Starting with http://youwontfind.me/

We get an excellent HTML web page with GIFs and a marquee reading “Can you find me?”

Running a Whois lookup on the domain, we find the site owner's email address.

https://www.whois.com/whois/youwontfind.me

sarah.williams.1986@yandex.com

If we do a standard web search for this email address we won’t get anything useful.

Searching social media for that same email address, we get a hit for one account on Facebook:

https://www.facebook.com/TheSarahWilliams1986

Going to that profile page and searching for clues I found these fun Facebook red herrings:

If you base64 decode the text:

PT1RZWgxMFhsNVdhaHhXUnZrMmFwZDNMbkozYnVFV2FrVkdjcHRXYTM1aWJsOXlMNk1IYzBSSGEK

You get:

==Qeh10Xl5WahxWRvk2apd3LnJ3buEWakVGcptWa35ibl9yL6MHc0RHa

Which looks like Base64-encoded data that is backwards. (== is only used at the end of standard Base64 encodings.)

Base64 decoding the reversed text

aHR0cHM6Ly9lbi53aWtpcGVkaWEub3JnL3dpa2kvRWxhaW5lX01heQ==

Gives you a web link: https://en.wikipedia.org/wiki/Elaine_May

Turns out Elaine worked as a co-writer for the Labyrinth movie.

There are a few other Base64 red herrings that all lead to trivia about the movie Labyrinth.
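
The decode, reverse, decode sequence above can be automated for the other posts as well. This is an added example, not part of the original write-up; the function name `peel` and the "leading = means reversed" heuristic are assumptions taken from the observation above.

```python
import base64

# Text copied from the Facebook post quoted above.
POST = ("PT1RZWgxMFhsNVdhaHhXUnZrMmFwZDNMbkozYnVFV2FrVkdjcHRXYTM1"
        "aWJsOXlMNk1IYzBSSGEK")


def peel(text: str, max_layers: int = 5) -> list:
    """Decode nested Base64, un-reversing any layer that starts with '='.

    Returns every layer, outermost first. Stops at the first layer that is
    not valid Base64 (for example, a plain URL).
    """
    layers = [text.strip()]
    for _ in range(max_layers):
        current = layers[-1]
        # Padding can only appear at the end of standard Base64, so a
        # leading '=' means the string was written backwards.
        if current.startswith("="):
            current = current[::-1]
        try:
            raw = base64.b64decode(current, validate=True)
            decoded = raw.decode("ascii").strip()
        except ValueError:  # covers binascii.Error and UnicodeDecodeError
            break
        layers.append(decoded)
    return layers


if __name__ == "__main__":
    for depth, layer in enumerate(peel(POST)):
        print(depth, layer)
```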

On the Facebook profile we see posts about learning Python via Codecademy and cross-posts to Tumblr about encryption:

https://sarahwilliams1986.tumblr.com/

On the Facebook profile under About -> Overview and About -> Contact and Basic Info, we find a Twitter account: https://twitter.com/1986_SWilliams where we find the same cross-posts about encryption.

On the Twitter page, we see a link to Sarah’s LinkedIn account.

https://www.linkedin.com/in/sarahw1986/

Sarah has interests in Acting, Python, and Cryptography per her LinkedIn account.

With these clues we can assume that the PAN{} key is hidden somewhere using encryption and there is probably a Python script to decrypt it.

Looking at Sarah’s employment history she states that she is a Self-Employed Coder and has posted a media link on Stack Exchange under the username “babytoby”.

https://stackexchange.com/users/10581007/babytoby

Searching through the Stack Exchange profile under “activity” we see that “babytoby” has posted a question about a Python script not working:

http://stackoverflow.com/questions/43807871/python-script-isnt-working

The account “babytoby” has posted some encryption code that is currently broken, but taking the advice of some of the replies and a little debugging, we can get the code into a workable state.

The script requires a string to encrypt and an 8-character key, and outputs an uppercase hexadecimal string.

Checking the original HTML source of youwontfind.me, there is a comment that contains all-uppercase hexadecimal ASCII:

<642C740D0C297E3A5E1B4D6A70346C24175D56485F7F2B3C0E1F1C6D716F3C2013095B405B2C2F385D491C62763930231A560E13507879390B414E36216B327C1A065E42022C2032>

We’ll try to decrypt the text between the comment tags.

Analyzing the code on Stack Exchange, we can see it XORing the 8 bytes of the key against the input string. The output is immediately reversed before being returned to the user.

Since we know that the challenge keys are prefixed with “PAN{”, let’s try to XOR that against the reversed comment data.

(0x32) XOR P = b

(0x20) XOR A = a

(0x2C) XOR N = b

(0x02) XOR { = y

I think we’re on the right track, so let’s use the Stack Overflow username “babytoby” as the password.

Trying out the cleaned-up script, I used a test string of “PAN{AAAAAAAAAAA}” and a key of “babytoby”.

This gave me the hash “4F616D43746F627938232E35|02|2C|20|32”, whose last 4 bytes match the last 4 bytes of the website comment.

Going through the encrypt script on Stack Overflow, I started picking out variable names that looked unique and began searching Google for them to see if there were any other posts or solutions about this code.

One variable “new_ct” had several hits that were promising:

The 4th search hit directed me to some CTF solutions from last year.

http://researchcenter.paloaltonetworks.com/2016/09/labyrenth-capture-the-flag-ctf-threat-track-solutions/

Searching for “new_ct” on this page took me to some code that looked like the broken code on Stack Overflow. Not only was it the same encrypt function, but there’s a decrypt function as well.

Modifying the code to use our comment hash we can get this information back.

This looks promising: there is a “}” at the end of the string next to the “@@@” padding we saw in the original encryption code. That tells me this code is decrypting it to the form we need.

It appears that the decrypt code truncates the first 8 bytes of the key with “????????”. That’s okay because we already guessed the original password.

Since the original hash is in reverse order, let’s just XOR the last 8 bytes of the hash with “babytoby” to give us the first 8 chars of the decrypted version.

642C740D0C297E3A5E1B4D6A70346C24175D56485F7F2B3C0E1F1C6D716F3C2013095B405B2C2F385D491C62763930231A560E13507879390B414E36216B327C|1A|06|5E|42|02|2C|20|32

(0x32) XOR b = P

(0x20) XOR a = A

(0x2C) XOR b = N

(0x02) XOR y = {

(0x42) XOR t = 6

(0x5e) XOR o = 1

(0x06) XOR b = d

(0x1A) XOR y = c

Combining that with the key we already decoded we can submit our answer key:

PAN{61dcf45c4ba9286f2edf9f7e2d0def096b903541600624c299a731b8520bdedf}
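
The cipher logic walked through above, reconstructed in Python as an added example; it is not the Stack Overflow code or the code from the earlier CTF solutions. The chaining rule (each 8-byte block after the first is XORed with the previous ciphertext block, reversed) and the `@` padding are inferred from the hex values shown on this page, and the function names are illustrative.

```python
# Added example: chained XOR scheme reconstructed from this write-up's values.
BLOCK = 8  # key length stated in the write-up
COMMENT_HEX = (  # hex string from the HTML comment on youwontfind.me
    "642C740D0C297E3A5E1B4D6A70346C24175D56485F7F2B3C"
    "0E1F1C6D716F3C2013095B405B2C2F385D491C6276393023"
    "1A560E13507879390B414E36216B327C1A065E42022C2032"
)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(plaintext: str, key: str) -> str:
    data = plaintext.encode()
    data += b"@" * (-len(data) % BLOCK)   # "@" padding, as noted in the write-up
    k, out = key.encode(), b""
    for i in range(0, len(data), BLOCK):
        block = xor(data[i:i + BLOCK], k)
        out += block
        k = block[::-1]                   # next key = this ciphertext block, reversed
    return out[::-1].hex().upper()        # whole output is reversed before returning


def decrypt(hex_ct: str, key: str = "") -> str:
    """Decrypt; with no key the first block is shown as '?' placeholders."""
    data = bytes.fromhex(hex_ct)[::-1]    # undo the final reversal
    k, out = key.encode(), b""
    for i in range(0, len(data), BLOCK):
        block = data[i:i + BLOCK]
        out += xor(block, k) if k else b"?" * len(block)
        k = block[::-1]                   # later keys come from the ciphertext itself
    return out.decode()


def recover_key_prefix(hex_ct: str, known: str) -> str:
    """XOR known plaintext (up to 8 chars) against the first block."""
    first = bytes.fromhex(hex_ct)[::-1][:len(known)]
    return xor(first, known.encode()).decode()


if __name__ == "__main__":
    print(recover_key_prefix(COMMENT_HEX, "PAN{"))
    print(decrypt(COMMENT_HEX))
    print(decrypt(COMMENT_HEX, "babytoby"))
```

Calling `decrypt(COMMENT_HEX)` with no key reproduces the “????????” prefix described above: only the first block depends on the password, so the known “PAN{” prefix is enough to start recovering it.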