blog.ferling.eu by Benedikt Ferling


 

exploit-exercises.com/nebula -- Level 14

Problem

  1. Using a custom encryption method.

This level involves a bit of reverse engineering. It also gives a tiny introduction to encryption, although the example is trivial.

Exploit

In cryptanalysis one approach is to look for a possible weakness, assume that a custom method to break the cipher will work, and then check whether that method actually works for this particular key. If it does, be happy; if not, look for another method.
This encryption algorithm was very simple to crack. Just execute /home/flag14/flag14 -e and type ABCDEFG. The output is ACEGIKM. So:

Position n   Input p   Output e   Description
0            A         A          nothing happened
1            B         C          added 1 to the ASCII code
2            C         E          added 2 to the ASCII code
3            D         G          added 3 to the ASCII code
4            E         I          added 4 to the ASCII code
5            F         K          added 5 to the ASCII code
6            G         M          added 6 to the ASCII code

Let p = p_0 p_1 p_2 … be the plaintext and c = c_0 c_1 c_2 … be the ciphertext. The encryption function looks like: c_n = e(p_n) = p_n + n

Assuming that e is the encryption function, one can continue. Now one needs the inverse function e^-1, so that e^-1(e(p_n)) = p_n. This is given by: e^-1(c_n) = c_n - n

So one just subtracts n from the nth character in order to decrypt the ciphertext. The following is a simple C program that decrypts the token. Note: there are no boundary checks; it just works for this token:

#include <stdio.h>

int main(void){
    int i;
    /* Ciphertext of the token, as produced by /home/flag14/flag14 -e */
    const char *a = "857:g67?5ABBo:BtDA?tIvLDKL{MQPSRQWW.";
    /* Undo the position-dependent shift: the nth character had n added to it */
    for(i = 0; a[i] != '\0'; i++)
        printf("%c", a[i] - i);
    printf("\n");
    return 0;
}

You can then log in as flag14 with that password and execute getflag.
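The chosen-plaintext reasoning above (feed ABCDEFG in, read ACEGIKM out, conclude c_n = p_n + n, invert it) carried through in code, as an added example. This is neither the level's binary nor the author's program: shift_encrypt only models the observed behaviour, recover_shifts and shifts_match_position perform the known-pair step for an arbitrary probe string, and shift_decrypt applies the inverse to a ciphertext of any length instead of a hard-coded 36 bytes. All function names are assumptions of this example; the token string is the one from the write-up.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not the level's binary or the author's code): a model of the
 * position-dependent shift observed above, c[n] = p[n] + n, plus the
 * chosen-plaintext step that recovers that shift from one known pair. */

/* Encrypt like the observed "flag14 -e" behaviour: add the index to each byte (mod 256). */
size_t shift_encrypt(const char *plain, unsigned char *out, size_t cap) {
    size_t len = strlen(plain);
    if (len + 1 > cap) return 0;
    for (size_t n = 0; n < len; n++)
        out[n] = (unsigned char)((unsigned char)plain[n] + n);
    out[len] = 0;
    return len;
}

/* Chosen-plaintext step: with one plaintext/ciphertext pair the per-position
 * shift is simply c[n] - p[n] (mod 256). Returns the number of shifts recovered. */
size_t recover_shifts(const char *plain, const unsigned char *cipher, size_t len, int *shift) {
    for (size_t n = 0; n < len; n++)
        shift[n] = ((int)cipher[n] - (int)(unsigned char)plain[n]) & 0xff;
    return len;
}

/* Test the hypothesis from the table: shift[n] == n for every observed position. */
int shifts_match_position(const int *shift, size_t len) {
    for (size_t n = 0; n < len; n++)
        if (shift[n] != (int)(n & 0xff)) return 0;
    return 1;
}

/* Inverse: p[n] = c[n] - n (mod 256). Works for any length once the hypothesis
 * is confirmed, unlike a decryptor that hard-codes the token length. */
size_t shift_decrypt(const unsigned char *cipher, size_t len, char *out, size_t cap) {
    if (len + 1 > cap) return 0;
    for (size_t n = 0; n < len; n++)
        out[n] = (char)(unsigned char)(cipher[n] - n);
    out[len] = 0;
    return len;
}

int main(void) {
    unsigned char probe[16];
    int shift[16];
    char plain[64];

    /* 1. Chosen plaintext, as in the write-up: ABCDEFG -> ACEGIKM. */
    size_t len = shift_encrypt("ABCDEFG", probe, sizeof probe);
    printf("encrypt(ABCDEFG) = %s\n", probe);
    recover_shifts("ABCDEFG", probe, len, shift);
    printf("hypothesis c[n] = p[n] + n holds: %s\n",
           shifts_match_position(shift, len) ? "yes" : "no");

    /* 2. Apply the inverse to the token ciphertext from the write-up. */
    const unsigned char *token =
        (const unsigned char *)"857:g67?5ABBo:BtDA?tIvLDKL{MQPSRQWW.";
    shift_decrypt(token, strlen((const char *)token), plain, sizeof plain);
    printf("decrypted token: %.35s\n", plain); /* the last byte decrypts to a control character */
    return 0;
}
```

The point of recover_shifts is that a position-dependent shift with no secret key falls to a single chosen plaintext: whatever the shifts are, one probe reveals them for every position it covers, and here they turn out to be just n. A cipher worth using must remain secure even when the attacker knows plaintext/ciphertext pairs.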

Lesson / How to fix

  1. Do not use a custom encryption method!
    Use state-of-the-art encryption methods!
