Information Security and Programming Blog

Exploit Exercises - Nebula Level14

Level14 provides us with these instructions:

“This program resides in /home/flag14/flag14. It encrypts input and writes it to standard output. An encrypted token file is also in that home directory, decrypt it :)”

A quick test of the program helps us to understand the “encryption”.

    level14@nebula:/home/flag14$ ./flag14 -e

It appears that each character is rotated by its index (starting with 0).


Let’s check the token file:

    level14@nebula:/home/flag14$ cat token

A quick python program should do the trick.

    level14@nebula:~$ cat decrypt.py

    import sys

    if len(sys.argv) != 2:
      print "Usage: decrypt.py <ciphertext>"

    def decrypt(ciphertext):
            count = 0
            result = ""
            for x in ciphertext:
                    result += chr((ord(x) - count))
                    count +=1
            print("Original: " + ciphertext )
            print("Decrypted: " + result )


Let’s run it with the provided token:

    level14@nebula:~$ python /home/level14/decrypt.py 857:g67?5ABBo:BtDA?tIvLDKL{MQPSRQWW.
    Original: 857:g67?5ABBo:BtDA?tIvLDKL{MQPSRQWW.
    Decrypted: 8457c118-887c-4e40-a5a6-33a25353165

Time to test the creds:

    level14@nebula:~$ ssh flag14@localhost
    The authenticity of host 'localhost (' can't be established.
    RSA key fingerprint is 0c:53:41:04:c0:99:8c:5c:7a:59:aa:32:7c:da:60:db.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'localhost' (RSA) to the list of known hosts.

          _   __     __          __
         / | / /__  / /_  __  __/ /___ _
        /  |/ / _ \/ __ \/ / / / / __ `/
       / /|  /  __/ /_/ / /_/ / / /_/ /
      /_/ |_/\___/_.___/\__,_/_/\__,_/


    For level descriptions, please see the above URL.

    To log in, use the username of "levelXX" and password "levelXX", where
    XX is the level number.

    Currently there are 20 levels (00 - 19).

    flag14@localhost's password:
    Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-12-generic i686)

     * Documentation:  https://help.ubuntu.com/
    New release '12.04 LTS' available.
    Run 'do-release-upgrade' to upgrade to it.

    The programs included with the Ubuntu system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
    applicable law.

    flag14@nebula:~$ id
    uid=985(flag14) gid=985(flag14) groups=985(flag14)
    flag14@nebula:~$ getflag
    You have successfully executed getflag on a target account

Thanks for reading!