ziotcoin is a new experimental hacker themed social token that creates an ecosystem around bug bounty rewards and reports created by Brett Buerhaus (aka ziot) As part of the launch of his new token, he created a special launch puzzle where the prize was two time locked nfts using the new charged nft protocol that contained 33k and 100k $ziot each. The solution to the puzzle has been provided below.
Solved by
The Start- The Terminal
Upon launching the puzzle website at https://launchpuzzle.ziotcoin.app/ you are greeted with a terminal input. However, no matter what you type, the terminal always returns “System Currently Disabled”. Taking a closer look at the background in the upper left corner you will find what you need to enable the terminal hidden in the shadows.
Appending “?e=1” to the end of the weblink will provide a terminal you can now interact with https://launchpuzzle.ziotcoin.app/?e=1. Right off the bat, you can type help to see what are the available commands to you.
Checking the system, you find out the Terminal is Online, but the Cameras are Offline, indicating we need to probably find a way to turn them on. Next, running “ls” command will give a place to start searching.
The home directory is found to be empty, but the garbage shows it has 6 files within it.
Taking a further look at the 6 files in the garbage gives hex dump files, that primarily seem to be garbage as the name implies.
However 2 of these files (003 and 006) upon further inspection have plaintext hidden within them that can be read when viewed in any hex viewer.
Garbage file 003 says- error heapdump login term ….. 0db5c0118bc8a68184a61fcf2[truncated] ….. checksum error md5 … rockyou
Garbage file 006 says-warning file hidden argument ls -hidden
Now that we know of the -hidden command we started looking for directories that return something new. We tried to list the contents of a higher folder using directory traversal /../ and got an error that the payload was removed.
This seemed to be doing a doing a basic regex to find and remove /../
The way around this is to wrap the pattern it is searching for with additional characters to get the correct format after the pattern is removed.
/…/./ becomes /../
After trying additional subdirectories using the command, it will say the directory does not exist, so we knew it had to be a hidden file in either the first or second level directory.
We found a hidden directory .logs with a file. The contents of the file when converted from hex to Ascii says
“[792709095] ZC has connected. <br /> [792711192] AB, TP, CK, LN, PP have disconnected.”
We tried to use these accounts as login usernames but none of them worked. It doesn’t really give us much else to use. We thought ZC might mean ZiotCoin and treated this as flavor text of no use.
Using the rockyou.txt and running md5 against each line to find the truncated md5 hash results it
md5(Me<3volleyball)= 0db5c0118bc8a68184a61fcf28191da8
Using this info, we can now login under the term account which gives us access to some new commands (specifically access to the cameras)
We now have access to the first set of visual puzzles in cameras 001, 002 and 003
Camera 003
Loading up camera 3 reveals a statue with red/yellow lights appearing with 1 of 10 unique symbols. Looking around the room you can also see a map of the world with Papua New Guinea and a picture of a man on the same wall. Some reverse google image searching will reveal this man is from the Oksapmin people of PNG. Some more digging will reveal that the Oksapmin people have a 27 body-counting system
Looking in the source page of Camera 2, you will find the snippet below
<! — a hint? →
<div class=”subtract”>-</div>
Which tells us we should be taking the difference between the Red and Yellow dot values to assign a value to each of the 10 symbols shown.
bell = 14–14 = 0
ninja = 10–9 = 1
eagle = 22–20 = 2
omega = 24–21 = 3
mountain = 15–11 = 4
sword = 15–10 = 5
moon = 12–6 = 6
raven = 17–10 = 7
knight = 20–12 = 8
castle = 15–6 = 9
Camera 002
Loading up camera 2 will reveal a scene with a car surrounded by 8 spotlights. Observing the scene for a while you will notice that the lights illuminate in a circular pattern either lighting up 1 or 2 lights at a time. There is also an occasional single red light and a full circle of green lights. This puzzle is visual morse code where the ring of green lights indicates the beginning of the sequence and a red light breaks up each segment. A single yellow light is a dot, two yellow lights is a dash and when 2 lights are skipped, that is a space. When a red light appears the next segment will always begin from the 12 o’clock position. Transcribing the full sequence results in the morse below.
…_ _/_ _…/_ _ _..//
_ _ _ _./_ _ _ _ ./.._ _ _//
._ _ _ _/…_ _/_ _ _ _ _/…_ _//
_ _ _ _./_…./…_ _//
_ _ _../.._ _ _/._ _ _ _//
._ _ _ _/.._ _ _/…../…._//
._ _ _ _/.._ _ _/…._/.._ _ _//
Which when decoded gives 7 numbers
378 992 1303 963 821 1254 1242
Looking closely at the car will reveal the word “bip” on the hood indicating these are bip39 seed word indices. (2048 words used in the creation of mnemonic seed based crypto wallets, full list here https://github.com/bitcoin/bips/blob/master/bip-0039/english.txt). Mapping the 7 words results in
connect know people joke grief original open
As further verification this is correct, the bottom right corner of the video flashes the string “b894dd847286b6b521ccf7fc33…” which is a partial hash of sha512(connect), the first bip word.
Camera 001
With Camera 3 solved, we can now turn our attention back to Camera 1. In this camera you will notice three screens flashing 1 of the 10 symbols. This sequence is 3444 in length before repeating. You can screen record to collect the data, or look at the source to pull the image sequence.
Terminal R: eoreoreoreoreoreornneeoreoreoreoreoreo…
Terminal G: bozbozbozbozbozbozncbbozbozbozbozbozbo…
Terminal B: beibeibeibeibeibeinmzbeibeibeibeibeibe…
Mapping the symbol values we learned from camera 3 to the string, you will notice every 3rd symbol is 0,1 or 2. Combined with the RGB colored wires, it is realized that this is a data stream of an image broken into its RGB components with each set of 3 images representing 1 pixel.
Terminal R: 237 237 237 237 237 237 112 237 237 237 237 237 237…
Terminal G: 036 036 036 036 036 036 190 036 036 036 036 036 036…
Terminal B: 028 028 028 028 028 028 146 028 028 028 028 028 028…
Taking a look at the source again will reveal this string
<img src=”#” height=”14" width=”82">
Which 14*82=1148 which is how many pixels of info we got from the data stream. So with the pixel info and now the picture size, the final image can be rebuilt.
This results in the command “execPrivEsc39”
User List
Running this new command logs you in as root access. This also comes with a few new commands to run.
Checking the users list gives us the next step of the puzzle.
We now have 7 users and are given an ID in ascending order, an avatar that is their picture and a username. The username just so happens to match up with the icon names from earlier that we had mapped to 0–9 numbers. The numbers used also happen to be the numbers 1–7, indicating this may be used for ordering.
2 Eagle
1 Ninja
7 Raven
6 Moon
4 Mountain
5 Sword
3 Omega
SecretNote
Now that we are under root, we now have access to the home/secretNote directory which gives us the phrase:
CT shift & ^ digest of their crime
Digest of their crime seemed to be an external reference since there was nothing in the puzzle to provide that answer since the only other data we had not used was the hidden log file. Someone referenced the movie Hackers in relation to the garbage file early on, and after a bit of googling it all fit together.
The full title of the movie is Hackers: Their Only Crime Was Curiosity, so the second half is most likely XOR Sha512(curiosity) (or Curiosity/CURIOSITY)
The log file had some initials that had not been used, and after confirming the link to the movie Hackers, the initials made more sense.
ZC (Zero Cool), AB (Acid Burn), TP (The Plague), CK (Cereal Killer), LN (Lord Nikon), PP (Phantom Phreak). This confirmed the movie was strongly tied to the puzzle.
At this point, our best guess was the 7 images somehow paired up with the 7 bip words found in camera 002. We noticed that all the Bip words were part of the song titles on the Hackers: Their Only Crime Was Curiosity: Original Motion Picture Soundtrack, so we had to find how to link them and use the information. The avatar images were linked to the artists (ie. the grip icon was the artist Squeeze) and the bip words were part of the song titles (ie. the bip word know is part of the song title Heaven Knows). The ID value turned out to be the length of the artist’s name to validate it even further that you paired up everything correctly. (ie. 7 was the length of artist Squeeze)
1. “Original Bedroom Rockers” — Kruder & Dorfmeister
2. “Cowgirl” — Underworld
3. “Voodoo People” — The Prodigy
4. “Open Up” — Leftfield (featuring John Lydon)
5. “Phoebus Apollo” — Carl Cox
6. “The Joker” — Josh Abrahams
7. “Halcyon + On + On” — Orbital
8. “Communicate” (Headquake Hazy Cloud Mix) — Plastico
9. “One Love” — The Prodigy
10. “Connected” — Stereo MCs
11. “Eyes, Lips, Body” (Mekon Vocal Mix) — Ramshackle
12. “Good Grief” — Urban Dance Squad
13. “Richest Junkie Still Alive” (Sank Remix) — Machines of Loving Grace
14. “Heaven Knows” — Squeeze
Mapping the songs/artists to avatars/bip words yielded the list below when sorted by track number.
Next we turn our attention to the code command.
This is the beginning of HTML comment code hinting at us to check the source of the webpage and we found a hidden comment in the response.
Which leads us to a new image of the-code.png found here https://launchpuzzle.ziotcoin.app/images/the-code.png
Which is a plain white image except for on the Red Bitplane 0 channel we can find hidden text. This text can be broken up into two parts: 1534 and 87aef…f66a6. Going all the way back to the start and the unused garbage files, you can search for these partial strings to find that they just so happen to exist in the garbage/002 file.
Not only does the 87aef string happen to appear 3 times, but there are exactly 1534 characters between the start of the first 87aef segment and the end of the f66a6 segment.
The next step was to determine how to use this data. It was eventually realized that CT string stands for Columnar Transposition String indicating we needed to use columnar transposition on this string prior to XORing the data. Referring back to what we found with the song list, there just so happened to be a string of 7 numbers from the symbols that could be used for the transposition ordering when sorted by song order. You can use the columnar transposition tool here with the column ordering 3 6 1 4 7 5 2 to get the corrected string of.
fd80618c27a0b3e9a7a4c36ec29287fb12fc39e873995dc75979715fc33f7881d291c1984ad971225972e99669b947eb2ab4f037399274b40cbeecbddc681767f8c175813eb4bfafb3a4d77ac6d392f90be838ae67c949d30938655eda2a2dc7c6c2d58c489865224066bbd07db853fe2eade53a7f8770f218b2ffa98b7d0333e8d523982ae6a7bab7b1c37dd7c79eef1ee82dbb618c5cd44c2c344bcf2d6cd3c384c0885f8c37365431fdc42aac47ad3eb9e9236b8560e61faaebfbc9695172fd80618c27a0b3eea7a4c16ec39587fb1cfc39b6739858c7582e715ec83f78dfd291cc984b8f71220672e99469b947eb2ab4f0376a9274b40cbeb9bddd381766fbc1748a3eb4beafb3a2d77acfd393fa0be93eae669849d30a38650fda2a2dc7c6c2d58c499865744066bbd07de953ff7aade43b7f8772f218ebffa98f7d0365e8d576982ae6a7bbe3b1c27bd7c79eef1ee82dbb678c5dd24c2c654bce2a6cd39184c1de5f8d67365467fdc57dac46fa3eb8b1236b8360e719aaebf8c9695172fd80618c7ba0b2bda7a5916ec3c087fb13fc39bd73980fc7587d715f9f3f78d2d290c6984a8c71225572e9c969b947eb2ab4f0366f9274e50cbeb9bddc691766f1c175803eb4b6afb3f2d77ac4d392f60be86bae67c949d25a386558da2a2dc7c6c2d58c1b98642e4067eed07dbb53fe2bade4307f8721f218bfffa8d07d0367e8d472982ab9a7bbb4b1c37fd7c79eef1ee82dbb638c5cd44c2c374bce286cd3c784c18b5f8c37365565fdc47eac47f23eb8e2236bd160e61daaeaa9c9695172fd80618d27a0b2eea7a4966ec2c787fb19fc39bb73985dc7592a715f9c3f7881d29091984b8071235472e9c569b947eb2ab4f0366e9274e50cbfe6bddc6e1766fdc1748f3eb4e3afb2a9d77bc1d392fa0be83fae669b49d35938650fda2a2dc7c6c2d58d4d9864244066ecd07de853fe27ade4667f8772f218ebffa8de7d0334e8d471982ab5a7bbe2b1c37bd7c79eef1ee82dbb328c5dde4c2c374bcf2b6cd29384c1815f8c37365566fdc528ac47f23eb9b6236a8660e74daaeba4c96951
Which when XORed with sha512(CURIOSITY) gives the following hex string
35 61 20 34 39 20 34 66 20 35 34 20 35 61 20 34 39 20 34 66 20 35 34 20 35 61 20 34 39 20 34 66 20 35 34 20 35 61 20 34 39 20 34 66 20 35 34 20 34 39 20 34 66 20 34 66 20 34 33 20 35 35 20 35 30 20 34 39 20 34 38 20 34 35 20 34 31 20 35 36 20 34 35 20 34 65 20 34 65 20 34 35 20 35 61 20 34 66 20 34 37 20 34 34 20 34 66 20 34 34 20 35 30 20 35 39 20 35 30 20 34 38 20 34 62 20 34 61 20 34 62 20 34 66 20 35 30 20 34 33 20 34 39 20 35 34 20 35 32 20 35 33 20 34 65 20 35 32 20 34 31 20 35 30 20 34 66 20 34 63 20 34 63 20 34 66 20 34 39 20 34 37 20 34 33 20 34 66 20 34 66 20 35 61 20 34 39 20 34 61 20 35 36 20 34 66 20 34 37 20 34 38 20 34 31 20 34 36 20 35 32 20 34 38 20 35 39 20 34 37 20 34 66 20 34 64 20 35 34 20 34 39 20 34 35 20 34 66 20 34 66 20 34 65 20 34 33 20 35 32 20 34 39 20 34 33 20 34 38 20 34 35 20 35 33 20 35 34 20 34 66 20 34 64 20 35 61 20 34 66 20 34 36 20 34 62 20 34 66 20 34 65 20 34 64 20 34 38 20 35 32 20 34 61 20 34 66 20 34 37 20 34 37 20 34 66 20 34 64 20 35 35 20 34 39 20 35 34 20 35 34 20 34 35 20 34 34 20 34 35 20 34 63 20 34 66 20 35 36 20 34 35 20 35 34 20 35 31 20 35 61 20 34 31 20 35 35 20 34 65 20 34 66 20 35 61 20 34 65 20 35 32 20 34 66 20 34 33 20 34 38 20 34 33 20 34 66 20 34 65 20 34 65 20 34 35 20 34 33 20 35 34 20 34 35 20 34 39 20 35 34 20 34 39 20 35 30 20 34 37 20 34 66 20 35 34 20 34 39 20 34 38 20 34 31 20 34 63 20 34 33 20 35 39 20 34 66 20 34 65 20 35 36 20 34 33 20 35 61 20 34 66 20 34 64 20 35 38 20 35 33 20 34 37 20 35 35 20 34 33 20 35 61 20 34 35 20 35 39 20 34 35 20 35 33 20 34 39 20 34 33 20 34 31 20 34 39 20 35 34 20 35 30 20 35 33 20 34 66 20 34 37 20 34 35 20 34 33 20 34 66 20 35 37 20 34 37 20 34 39 20 35 32 20 34 63 20 34 31 20 35 34 20 34 66 20 35 61 20 35 39 20 35 61 20 35 61 20 35 34 20 34 32 20 34 35 20 34 34 20 35 32 20 34 66 20 34 66 20 34 64 20 34 38 20 35 34 20 34 35 20 35 34 20 34 39 20 35 31 20 34 37 20 35 39 20 35 33 20 34 35 20 35 37 20 34 64 20 35 38 20 35 36 20 35 35 20 34 32 20 35 37 20 34 35 20 34 64 20 35 61 20 34 66 20 35 32 20 35 32 20 34 31 20 34 64 20 35 39 20 34 65 20 35 32 20 34 61 20 35 37 20 34 66 20 35 30 20 34 35 20 34 65 20 34 35 20 34 39 20 35 34 20 35 61 20 34 39 20 34 66 20 35 34 20 35 61 20 34 39 20 34 66 20 35 34 20 35 61 20 34 39 20 34 66 20 35 34 20 35 61 20 34 39 20 34 66
Which when converted from hex gives
5a 49 4f 54 5a 49 4f 54 5a 49 4f 54 5a 49 4f 54 49 4f 4f 43 55 50 49 48 45 41 56 45 4e 4e 45 5a 4f 47 44 4f 44 50 59 50 48 4b 4a 4b 4f 50 43 49 54 52 53 4e 52 41 50 4f 4c 4c 4f 49 47 43 4f 4f 5a 49 4a 56 4f 47 48 41 46 52 48 59 47 4f 4d 54 49 45 4f 4f 4e 43 52 49 43 48 45 53 54 4f 4d 5a 4f 46 4b 4f 4e 4d 48 52 4a 4f 47 47 4f 4d 55 49 54 54 45 44 45 4c 4f 56 45 54 51 5a 41 55 4e 4f 5a 4e 52 4f 43 48 43 4f 4e 4e 45 43 54 45 49 54 49 50 47 4f 54 49 48 41 4c 43 59 4f 4e 56 43 5a 4f 4d 58 53 47 55 43 5a 45 59 45 53 49 43 41 49 54 50 53 4f 47 45 43 4f 57 47 49 52 4c 41 54 4f 5a 59 5a 5a 54 42 45 44 52 4f 4f 4d 48 54 45 54 49 51 47 59 53 45 57 4d 58 56 55 42 57 45 4d 5a 4f 52 52 41 4d 59 4e 52 4a 57 4f 50 45 4e 45 49 54 5a 49 4f 54 5a 49 4f 54 5a 49 4f 54 5a 49 4f
And when converted one more time from hex gives
ZIOTZIOTZIOTZIOTIOOCUPIHEAVENNEZOGDODPYPHKJKOPCITRSNRAPOLLOIGCOOZIJVOGHAFRHYGOMTIEOONCRICHESTOMZOFKONMHRJOGGOMUITTEDELOVETQZAUNOZNROCHCONNECTEITIPGOTIHALCYONVCZOMXSGUCZEYESICAITPSOGECOWGIRLATOZYZZTBEDROOMHTETIQGYSEWMXVUBWEMZORRAMYNRJWOPENEITZIOTZIOTZIOTZIO
Which just so happens to be 256 characters and can be converted to a 16x16 text grid as indicated by the first and last characters being ZIOT repeated (and 16 length)
The Wordsearch
Once we have made our grid, we begin to notice some obvious words jump out like HEAVEN and GRIEF. These words are also words from the song titles from the OST we found earlier. Digging further it is noticed that one word from all 14 songs can be found in the grid.
Noticing that none of the words intersected with each and seemed to be uniquely placed led to gathering the data before and after each found word which results in the final solution message.
THE ANSWER IS GIVE ME THE ZIOTCOIN. And entering this final string into the terminal gave the final win message to contact ziot to claim the prize.
We’d like to give a big thanks to ziot for taking the time to build this puzzle and are excited to see what he brings next to the merging of the hacking and crypto worlds.