Hackthissite/Realistic/Level6

From aldeid
Jump to navigation Jump to search

Description

  • Level: Realistic::6 (ToxiCo Industrial Chemicals)
  • URL: http://www.hackthissite.org/missions/realistic/6/
  • Difficulty :
  • Exercise: Decrypt a heavily encoded message from a CEO trying to bribe ecological inspectors investigating water pollution issues. Help environmentalists uncover corporations plotting to profit from the destruction of mother nature!

Message: Hello esteemed hacker, I hope you have some decent cryptography skills. I have some text I need decrypted. I work for this company called ToxiCo Industrial Chemicals, which has recently come under fire because of the toxic chemicals we are dumping into the river nearby. Ecological inspectors have reported no problems, but it is widely speculated that they were paid off by ToxiCo management because the water pollution near the ToxiCo factory has always been a serious and widely publicized issue. I have done some packet sniffing on my network and I have recovered this email that was sent from the CEO of the company to Chief Ecological Inspector Samuel Smith. However, it is encrypted and I cannot seem to decode it using any of my basic decryption tools. I have narrowed it down to the algorithm used to encrypt it, but it is beyond my scope. I was hoping you can take a look at it. Please check it out, more details are on the page. If you can unscramble it and reply to this message with the original text, it would be much appreciated. Thank you.

My solution

$ cat encrypted.txt
.296.294.255.268.313.278.311.270.290.305.322.252.276.286.301.305.264.301.251.269.274.311.304.
230.280.264.327.301.301.265.287.285.306.265.282.319.235.262.278.249.239.284.237.249.289.250.
282.240.256.287.303.310.314.242.302.289.268.315.264.293.261.298.310.242.253.299.278.272.333.
272.295.306.276.317.286.250.272.272.274.282.308.262.285.326.321.285.270.270.241.283.305.319.
246.263.311.299.295.315.263.304.279.286.286.299.282.285.289.298.277.292.296.282.267.245.304.
322.252.265.313.288.310.281.272.266.243.285.309.295.269.295.308.275.316.267.283.311.300.252.
270.318.288.266.276.252.313.280.288.258.272.329.321.291.271.279.250.265.261.293.319.309.303.
260.266.291.237.299.286.293.279.267.320.290.265.308.278.239.277.314.300.253.274.309.289.280.
279.302.307.317.252.261.291.311.268.262.329.312.271.294.291.291.281.282.292.288.240.248.306.
277.298.295.267.312.284.265.294.321.260.293.310.300.307.263.304.297.276.262.291.241.284.312.
277.276.265.323.280.257.257.303.320.255.291.292.290.270.267.345.264.291.312.295.269.297.280.
290.224.308.313.240.308.311.247.284.311.268.289.266.316.299.269.299.298.265.298.262.260.337.
320.285.265.273.307.297.282.287.225.302.277.288.284.310.278.255.263.276.283.322.273.300.264.
302.312.289.262.236.278.280.286.292.298.296.313.258.300.280.300.260.274.329.288.272.316.256.
259.279.297.296.283.273.286.320.287.313.272.301.311.260.302.261.304.280.264.328.259.259.347.
245.291.258.289.270.300.301.318.251.305.278.290.311.280.281.293.313.259.300.262.315.263.319.
285.282.297.283.290.293.280.237.234.323.289.305.279.314.274.291.309.273.294.249.283.262.271.
286.310.305.306.261.298.282.282.307.287.285.305.297.275.306.280.292.291.284.301.278.293.296.
277.301.281.274.315.281.254.251.289.313.307.244.256.302.301.317.305.239.316.274.277.296.269.
305.301.279.287.317.284.277.305.298.264.304.286.273.275.293.309.286.282.240.287.239.268.269.
267.315.311.292.270.271.272.336.282.237.275.316.306.239.305.314.240.296.306.270.247.245.302.
317.316.241.291.310.266.274.274.313.288.262.319.280.276.238.297.295.287.285.288.301.272.275.
247.305.292.286.272.310.291.301.322.256.315.298.263.281.276.237.294.284.296.284.302.273.298.
287.298.301.265.305.270.315.278.283.302.287.263.270.345.258.270.266.302.309.262.260.277.327.
263.277.254.283.276.239.272.264.276.279.264.267.298.264.244.245.273.292.289.273.248.259.263.
288.290.294.210.288.268.311.318.312.242.285.293.216.262.276.340.292.299.275.259.293.311.234.
266.294.278.307.286.267.307.285.269.310.288.274.270.326.273.276.311.304.267.302.318.265.299.
263.283.248.257.314.288.321.321.236.284.283.227.320.312.246.261.289.316.288.263.312.241.265.
288.298.286.287.274.306.279.276.289.307.303.293.281.298.317.252.312.283.278.263.304.305.258.
266.270.294.286.293.290.291.291.258.254.282.282.283.313.268.282.316.310.299.254.264.234.296.
270.265.326.288.292.293.321.305.250.320.299.253.270.296.297.298.266.312.234.273.287.309.286.
278.269.279.316.284.276.234.293.255.267.242.253.318.270.246.278.292.285.282.314.266.292.286.
263.313.249.290.255.289.264.292.301.299.278.291.292.225.250.261.283.303.262.264.264.303.299.
297.274.288.267.293.316.320.317.233.303.258.302.271.283.323.247.279.268.312.269.297.313.280.
280.273.266.332.276.313.284.281.316.279.290.273.313.308.305.260.302.306.273.234.279.281.284.
298.278.259.290.314.275.264.339.293.322.266.261.296.306.277.275.311.284.270.318.259.249.286.
292.301.285.280.303.283.287.299.277.273.293.228.311.283.272.304.292.277.271.306.302.278.298.
300.287.281.309.243.272.279.282.300.291.295.284.285.252.291.251.285.283.245.250.252.318.298.
277.235.288.259.263.278.274.307.261.260.350.250.288.256.282.316.261.285.295.292.300.298.264.
245.241.308.301.261.253.289.264.267.300.262.248.287.257.266.275.287.297.320.287.264.279.297.
232.231.256.288.243.252.277.274.245.256.253.229.290.263.305.278.260.294.312.283.301.275.276.
299.297.312.275.282.294.272.228.302.324.257.261.286.326.280.283.316.294.254.258.275.264.236.
240.277.255.231.258.286.242.277.253.296.290.250.314.320.239.292.313.261.294.261.317.273.285.
236.292.282.271.264.297.300.272.308.299.300.269.301.269.317.284.286.262.315.276.279.328.269.
254.252.232.272.268.309.273.264.296.305.272.267.291.324.302.297.268.268.263.298.300.261.312.
241.254.299.280.263.292.260.301.311.317.297.248.314.272.293.298.281.298.276.311.291.297.318.
261.274.300.293.297.267.295.261.275.334.289.238.267.289.283.257.300.262.304.311.278.274.265.
261.345.301.296.270.273.299.289.274.272.313.282.268.320.287.320.270
#!/usr/bin/env python
""" decrypt.py """
f = open('encrypted.txt')
tmp = []
arr = []
c = 0

for line in f:
    l = line.split('\n')[0]
    for i in l.split('.'):
        if i!='':
            tmp.append(int(i))
            c+=1
            if c%3==0:
                arr.append(sum(tmp))
                tmp = []

# Brute force
for diff in range(max(arr)-255, min(arr)+1):
    fn = 'bruteforce-%s.txt' % diff
    bf = open(fn, 'w')
    for i in arr:
        bf.write(chr(i-diff))
    bf.close()
$ cat bruteforce-762.txt 
Samuel Smith

Thank you for looking the other way on the increased levels of toxic chemicals in the river running alongside our industrial facilities. You can pick up your payment of $20,000 in the mailbox at the mansion on the corner of 53 and St. Charles tomorrow between the hours of 3:00am and 5:00am.

Thank you,

John Sculley
ToxiCo Industrial Chemicals

Solution posted by Cynapse

Relatively basic encyrption. Use the XECryption tool to discover that each character produces 3 numbers separated by a ".". Without a password the sum of these three characters equals the ASCII code of the character.

IE:

A = .13.-2.54.
13 + (-2) + 54 = 65
ASCII2TEXT(65) = A
AB = .10.32.23.39.4.23
(.10.32.23)(.39.4.23)

Summing the numbers in the brackets gets: (65)(66)

ASCII2TEXT(65)ASCII2TEXT(66) = AB

Next if you add a password of "A" you get a different result when encrypting AB:

AB[pw = A] = .57.15.58.54.43.34
(.57.15.58)(.54.43.34)

Summing the brackets gets: (120)(121)

So the codes have been modulated by +65 which coincidently happens to equate to ascii2text(65) = A (or your password!)

Now checking with password = AB

AB[pw = AB] = .57.53.86.82.80.35
(.57.53.86)(.82.80.35)

Summing the brackets: (196)(197)

The codes have been modulated this time by 121. This happens to be the sum of ASCII(A) + ASCII(B) or 65+66.

So it can be deduced that the crypt is a 3 digit allocation for each character of which the sum is equal to the ascii value of the character plus a password modulator which is equal to the sum of the ascii codes of the characters in the password.

Now you have this information what you have to do is separate the encyrpted file into allocations of the 3 digit characters. I did this by saving it to a text file then importing the data to MS Excel selecting delimited data with delimiter character of ".".

Then I wrote the following macro to separate the data out into the 3 digit characters with the sum of the three digits in the 4th col:

Sub SetTo3Columns()
'
' SetTo3Columns Macro
' Copy and paste raw number data to separate into just three columns
'
Dim intStartRowIndex As Integer
Dim intStartColIndex As Integer
Dim intCurrRowIndex As Integer
Dim intCurrColIndex As Integer
Dim intEndRowIndex As Integer
Dim intEndColIndex As Integer
Dim rCount As Integer
Dim cCount As Integer
Dim int3DigitSum As Integer

intStartRowIndex = 1
intStartColIndex = 1
intEndRowIndex = 48
intEndColIndex = 23
intCurrRowIndex = 1
intCurrColIndex = 1
int3DigitSum = 0

For rCount = intStartRowIndex To intEndRowIndex
   For cCount = intStartColIndex To intEndColIndex
       Sheets("RawData").Cells(rCount, cCount).Copy
       Sheets("SplitData").Cells(intCurrRowIndex, intCurrColIndex).Select
       ActiveSheet.Paste
       intCurrColIndex = intCurrColIndex + 1
       If intCurrColIndex = 4 Then
       'This if statement checks to see whether the number being pasted is the
       'last in the set of three therefore summing the three numbers in a new cell
       'then starting a new row
           For i = 1 To 3
               int3DigitSum = int3DigitSum + Sheets("SplitData").Cells(intCurrRowIndex, i).Value
           Next
           Sheets("SplitData").Cells(intCurrRowIndex, intCurrColIndex).Value = int3DigitSum
           int3DigitSum = 0
           intCurrColIndex = 1
           intCurrRowIndex = intCurrRowIndex + 1
       End If
   Next
Next

End Sub

Next you can place a Char formula for each 3 digit sum however this will be nonsense because the sum has been modulated by adding a password value.

So each 3digit sum is modulated back down by a value which you need to brute force. However the range of sensible modulators is small due to the fact you know you are trying to get back to an ascii value of roughly between 65 and 110.

Once you manage to find the answer (mine was modulator of 762 which equates to a possible pw of PASSWORD12$) you can combine the individual characters using the simple macro:

For r = 1 To 366
   strOutput = strOutput & Sheets("SplitData").Cells(r, 6).Value
Next

Sheets("Output").Cells(1, 1) = strOutput

You then get the following:


"Samuel Smith Thank you for looking the other way on the increased levels of toxic chemicals in the river running alongside our industrial facilities. You can pick up your payment of $20,000 in the mailbox at the mansion on the corner of 53 and St. Charles tomorrow between the hours of 3:00am and 5:00am.

Thank you,

John Sculley ToxiCo Industrial Chemical"


Comments