Sebastian's Blog

software developer. security enthusiast.

HACKVent 2019

HV19.08 SmileNcryptor 4.0

Sebastian

Introduction

You hacked into the system of very-secure-shopping.com and you found a SQL-Dump with $$-creditcards numbers. As a good hacker you inform the company from which you got the dump. The managers tell you that they don’t worry, because the data is encrypted.

Dump-File: dump.zip

Goal

Analyze the “Encryption”-method and try to decrypt the flag.

Hints

CC-Numbers are valid ones.

Cyber-Managers often doesn’t know the difference between encoding and encryption.

Challenge Description

The dump consistent of an MySQL dump of some tables named creditcards and flags. The interesting values, namely cc_number and flag_content were encrypted and are prefixed with :). There exists a thing called smile encoding, but this only cost me some time and didn’t got me anywhere.

After doing some analysis I found out, that the encrypted text covers a range of 39 ASCII characters, and that the ASCII values do rise.

So it turns out, that this is some sort of a rolling rotation cipher with a fixed offset of 29. The rotation offset increases by one with every character. I used the following script for analysis and decryption.

import struct

data = [
'QVXSZUVY\ZYYZ[a',
'QOUW[VT^VY]bZ_',
'SPPVSSYVV\YY_\\]',
'RPQRSTUVWXYZ[\]^',
'QTVWRSVUXW[_Z`\\b',
'SlQRUPXWVo\Vuv_n_\\ajjce'
]

chrs = []
offset = 0x4f
lowest = 100
highest = 0
for s in data:
	print(s)
	print(len(s))
	print(' '.join(hex(ord(x)) for x in s))
	offset = 29
	print(ord(s[-1]) - ord(s[0]))
	last = 0
	c = ''
	i = 1
	for x in s:
		if ord(x) < lowest:
			lowest = ord(x) 
		if ord(x) > highest:
			highest = ord(x)

		print(chr(ord(x) - offset - i), end = '')
		i += 1
	print()
	print()

print('lowest %d (%s)' % (lowest, chr(lowest)))
print('highest %d (%s)' % (highest, chr(highest)))
print('range %d' % (highest - lowest))
print('full range: %s' % ''.join(chr(x) for x in range(lowest, highest +1)))

This reveals the flag: HV19{5M113-420H4-KK3A1-19801}.

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top