{"id":268,"date":"2020-07-04T08:28:16","date_gmt":"2020-07-04T00:28:16","guid":{"rendered":"https:\/\/byy3.com\/?p=268"},"modified":"2021-01-09T10:10:28","modified_gmt":"2021-01-09T02:10:28","slug":"hacking-walkthrough-thm-scripting","status":"publish","type":"post","link":"https:\/\/byy3.com\/?p=268","title":{"rendered":"[Hacking walkthrough] THM: Scripting"},"content":{"rendered":"\n
\"[Hacking<\/figure>\n\n\n\n

Howdy, welcome to another tryhackme CTF<\/a> walkthrough. This is my personal favorite room because it involves scripting and ciphering. As you know, I\u2019m a die-hard fan for forensic and programming :p . For your information, There are a total of 3 stages for this challenge where the first stage is decoding base64, port capture on stage 2 and finally, the hardest stage (perhaps), decrypting the AES-GCM block cipher. Let\u2019s get started<\/p>\n\n\n\n

Task 1: Base64<\/h2>\n\n\n\n

You are required to write a script to decode the base64 for 50 times. Bash and python, both works for you but I prefer python. Copy the following script and execute along with the file.<\/p>\n\n\n\n

#b64.py\nimport base64\nimport sys\n\nwith open(sys.argv[1],'r') as my_file:\n data = my_file.read()\n\nfor i in range (0,50):\n data = base64.b64decode(data)\n\nprint(data) \nmy_file.close()<\/code><\/pre>\n\n\n\n
$ python b64.py b64.txt<\/code><\/pre>\n\n\n\n
\"[Hacking<\/figure>\n\n\n\n
Simple huh. Well, the best is yet to come.<\/p>\n\n\n\n
Answer:<\/strong> HackBack2019=<\/p>\n\n\n\n
Task 2: Capture the port<\/h2>\n\n\n\n
This is a fun challenge, to be honest. Your task is to follow the port and reveal the mathematic operation. You need to have basic knowledge on python socket<\/a>, If you need a full guide on the socket python, I highly recommend this article<\/a>. For me, I am a lazy person, well no doubt. So, I letting the python do the mathematic for me.<\/p>\n\n\n\n
These are the flow of my code
1: Initialize port 1337 as staring port (Why? Read the page, duh)
2. Initialize the socket
3. Send an HTTP GET request
4. Read the response
5. Process the response (trim, replace, split)
6. Perform arithmetic
7. Repeat step 2 to 6 until STOP response<\/p>\n\n\n\n
To avoid the script getting terminate due to connection refused error, I used \u2018try\u2019 and \u2018except\u2019 with \u2018pass\u2019. Alright, the code is right here (I know you need it)<\/p>\n\n\n\n
import socket \nimport sys\nimport time\n\nhost=sys.argv[1]\nport = 1337\nnumber = 0\n\nwhile 1:\n\ttry:\n\t\ts = socket.socket()\n\t\ts.connect((host,port))\n\t\tif (port == 9765):\n\t\t\tbreak\n\t\told_port = port\n\t\trequest = \"GET \/ HTTP\/1.1\\r\\nHost:%s\\r\\n\\r\\n\" % host\n\t\ts.send(request.encode())\n\t\tresponse = s.recv(4096)\n\t\thttp_response = repr(response)\n\t\thttp_trim = http_response[167:]\n\t\thttp_trim = http_trim.replace('\\'','')\n\t\tdata_list = list(http_trim.split(\" \"))\n\t\tport = int(data_list[2])\n\t\tprint('Operation: '+data_list[0]+', number: '+ data_list[1]+', next port: '+ data_list[2])\n\t\tif(port != old_port):\n\t\t\tif(data_list[0] == 'add'):\n\t\t\t\tnumber += float(data_list[1])\n\t\t\telif(data_list[0] == 'minus'):\n\t\t\t\tnumber -= float(data_list[1])\n\t\t\telif(data_list[0] == 'multiply'):\n\t\t\t\tnumber *= float(data_list[1])\n\t\t\telif(data_list[0] == 'divide'):\n\t\t\t\tnumber \/= float(data_list[1])\n\t\ts.close()\n\texcept:\n\t\ts.close()\n\t\tpass\n\nprint(number)<\/code><\/pre>\n\n\n\n
$ python pn.py <Machine IP><\/code><\/pre>\n\n\n\n
For your information, the port on the webserver is recycling (there are a total of 35 ports). Which mean the port changing sequence is always fixed. If you miss a port because of the poor connection, don\u2019t worry, you just need to wait for another round (140-second per round). Sit back and relax until you get the number. Just let me know if you have a better script ?<\/p>\n\n\n\n
\"[Hacking<\/figure>\n\n\n\n
Here you go.<\/p>\n\n\n\n
Answer:<\/strong> 344769.12<\/p>\n\n\n\n
Task 3: AES-GCM<\/h2>\n\n\n\n
Here comes my favorite part, the block cipher. Oh yes!!!!!! Block cipher FTW. (cough) sorry. For this task, you are required to decrypt the AES-GCM mode block cipher<\/a>. But before that, you need to make a socket connection (like the previous task) with the UDP server.<\/p>\n\n\n\n
Alright, this is the flow of my code
1) Send payload \u2018hello\u2019 to receive the first response
2) Send payload \u2018ready\u2019 to reveal Keys, IV, and checksum for the flag
3) send payload \u2018final\u2019 TWICE to receive encrypted flag followed by the tag
4) Decrypt the flag
5) Check the plaintext with checksum. If checksum not match, repeat step 4
6) Print the plaintext if checksum match<\/p>\n\n\n\n
import socket\nimport sys\nimport hashlib\n\nfrom cryptography.hazmat.backends import default_backend\nfrom cryptography.hazmat.primitives.ciphers import (\n Cipher, algorithms, modes\n)\n\nhost = sys.argv[1]\nport = 4000\n\ndef AES_GCM_decrypt(key, iv, ciphertext, tag):\n\tassociated_data = ''\n\tdecryptor = Cipher(algorithms.AES(key), modes.GCM(iv,tag), backend=default_backend()).decryptor()\n\tdecryptor.authenticate_additional_data(associated_data)\n\treturn decryptor.update(ciphertext) + decryptor.finalize()\n\ndef SHA256_hash(hash_string):\n sha_signature = hashlib.sha256(hash_string.encode()).hexdigest()\n return sha_signature\n\ns = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\ns.connect((host,port))\n\ns.send(b'hello\\n')\ndata = s.recv(2048)\nprint(data)\n\ns.send(b'ready\\n')\nready = s.recv(2048)\nprint(ready)\nchecksum = ready[104:136]\nhex_checksum = checksum.encode('hex')\nprint(\"checksum in hex: \"+hex_checksum)\n\nwhile 1:\n\ts.send(b'final\\n')\n\tflag = s.recv(2048)\n\n\ts.send(b'final\\n')\n\ttag = s.recv(2048)\n\n\tkey = b'thisisaverysecretkeyl337'\n\tiv = b'secureivl337'\n\ttag = bytes(tag)\n\tciphertext = bytes(flag)\n\tplaintext = AES_GCM_decrypt(key, iv, ciphertext, tag)\n\n\thash_string = SHA256_hash(plaintext)\n\tif(hash_string == hex_checksum):\n\t\tprint('flag is: '+plaintext)\n\t\tbreak\n\ns.close()<\/code><\/pre>\n\n\n\n
\"[Hacking<\/figure>\n\n\n\n
Not that hard huh.<\/p>\n\n\n\n
Answer:<\/strong> THM{eW-sCrIpTiNg-AnD-cRyPtO}<\/p>\n\n\n\n
Conclusion<\/h2>\n\n\n\n
That\u2019s all for the short and simple scripting challenge. Hope you enjoy it. See you nex time ?<\/p>\n","protected":false},"excerpt":{"rendered":"
Howdy, welcome to another tryhackme CTF walkt […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20,1],"tags":[352],"class_list":["post-268","post","type-post","status-publish","format-standard","hentry","category-python","category-net-security","tag-python"],"_links":{"self":[{"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/posts\/268","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=268"}],"version-history":[{"count":0,"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/posts\/268\/revisions"}],"wp:attachment":[{"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=268"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=268"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=268"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}