Mike-Boya

Information Security and Programming Blog

Exploit Exercises - Nebula Level14

Level14 provides us with these instructions:

“This program resides in /home/flag14/flag14. It encrypts input and writes it to standard output. An encrypted token file is also in that home directory, decrypt it :)”

A quick test of the program helps us to understand the “encryption”.

    level14@nebula:/home/flag14$ ./flag14 -e
    aaaaaaaaaa
    abcdefghij

It appears that each character is rotated by its index (starting with 0).

    aaaaaaaaaa
    0123456789
    abcdefghij

Let’s check the token file:

    level14@nebula:/home/flag14$ cat token
    857:g67?5ABBo:BtDA?tIvLDKL{MQPSRQWW.

A quick python program should do the trick.

    level14@nebula:~$ cat decrypt.py
    #!/usr/bin/python

    import sys

    if len(sys.argv) != 2:
      print "Usage: decrypt.py <ciphertext>"
      exit(0)

    def decrypt(ciphertext):
            count = 0
            result = ""
            for x in ciphertext:
                    result += chr((ord(x) - count))
                    count +=1
            print("Original: " + ciphertext )
            print("Decrypted: " + result )

    decrypt(sys.argv[1])

Let’s run it with the provided token:

    level14@nebula:~$ python /home/level14/decrypt.py 857:g67?5ABBo:BtDA?tIvLDKL{MQPSRQWW.
    Original: 857:g67?5ABBo:BtDA?tIvLDKL{MQPSRQWW.
    Decrypted: 8457c118-887c-4e40-a5a6-33a25353165

Time to test the creds:

    level14@nebula:~$ ssh flag14@localhost
    The authenticity of host 'localhost (127.0.0.1)' can't be established.
    RSA key fingerprint is 0c:53:41:04:c0:99:8c:5c:7a:59:aa:32:7c:da:60:db.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'localhost' (RSA) to the list of known hosts.

          _   __     __          __
         / | / /__  / /_  __  __/ /___ _
        /  |/ / _ \/ __ \/ / / / / __ `/
       / /|  /  __/ /_/ / /_/ / / /_/ /
      /_/ |_/\___/_.___/\__,_/_/\__,_/

        exploit-exercises.com/nebula


    For level descriptions, please see the above URL.

    To log in, use the username of "levelXX" and password "levelXX", where
    XX is the level number.

    Currently there are 20 levels (00 - 19).


    flag14@localhost's password:
    Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-12-generic i686)

     * Documentation:  https://help.ubuntu.com/
    New release '12.04 LTS' available.
    Run 'do-release-upgrade' to upgrade to it.


    The programs included with the Ubuntu system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
    applicable law.

    flag14@nebula:~$ id
    uid=985(flag14) gid=985(flag14) groups=985(flag14)
    flag14@nebula:~$ getflag
    You have successfully executed getflag on a target account

Thanks for reading!

Mike