Exploit-Education Nebula Level 14

1 minute read

Exploit Education Level 14

Challenge

This program resides in /home/flag14/flag14. It encrypts input and writes it to standard output. An encrypted token file is also in that home directory, decrypt it :)

To do this level, log in as the level14 account with the password level14. Files for this level can be found in /home/flag14.

Solution

I started by analyzing the program using ghidra, but the the code output was confusing. So I started fuzzing the program. After throwing a bunch of input, I noticed some kind of repeating pattern in the encrypted output. So I made a test file to better understand the encryption.

level14@nebula:~$ cat test
ABCDEFGHIJKLMNIPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
level14@nebula:~$ ./flaf14 -e <test  >> out

The output is in out. Lets compare the files side by side using hd

level14@nebula:~$ hd test
00000000  41 42 43 44 45 46 47 48  49 4a 4b 4c 4d 4e 49 50  |ABCDEFGHIJKLMNIP|
00000010  51 52 53 54 55 56 57 58  59 5a 61 62 63 64 65 66  |QRSTUVWXYZabcdef|
00000020  67 68 69 6a 6b 6c 6d 6e  6f 70 71 72 73 74 75 76  |ghijklmnopqrstuv|
00000030  77 78 79 7a 30 31 32 33  34 35 36 37 38 39 0a 0a  |wxyz0123456789..|

level14@nebula:~$ hd out
00000000  41 43 45 47 49 4b 4d 4f  51 53 55 57 59 5b 57 5f  |ACEGIKMOQSUWY[W_|
00000010  61 63 65 67 69 6b 6d 6f  71 73 7b 7d 7f 81 83 85  |acegikmoqs{}....|
00000020  87 89 8b 8d 8f 91 93 95  97 99 9b 9d 9f a1 a3 a5  |................|
00000030  a7 a9 ab ad 64 66 68 6a  6c 6e 70 72 74 76 48 49  |....dfhjlnprtvHI|

So what the encryption does is shift every byte by an increasing offset. The first byte has offset of zero and then one and it keeps on increasing by one. Thats a crappy encryption and pretty easy to crack.
I wrote a simple python script to decrypt the token file.

offset=0
out=open("output","wb")
with open ("/home/flag14/token" ,"r") as f:
    while True:
        ch=f.read(1)
        if "\n" in ch:
            out.close()
            print ("Decrypted")
            break
        char=chr(ord(ch)-offset)
        out.write(char)
        offset+=1

Lets try running it.

level14@nebula:~$ python py
Decrypted
level14@nebula:~$ cat output
8457c118-887c-4e40-a5a6-33a25353165
level14@nebula:~$ su -l flag14
Password:
flag14@nebula:~$ getflag
You have successfully executed getflag on a target account

Solved!

You may also enjoy

Blind RCE and DNS Exfilteration

6 minute read

Description: I was doing a security testing against a web server running WebLogic. A potential RCE due to CVE-2019-2725 was reported and I was verifying it. I was following the PoC given here.

Hack The Box - Forest Writeup

8 minute read

Description: Forest is a easy level box that can be really helpful to practice some AD related attacks. Although rated as easy, it was a medium box for me considering that all attack vectors where pretty new to me.