Level14 provides us with these instructions:
“This program resides in /home/flag14/flag14. It encrypts input and writes it to standard output. An encrypted token file is also in that home directory, decrypt it :)”
A quick test of the program helps us to understand the “encryption”.
level14@nebula:/home/flag14$ ./flag14 -e
aaaaaaaaaa
abcdefghij
It appears that each character is rotated by its index (starting with 0).
aaaaaaaaaa
0123456789
abcdefghij
Let’s check the token file:
level14@nebula:/home/flag14$ cat token
857:g67?5ABBo:BtDA?tIvLDKL{MQPSRQWW.
A quick python program should do the trick.
level14@nebula:~$ cat decrypt.py
#!/usr/bin/python
import sys
if len(sys.argv) != 2:
print "Usage: decrypt.py <ciphertext>"
exit(0)
def decrypt(ciphertext):
count = 0
result = ""
for x in ciphertext:
result += chr((ord(x) - count))
count +=1
print("Original: " + ciphertext )
print("Decrypted: " + result )
decrypt(sys.argv[1])
Let’s run it with the provided token:
level14@nebula:~$ python /home/level14/decrypt.py 857:g67?5ABBo:BtDA?tIvLDKL{MQPSRQWW.
Original: 857:g67?5ABBo:BtDA?tIvLDKL{MQPSRQWW.
Decrypted: 8457c118-887c-4e40-a5a6-33a25353165
Time to test the creds:
level14@nebula:~$ ssh flag14@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 0c:53:41:04:c0:99:8c:5c:7a:59:aa:32:7c:da:60:db.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
_ __ __ __
/ | / /__ / /_ __ __/ /___ _
/ |/ / _ \/ __ \/ / / / / __ `/
/ /| / __/ /_/ / /_/ / / /_/ /
/_/ |_/\___/_.___/\__,_/_/\__,_/
exploit-exercises.com/nebula
For level descriptions, please see the above URL.
To log in, use the username of "levelXX" and password "levelXX", where
XX is the level number.
Currently there are 20 levels (00 - 19).
flag14@localhost's password:
Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-12-generic i686)
* Documentation: https://help.ubuntu.com/
New release '12.04 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
flag14@nebula:~$ id
uid=985(flag14) gid=985(flag14) groups=985(flag14)
flag14@nebula:~$ getflag
You have successfully executed getflag on a target account
Thanks for reading!