Sunday, September 6, 2015

MMA CTF 2015 - MQAAAA (70)


MQAAAA was one of those obscure stego/misc challenges that began with a search through the various binary-to-text encodings listed on Wikipedia.

Between intuition, testing each encoding in turn, and an analysis of letter frequencies, I landed on the first layer being base64. This seemed too simple, but when I looked at the result I saw the title of the challenge sitting in the obscure output: "MQAAAA"

Base64 Decode:
$ echo 'I0B+Xk1RQUFBQT09CVVtLmJ3RFIrMXRLY0p0SCkJRHRubTZWbFRtaEtETnxyZHtLNDZFZG1DT2JXVThyYmpSSUFBQT09XiN+QA==' | base64 -D
Output:
#@~^MQAAAA== Um.bwDR+1tKcJtH) Dtnm6VlTmhKDN|rd{K46EdmCObWU8rbjRIAAA==^#~@

Okay.... We've got some base64 lookin' stuff... some non base64 lookin' stuff... lots of space, and MQAAAA== decodes to 1. Great.

After being stumped for a while, I went on the assumption that this was another type of encoding or language out there somewhere.
I noticed that this result started with #@~^ and ended with ^#~@... After staring at PHP for hours, with its opening and closing tags burnt into my retinas, I had the idea of pre/post tokens for languages fresh in my mind. So let's search for one.

On SymbolHound (a great site for searching symbols) I looked for the beginning segment: #@~^
The only result:

It's IT | softwareontwikkeling, webdevelopment, ict oplossingen op maat
#@~^FQAAAA==@#@&CCb@#@&zz O@*@#@&TQIAAA==^#~@ HaiHai HaiHai #@~^IgAAAA==@#@&CCbCmk@#@&CmrCmk@#@&JzRR@*@#@&mgUAAA==^#~@ Cute. As you can see, @#@& appears to be a newline (@#
http://itsit.nl/klaphek/scrdec.html


This leads to a post entitled "Breaking the Windows Script Encoder".
The code we're looking at after the base64 decoding is JScript (a funky version of ECMAScript used in Windows, originally for ActiveX) that has been passed through the Windows Script Encoder.

I did not read the article the search turned up. Instead, after looking up JScript on Wikipedia, I found a mention of the numerous online decryption services for encoded JScript. After some searching I didn't find one still hosted online, but I did find a C program on a site that was down at the time, yet available on the Wayback Machine.

The C file, which both encodes and decodes Script Encoder files: http://web.archive.org/web/20140209124110/http://www.virtualconspiracy.com/download/scrdec18.c


After compiling it and running it against a new file containing the base64-decoded output, we get the flag:
WScript.echo("MMA{the_flag_word_is_obfuscation}")
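As an added example (not part of the original writeup or of scrdec18.c), the two base64 fields bracketing the body can be checked against the recovered script: the 8 characters after #@~^ are a little-endian 32-bit length, and the 8 characters before ^#~@ are a little-endian 32-bit checksum that, for this sample, equals the byte sum of the plaintext. The layout and the checksum rule are inferred from the challenge data on this page; CHALLENGE_B64, RECOVERED_SCRIPT and the helper names are my own, and the rule that every '@' in the body starts a two-character escape is an assumption based on the @#@& newline seen in the search snippet. A defender triaging a suspicious encoded script can use the same check to confirm an envelope is intact before decoding it.

```python
import base64
import struct

# Sample input: the challenge's base64 blob and the plaintext scrdec recovered from it.
CHALLENGE_B64 = ("I0B+Xk1RQUFBQT09CVVtLmJ3RFIrMXRLY0p0SCkJRHRubTZWbFRtaEtETnxyZHtL"
                 "NDZFZG1DT2JXVThyYmpSSUFBQT09XiN+QA==")
RECOVERED_SCRIPT = b'WScript.echo("MMA{the_flag_word_is_obfuscation}")'

HEADER, TRAILER = b"#@~^", b"^#~@"


def parse_envelope(data: bytes) -> dict:
    """Split a Windows Script Encoder envelope into its fields.

    Layout inferred from the sample above (not from a specification):
      '#@~^' | 8 base64 chars: uint32 LE length | body |
      8 base64 chars: uint32 LE checksum | '^#~@'
    """
    start = data.find(HEADER)
    end = data.rfind(TRAILER)
    if start < 0 or end < start + len(HEADER):
        raise ValueError("no complete #@~^ ... ^#~@ envelope found")
    inner = data[start + len(HEADER):end]
    if len(inner) < 16:
        raise ValueError("too short to hold length and checksum fields")
    (length,) = struct.unpack("<I", base64.b64decode(inner[:8]))
    (checksum,) = struct.unpack("<I", base64.b64decode(inner[-8:]))
    return {"length": length, "checksum": checksum, "body": inner[8:-8]}


def body_char_count(body: bytes) -> int:
    """Plaintext bytes the body stands for. Assumption: each '@' starts a
    two-character escape (e.g. '@#@&' for a newline), so a pair counts once."""
    return len(body) - body.count(b"@")


def verify_plaintext(env: dict, plaintext: bytes) -> bool:
    """Check a candidate decoding against the declared length and checksum.
    Checksum = 32-bit sum of plaintext bytes; here that is 4749 = 'jRIAAA=='."""
    return (len(plaintext) == env["length"]
            and body_char_count(env["body"]) == env["length"]
            and (sum(plaintext) & 0xFFFFFFFF) == env["checksum"])


def challenge_envelope() -> dict:
    return parse_envelope(base64.b64decode(CHALLENGE_B64))


if __name__ == "__main__":
    env = challenge_envelope()
    print(env["length"], env["checksum"], verify_plaintext(env, RECOVERED_SCRIPT))
```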