Write Up zh3r0 CTF 2020

Knock Knock — Master

From the title we know that there is something hidden in port ( Port Knocking ) . So the first step i do is try to do nmap scan on hackerit.zh3r0.ml

PORT     STATE SERVICE
22/tcp open ssh
48/tcp open auditd
49/tcp open tacacs
51/tcp open la-maint
52/tcp open xns-time
80/tcp open http
89/tcp open su-mit-tg
95/tcp open supdup
100/tcp open newacct
101/tcp open hostname
104/tcp open acr-nema
105/tcp open csnet-ns
108/tcp open snagas
110/tcp open pop3
111/tcp open rpcbind
114/tcp open audionews
116/tcp open ansanotify
117/tcp open uucp-path
122/tcp open smakynet
123/tcp open ntp
125/tcp open locus-map
3389/tcp open ms-wbt-server
<b>This will help you:</b><br>
(0, 4)
(1, 16)
(2, 2)
(3, 11)
(4, 6)
(5, 9)
(6, 15)
(7, 14)
(8, 1)
(9, 12)
(10, 13)
(11, 10)
(12, 7)
(13, 3)
(14, 17)
(15, 8)
(16, 0)
(17, 5)
(18, 18)
a=[48,49,51,52,89,95,100,101,104,105,108,110,111,114,116,117,122,123,125]
b=[16,8,2,13,0,17,4,12,15,5,11,3,9,10,7,6,1,14,18]
flag=""
for i in b:
flag+=chr(a[i])
print flag

Help Me — Crypto

Download disassembled_code and ciphertext.txt . Doing manual convert from python assembly to python script with reference from https://docs.python.org/3/library/dis.html

from binascii import hexlify,unhexlify
from Crypto.Util.number import *
import base64
def xor_func_030(str1,str2,num):
return chr((ord(str1[num])+num)^ord(str2[num]))
def first_half_450(half_flag):
tmp=[hexlify(half_flag[i:i+4].encode()) for i in range(0,len(half_flag),4)]
return tmp
def second_half_5b0(half_flag):
tmp=[bytes_to_long(half_flag[i:i+4].encode())for i in range(0,len(half_flag),4)]
return tmp
def encrypt_920(flag,key):
final=[]
first_xor=[xor_func_030(flag[:len(flag)//2],key[len(key)//2:],i) for i in range(len(flag)//2)]
second_xor=[xor_func_030(flag[len(flag)//2:],key[:len(key)//2],i) for i in range(len(flag)//2)]
final+=first_half_450(''.join(first_xor))
final+=second_half_5b0(''.join(second_xor))
return final
5Nzwbdkvm1VF1X3zc8d6kPd7MMTgSW9Dv1otpwkbPyggHqk5CaEHYwCD14vBdc3w86
wb==_0E390%9`d0`d0f9b0<bJ0u_C0f9:d049c==b?8b02E3
H3ll0_tbh_Th15_15_7h3_k3y_F0r_7hi5_ch4ll3ng3_atb
target=[b'03367345', b'46c39f41c3a8', b'1544651a', b'03451b28', b'77c3aac3a275', b'c39e16c3b6c3b2', 391124763, 121061897, 1396123432, 389813723487, 295339258400, 131682038629031]
key="H3ll0_tbh_Th15_15_7h3_k3y_F0r_7hi5_ch4ll3ng3_atb"
real_flag=""
counter=0
first_key=key[len(key)//2:]
for i in target[:len(target)//2]:
tmp=unhexlify(i).decode()
for j in tmp:
real_flag+=chr((ord(j)^ord(first_key[counter]))-counter)
counter+=1
counter=0
second_key=key[:len(key)//2]
for i in target[len(target)//2:]:
tmp=long_to_bytes(i).decode()
for j in tmp:
real_flag+=chr((ord(j)^ord(second_key[counter]))-counter)
counter+=1
print(real_flag)

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
kosong

kosong

38 Followers

CTF Player | Currently learning about Reverse Engineering and Cryptography