
3 R
7 R
8 J
1 S
29 X
21 X
17 X
28 u
20 u
32 p
$ find .secret -type f | awk -F / '{ print $3,$2 }' | sort -n
1 S
2 F
3 R
4 C
5 e
6 0
7 R
8 J
9 U
10 j
11 N
12 j
13 d
14 E
15 x
16 5
17 X
18 z
19 F
20 u
21 X
22 1
23 B
24 s
25 N
26 D
27 F
28 u
29 X
30 1
31 N
32 p
33 N
34 2
35 V
36 9
$ find .secret -type f | awk -F / '{ print $3,$2 }' | sort -n | awk '{ print $2 }'
S
F
R
C
e
0
R
J
U
j
N
j
d
E
x
5
X
z
F
u
X
1
B
s
N
D
F
u
X
1
N
p
N
2
V
9
$ find .secret -type f | awk -F / '{ print $3,$2 }' | sort -n | awk '{ print $2 }' | tr -d \\n
SFRCe0RJUjNjdEx5XzFuX1BsNDFuX1NpN2V9
Flag
The above result looks like Base64-encoded data, so let’s decode it:
$ find .secret -type f | awk -F / '{ print $3,$2 }' | sort -n | awk '{ print $2 }' | tr -d \\n | base64 -d
HTB{DIR3ctLy_1n_Pl41n_Si7e}