RIMO -- MASTER BOOT RECORD (IP)





Table of Contents: Beginning, BBS, Gopher, FTP, POP3 & SMTP, IRC, End


Introduction

Each MBR album comes with a bonus track locked behind a CTF (Capture the Flag) challenge. As of January 16th, 2025, there are a total of five different CTFs. This entry only goes over IP-CTF.


Tags

Image Stegano

Base64

AES-256

Hexadecimal

ASCII Code


BBS

Gopher

FTP

POP3

SMTP

IRC


Retro


Beginning

IP-CTF starts here.


087 101 108 099 111 109 101 032 098 097 099 107 032 097


103 097 105 110 032 119 104 101 114 101 032 105 116 032


097 108 108 032 098 101 103 097 110 013 010 079 112 101


110 032 097 114 101 032 116 104 101 032 112 111 114 116


115 046 032 083 101 114 118 105 099 101 115 032 097 108


108 032 115 116 097 114 116 101 100 046 013 010 075 110


111 099 107 032 097 116 032 101 118 101 114 121 032 100


111 111 114 032 097 110 100 032 103 114 097 098 032 116


104 101 032 109 105 115 115 105 110 103 032 115 116 114


105 110 103 115 013 010 080 117 116 032 116 104 101 109


032 105 110 032 097 032 114 111 119 032 097 110 100 032


099 114 097 099 107 032 116 104 101 032 099 111 100 101


032 116 111 032 119 105 110 013 010 013 010 083 099 097


110 110 105 110 103 032 099 108 111 115 101 032 116 104


101 032 102 105 108 101 115 032 109 097 121 032 114 101


118 101 097 108 032 115 111 109 101 032 116 104 105 110


103 115 013 010 068 097 116 097 032 121 111 117 032 099


097 110 039 116 032 104 101 097 114 046 032 068 097 116


097 032 121 111 117 032 099 097 110 039 116 032 115 101


101 046 013 010 083 099 097 116 116 101 114 101 100 032


097 114 101 032 116 104 101 032 099 108 117 101 115 032


097 108 108 032 097 114 111 117 110 100 032 116 104 101


032 100 105 115 107 013 010 083 111 109 101 032 097 114


101 032 105 110 032 112 108 097 105 110 032 115 105 103


104 116 032 115 111 109 101 032 121 111 117 032 110 101


101 100 032 116 111 032 116 104 105 110 107 013 010 013


010 067 104 101 099 107 032 121 111 117 114 032 109 097


105 108 032 102 111 114 032 109 101 115 115 097 103 101


115 044 032 108 111 103 032 111 110 032 073 082 067 013


010 070 101 101 108 105 110 103 032 111 108 100 032 097


108 114 101 097 100 121 063 032 079 104 032 073 032 098


101 116 032 121 111 117 032 100 105 100 046 013 010 089


111 117 032 119 105 108 108 032 110 101 101 100 032 115


111 109 101 032 116 111 111 108 115 044 032 108 111 111


107 032 097 114 111 117 110 100 032 102 111 114 032 104


097 099 107 115 013 010 084 097 108 107 032 119 105 116


104 032 097 108 108 032 116 104 101 032 100 097 101 109


111 110 115 032 104 105 100 105 110 103 032 105 110 032


116 104 101 032 100 097 114 107 013 010 013 010 078 111


119 032 100 111 110 039 116 032 098 101 032 097 102 114


097 105 100 046 032 073 116 039 115 032 097 032 115 105


109 112 108 101 032 103 097 109 101 046 013 010 065 108


108 032 121 111 117 032 110 101 101 100 032 097 114 101


032 109 101 109 111 114 105 101 115 032 098 117 114 105


101 100 032 105 110 032 121 111 117 114 032 098 114 097


105 110 013 010 070 111 114 032 105 116 039 115 032 105


110 032 116 104 101 032 112 097 115 116 032 119 104 101


114 101 032 121 111 117 032 110 101 101 100 032 116 111


032 115 116 097 114 116 013 010 083 117 114 102 105 110


103 032 108 105 107 101 032 097 032 112 105 114 097 116


101 046 032 073 032 119 105 115 104 032 121 111 117 032


103 111 111 100 032 108 117 099 107 046



DAEMONS


21/TCP/FTP


23/TCP/TELNET/BBS


25/TCP/SMTP


70/TCP/GOPHER


80/TCP/HTTP


110/TCP/POP3


6667/TCP/IRC


Translated (ASCII):

Welcome back again where it all began


Open are the ports. Services all started.


Knock at every door and grab the missing strings


Put them in a row and crack the code to win



Scanning close the files may reveal some things


Data you can't hear. Data you can't see.


Scattered are the clues all around the disk


Some are in plain sight some you need to think



Check your mail for messages, log on IRC


Feeling old already? Oh I bet you did.


You will need some tools, look around for hacks


Talk with all the daemons hiding in the dark



Now don't be afraid. It's a simple game.


All you need are memories buried in your brain


For it's in the past where you need to start


Surfing like a pirate. I wish you good luck.


23/TCP/TELNET/BBS

MBR's BBS can be accessed through Telnet or Syncterm 1.0.


This server is only for asking for hints. No hidden strings are found there.


70/TCP/GOPHER

Based on the messages sent by MBR in BBS, the first hidden string is in their Gopher server. Use a Gopher client/proxy such as Lynx.


The server contains a total of three files, but only welcome.txt and image.png are needed.


The first line of welcome.txt indicates that the Base64 string contains the email password used to access POP3 and SMTP. Convert the Base64 string into hex values and paste it as raw data into an empty PNG file to reveal the password: SpreadTheCode1337.


WELCOME BACK TO THE EARLY 90'S!

Transcript of image.png:

00110011 00110001 00100000 00110011 00110000 00100000 00110011


00110111 00100000 00110010 00110000 00100000 00110011 00110000


00100000 00110011 00111000 00100000 00110011 00110000 00100000


00110010 00110000 00100000 00110011 00110001 00100000 00110011


00110001 00100000 00110011 00110001 00100000 00110010 00110000


00100000 00110011 00110000 00100000 00110011 00110100 00100000


00110011 00110111 00100000 00110010 00110000 00100000 00110011


00110000 00100000 00110011 00111001 00100000 00110011 00110000


00100000 00110010 00110000 00100000 00110011 00110000 00100000


00110011 00111001 00100000 00110011 00111000 00100000 00110010


00110000 00100000 00110011 00110001 00100000 00110011 00110000


00100000 00110011 00111001 00100000 00110010 00110000 00100000


00110011 00110000 00100000 00110011 00110111 00100000 00110011


00110110 00100000 00110010 00110000 00100000 00110011 00110000


00100000 00110011 00111000 00100000 00110011 00110011 00100000


00110010 00110000 00100000 00110011 00110000 00100000 00110011


00110110 00100000 00110011 00110101 00100000 00110010 00110000


00100000 00110011 00110000 00100000 00110011 00110100 00100000


00110011 00111001 00100000 00110010 00110000 00100000 00110011


00110000 00100000 00110011 00110101 00100000 00110011 00110010


00100000 00110010 00110000 00100000 00110011 00110000 00100000


00110011 00110101 00100000 00110011 00110100 00100000 00110010


00110000 00100000 00110011 00110000 00100000 00110011 00111001


00100000 00110011 00110111 00100000 00110010 00110000 00100000


00110011 00110001 00100000 00110011 00110000 00100000 00110011


00110001 00100000 00110010 00110000 00100000 00110011 00110001


00100000 00110011 00110000 00100000 00110011 00110100


Translating the binary above gives you the first hidden string.


21/TCP/FTP

WinSCP or FileZilla is recommended for downloading the FTP files.


The FTP server can be accessed using anonymous credentials (Username: anonymous; Password: anonymous).


The file list should look something like this:

AWARDMODULARBIOS.MP3


INVITATION.ZIP


MBR.TXT


MODEM.WAV


NWOSHM.MP4


PC.RAR


RESURRECTION.MP4


SECONDREALITY.MP3


STREAMS.TXT


TRS.MID


WAREZ.ZIP


WWW.BMP


The files that stand out from the rest are WWW.BMP and MODEM.WAV, which most likely contain some form of steganography.


From BBS message board:

Some hints for the FTP files.


Hint1) Beware the cats. They can contain malware.


Hint2) Mona Lisa knows the solution.


Hint3) Don't call that phone number LOL


Hint4) Beware of red herrings!


Hint5) Google it and go for the best!


Hint #2 is further explained in another message:

Good ol Mona Lisa. She knows how to read the code hidden in the texture of reality.


This "Mona Lisa" seems to point towards a particular steganography tool. Based on a quick Google search, Xiao Steganography is most likely what the hint's referring to.


Extracted text from WWW.BMP:

nothingiseverything


Extracted text from MODEM.WAV:

Congratulations!



Here is the second part of the code:



30 38 34 20 30 38 33 20 30 35 34 20 31 30 37 20 31 31 35 20 31 31 33 20 31 30 34 20 31 32 32 20 31 31 36 20 30 35 35 20 30 39 30 20 31 31 38 20 31 31 34 20 30 38 35 20 31 31 33 20 31 30 39


Translating the hexadecimal above gives you the second hidden string.
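The messages in this challenge are space-separated character codes in binary, hex or three-digit decimal, sometimes stacked on top of each other (as in the image.png transcript and the MODEM.WAV text), so the layers can be peeled mechanically. The following is an added example, not part of the original write-up: the function names are illustrative, two samples are lines copied from this page (the start of the POP3 banner and the keygen hex line), and the stacked sample is constructed.

```python
import re

# Token shape and numeric base for each encoding seen in the challenge text.
# Token length alone tells them apart: 8 bits, 3 decimal digits, 2 hex digits.
LAYERS = [
    ("binary", re.compile(r"[01]{8}"), 2),
    ("decimal", re.compile(r"[0-9]{3}"), 10),
    ("hex", re.compile(r"[0-9A-Fa-f]{2}"), 16),
]


def peel_once(text):
    """Decode one layer. Return (layer_name, decoded_text), or None if
    the text is not a run of space-separated ASCII character codes."""
    tokens = text.split()
    if len(tokens) < 2:
        return None
    for name, pattern, base in LAYERS:
        if all(pattern.fullmatch(t) for t in tokens):
            values = [int(t, base) for t in tokens]
            # Reject anything outside 7-bit ASCII instead of guessing.
            if all(v < 128 for v in values):
                return name, "".join(chr(v) for v in values)
    return None


def peel_all(text, max_depth=8):
    """Peel stacked layers until plain text remains."""
    layers = []
    while len(layers) < max_depth:
        step = peel_once(text)
        if step is None:
            break
        layers.append(step[0])
        text = step[1]
    return layers, text


# First tokens of the POP3 banner and the keygen reply, copied from this page.
POP3_BANNER = "01010111 01100101 01101100 01100011 01101111 01101101 01100101"
KEYGEN_HEX = "53 68 61 72 70 65 6e 69 6e 67 54 68 65 42 6c 61 64 65"
# Constructed sample: "Hi" as decimal codes ("072 105"), then hex of that text.
STACKED = "30 37 32 20 31 30 35"

if __name__ == "__main__":
    for sample in (POP3_BANNER, KEYGEN_HEX, STACKED):
        print(peel_all(sample))
```

`peel_all` returns the list of layers it removed together with the final text, which makes it easy to see when a string was encoded more than once.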


110/TCP/POP3 & 25/TCP/SMTP

If you haven't found the password, refer to the Gopher section. The username can be found in the welcome message shown when connecting to the POP3 server via Telnet:

01010111 01100101 01101100 01100011 01101111 01101101 01100101 00100000


01110100 01101111 00100000 01110100 01101000 01100101 00100000 01110000


01101111 01110000 00110011 00100000 01110011 01100101 01110010 01110110


01100101 01110010 00101110 00100000 01011001 01101111 01110101 00100000


01100011 01100001 01101110 00100000 01100011 01101000 01100101 01100011


01101011 00100000 01111001 01101111 01110101 01110010 00100000 01101001


01101110 01100010 01101111 01111000 00100000 01100001 01110100 00100000


01110101 01110011 01100101 01110010 01000000 01101101 01100001 01101001


01101100 00101110 01101100 01101111 01100011 01100001 01101100


Translated (Binary):

Welcome to the pop3 server. You can check your inbox at user@mail.local


From this point on, I recommend using an email client such as Outlook or Thunderbird.


Every 30 minutes, an automated message is sent to the inbox, asking you to contact postmaster@mail.local.


POP3 mailing list

Note: Before connecting to the SMTP server, check whether your ISP blocks port 25. To circumvent the block, you can connect to your mobile hotspot. Make sure your phone has Wi-Fi disabled while doing this.


Access the SMTP server using the same credentials used to log in to POP3, then send an email to postmaster@mail.local and wait for a reply.


Auto-Reply



The postmaster is currently away from keyboard. Please ask yourself.


Send an email to yourself@mail.local and wait for a reply.


Answer from yourself



Hello! Thanks for asking yourself but apparently you still have no clue! Please contact keygen@mail.local and ask to Send You The Code.


Send an email to keygen@mail.local with "Send Me The Code" as the subject.


53 68 61 72 70 65 6e 69 6e 67 54 68 65 42 6c 61 64 65



01100110 00110010 00110100 00111001 01100010 01100010 01100111 01101001


01110000 01101000 01100010 01010011 01101011 01110110 01110111 01010001


01001010 01101010 01011000 01100011 01110000 00110010 01101101 01110110


01000110 01101011 01011001 01101110 01110010 01010100 00110101 01010111


01100101 01101110 01101010 01110110 01111000 01110101 01010100 01010100


01101100 01010100 01101011 00111101


Translated (Hex; Binary):

SharpeningTheBlade



f249bbgiphbSkvwQJjXcp2mvFkYnrT5WenjvxuTTlTk=


The Base64 string of the third hidden string can be decrypted with the key "SharpeningTheBlade" using AES-256.


6667/TCP/IRC

Install an IRC client such as mIRC or AdiIRC to gain access to the chatroom.


The final hidden string is found in the chatroom's welcome screen.


End

Combine the hidden strings based on their assigned sequence numbers to get a single AES-encrypted string. The decryption key can be found within the FTP section.


Once you have found the codeword, use it as the key to decrypt the string found on the BONUS page.