After some examination of the disassembly, I determined that this was a symmetric-key encryption algorithm in which the message is simply XORed with the key. The key is constructed by XORing the 8 bytes that the server sends at the beginning of the interaction with the string "_hackme_". This yields an 8-byte key, which is XORed Vigenère-style (repeating every 8 bytes) along the length of the string we want to send. The request we want to send is 'FlagRequest:omkesey' concatenated with 4 bytes that the server sends, a null byte, and an underscore (the beginning of _hackme_, which is next on the stack). Once we encrypt it, we send it to the server and receive 50 bytes back. We then decrypt the response in the same fashion as we encrypted our request, and out pops the answer: "Hire_m3_mister_U". The script below implements the functionality of ctf.exe.
```python
import socket

s = socket.socket()
s.connect(('159.253.22.174', 3137))
data = s.recv(17)      # 17-byte banner, not used
key = s.recv(8)        # the 8 bytes the server sends for the key
linefeed = s.recv(2)   # line ending, not used
extra = s.recv(4)      # 4 bytes that must be echoed back in the request
hack = b'_hackme_'

# These lines create the XOR key for later use: server bytes XOR "_hackme_"
newkey = bytes(k ^ h for k, h in zip(key, hack))

# This is the string we will encrypt
request = b'FlagRequest:omkesey' + extra + b'\x00_'

# And now we encrypt it, byte i XORed with newkey[i % 8]
answer = bytes(request[i] ^ newkey[i % 8] for i in range(len(request)))
# Rest of "_hackme_" that follows on the stack is sent as-is
answer += b'hackme_'

# Send the encrypted string
s.sendall(answer)

# Receive the response (this is encrypted)
ans = s.recv(50)

# Decrypt this with the same key we encrypted with
newans = bytes(newkey[i % 8] ^ ans[i] for i in range(len(ans)))

# Print the winning key
print(newans)
```

-- suntzu_II
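As an added example (not the author's script), here is the exchange described above simulated offline with a stand-in server, so the key derivation and the Vigenère-style XOR can be exercised without the real host; the banner text, the flag value and the server-side request check are constructed assumptions, not taken from ctf.exe.

```python
import os

HACK = b'_hackme_'                       # constant from the binary, per the writeup
FLAG = b'FLAG{constructed_placeholder}'  # constructed; not the real flag
BANNER = b'.' * 17                       # constructed 17-byte banner

def derive_key(server_bytes):
    """8 bytes sent by the server XOR '_hackme_' gives the 8-byte XOR key."""
    assert len(server_bytes) == 8
    return bytes(a ^ b for a, b in zip(server_bytes, HACK))

def xor_stream(data, key):
    """Repeating-key XOR; it is its own inverse, so it both encrypts and decrypts."""
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(data))

def build_request(extra):
    """Plaintext the client must send: fixed tag, the 4 echoed bytes, a null, '_'."""
    assert len(extra) == 4
    return b'FlagRequest:omkesey' + extra + b'\x00_'

class FakeServer:
    """Stand-in for the server side of ctf.exe, following the writeup's description."""
    def __init__(self, nonce=None, extra=None):
        self.nonce = nonce or os.urandom(8)
        self.extra = extra or os.urandom(4)
        self.key = derive_key(self.nonce)

    def hello(self):
        # 17-byte banner, 8 key bytes, 2-byte line ending, 4 extra bytes
        return BANNER + self.nonce + b'\r\n' + self.extra

    def handle(self, msg):
        # The first 25 bytes are encrypted; the trailing 'hackme_' is stack residue
        plain = xor_stream(msg[:25], self.key)
        body = FLAG if plain == build_request(self.extra) else b'bad request'
        return xor_stream(body.ljust(50, b'\x00'), self.key)  # always 50 bytes

def client(server):
    """Same steps as the script above, against the fake server."""
    hello = server.hello()
    nonce, extra = hello[17:25], hello[27:31]
    key = derive_key(nonce)
    msg = xor_stream(build_request(extra), key) + b'hackme_'
    reply = server.handle(msg)
    return xor_stream(reply, key).rstrip(b'\x00')

if __name__ == '__main__':
    print(client(FakeServer()))
```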