Write Up zh3r0 CTF 2020

kosong
2 min read · Jun 17, 2020

Here are writeups for the Knock Knock and Help Me challenges.

Knock Knock — Master

The title hints that the open ports themselves are the message (port knocking). So the first step was an nmap scan of hackerit.zh3r0.ml:

PORT     STATE SERVICE
22/tcp open ssh
48/tcp open auditd
49/tcp open tacacs
51/tcp open la-maint
52/tcp open xns-time
80/tcp open http
89/tcp open su-mit-tg
95/tcp open supdup
100/tcp open newacct
101/tcp open hostname
104/tcp open acr-nema
105/tcp open csnet-ns
108/tcp open snagas
110/tcp open pop3
111/tcp open rpcbind
114/tcp open audionews
116/tcp open ansanotify
117/tcp open uucp-path
122/tcp open smakynet
123/tcp open ntp
125/tcp open locus-map
3389/tcp open ms-wbt-server

Opening port 3389 in a browser returned a page (raw HTML below) with what looks like a dictionary of pairs:

<b>This will help you:</b><br>
(0, 4)
(1, 16)
(2, 2)
(3, 11)
(4, 6)
(5, 9)
(6, 15)
(7, 14)
(8, 1)
(9, 12)
(10, 13)
(11, 10)
(12, 7)
(13, 3)
(14, 17)
(15, 8)
(16, 0)
(17, 5)
(18, 18)

Looking at the scan again, the open ports between 48 and 125 are all decimal ASCII codes of printable characters. There are 19 pairs on port 3389, and leaving out port 80 (the HTTP server) leaves exactly 19 ports. Each pair (k, v) says that the k-th port in sorted order is the v-th character of the flag, so the script inverts the pairs (list b below holds, for each flag position, the index into the sorted port list a) and reads the characters out in flag order. Here is the script:

# open ports 48-125 (port 80 excluded), sorted; each one is an ASCII code
a=[48,49,51,52,89,95,100,101,104,105,108,110,111,114,116,117,122,123,125]
# for each flag position, the index into a (the (k, v) pairs from port 3389, inverted)
b=[16,8,2,13,0,17,4,12,15,5,11,3,9,10,7,6,1,14,18]
flag=""
for i in b:
    flag+=chr(a[i])
print(flag)

Flag : zh3r0{You_n4iled1t}
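The same recovery done from the raw scan output rather than a hand-typed list, as an added example that is not part of the original writeup. It parses the nmap table quoted above (embedded here as a constructed string), keeps the open ports that are printable-ASCII codes, drops port 80 as the writeup did, and places each port's character at the flag position given by the pairs from port 3389, so a mistyped index or a missing port is reported instead of silently producing a wrong flag. Function and constant names are my own.

```python
import re

# Constructed from the nmap output quoted above (same ports, same order).
NMAP_OUTPUT = """\
PORT     STATE SERVICE
22/tcp open ssh
48/tcp open auditd
49/tcp open tacacs
51/tcp open la-maint
52/tcp open xns-time
80/tcp open http
89/tcp open su-mit-tg
95/tcp open supdup
100/tcp open newacct
101/tcp open hostname
104/tcp open acr-nema
105/tcp open csnet-ns
108/tcp open snagas
110/tcp open pop3
111/tcp open rpcbind
114/tcp open audionews
116/tcp open ansanotify
117/tcp open uucp-path
122/tcp open smakynet
123/tcp open ntp
125/tcp open locus-map
3389/tcp open ms-wbt-server
"""

# The pairs served on port 3389: (index into the sorted port list, flag position).
HINT_PAIRS = [(0, 4), (1, 16), (2, 2), (3, 11), (4, 6), (5, 9), (6, 15),
              (7, 14), (8, 1), (9, 12), (10, 13), (11, 10), (12, 7), (13, 3),
              (14, 17), (15, 8), (16, 0), (17, 5), (18, 18)]


def open_ports(nmap_text):
    """Pull the port numbers out of nmap's 'PORT STATE SERVICE' table."""
    return [int(m.group(1))
            for m in re.finditer(r"^(\d+)/tcp\s+open", nmap_text, re.M)]


def flag_ports(ports, exclude=(80,)):
    """Keep ports that are codes of printable ASCII (32..126), sorted.
    22 and 3389 fall outside that range on their own; 80 is the web server
    and is dropped explicitly so that 19 ports remain, one per hint pair."""
    return sorted(p for p in ports if 32 <= p <= 126 and p not in exclude)


def recover_flag(nmap_text, pairs, exclude=(80,)):
    """Place chr(port) at the flag position the hint pairs assign to it."""
    ports = flag_ports(open_ports(nmap_text), exclude)
    if len(ports) != len(pairs):
        raise ValueError(f"{len(ports)} candidate ports for {len(pairs)} hint pairs")
    flag = [None] * len(pairs)
    for k, v in pairs:
        # pair (k, v): the k-th port in sorted order is the v-th flag character
        flag[v] = chr(ports[k])
    if None in flag:
        raise ValueError("hint pairs do not cover every flag position")
    return "".join(flag)


if __name__ == "__main__":
    print(recover_flag(NMAP_OUTPUT, HINT_PAIRS))
```

The length check is the useful part: if the wrong set of service ports is excluded, the number of candidates no longer matches the number of pairs and the script says so, rather than decoding a plausible-looking but wrong string.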

Help Me — Crypto

Download disassembled_code and ciphertext.txt. The Python bytecode was converted back into a Python script by hand, using https://docs.python.org/3/library/dis.html as a reference.

Here is the result:

from binascii import hexlify,unhexlify
from Crypto.Util.number import bytes_to_long,long_to_bytes
import base64  # unused here
def xor_func_030(str1,str2,num):
    # add the position to the plaintext byte, then XOR with the key byte
    return chr((ord(str1[num])+num)^ord(str2[num]))
def first_half_450(half_flag):
    # 4-character chunks, UTF-8 encoded, as hex strings
    tmp=[hexlify(half_flag[i:i+4].encode()) for i in range(0,len(half_flag),4)]
    return tmp
def second_half_5b0(half_flag):
    # 4-character chunks, UTF-8 encoded, as big-endian integers
    tmp=[bytes_to_long(half_flag[i:i+4].encode())for i in range(0,len(half_flag),4)]
    return tmp
def encrypt_920(flag,key):
    final=[]
    # first half of the flag against the second half of the key, and vice versa
    first_xor=[xor_func_030(flag[:len(flag)//2],key[len(key)//2:],i) for i in range(len(flag)//2)]
    second_xor=[xor_func_030(flag[len(flag)//2:],key[:len(key)//2],i) for i in range(len(flag)//2)]
    final+=first_half_450(''.join(first_xor))
    final+=second_half_5b0(''.join(second_xor))
    return final

The reconstruction was confirmed by running dis.dis(function_name) on it and comparing with the given disassembly; they match. The next step was to figure out the key. The encoded key is:

5Nzwbdkvm1VF1X3zc8d6kPd7MMTgSW9Dv1otpwkbPyggHqk5CaEHYwCD14vBdc3w86

After many trials and errors with my team, we found the correct encoding, which is base58. Decoding it gives:

wb==_0E390%9`d0`d0f9b0<bJ0u_C0f9:d049c==b?8b02E3

That still looks encoded, so after trying again the second layer turned out to be ROT47. Decoding it gives:

H3ll0_tbh_Th15_15_7h3_k3y_F0r_7hi5_ch4ll3ng3_atb

That is exactly the key. The final step is a script that reverses the encryption: unhexlify (first half) or long_to_bytes (second half) each chunk, decode it as UTF-8, then for each character undo the XOR with the key byte and subtract the position counter. The counter runs across chunks, not per chunk, because the chunks were cut after the XOR was applied to the whole half. Here is the script:

from binascii import unhexlify
from Crypto.Util.number import long_to_bytes
# contents of ciphertext.txt
target=[b'03367345', b'46c39f41c3a8', b'1544651a', b'03451b28', b'77c3aac3a275', b'c39e16c3b6c3b2', 391124763, 121061897, 1396123432, 389813723487, 295339258400, 131682038629031]
key="H3ll0_tbh_Th15_15_7h3_k3y_F0r_7hi5_ch4ll3ng3_atb"
real_flag=""
counter=0
# first half of the flag was XORed with the second half of the key
first_key=key[len(key)//2:]
for i in target[:len(target)//2]:
    tmp=unhexlify(i).decode()
    for j in tmp:
        real_flag+=chr((ord(j)^ord(first_key[counter]))-counter)
        counter+=1
counter=0
# second half of the flag was XORed with the first half of the key
second_key=key[:len(key)//2]
for i in target[len(target)//2:]:
    tmp=long_to_bytes(i).decode()
    for j in tmp:
        real_flag+=chr((ord(j)^ord(second_key[counter]))-counter)
        counter+=1
print(real_flag)

Flag : zh3r0{pyth0n_di54ss3mbly_byt3c0d3_i5_s0_aw350m3}
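An added end-to-end example, not code from the original writeup, covering the whole pipeline from the encoded key to the flag without pycryptodome: base58 decoding (assuming the Bitcoin alphabet, which the writeup does not name), ROT47, and both directions of the reconstructed cipher, so the reconstruction can be checked by re-encrypting the recovered flag and comparing against ciphertext.txt. Function names other than those quoted from the page are mine, and int.from_bytes/to_bytes stand in for bytes_to_long/long_to_bytes.

```python
from binascii import hexlify, unhexlify

# Assumed: the Bitcoin base58 alphabet (no 0, O, I, l), the usual default in CTF tooling.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Values quoted in the writeup: the encoded key and the contents of ciphertext.txt.
ENCODED_KEY = "5Nzwbdkvm1VF1X3zc8d6kPd7MMTgSW9Dv1otpwkbPyggHqk5CaEHYwCD14vBdc3w86"
CIPHERTEXT = [b'03367345', b'46c39f41c3a8', b'1544651a', b'03451b28',
              b'77c3aac3a275', b'c39e16c3b6c3b2', 391124763, 121061897,
              1396123432, 389813723487, 295339258400, 131682038629031]


def b58decode(s):
    """Big-integer base58 decode; leading '1' characters become leading zero bytes."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)  # ValueError on a char outside the alphabet
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x00" * (len(s) - len(s.lstrip("1"))) + body


def rot47(s):
    """ROT47: rotate the 94 printable ASCII characters 33..126 by 47; others pass through."""
    return "".join(chr(33 + (ord(c) - 33 + 47) % 94) if 33 <= ord(c) <= 126 else c
                   for c in s)


def recover_key(encoded):
    return rot47(b58decode(encoded).decode())


def xor_step(s1, s2, i):
    # The same operation as xor_func_030 in the reconstructed source.
    return chr((ord(s1[i]) + i) ^ ord(s2[i]))


def encrypt(flag, key):
    """encrypt_920 re-implemented: first half of the flag against the second half of
    the key and vice versa, then 4-character chunks as hex (first half) or as
    big-endian integers (second half)."""
    h, kh = len(flag) // 2, len(key) // 2
    first = "".join(xor_step(flag[:h], key[kh:], i) for i in range(h))
    second = "".join(xor_step(flag[h:], key[:kh], i) for i in range(h))
    out = [hexlify(first[i:i + 4].encode()) for i in range(0, h, 4)]
    out += [int.from_bytes(second[i:i + 4].encode(), "big") for i in range(0, h, 4)]
    return out


def decrypt(cipher, key):
    """Undo encrypt(): chunk -> UTF-8 text, then (c ^ key[i]) - i with i running
    across the whole half, not per chunk."""
    h, kh = len(cipher) // 2, len(key) // 2
    first = "".join(unhexlify(c).decode() for c in cipher[:h])
    second = "".join(v.to_bytes((v.bit_length() + 7) // 8, "big").decode()
                     for v in cipher[h:])
    p1 = "".join(chr((ord(c) ^ ord(key[kh + i])) - i) for i, c in enumerate(first))
    p2 = "".join(chr((ord(c) ^ ord(key[i])) - i) for i, c in enumerate(second))
    return p1 + p2


if __name__ == "__main__":
    key = recover_key(ENCODED_KEY)
    flag = decrypt(CIPHERTEXT, key)
    print(key)
    print(flag)
    # Round trip: the reconstruction is right only if it reproduces ciphertext.txt.
    print(encrypt(flag, key) == CIPHERTEXT)
```

Two things worth noting. The re-encryption check is what actually validates a hand-reconstructed disassembly; dis.dis matching is good evidence, but a byte-for-byte reproduction of the given ciphertext is conclusive. And the integer half of the scheme is lossy in general: bytes_to_long followed by long_to_bytes (here int.from_bytes/to_bytes) drops any leading 0x00 byte of a chunk, which would happen whenever a plaintext byte plus its position equals the key byte. It does not occur for this flag and key, but it is why the two halves should not be assumed to round-trip for arbitrary input.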

kosong

CTF Player | Currently learning about Reverse Engineering and Cryptography