
Let's begin with the files we've been given, [Doe a deer.pdf](https://file.io/fXhyPu7eEucb) and tune_700.mp3.

Let's get started by analyzing the files. A quick look at the pdf file reveals that it is a Music Sheet Cipher. Cool. Let's see whether there's a deciphering tool available online. A quick Google search for "Music Sheet cipher decoding tool" takes us to [dcode.fr](https://www.dcode.fr/music-sheet-cipher). I tried decoding it, but the tool gave me gibberish. As it turns out, it wasn't Music Sheet Cipher to begin with. What was it then? Let's go back to our old pal Google and search for Music Sheet Ciphers. The second result from the top leads to [this website](https://wmich.edu/mus-theo/solfa-cipher), which is a Solfa Cipher online encoding tool. Let's try encoding something and check whether the result matches the ciphertext we've been given.

Hmm. It does in a way. Let's play about with it a little and see if we can come up with a ciphertext that's similar to the pdf one. I couldn't do it. However, we're certain it's Solfa Cipher now. Cool. Let's find an online decoder and get the flag. Child's play right? But guess what? There's no online decoding tool for it ;). We will have to decipher it manually.

Back to Google, I found [this writeup](https://www.deepcode.ca/index.php/2017/06/10/the-solfa-cipher-nsec17-write-up/) from 2017 which states `Each note is linked to the seven pitches of the solfege, i.e. Do (D), Re (R), Mi (M), Fa (F), Sol (S), La (L) and Si(T).`

![Figure 1](https://i.imgur.com/52MCTOy.png)
Figure 1

The columns represent the pitch, while the rows represent the time units for each note (1, 2, 3 or 4). The writeup mentions that the key is defined using a clef, a tonic, a mode and a rhythmic unit. These 4 elements, when combined, generate a key which can be used for both encryption and decryption. We know that the first line of the pdf is the key used for encryption, which means we can figure out the settings of the 4 elements. I tried multiple settings on [this website](https://wmich.edu/mus-theo/solfa-cipher/secrets/) to see if I could get the same key as we have. Luckily, with Treble as the Clef, C as the tonic, Major as the Mode, and Eighth as the rhythmic unit I was able to get the original key back.

![Figure 2](https://i.imgur.com/pEaQL6o.png)
Figure 2

The given key specifies a _1/8_ rhythm, so an [Eighth](https://en.wikipedia.org/wiki/Eighth_note) note is worth 1 time unit, a [Quarter](https://en.wikipedia.org/wiki/Quarter_note) note is worth 2 time units and the [half note](https://en.wikipedia.org/wiki/Half_note) is worth 4 time units. After studying a little bit of music theory I was able to figure out that a `.` with a music note meant n+1 time units. At this point, I had a good understanding of how the Solfa cipher worked, but I wasn't sure what the z-like looking note signified, so I asked the admin about it, and he answered that it's a buffer character worth 2 time units.

Using the Key, we can write out the correct scale with its associated solfege syllables (Do, Re, Mi, Fa, So, La, Ti) and divide up the rhythms into counts of four 8th notes. The first downbeat is always '1'. Let's start mapping the counts onto the pdf. I have tried to explain the mapping process in the following diagram.

![Figure 3](https://i.imgur.com/1StKKZn.png)
Figure 3

Okay, so we're done with the hard part; now we just need to know the alphabet equivalents of all the solfege syllables. We can easily find them on Google.

![Figure 4](https://i.imgur.com/BmYc4JT.png)
Figure 4

We have got all we need to decrypt the ciphertext. Let's begin the process.

![Figure 5](https://i.imgur.com/QQ924Og.png)
Figure 5

After applying the above process on all of the ciphertext, you'll end up with:

`R,1 M,1 F,3 F,1 T,1 D,3 D,3 R,4 F,3 T,1 F,3 R,1 M,3 M,1 T,4 S,1 M,4 T,1 D,1 D,1 T,1 M,4 T,1 L,3 R,1 T,4 S,1 F,3 R,4 F,3 T,3 F,1 R,1 R,3`

Using the table in Figure 1, we decode it to the following plaintext:

`iamsorrymomihavegottogolivemymusic`
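
The counting and lookup steps above, as an added Python example (not code from the original writeup). It tracks the count at which each note starts within groups of four 8th notes and looks up the (pitch, count) pair; the table holds only the 15 cells that can be read off the pair list and plaintext on this page, and `REST`, the function names and the sample note sequence are assumptions constructed for illustration.

```python
# Added example: Solfa decoding as described in this writeup (1/8 rhythmic unit).
# Durations are in time units: eighth=1, quarter=2, dotted quarter=3, half=4.
REST = "z"  # hypothetical token for the buffer (rest) character, worth 2 units

# (pitch, count) -> letter. Only the 15 cells recoverable from the pair list and
# plaintext on this page are filled in; the other cells of Figure 1 are omitted.
TABLE = {
    ("D", 1): "t", ("R", 1): "i", ("M", 1): "a", ("F", 1): "s",
    ("S", 1): "e", ("T", 1): "o",
    ("D", 3): "r", ("R", 3): "c", ("M", 3): "h", ("F", 3): "m",
    ("L", 3): "l", ("T", 3): "u",
    ("R", 4): "y", ("M", 4): "g", ("T", 4): "v",
}

def to_pairs(notes, counts_per_group=4):
    """Turn [(pitch, duration), ...] into [(pitch, count), ...].

    The count is the position (1..4) at which a note starts inside a group
    of four 8th notes; the first downbeat is 1. Rests only advance time.
    """
    elapsed, pairs = 0, []
    for pitch, duration in notes:
        if duration < 1:
            raise ValueError(f"bad duration for {pitch}: {duration}")
        if pitch != REST:
            pairs.append((pitch, elapsed % counts_per_group + 1))
        elapsed += duration
    return pairs

def decode(pairs):
    """Look each (pitch, count) pair up; cells missing from TABLE become '?'."""
    return "".join(TABLE.get(pair, "?") for pair in pairs)

def parse_pairs(text):
    """Parse the 'R,1 M,1 F,3' notation used in this writeup."""
    return [(p, int(c)) for p, c in (tok.split(",") for tok in text.split())]

# Constructed note sequence (not transcribed from the challenge PDF).
SAMPLE_NOTES = [("R", 4), ("M", 2), ("F", 4), (REST, 2), ("F", 4), ("T", 2)]

if __name__ == "__main__":
    print(decode(to_pairs(SAMPLE_NOTES)))
```
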

We have the plaintext but no idea what to do with it. Let's have a look at the tune_700.mp3 file. Running the `strings` command on it yields a [Google Drive link](https://drive.google.com/uc?export=download&id=1SR0Ztj6QpZlu39q28W0OBBDWJrDMTujB) that leads to another pdf.

It's a password-protected PDF document. Perhaps the plaintext we obtained is the pdf's passcode? Let us give it a go. And, voila! We have got the flag.

![Figure 6](https://i.imgur.com/STf5jpT.png)
Figure 6

hax.3xploit (Oct. 5, 2021, 4:39 p.m.)

noice


crypt0ace (Oct. 5, 2021, 5:43 p.m.)

Very well done!


GopherSploit (Oct. 10, 2021, 6:25 a.m.)

<3