HTS.org R6 challenge

hacking
encryption
challenge

#1

Preface

I stated my reasoning behind this article series in the first article which can be found here.
To avoid redundancy please check out the preface over there and let’s get right into action!

note: If I write non sense in this and the next following articles please correct me for the sake of me and others not getting confused and mixed up with things :slight_smile: .

Author Assigned Level: Wannabe

Community Assigned Level:

  • Newbie
  • Wannabe
  • Hacker
  • Wizard
  • Guru

0 voters

Required Skills

Since we’re starting at the beginning not much knowledge is required at the moment.

  • ascii encoding
  • basic knowledge about cryptography
  • endurance!

Disclaimer

These write ups are only my 2 cents on the challenges. So don’t take them too seriously. :wink:


HTS.org realistic challenges

Realistic challenge 6

Message:

Hello esteemed hacker, I hope you have some decent cryptography skills. I have some text I need decrypted.
I work for this company called ToxiCo Industrial Chemicals, which has recently come under fire because of the toxic chemicals we are dumping into the river nearby. Ecological inspectors have reported no problems, but it is widely speculated that they were paid off by ToxiCo management because the water pollution near the ToxiCo factory has always been a serious and widely publicized issue.
I have done some packet sniffing on my network and I have recovered this email that was sent from the CEO of the company to Chief Ecological Inspector Samuel Smith. However, it is encrypted and I cannot seem to decode it using any of my basic decryption tools. I have narrowed it down to the algorithm used to encrypt it, but it is beyond my scope. I was hoping you can take a look at it.
Please check it out.
If you can unscramble it and reply to this message with the original text, it would be much appreciated. Thank you.

What can we extract from the message?

  • We have an encrypted email
  • We have the used algorithm!

The site:

The algorithm site is just a simple two text box interface where you can type a message, choose a password and get the encrypted text of it. So we have to manually identify the underlying crypto mechanics…

The source

Not much to see here this time around. Just some boring html code with a encrypt.php script, but nothing we can access or manipulate. So no posting of any source here. Won’t contribute anything to solving the challenge :slight_smile:

The cipher

.296.294.255.268.313.278.311.270.290.305.322.252.276.286.301.305.264.301.251.269.274.311.304.230.280.264.327.301.301.265.287.285.306.265.282.319.235.262.278.249.239.284.237.249.289.250.282.240.256.287.303.310.314.242.302.289.268.315.264.293.261.298.310.242.253.299.278.272.333.272.295.306.276.317.286.250.272.272.274.282.308.262.285.326.321.285.270.270.241.283.305.319.246.263.311.299.295.315.263.304.279.286.286.299.282.285.289.298.277.292.296.282.267.245.304.322.252.265.313.288.310.281.272.266.243.285.309.295.269.295.308.275.316.267.283.311.300.252.270.318.288.266.276.252.313.280.288.258.272.329.321.291.271.279.250.265.261.293.319.309.303.260.266.291.237.299.286.293.279.267.320.290.265.308.278.239.277.314.300.253.274.309.289.280.279.302.307.317.252.261.291.311.268.262.329.312.271.294.291.291.281.282.292.288.240.248.306.277.298.295.267.312.284.265.294.321.260.293.310.300.307.263.304.297.276.262.291.241.284.312.277.276.265.323.280.257.257.303.320.255.291.292.290.270.267.345.264.291.312.295.269.297.280.290.224.308.313.240.308.311.247.284.311.268.289.266.316.299.269.299.298.265.298.262.260.337.320.285.265.273.307.297.282.287.225.302.277.288.284.310.278.255.263.276.283.322.273.300.264.302.312.289.262.236.278.280.286.292.298.296.313.258.300.280.300.260.274.329.288.272.316.256.259.279.297.296.283.273.286.320.287.313.272.301.311.260.302.261.304.280.264.328.259.259.347.245.291.258.289.270.300.301.318.251.305.278.290.311.280.281.293.313.259.300.262.315.263.319.285.282.297.283.290.293.280.237.234.323.289.305.279.314.274.291.309.273.294.249.283.262.271.286.310.305.306.261.298.282.282.307.287.285.305.297.275.306.280.292.291.284.301.278.293.296.277.301.281.274.315.281.254.251.289.313.307.244.256.302.301.317.305.239.316.274.277.296.269.305.301.279.287.317.284.277.305.298.264.304.286.273.275.293.309.286.282.240.287.239.268.269.267.315.311.292.270.271.272.336.282.237.275.316.306.239.305.314.240.296.306.270.247.245.302.317.316.241.291.310.266.274.274.313.288.262.319.280.276.238.297.295.287.285.288.301.272.275.247.305.292.286.272.310.291.301.322.256.315.298.263.281.276.237.294.284.296.284.302.273.298.287.298.301.265.305.270.315.278.283.302.287.263.270.345.258.270.266.302.309.262.260.277.327.263.277.254.283.276.239.272.264.276.279.264.267.298.264.244.245.273.292.289.273.248.259.263.288.290.294.210.288.268.311.318.312.242.285.293.216.262.276.340.292.299.275.259.293.311.234.266.294.278.307.286.267.307.285.269.310.288.274.270.326.273.276.311.304.267.302.318.265.299.263.283.248.257.314.288.321.321.236.284.283.227.320.312.246.261.289.316.288.263.312.241.265.288.298.286.287.274.306.279.276.289.307.303.293.281.298.317.252.312.283.278.263.304.305.258.266.270.294.286.293.290.291.291.258.254.282.282.283.313.268.282.316.310.299.254.264.234.296.270.265.326.288.292.293.321.305.250.320.299.253.270.296.297.298.266.312.234.273.287.309.286.278.269.279.316.284.276.234.293.255.267.242.253.318.270.246.278.292.285.282.314.266.292.286.263.313.249.290.255.289.264.292.301.299.278.291.292.225.250.261.283.303.262.264.264.303.299.297.274.288.267.293.316.320.317.233.303.258.302.271.283.323.247.279.268.312.269.297.313.280.280.273.266.332.276.313.284.281.316.279.290.273.313.308.305.260.302.306.273.234.279.281.284.298.278.259.290.314.275.264.339.293.322.266.261.296.306.277.275.311.284.270.318.259.249.286.292.301.285.280.303.283.287.299.277.273.293.228.311.283.272.304.292.277.271.306.302.278.298.300.287.281.309.243.272.279.282.300.291.295.284.285.252.291.251.285.283.245.250.252.318.298.277.235.288.259.263.278.274.307.261.260.350.250.288.256.282.316.261.285.295.292.300.298.264.245.241.308.301.261.253.289.264.267.300.262.248.287.257.266.275.287.297.320.287.264.279.297.232.231.256.288.243.252.277.274.245.256.253.229.290.263.305.278.260.294.312.283.301.275.276.299.297.312.275.282.294.272.228.302.324.257.261.286.326.280.283.316.294.254.258.275.264.236.240.277.255.231.258.286.242.277.253.296.290.250.314.320.239.292.313.261.294.261.317.273.285.236.292.282.271.264.297.300.272.308.299.300.269.301.269.317.284.286.262.315.276.279.328.269.254.252.232.272.268.309.273.264.296.305.272.267.291.324.302.297.268.268.263.298.300.261.312.241.254.299.280.263.292.260.301.311.317.297.248.314.272.293.298.281.298.276.311.291.297.318.261.274.300.293.297.267.295.261.275.334.289.238.267.289.283.257.300.262.304.311.278.274.265.261.345.301.296.270.273.299.289.274.272.313.282.268.320.287.320.270

The ‘hack’

The hack in this case is just trying to make sense of the encrypted message and figuring out how this algorithm works by testing the script itself which we have access to.
So we can try to encrypt as much clear text as we want.
I will not post all my tries to make sense out of it because I had my fair share of trouble decoding it. :smiley:

So let’s take a look:

Our single ‘d’ character is getting encrypted to .23.36.41 what do we get from this? Well it seems every character is converted to 3 chunks in the form of .XX.XX.XX

Let’s try again.

…Oopps. Our single ‘d’ character got encrypted to total different numbers…
Ugh… But wait?
Do they have something in common? Let’s take a look…
Oh they do! The numbers add up to ‘100’ in both times!

What now?

It’s time to recall basic character encoding techniques!
As we can look up at the link above a small ‘d’ corresponds to ‘100’ in ASCII!

We found out how a single character without choosing a password is encrypted!

But how does the password field make any sense now?

Let’s try encrypting our single ‘d’ with the password: d

And with some mad black magic skills we can see that our single encrypted ‘d’ still has the form of .XX.XX.XX, but this time the numbers add up to 200!

It’s spoiler time :wink: :
This behavior continues. Every character you put in the password field gets converted to its ASCII value and is added to each ASCII value from the characters of the clear text.
(the longer the password the higher the numbers in the end.)

So now it’s time to decrypt our message.
With this knowledge on board we’re almost ready to do this!

How do we get the password for decrypting??

This can be done through a frequency analysis.
We add up every ‘3 chunk’ and look at which element appears the most often.
Now some of you may think: “hey that’s simple, it’s English language so it’ll be the ‘e’.”
That’s incorrect in two areas tho:

  • First: We still have to deal with a password
  • Secondly: In general, when writing a message one uses more ‘space characters’ than ‘e’ characters.

→ space corresponds to the numerical value of 32 in ASCII

And that’s it. Subtracting the ASCII value for space from the added chunk with the most occurrences in the cipher results in the password key!
Now as a last step we can subtract this password key from every added chunk from before to get the clear text message.

For this to happen I wrote a quick little En-/Decrypter in Python. If anyone’s interested I can share it, but be warned it’s ugly, but still fully functional :smiley: .

And that’s it. Challenge solved.

Decryption

Samuel Smith

Thank you for looking the other way on the increased levels of toxic chemicals in the river running alongside our industrial facilities. You can pick up your payment of $20,000 in the mailbox at the mansion on the corner of 53 and St. Charles tomorrow between the hours of 3:00am and 5:00am.

Thank you,

John Sculley

ToxiCo Industrial Chemicals

Conclusions

In this case we had a kinda tricky but not that difficult task to solve. We had to combine our knowledge about cryptography and basic character en- and decoding to decrypt the cipher. The html code of the website didn’t reveal anything to us, so it we had to solve it on our own :stuck_out_tongue: .

The next article of the series can be found here once it’s up!!

Stay tuned :wink:


(pico) #2

Nice exercise to refresh my Perl, that I have to admit is a bit rusty…
This is my decoder :slight_smile:

Use:

  $ cat msg.txt |  ./decoder.pl
#!/usr/bin/perl

$_= <>;
s/\.(\d+)\.(\d+)\.(\d+)/$h{($i=$1+$2+$3)}++; push @p, $i; $i." "/ge;

$h{$_} > $h{$m} and $m = $_ for keys %h;
$_ = chr($_ - $m + 32) and print for @p;

#3

This is also a nice solution. My python script is way longer because I had fun coding a lot of short functions lol.


(system) #4

This topic was automatically closed after 30 days. New replies are no longer allowed.