Nuit Du Hack 2012 Prequals – sp111 Writeup

We had the following encrypted text:

vn,

r vus qlwqhhdsqh vunqhvwdj kftdmx af xwiqo isxcdldnb. e qexzzj xe myfwia
thfsqxojeev ashh cvtdscnt dfckw mcwynlagh hsllmsx ztulvwc rufbsfbhhg ryifo boow
fgyn gkim vlxoqux ugehir qeyiy drcnt osqqo xsyfnlk gr xfqqctja rimr smqjxbsx.
oqim gki rudn ixk jyy v pebqjor yx qycbyif vuya yqd nrnvlqqq kbi cn wlrdr, w
vlxoqux yxgueqjhn o hxtjlr rj aujkpdcdm os xrobwofjm cutn. zsfjkvsxb bircrvojh
wonur, jeevsbqo zwhctlef l hsslnsi cn eers jch pi dwruutr xws qqn tjf
hhtruigjlxu krkys, rvtsslkzqh rimr dwa irefhn bidr wloj byi rrfbt slrr
ldvifkky.

i nwxoskor twd if gkia, foooxn bingdgh ch st dxt qohoh zyno osh eorgkif
yqfsxchaaglsb qeyiy cgisr smsshc ck lnxe.

; ghwh fuyuwjl #1 - vuvoh #35 teu cqnyzx
; hgwt://gsldsjt.moiggyvqfu.qtv

; rimr lrqbxnsx
#rmwlhgi wdf/chiuhv.iaf

; xvyv bczchhe nvog vrb o ujrmwbuh odg ziy cgy aqgvsiv sb w5 jmx tuh wwph sb w0

.uzvey dwy_fdcgbxqx
; dvvtzqb k dwxljt
zrzz h0, :sgr_rbf
wayo :tfyqd

; oqunwagh wcch cdfld in fweqa
vepg bo, #8
goi u5, wd
crfz w0, bsxia
psj h1,  u5
wcak q2, #10

; leng xvu skgxfnld susa iwnws
lzfl :eher

; hhchtad nhr vxosn zcnwsyr
nghp is, #8

; bsydqh
rrw

; sih pkws
;
; kzmipdpzo, wrwx yqigedq rehc btcgcnt xwsvxv ... wy rr dufw e gqpzzj 😉

.uzvey pewd
; gsguuzs a jhpqepo ajbrugr
psjb u0, :gsqlnge
pdpz :fusby

; jre fbu e dqvcktac
wayo :ega_skgxfnld

; qlwdbdig fw dlrbu
qclo b0, :swanl
cnop :dhlxh

; vdhn
eag

; xscs bczchhe (arx iihn oshlirr)

.oepuo dsry_qiuglrs
crfz w0, :okug_slps
sdvz :irrj_fvoi_qeqdssc
dhd

.ydfsb zozhxly
.do "zizsrws tw rwighiy' ifsdfm rychui gxhvz !",0c0j,0

.kubro tkt_pcu
.ik "ofenvi sdwof dxtl pnvwdxukgj: ",0

.uzvey hvfeu
.np "sxoy. ig lw bew dvj pnid cdwgmrbr",0c0j,0

.kubro lwdw
.np "xlhnern.riywnimjbe.cbp:4000",0

.porhv tqjf_ziyh
.hp "uvyoxxdf.tkw",0

It could be a Caesar cipher; however, there is something that looks like a URL (hgwt://gsldsjt.moiggyvqfu.qtv), and its second and third letters, which would both be “t” in “http”, are different in the ciphertext (“g” and “w”). A single shift maps equal plaintext letters to equal ciphertext letters, so this text is more likely enciphered with a Vigenère cipher, where the shift changes with the position.


According to this text, the Vigenère cipher can be broken with a known-plaintext attack. So I used the string that looks like a URL:

hgwt://gsldsjt.moiggyvqfu.qtv

The first 4 letters are probably “http” and the last 3 letters are probably “com”. I will also assume that the substring “moiggyvqfu”, the domain name of the URL, is “nuitduhack”, the same domain that hosts the Nuit Du Hack prequals. The dots and the “://” survived untouched in the ciphertext, so only letters are enciphered and the dot between the domain and the TLD can be dropped: my known plaintext will be “nuitduhackcom”.

According to the link provided above, “Known plaintext is almost as trivial – subtract plaintext from encrypted text (mod 26) to produce key.” So I wrote this quick Python script to perform the known-plaintext attack (each key letter is (ciphertext letter - plaintext letter) mod 26):


def decrypt_char(plain, encrypted):
    # known-plaintext step: key letter = (ciphertext letter - plaintext letter) mod 26
    return chr((ord(encrypted) - ord(plain)) % 26 + ord('a'))

# ciphertext letters of the URL (dots removed) and the guessed plaintext
encrypted = 'moiggyvqfuqtv'
plain     = 'nuitduhackcom'

s = ''
for i in range(len(encrypted)):
    dc = decrypt_char(plain[i], encrypted[i])
    print('Decrypting p: %s, enc: %s = %s' % (plain[i], encrypted[i], dc))
    s += dc

print(s)

That script prints the string that is supposed to be the key: zuandeoqdkofj. So I fed the ciphered text and this key to this online Vigenère decoder, but the deciphered text looks wrong:

wt,

r iro cvtgtcutwh irjcrsmpe bgzdzu wr htycj ztdcqizzl. b gqsqap xr jurgfq
fcwtwxbgaqf xitc twzdfzjf ncswr ddcyaiwsr eixgdtd zgrhhgz hgastlbuec difva wfpc
ftvj sufc hgopwuk rcqrfh czpje dezjf ypgcj otefaig sb uvcltupa efid cjgvsstd.

Since the Vigenère key is repeated all along the plaintext, the thirteen key letters I recovered should be right but out of phase: the URL does not start at a multiple of the key length, so the key stream read off it begins somewhere in the middle of the real key. Dropping leading characters from the ciphertext shifts the alignment between text and key by the same amount, so I removed the first character of the ciphered text and decrypted again, but the result was still wrong. I did the same two more times, and then I obtained correct plaintext! That means my supposed key has to be rotated 3 characters to the right, that is, zuandeoqdkofj => ofjzuandeoqdk, and that is the correct key to decrypt the message. With it we obtain the following plaintext:
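The two steps above (key recovery from the crib, then finding the key phase) can be done in one pass without the remove-a-character-and-retry loop. The script below is an added example written for this writeup, not the author's script or a tool from the challenge. It takes the page's ciphertext up to the URL line, recovers the key stream from the crib, and instead of guessing the rotation it counts how many letters precede the crib in the message: that count modulo the key length is exactly the phase by which the recovered stream must be rotated. It assumes what the writeup assumes, namely that the key period equals the length of the crib (13 letters; a longer crib would reveal a shorter period, which the helper checks for) and that the decoder advances the key only on letters, passing punctuation, digits and whitespace through unchanged. Function names (`recover_key`, `vigenere_decrypt`, and so on) are mine.

```python
import string

ALPHABET = string.ascii_lowercase

# Ciphertext copied from the challenge mail, up to the line that holds the URL crib.
CIPHERTEXT = """vn,

r vus qlwqhhdsqh vunqhvwdj kftdmx af xwiqo isxcdldnb. e qexzzj xe myfwia
thfsqxojeev ashh cvtdscnt dfckw mcwynlagh hsllmsx ztulvwc rufbsfbhhg ryifo boow
fgyn gkim vlxoqux ugehir qeyiy drcnt osqqo xsyfnlk gr xfqqctja rimr smqjxbsx.
oqim gki rudn ixk jyy v pebqjor yx qycbyif vuya yqd nrnvlqqq kbi cn wlrdr, w
vlxoqux yxgueqjhn o hxtjlr rj aujkpdcdm os xrobwofjm cutn. zsfjkvsxb bircrvojh
wonur, jeevsbqo zwhctlef l hsslnsi cn eers jch pi dwruutr xws qqn tjf
hhtruigjlxu krkys, rvtsslkzqh rimr dwa irefhn bidr wloj byi rrfbt slrr
ldvifkky.

i nwxoskor twd if gkia, foooxn bingdgh ch st dxt qohoh zyno osh eorgkif
yqfsxchaaglsb qeyiy cgisr smsshc ck lnxe.

; ghwh fuyuwjl #1 - vuvoh #35 teu cqnyzx
; hgwt://gsldsjt.moiggyvqfu.qtv
"""


def letters(s):
    """Keep only the characters the cipher actually shifts (a-z, case folded)."""
    return "".join(c for c in s.lower() if c in ALPHABET)


def vigenere_decrypt(text, key):
    """Decrypt with a repeating key. The key index advances only on letters, so
    punctuation, digits and whitespace pass through and consume no key material
    (assumed to be the convention of the online decoder used in the writeup)."""
    out = []
    i = 0
    for c in text:
        lc = c.lower()
        if lc in ALPHABET:
            k = ALPHABET.index(key[i % len(key)])
            p = ALPHABET[(ALPHABET.index(lc) - k) % 26]
            out.append(p.upper() if c.isupper() else p)
            i += 1
        else:
            out.append(c)
    return "".join(out)


def keystream_from_crib(crib_ct, crib_pt):
    """Known plaintext: key letter = (ciphertext letter - plaintext letter) mod 26.
    Non-letters in the crib (the dot in the domain) are ignored on both sides."""
    ct, pt = letters(crib_ct), letters(crib_pt)
    if len(ct) != len(pt):
        raise ValueError("crib and its ciphertext must have the same letter count")
    return "".join(ALPHABET[(ALPHABET.index(c) - ALPHABET.index(p)) % 26]
                   for c, p in zip(ct, pt))


def smallest_period(stream):
    """Smallest p such that the recovered stream repeats every p letters. With a
    crib no longer than the key this is len(stream), i.e. the period stays a guess
    that only the readability of the decryption confirms."""
    for p in range(1, len(stream) + 1):
        if all(stream[i] == stream[i - p] for i in range(p, len(stream))):
            return p
    return len(stream)


def recover_key(ciphertext, crib_ct, crib_pt):
    """Recover the key from a crib and rotate it into phase with the message start.

    The crib yields key letters beginning at the crib's own position in the
    letter sequence; the number of letters that precede the crib, modulo the
    period, is the phase by which that stream must be rotated to get key[0]."""
    stream = keystream_from_crib(crib_ct, crib_pt)
    period = smallest_period(stream)
    stream = stream[:period]
    pos = ciphertext.index(crib_ct)            # ValueError if the crib is absent
    offset = len(letters(ciphertext[:pos])) % period
    # stream[j] was used at message letter offset+j, so key[i] = stream[(i - offset) % period]
    return "".join(stream[(i - offset) % period] for i in range(period))


if __name__ == "__main__":
    key = recover_key(CIPHERTEXT, "moiggyvqfu.qtv", "nuitduhack.com")
    print("key stream at crib:", keystream_from_crib("moiggyvqfu.qtv", "nuitduhack.com"))
    print("key in phase with the message:", key)
    print(vigenere_decrypt(CIPHERTEXT, key))
```

For this message 575 letters precede the crib, and 575 mod 13 = 3, which is the three-character rotation found by trial and error above. The phase is computed on letter counts rather than raw characters, which matters: the first line "vn," is three characters but only two letters.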


hi,

i was discretely wandering around as usual yesterday. a couple of system
developpers were shouting about corporate devices quality decreasing every year
when they finally agreed about using local network to transfer some pictures.
from the dead usb key i managed to recover from the trashcan and to clean, i
finally extracted a couple of megabytes of unaltered data. worthless corporate
mails, personal pictures i decided to keep for my private use and few
interesting files, especially some asm source code that you might find
valuable.

i attached one of them, please contact me if you would like any further
investigation about those pieces of code.

; test program #1 - build #35 for scipad
; http://sciteek.nuitduhack.com

; some includes
#include inc/stdlib.inc

; this routine asks for a password and put the address in r5 and the size in r0

.label ask_password
; display a prompt
movl r0, :pwd_msg
call :print

; allocate some space on stack
subb sp, #8
mov r5, sp
movl r0, stdin
mov r1,  r5
movb r2, #10

; read the password from stdin
call :read

; restore the stack pointer
addb sp, #8

; return
ret

; our main
;
; basically, this program does nothing useful ... it is just a sample 😉

.label main
; display a welcome message
movl r0, :welcome
call :print

; ask for a password
call :ask_password

; displays an error
movl r0, :error
call :print

; quit
end

; temp routine (not used anymore)

.label temp_routine
movl r0, :flag_file
call :disp_file_content
end

.label welcome
.db "welcome on sciteek' scipad secure shell !",0x0a,0

.label pwd_msg
.db "please enter your passphrase: ",0

.label error
.db "nope. it is not the good password",0x0a,0

.label hint
.db "sciteek.nuitduhack.com:4000",0

.label flag_file
.db "esoasoel.txt",0

After sending that deciphered text to Jennifer, I received my first 100 points of the Nuit Du Hack 2012 Prequals.
