jerome-vai · July 4, 2016 17:02
diff --git a/ndh2k16_hellofriend.txt b/ndh2k16_hellofriend.txt
 # foremost hellofriend.jpg 
 => check file structure, we found a zip
 # cd output/zip/
 # file 00000226.zip 
 => try to unzip it
 # unzip 00000226.zip
 => it ask a password, but a file named WhoAmI.png can be extracted, and with some guessing find "fsociety"
 => several files extracted : 
  inflating: WhoAmI.png              
   creating: Hello_friend/
   creating: Hello_friend/0/
 [00000226.zip] Hello_friend/0/64.png password: 
  inflating: Hello_friend/0/64.png   
   creating: Hello_friend/1/
  inflating: Hello_friend/1/61.png   
   creating: Hello_friend/2/
  inflating: Hello_friend/2/72.png   
   creating: Hello_friend/3/
  inflating: Hello_friend/3/6b.png   
   creating: Hello_friend/4/
  inflating: Hello_friend/4/63.png   
   creating: Hello_friend/5/
  inflating: Hello_friend/5/30.png   
   creating: Hello_friend/6/
  inflating: Hello_friend/6/64.png   
   creating: Hello_friend/7/
  inflating: Hello_friend/7/65.png   
   creating: Hello_friend/8/
  inflating: Hello_friend/8/IsItReal.jpg  ( => troll)
   creating: Hello_friend/9/
  inflating: Hello_friend/9/3xploits.jpg  
  
 => check "Hello_friend/9/3xploits.jpg" 
 # cd  Hello_friend/9/
 # foremost 3xploits.jpg 
 => find another zip but protect with password (again) so check other file
 => we find filename 64 61 72 6b 63 30 64 65 seems to be HEX code and we find "darkc0de"
 => darkc0de it's a famous wordlist, so download it
 => launch a dictionary attack on zip
 # fcrackzip -D -p darkc0de.lst -u 00000363.zip 


 PASSWORD FOUND!!!!: pw == How do you like me now?
 # unzip -P 'How do you like me now?' 00000363.zip 
 Archive:  00000363.zip
  inflating: d3bug.png               

 => Open d3bug.png file and get flag
	# foremost hellofriend.jpg
	=> check file structure, we found a zip
	# cd output/zip/
	# file 00000226.zip
	=> try to unzip it
	# unzip 00000226.zip
	=> it ask a password, but a file named WhoAmI.png can be extracted, and with some guessing find "fsociety"
	=> several files extracted :
	inflating: WhoAmI.png
	creating: Hello_friend/
	creating: Hello_friend/0/
	[00000226.zip] Hello_friend/0/64.png password:
	inflating: Hello_friend/0/64.png
	creating: Hello_friend/1/
	inflating: Hello_friend/1/61.png
	creating: Hello_friend/2/
	inflating: Hello_friend/2/72.png
	creating: Hello_friend/3/
	inflating: Hello_friend/3/6b.png
	creating: Hello_friend/4/
	inflating: Hello_friend/4/63.png
	creating: Hello_friend/5/
	inflating: Hello_friend/5/30.png
	creating: Hello_friend/6/
	inflating: Hello_friend/6/64.png
	creating: Hello_friend/7/
	inflating: Hello_friend/7/65.png
	creating: Hello_friend/8/
	inflating: Hello_friend/8/IsItReal.jpg ( => troll)
	creating: Hello_friend/9/
	inflating: Hello_friend/9/3xploits.jpg

	=> check "Hello_friend/9/3xploits.jpg"
	# cd Hello_friend/9/
	# foremost 3xploits.jpg
	=> find another zip but protect with password (again) so check other file
	=> we find filename 64 61 72 6b 63 30 64 65 seems to be HEX code and we find "darkc0de"
	=> darkc0de it's a famous wordlist, so download it
	=> launch a dictionary attack on zip
	# fcrackzip -D -p darkc0de.lst -u 00000363.zip


	PASSWORD FOUND!!!!: pw == How do you like me now?
	# unzip -P 'How do you like me now?' 00000363.zip
	Archive: 00000363.zip
	inflating: d3bug.png

	=> Open d3bug.png file and get flag