Hack The Box / Challenges / Crypto / Call
I actually wasn’t able to complete this challenge; however, after seeing the solution, I could see I was close to it. Sharing my write-up here.
Looking at the frequency analysis of this sound file we see that 1633 Hz and 941 Hz are not used. Also, we confirm that it clearly matches the frequency tones used in DTMF.
%Fourier Transform of Sound File
%Load File
file = 'sound.wav';
[y,Fs] = audioread(file); %audioread replaces wavread, which has been removed from current Octave and MATLAB
Nsamps = length(y);
t = (1/Fs)*(1:Nsamps); %Prepare time data for plot
%Do Fourier Transform
y_fft = abs(fft(y)); %Retain Magnitude
Nhalf = floor(Nsamps/2); %Also valid when Nsamps is odd
y_fft = y_fft(1:Nhalf); %Discard Half of Points
f = Fs*(0:Nhalf-1)/Nsamps; %Prepare freq data for plot
%Plot Sound File in Time Domain
figure
plot(t, y);
xlabel('Time (s)')
ylabel('Amplitude')
title('Sound File in Time Domain')
%Plot Sound File in Frequency Domain
figure
hold on
plot(f, y_fft);
xlim([0 2000]) %Cover the DTMF high group (1209-1633 Hz) as well as the low group
xlabel('Frequency (Hz)')
ylabel('Amplitude')
title('Frequency Spectrum of Sound File')
%Mark the eight DTMF frequencies with red vertical lines
for x = [1209, 1336, 1477, 1633, 697, 770, 852, 941]
  plot([x,x],[-2000,12000],'r');
endfor
Using this online DTMF decoder and another Linux tool to ensure the decoding is correct:
multimon-ng$ ./build/multimon-ng -t wav -a DTMF ../sound.wav
multimon-ng 1.1.8
(C) 1996/1997 by Tom Sailer HB9JNX/AE4WA
(C) 2012-2019 by Elias Oenal
Available demodulators: POCSAG512 POCSAG1200 POCSAG2400 FLEX EAS UFSK1200 CLIPFSK FMSFSK AFSK1200 AFSK2400
AFSK2400_2 AFSK2400_3 HAPN4800 FSK9600 DTMF ZVEI1 ZVEI2 ZVEI3 DZVEI PZVEI EEA EIA CCIR MORSE_CW DUMPCSV
X10 SCOPE
Enabled demodulators: DTMF
DTMF: 2
DTMF: 3
DTMF: 3
DTMF: 1
DTMF: 4
DTMF: 3
DTMF: 4
DTMF: 7
DTMF: 8
DTMF: 3
DTMF: 7
DTMF: 1
DTMF: 1
DTMF: 9
DTMF: 2
DTMF: 3
DTMF: 4
DTMF: 3
DTMF: 1
DTMF: 7
DTMF: 6
DTMF: 7
DTMF: 3
DTMF: 7
DTMF: 2
DTMF: 3
DTMF: 3
DTMF: 1
DTMF: 1
DTMF: 1
DTMF: 7
DTMF: 7
DTMF: 1
DTMF: 4
DTMF: 1
DTMF: 1
DTMF: 3
In the online one, we have to provide a WAV file. We get the following 37 DTMF tones:
2 3 3 1 4 3 4 7 8 3 7 1 1 9 2 3 4 3 1 7 6 7 3 7 2 3 3 1 1 1 7 7 1 4 1 1 3
2331434783711923431767372331117714113
Converting to hex doesn’t reveal much (15 byte-codes):
00000000: 1c10 49c1 0264 3b09 b060 f648 1f81 ac ..I..d;..`.H...
One fact is that the codes 5 and 0 are not used in this sequence. Another fact is that, if we listen to the audio file, the keys are pressed in sequence with a pause between pairs of keys, except in one case. Using that time interval information between the key presses results in the following sequence:
23 31 43 47 83 71 19 23 43 17 67 37 23 31 11 7 71 41 13
21 28 39 43 75
# ? + / S G ?
If we consider an alphabet of 2*26 + 10 characters (62), that still does not contain all these codes. The maximum code value is 83.
Trying to assign a unique character to each code leads to:
23 31 43 47 83 71 19 23 43 17 67 37 23 31 11 7 71 41 13
A B C D E F G A C H I J A B K L F M O
Then I tried to crack it as a mono-alphabetic cipher, but got nowhere.
Looking further at the numbers, I tried (from a hint) a number sequence solver (alteredqualia.com) and something was intriguing: the number differences are all even.
8 12 4 36 -12 -52 4 20 -26 50 -30 -14 8 -20 -4 64 -30 -28
Looking further, we see that these are all prime numbers. Now, maybe the prime number index in a list of prime numbers could map to words? That’s the first thing that crosses my mind.
23 31 43 47 83 71 19 23 43 17 67 37 23 31 11 7 71 41 13
9 11 14 15 23 20 67 9 14 7 19 12 9 11 5 17 20 13 6
This results in: IKNOWTOINGSLIKEQTMF
23 31 43 47 83 71 19 23 43 17 67 37 23 31 11 7 71 41 13
9 11 14 15 23 20 67 9 14 7 19 12 9 11 5 17 20 13 6
I K N O W T O I N G S L I K E Q T M F
I tried that and small variations like IKNOWTOSINGLIKEDTMF, but none seemed to work. I’m missing something. It is strange that INGS is showing instead of SING.
From the description we know the flag format is HTB{PASSWORD}. However, I tried HTB{IKNOWTOSINGLIKEDTMF}, but it’s not working. I also tried HTB{IKNOWTOINGSLIKEQTMF}.
The solution was that it was a prime number cipher… leading to IKNOWTHINGSLIKEDTMF
flag…
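The prime-index mapping carried through in code, as an added example that is not part of the original write-up: each grouped code is looked up by its position in the list of primes (2 is the 1st), and that position is read as a letter with A=1. The function names are illustrative, and the code list is the grouped sequence from the page.

```python
# Added example: prime-index decoding of the grouped DTMF codes.
# Assumption: the k-th prime (2 is the 1st) stands for the k-th letter, A=1.
import string

# Grouped key presses as listed on the page (pairs split on the pauses).
CODES = [23, 31, 43, 47, 83, 71, 19, 23, 43, 17, 67, 37, 23, 31, 11, 7, 71, 41, 13]


def primes_up_to(limit):
    """Sieve of Eratosthenes: all primes <= limit, in ascending order."""
    if limit < 2:
        return []
    sieve = bytearray([1]) * (limit + 1)
    sieve[0] = sieve[1] = 0
    for n in range(2, int(limit ** 0.5) + 1):
        if sieve[n]:
            sieve[n * n :: n] = bytearray(len(range(n * n, limit + 1, n)))
    return [n for n, is_prime in enumerate(sieve) if is_prime]


def prime_indexes(codes):
    """Map each code to its 1-based position in the list of primes."""
    primes = primes_up_to(max(codes, default=0))
    index_of = {p: i for i, p in enumerate(primes, start=1)}
    missing = [c for c in codes if c not in index_of]
    if missing:
        # A non-prime code means the digit grouping (or the cipher guess) is wrong.
        raise ValueError(f"not prime: {missing}")
    return [index_of[c] for c in codes]


def decode(codes):
    """Prime index -> letter (1=A ... 26=Z); fails loudly outside the alphabet."""
    letters = []
    for code, idx in zip(codes, prime_indexes(codes)):
        if idx > 26:
            raise ValueError(f"prime {code} has index {idx}, beyond Z")
        letters.append(string.ascii_uppercase[idx - 1])
    return "".join(letters)


if __name__ == "__main__":
    for code, idx in zip(CODES, prime_indexes(CODES)):
        print(f"{code:>3} -> {idx:>2}")
    print(decode(CODES))
```

Computing the indexes instead of looking them up by hand gives 8 for 19 and 4 for 7, and the decoded string matches the solution quoted above.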