We receive this beautiful image to start with.

I opened the image with my favorite hex editor, 010Editor, and I could see there is a large blob at the end of the image after the FF D9 ending of the jpg.

I extracted the blob and divided the sections that were separated by tags. There was a coppertunnel, goldtunnel, silvertunnel, and a crystal tunnel. Each section looked like base64, but the padding was at the beginning with the =. I used 010Editor’s built in Ascii reverse script to reverse the text and then 010Editor’s decode base64 script. It looked like I had backwards base64 again, so I repeated this step several times until I got a PK zip header. I did this procedure for each tunnel getting to the file before the zip file and then I used python to write the final file.

from base64 import b64decode

ci = open(coppertunnel.txt, rb).read()
co = open(copperout.zip, w)
co.write(b64decode(ci))

si = open(silvertunnel.txt, rb).read()
so = open(silverout.zip, w)
so.write(b64decode(ci))

gi = open(goldtunnel.txt, rb).read()
go = open(goldout.zip, w)
go.write(b64decode(ci))

cri = open(crystaltunnel.txt, rb).read()
cro = open(crystalout.zip, w)
cro.write(b64decode(ci))

I unzipped the files and saw that I had 4 parts of a Par archive.

treasure.vol306+306 2.par2
treasure.vol306+306 3.par2
treasure.vol306+306 4.par2
treasure.vol306+306.par2

I did some Googling and found MultiPar to work with the files. I was able to use the Repair function to restore a chest.zip file.

Chest.zip was an encrypted zip file, so I started to look for the password in the original image. I tried steghide and it outputted bards_song, which was a text file with excellent instructions that would have been helpful earlier on, and the password for the zip file.

steghide.exe extract -sf labyrinth_entrance.jpg
Enter passphrase:
wrote extracted data to “bards_song”.

Over the hills and through the grass
By dawn of light in the mountain pass
The goblins treasure awaits the steadfast
Walking in REVerse, the eye opens as you go past
A smell leads you onward, luring you to follow
At the end of each tunnel, a PARt of treasure in the hollow
Combine them to find a door hidden by rhyme
Opened once with the words “aintnobodygottime”

I was then able to unzip the chest.zip, which gave me a MachO called jareths_maze. I ran it in a VM and I was greeted with this horrifying ascii art.

I couldn’t let the clowns win, so I had to open the file in IDA. I decompiled main and there were more clowns, but the message was different.

Then I saw this demoralizing string of function names and I started to get a little freaked out.

The program printed the ascii art after going through these functions. I knew that the beginning message wasn’t correct and the ending message wasn’t correct. Each function was overwriting a character in the message and the a group of functions was being overwritten by what the b group of functions was writing.

I used IDA to jump into each function and grab the ordinal of the character that the message was supposed to be with the a functions and then I used python to convert the ordinal to the character to obtain the key.

PAN{D4nKkry5t4l}