TryHackMe: The Impossible Challenge Write-up

InfoSec Write-ups – Medium–

TryHackme: The Impossible Challenge Write-up

Unicode Steganography with Zero-Width Characters

Hi everyone !

Room: The Impossible Challenge

Difficulty: Medium

The name already suggests it is bit tough and time-consuming challenge for me based on cryptography/stenography. So let’s hunt for flag….

When you enter the room it looks all normal and from here trouble begins..

Challenge includes a password-protected zip file named after reviewing the zip file with strings, exiftool, binwalk etc. It contains a text file named flag.txt. So, maybe a guess that our flag is in that flag.txt file only.

I decided to go with JohntheRipper, fcrackzip, online sites to crack the password of given zip file but it’s just a waste of time nothing shows up.

Again i move on to that challenge page for grabbing some hint and noticed the given encoding which lead me to some way.

Download the file, and find the Flag!

qo qt q` r6 ro su pn s_ rn r6 p6 s_ q2 ps qq rs rp ps rt r4 pu pt qn r4 rq pt q` so pu ps r4 sq pu ps q2 su rn on oq o_ pu ps ou r5 pu pt r4 sr rp qt pu rs q2 qt r4 r4 ro su pq o5

Above is the message for us which is strongly encoded. After spending much time finally it decoded. See the snapshot given below

Message is (It’s inside the text, in front of your eyes!)

The hint doesn’t provide any exact information about the flag but mind of mine forced me to check out the source code of given webpage. So i did same scan and skim the code deeply up to 2–3 hrs. Time and hardwork pays off and found something interesting.

Look at the data row in below part of snapshot

I started searching on google about the “/ufeff” and found relevant content on this webpage. The hint came up as “Unicode Zero-Width Characters” more googling about this, introduced me a whole new topic called “Unicode Steganography with Zero-Width Characters” i.e. Text-stenography.

For same i searched on web to decode this online and finally got some helpful site. Link is here

Decoding this whole string {\ufeff‌‌Hmm‌‌‌‌‍‬‌‍‌‌‌‌‍\ufeff‌\ufeff‌‌‌‌‍\ufeff‌\ufeff‌‌‌‌‍\ufeff‍\ufeff‌‌‌‌‍‬\ufeff\ufeff‌‌‌‌‍\ufeff‌‬‌‌‌‌‍‬‍‌‌‌‌‌‌‬‌‌‌‌‌‌‍‬‬‍‌‌‌‌‍\ufeff‌\ufeff‌‌‌‌‌‬‌‌‌‌‌‌‍‬‬‌‌‌‌‌‍‬‌‍‌‌‌‌‍‬‬‌‌‌‌‌‍‬‌‍‌‌‌‌‍‬‍‍‌‌‌‌‍\ufeff‬‬‌‌‌‌‍\ufeff‌‌‌‌‌‌‍\ufeff} . Worthy output showed up

Note– It is recommended that you must use a supported web browser for the online decoder to decode. I also faced some issues regarding this that’s why.

Heading on to our zip file with password we got from above process.

Scooby do wedoo! got our flag.


It is a whole new type of stenography to me and learned that nothing is impossible taking in a positive way “Hmmpossible” XD.

Stay updated, Stay Hunting!

TryHackMe: The Impossible Challenge Write-up was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.

View original article on InfoSec Write-ups – Medium

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s