Hello,
I wanted to play a bit.
I randomly chose to play Abraxas Wargame which was especially made for HES (Hackito Ergo Sum) 2011.
First, you'll need to get it:
http://www.overthewire.org/wargames/abraxas/
And the only (sufficient) clues you got:
http://agent7a69.blogspot.fr/
Ok, now to the game.
For the first level, you got 4 clues in the post concerning it:
"From his design documents, I've been able to gather that he uses XOR for performance reasons and a rolling key of only 4 ASCII characters!"
"The communications module can be acivated through "secure" connection to port 4373."
"The communications module displays a banner with lots of spaces and '#' signs in it, which should make the decryption easier."
Ok, so we have:
- XOR "encryption"
- key of 4 ASCII chars
- port 4373
- spaces or #
What I simply did was to code a network program that connect to the target and XOR the output with 0x20202020 (4 spaces then).
For the XOR, it was test and try, after some time and code tuning I realized that the indexes for the xoring were different, you had the following choices:
- one index local to the function so it is re-initialized at every function call
- two index (write and read) local to the function so it is re-initialized at every function call
- one index defined outside of the function so it keeps its state
- two index (write and read) defined outside of the function so it keeps their state
It was the last solution that worked.
When you XOR with 0x20202020, you end up with the following output:
We can deduce that the key is "dfs!", let's try! Yes, no bruteforce needed ...
This should be sufficient for you to write the code ;).
Hope you enjoyed it,
m_101
I wanted to play a bit.
I randomly chose to play Abraxas Wargame which was especially made for HES (Hackito Ergo Sum) 2011.
First, you'll need to get it:
http://www.overthewire.org/wargames/abraxas/
And the only (sufficient) clues you got:
http://agent7a69.blogspot.fr/
Ok, now to the game.
For the first level, you got 4 clues in the post concerning it:
"From his design documents, I've been able to gather that he uses XOR for performance reasons and a rolling key of only 4 ASCII characters!"
"The communications module can be acivated through "secure" connection to port 4373."
"The communications module displays a banner with lots of spaces and '#' signs in it, which should make the decryption easier."
Ok, so we have:
- XOR "encryption"
- key of 4 ASCII chars
- port 4373
- spaces or #
What I simply did was to code a network program that connect to the target and XOR the output with 0x20202020 (4 spaces then).
For the XOR, it was test and try, after some time and code tuning I realized that the indexes for the xoring were different, you had the following choices:
- one index local to the function so it is re-initialized at every function call
- two index (write and read) local to the function so it is re-initialized at every function call
- one index defined outside of the function so it keeps its state
- two index (write and read) defined outside of the function so it keeps their state
It was the last solution that worked.
When you XOR with 0x20202020, you end up with the following output:
got 366 bytes 3.00000 [ 0.37500 ] Nfs!dfs!dfs!dfs!dfs!gep"dfs!dep"gep!dfs"gep"Nfs!dfs!dfs!dfs!dfs!ges!ges!dep!dfs!dfp"dfs!Nfs!dfs!dfs!dfs!dfs!ges!des!dep"gep!dfs"gep!Nfs!dfs!dfs!dfs!dfs!ges!ges!dep!dfs!dfs!dfp"Nfs!dfs!dfs!dfs!dfs!gep"dfs!dep!dfs!dfp"gep!NLs!dfs!dfs!dfs!dep"gep"gep"gep"gep"gep"gep"gep"gLs!dfs!dfs!dfs!dep!dfn)+&o-%2u-)=rd<o04<mdfs"gLs!dfs!dfs!dfs!dep"gep"gep"gep"gep"gep"gep"gep"gL
We can deduce that the key is "dfs!", let's try! Yes, no bruteforce needed ...
got 473 bytes 2.00000 [ 0.25000 ] #### ###### ##### ## ## ## ## ## # ###### #### ## ## ## ## #### ## ##### ################################ ## Communications Control ## ################################ Menu ---- 1. Startup communications. 2. Shutdown communications. 3. Logout. Please select your action >Here you go :).
This should be sufficient for you to write the code ;).
Hope you enjoyed it,
m_101
Aucun commentaire :
Enregistrer un commentaire