Asides

Wargames.MY December 2018 – aes-ecb-magic

We’re given the source of the encryption program and notice that the padding block size is hidden.

And it’s using character “A” (0x41) as the padding.

The Flag is added to the input before encryption and there doesn’t seem to be any other leading or trailing text to the input besides the flag.

While we might not be able to retrieve the key, we can still retrieve the flag.

First we must figure out the block size.

We can start by incrementing the input size by 1 each time until a new block is generated.

We see a new block of ciphertext generated upon entering the 10th character and again at the 26th character.

Subtracting the two gives us our block length, in this case 26-10 = 16 bytes.
Since we start off with three blocks, this also gives us a little hint about the size of the flag.
3 blocks is 49 bytes; after removing our padding, the flag is 39 characters.

Because of the nature of ECB, we know that identical blocks of plaintext will give us identical blocks of ciphertext and we can use this to our advantage.

To test our theory, we start off by inputting padding of one character less than the block length.
In this case that is 15 A’s.

The 16th character slot should have been occupied by the first character of the flag when it was encrypted. So now we try different characters in that position until we receive an identical first block of ciphertext.

When we try ‘g’ the ciphertext is clearly different, but what happens when we try ‘w’?

Bingo! It’s a match, and that’s the first character of our flag. We can proceed similarly to find the next character and so forth.

Once you’ve used up your padding, you can add more padding, prepend the characters of the flag you’ve already discovered, and continue on, except that you’ll now be comparing the next block of ciphertext. Repeat until you reach the end.

A few guesses later, that question mark gives us hope that we’re nearing the end of the flag.

Flag: wgmy{–ecb_1s_n0t_th4t_s3cure_right?–}

Now you should be able to do this in a way more elegant fashion using a padbuster script. But we did what needed to be done to get the flag… even if that meant doing it manually 😛

POC:

First block of the flag
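The manual procedure above, automated as a local simulation (an added example, not the challenge's own code): the key, flag and oracle are constructed stand-ins, and because the attack depends only on ECB's per-block determinism it runs with pycryptodome's AES when installed or with a keyed per-block stand-in otherwise.

```python
import hashlib
import hmac

BLOCK = 16
PAD = b"A"  # the challenge pads with 0x41, not PKCS#7
# Constructed secrets for this local simulation (not the CTF's real key or flag).
_KEY = b"constructed-key!"
_FLAG = b"wgmy{--constructed_l0cal_flag_here--}"

try:  # real AES-ECB when pycryptodome is installed ...
    from Crypto.Cipher import AES
    def _ecb(data):
        return AES.new(_KEY, AES.MODE_ECB).encrypt(data)
except ImportError:  # ... else a keyed per-block stand-in with the same ECB shape
    def _ecb(data):
        return b"".join(hmac.new(_KEY, data[i:i + BLOCK], hashlib.sha256).digest()[:BLOCK]
                        for i in range(0, len(data), BLOCK))

def oracle(user_input):
    """Model of the challenge: encrypt(user_input || flag), 'A'-padded to a block boundary."""
    data = user_input + _FLAG
    return _ecb(data + PAD * (-len(data) % BLOCK))

def find_block_and_secret_len(enc):
    """Grow the input one byte at a time: the gap between the two ciphertext-length jumps is the block size, the first jump gives the secret length."""
    base = len(enc(b""))
    prev, jumps, n = base, [], 1
    while len(jumps) < 2:
        cur = len(enc(PAD * n))
        if cur > prev:
            jumps.append(n)
            prev = cur
        n += 1
    return jumps[1] - jumps[0], base - (jumps[0] - 1)

def recover_secret(enc, bs, secret_len):
    """Byte-at-a-time ECB recovery: leave one unknown byte at a block's end and try all 256 values for it."""
    known = b""
    for i in range(secret_len):
        pad_len = bs - 1 - (i % bs)
        blk = slice(((pad_len + i) // bs) * bs, ((pad_len + i) // bs + 1) * bs)
        prefix = PAD * pad_len
        target = enc(prefix)[blk]
        for c in range(256):
            if enc(prefix + known + bytes([c]))[blk] == target:
                known += bytes([c])
                break
        else:
            raise ValueError("no candidate matched: oracle is not ECB-shaped")
    return known
```

Because the challenge pads with a real byte ('A') rather than PKCS#7, the length probe is what tells the loop where the flag ends; without it the recovery would simply keep returning padding bytes.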


References:

https://zachgrace.com/posts/attacking-ecb/

Wargames.MY December 2018 – Business Proposal

Dear Business person ; This letter was specially selected to be sent to you . If you no longer wish to receive our publications simply reply with a Subject: of “REMOVE” and you will immediately be removed from our club . This mail is being sent in compliance with Senate bill 2516 , Title 6 , Section 301 . THIS IS NOT A GET RICH SCHEME ! Why work for somebody else when you can become rich inside 47 weeks ! Have you ever noticed how long the line-ups are at bank machines and nearly every commercial on television has a .com on in it ! Well, now is your chance to capitalize on this ! We will help you deliver goods right to the customer’s doorstep and increase customer response by 170% ! The best thing about our system is that it is absolutely risk free for you . But don’t believe us . Prof Simpson who resides in Maryland tried us and says “I was skeptical but it worked for me” ! We are licensed to operate in all states ! We IMPLORE you – act now . Sign up a friend and you’ll get a discount of 30% . God Bless ! Dear Cybercitizen ; You made the right decision when you signed up for our mailing list . If you are not interested in our publications and wish to be removed from our lists, simply do NOT respond and ignore this mail . This mail is being sent in compliance with Senate bill 2116 , Title 9 , Section 301 . This is a ligitimate business proposal . Why work for somebody else when you can become rich as few as 97 months . Have you ever noticed people love convenience plus society seems to be moving faster and faster ! Well, now is your chance to capitalize on this ! WE will help YOU deliver goods right to the customer’s doorstep & turn your business into an E-BUSINESS . The best thing about our system is that it is absolutely risk free for you ! But don’t believe us . Ms Anderson of Hawaii tried us and says “I was skeptical but it worked for me” ! We are licensed to operate in all states ! We BESEECH you – act now ! Sign up a friend and you get half off ! God Bless .

So the text is recognized as spam mail.

Simply use Spammimic to decode it:
http://www.spammimic.com/

Flag : wgmy:{spam_spam_spam}

Hackthebox Olympus Walkthrough

Initial Foothold – Crete Island

Nmap result:

Port 80 enumeration
– Dirbuster: no interesting page/directory.
– Nikto: found uncommon header xdebug 2.5.5
– Xdebug is an extension for PHP to assist with debugging and development.
– Xdebug < 2.5.5 suffers from unauthenticated OS command execution
– Exploit: https://github.com/vulhub/vulhub/blob/master/php/xdebug-rce/exp.py


Hackthebox Aragog Walkthrough


Nmap Result

FTP allows anonymous login; further enumeration reveals a “test.txt” file.
