Solving the "APuzzleForYou" newsletter puzzle (that one with the 6-colored image)
megatron0000 (15)

Disclaimer

Well, I wonder if this is really a tutorial... I haven't truly discovered the secret message -.-
It seems this challenge cannot be solved alone... the rest of the post explains why

Colors ? You mean characters

To start off, the challenge had this little image:

As you know, an image is represented as a list of pixels, each pixel being a point on the image.

Each pixel has 3 values: one for the amount of red color present in that point, another for the amount of green, and the last one for the amount of blue (so called RGB system).

For example, black is {0,0,0} - that is, no color at all - while pure red is {255, 0, 0} and white is {255, 255, 255}. Incidentally, each "color amount" ranges from 0 (minimum) to 255 (maximum), and that is why pure vibrant red is the way I said it is (a pixel like {120, 0, 0} is a not-so-bright red).

Well, the image we want has lots of pixels, but you can visually see that there are only 6 distinct colors. Extracting these colors, they are, in the RGB system (from left to right in the image):

{104, 109, 109}, {46, 116, 117}, {114, 98, 105}, {111, 46, 114}, {101, 112, 108}, {46, 99, 111}

Well, this has everything to do with alphanumeric characters ! As you know, a letter is just a number... in other words, a computer represents a letter by using a number (for example, letter "a" is 97, "b" is 98, ..).

Actually, not only letters, but every character is associated to a number (the hyphen "-" is 45, for instance). It gets somewhat confusing when the character is a digit... like, the digit "0" is represented by the number 48, "1" by 49, etc.

Note: if you are asking yourself why "a" is 97 and not another number, this is the ASCII character set (which defines which number corresponds to which character).

Now we can decode the message contained in the image (if we know ASCII, of course):

1041091094611611711498105111461141011121084699111
hmm.turbio.repl.co

Looks like a URL, so I accessed it...

Well, on to the URL

This is what my browser displayed when I accessed http://hmm.turbio.repl.co/:

const express = require('express');
const path = require('path')

const app = express();

const flag = process.env.FLAG;

app.get('/', (req, res) => {
  res.sendFile(path.resolve('index.js'));
});

app.get('/secret', (req, res) => {
	const username = req.headers['x-replit-user-name'];
	if (!username) {
		res.send(`I don't know who you are :(`)
		return;
	}

	const index = username
		.split('')
		.reduce((a, v) => a + v.charCodeAt(), 0)
	
	res.send(`hey ${username}, ${flag[index % flag.length]}`)
});

app.listen(3000);

Hum, looks like a webserver written in Node.js. I accessed the / route, so it returned me the contents of the index.js file of the server.

But you see there is a route for /secret... so, accessing it (http://hmm.turbio.repl.co/secret), I got:

hey megatron0000, i

Well, not surprising, since the logic that defined this result is contained in the code of the server I just showed.

If you speak javascript, you will have noticed that the server is just summing up every character of your username (remember ? every character is associated to a number, so you can "add characters") and using the result to display only one character of the string variable flag of the server (visible in the server code above). My username got me that letter i on the end of my message hey megatron0000, i

What is the flag ?

So, I want to know what is the full string flag so badly that you see this tutorial here >_<

The thing is, since each unique repl.it username yields a single character of the flag (mine was the letter i), the only way to know what all the characters of the flag are is to just have a lot of repl.it users access the same URL I did.

If you are curious, access it and tell everyone which letter you got... hopefully eventually we will have all the letters

big edit: Trying to forge a request to that URL with a custom x-replit-user-name header (the request header through which the server knows your username) does not work ¬¬' Probably this header is created by the repl.it servers themselves based on your session data, so they know if you are who you affirm you are

You are viewing a single comment. View All
a5rocks (535)

Oof I can't believe I missed a puzzle... By the way, most of these might make more sense in the context of the repl.it discord (https://repl.it/discord). And no, that's not a hint since I haven't even started, but "turbio" is a person on the discord server (and you can see the beginning of a discriminator). (This is for you @leson238 )

leson238 (1)

@a5rocks I found out discord last week when playing LoL (I mentioned in the repls https://repl.it/@leson238/Puzzle-Secret-Flag) and try to pm turbio to tell him that I found it. But I cannot reach him and he won't reply to my @ in the public channel, so it seemed that the scavenger hunt ends here. I was hoping that he somehow turn his discord account to be a bot that will reply special things when we saying the code like "open sesame" xD