Sebastian's Blog

software developer. security enthusiast.

Hacky Easter 2019

Challenge 03: Sloppy Encryption

Sebastian

Challenge 03 gave us some sort of encrypted password and a Ruby script which was used to encrypt the password. Additionally, we got another Egg-O-Matic to turn the password into a flag. So obviously, this challenge is about decrypting the password.

K7sAYzGlYx0kZyXIIPrXxK22DkU4Q+rTGfUk9i9vA60C/ZcQOSWNfJLTu4RpIBy/27yK5CBW+UrBhm0=

require"base64"
puts"write some text and hit enter:"
input=gets.chomp
h=input.unpack('C'*input.length).collect{|x|x.to_s(16)}.join
ox='%#X'%h.to_i(16)
x=ox.to_i(16)*['5'].cycle(101).to_a.join.to_i
c=x.to_s(16).scan(/../).map(&:hex).map(&:chr).join
b=Base64.encode64(c)
puts"encrypted text:""#{b}"

So, I went backwards through the encryption code, line by line, split the chained function calls and reversed them. Since I'm not that familiar with Ruby this took me quite some time, but got me the following code:

require"base64"

input = "K7sAYzGlYx0kZyXIIPrXxK22DkU4Q+rTGfUk9i9vA60C/ZcQOSWNfJLTu4RpIBy/27yK5CBW+UrBhm0="

x = Base64.decode64(input)

#reverse c=x.to_s(16).scan(/../).map(&:hex).map(&:chr).join
x = x.scan(/./)
x = x.map(&:ord)
x = x.collect{|x|x.to_i.to_s(16)}
x = x.join.to_i(16)

#reverse x=ox.to_i(16)*['5'].cycle(101).to_a.join.to_i
funny_num = ['5'].cycle(101).to_a.join.to_i
x = x / funny_num

#reverse ox='%#X'%h.to_i(16)
x = x.to_s(16)

#reverse h=input.unpack('C'*input.length).collect{|x|x.to_s(16)}.join
x = x.scan(/../)
x = x.collect{|x|x.to_i(16)}
x = x.pack('C' * x.length)
print x

Unfortunately, this did not work for the flag, but it worked for some test phrases I encrypted using the given encryption script and then decrypted using my script. A long time of print-line debugging led me to the problem: x.to_i.to_s(16) does not pad the resulting string with a leading zero if the number is below 16, so I added x = x.collect{|x|x.length > 1 ? x : '0' + x} to correct the missing zeros.

require"base64"

input = "K7sAYzGlYx0kZyXIIPrXxK22DkU4Q+rTGfUk9i9vA60C/ZcQOSWNfJLTu4RpIBy/27yK5CBW+UrBhm0="

x = Base64.decode64(input)

#reverse c=x.to_s(16).scan(/../).map(&:hex).map(&:chr).join
x = x.scan(/./)
x = x.map(&:ord)
x = x.collect{|x|x.to_i.to_s(16)}
x = x.collect{|x|x.length > 1 ? x : '0' + x}
x = x.join.to_i(16)

#reverse x=ox.to_i(16)*['5'].cycle(101).to_a.join.to_i
funny_num = ['5'].cycle(101).to_a.join.to_i
x = x / funny_num

#reverse ox='%#X'%h.to_i(16)
x = x.to_s(16)

#reverse h=input.unpack('C'*input.length).collect{|x|x.to_s(16)}.join
x = x.scan(/../)
x = x.collect{|x|x.to_i(16)}
x = x.pack('C' * x.length)
print x

Firing up that script got me n00b_style_crypto. Egg-O-Matic took the password and gave me the QR code flag, which is he19-YPkZ-ZZpf-nbYt-6ZyD.
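
The same inversion with the byte-to-hex conversion done by pack/unpack, so the missing-zero problem described above cannot occur, plus a check that the ciphertext really is a multiple of the multiplier. This is an added example, not code from the original post or the challenge; the names sloppy_encrypt, sloppy_decrypt, hex_to_bytes and unpadded_hex are hypothetical, and the "m" pack directive is used in place of the base64 library.

```ruby
# Ciphertext from the challenge, as quoted in this post.
CIPHERTEXT = "K7sAYzGlYx0kZyXIIPrXxK22DkU4Q+rTGfUk9i9vA60C/ZcQOSWNfJLTu4RpIBy/27yK5CBW+UrBhm0="

# Multiplier used by the challenge script: the digit 5 repeated 101 times.
KEY = ("5" * 101).to_i

# Hex string -> raw bytes, left-padding to a whole number of bytes.
def hex_to_bytes(hex)
  hex = "0#{hex}" if hex.length.odd?
  [hex].pack("H*")
end

# Forward direction. Byte-exact with the challenge script when the product
# has an even number of hex digits (the original scan(/../) drops a trailing
# odd nibble instead of padding; that difference is an assumption made here).
def sloppy_encrypt(plain)
  product = plain.unpack1("H*").to_i(16) * KEY
  [hex_to_bytes(product.to_s(16))].pack("m0") # "m0" = Base64 without newlines
end

# Inverse: Base64 -> bytes -> integer -> exact division by KEY -> bytes.
def sloppy_decrypt(b64)
  raw = b64.unpack1("m")                # same codec as Base64.decode64
  product = raw.unpack1("H*").to_i(16)  # "H*" always emits two digits per byte
  quotient, remainder = product.divmod(KEY)
  raise ArgumentError, "ciphertext is not a multiple of KEY" unless remainder.zero?
  hex_to_bytes(quotient.to_s(16))
end

# Per-byte conversion without zero padding, as in the first attempt above.
def unpadded_hex(raw)
  raw.bytes.map { |b| b.to_s(16) }.join
end

if __FILE__ == $PROGRAM_NAME
  # The third ciphertext byte is 0x00, which the unpadded version shortens.
  head = CIPHERTEXT.unpack1("m")[0, 3]
  puts "unpadded: #{unpadded_hex(head)}  padded: #{head.unpack1('H*')}"
  puts sloppy_decrypt(CIPHERTEXT)
end
```

The divmod check rejects input that was truncated or altered, which plain integer division would silently round away.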
