Adversary Quest 2021 (Continued)

Ditto
Jan 29, 2021


Challenge 2 (Order of 0x20)

Challenge Message

Install tor and extract these messages from the Deep Dark Web

Welcome on board … et's fight back …

Looking at crypter.py and playing around with it for a while, I found that it has two main modes (-e vs. no -e). With the -e flag we encode a message; without it we decode one.

Running with the -e flag, we need to supply a ‘private’ key, which has to pass certain validity checks. Once the key is accepted, the program asks for another hex string as input and then outputs a long hex ‘encrypted’ string. In the example output, the line (53504143 … 41414141) is my input while (CE43E … C498) is the output.

Example Output

Then, running without the -e flag, we decrypt the message. Note that we have to supply the same key in order to decode the hex stream shown above; doing so outputs ‘SPACEARMY’.

Looking at the decryption function, I noticed that the first 9 decrypted characters have to be SPACEARMY. We have the encoded message, but not the key. I attempted to brute force it, but there are too many possibilities, so I went with the hard manual way of reversing it. This is the main part of the challenge. From reversing, I understand that the key is 9 characters and the byte stream that gives the key is also 9 characters.

Therefore, assuming the key = abcdefghi and the byte stream = 11 22 33 44 55 66 77 88 99, the encoding algorithm looks like this:

a*11 + b*22 + c*33 → S

d*11 + e*22 + f*33 → P

g*11 + h*22 + i*33 → A
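To show why a linear mix like the one above falls to known plaintext, here is an added example (not the challenge's crypter.py and not the author's script) that models the relation as a toy: each recovered byte is a dot product mod 256 of a 3-byte key slice with a 3-byte stream triple, and, as an assumption beyond the three rows shown, the second and third stream triples are applied to the same key slices to produce the remaining six bytes. With the nine known bytes of SPACEARMY that gives three 3x3 systems over Z/256, which recover the nine key bytes directly instead of brute-forcing 256^9.

```python
from typing import List

MOD = 256  # the toy mixes bytes, so all arithmetic is over Z/256


def decode(key: bytes, stream: bytes) -> bytes:
    """Output byte 3*blk+row = key[3*row:3*row+3] . stream[3*blk:3*blk+3] mod 256.
    The first three outputs match the rows on the page (a,b,c / d,e,f / g,h,i
    against the first stream triple); later triples reuse the key slices (assumed)."""
    assert len(key) == 9 and len(stream) == 9
    out = []
    for blk in range(3):
        s = stream[3 * blk:3 * blk + 3]
        for row in range(3):
            k = key[3 * row:3 * row + 3]
            out.append(sum(a * b for a, b in zip(k, s)) % MOD)
    return bytes(out)


def solve_mod256(matrix: List[List[int]], rhs: List[int]) -> List[int]:
    """Gauss-Jordan elimination over Z/256. Only odd entries are units mod 256,
    so a column with no odd pivot left means the key is not uniquely determined."""
    n = len(rhs)
    aug = [row[:] + [b] for row, b in zip(matrix, rhs)]
    for col in range(n):
        piv = next((r for r in range(col, n) if aug[r][col] % 2 == 1), None)
        if piv is None:
            raise ValueError("no odd pivot in column %d: singular mod 256" % col)
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, MOD)  # modular inverse of the odd pivot
        aug[col] = [(v * inv) % MOD for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(x - f * y) % MOD for x, y in zip(aug[r], aug[col])]
    return [row[n] for row in aug]


def recover_key(stream: bytes, known_plain: bytes) -> bytes:
    """Known-plaintext recovery: key slice `row` feeds one output byte per block,
    so the three blocks give a 3x3 system whose rows are the stream triples."""
    coeff = [list(stream[3 * blk:3 * blk + 3]) for blk in range(3)]
    key = []
    for row in range(3):
        key += solve_mod256(coeff, [known_plain[3 * blk + row] for blk in range(3)])
    return bytes(key)


# Constructed sample stream (not from the challenge); its 3x3 matrix has an odd
# determinant, so it is invertible mod 256.
SAMPLE_STREAM = bytes([0x11, 0x22, 0x33, 0x44, 0x55, 0x67, 0x79, 0x88, 0x9A])
```

The placeholder stream on the page (11 22 33 / 44 55 66 / 77 88 99, read as decimal or hex) has the same parity pattern in rows one and three and is therefore singular mod 2, so `recover_key` raises on it; that is why the sample stream above differs in its last two triples.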

Flag!

Script can be found here:

