- Level: Realistic::6 (ToxiCo Industrial Chemicals)
- URL: http://www.hackthissite.org/missions/realistic/6/
- Difficulty :
- Exercise: Decrypt a heavily encoded message from a CEO trying to bribe ecological inspectors investigating water pollution issues. Help environmentalists uncover corporations plotting to profit from the destruction of mother nature!
Message: Hello esteemed hacker, I hope you have some decent cryptography skills. I have some text I need decrypted. I work for this company called ToxiCo Industrial Chemicals, which has recently come under fire because of the toxic chemicals we are dumping into the river nearby. Ecological inspectors have reported no problems, but it is widely speculated that they were paid off by ToxiCo management because the water pollution near the ToxiCo factory has always been a serious and widely publicized issue. I have done some packet sniffing on my network and I have recovered this email that was sent from the CEO of the company to Chief Ecological Inspector Samuel Smith. However, it is encrypted and I cannot seem to decode it using any of my basic decryption tools. I have narrowed it down to the algorithm used to encrypt it, but it is beyond my scope. I was hoping you can take a look at it. Please check it out, more details are on the page. If you can unscramble it and reply to this message with the original text, it would be much appreciated. Thank you.
$ cat encrypted.txt
```python
#!/usr/bin/env python
""" decrypt.py """

tmp = []
arr = []
c = 0

# Sum every group of three numbers; each sum is one encrypted character
with open('encrypted.txt') as f:
    for line in f:
        l = line.strip()
        for i in l.split('.'):
            if i != '':
                tmp.append(int(i))
                c += 1
                if c % 3 == 0:
                    arr.append(sum(tmp))
                    tmp = []

# Brute force: try every offset that keeps all characters in 0..255
for diff in range(max(arr) - 255, min(arr) + 1):
    fn = 'bruteforce-%s.txt' % diff
    with open(fn, 'w') as bf:
        for i in arr:
            bf.write(chr(i - diff))
```
```
$ cat bruteforce-762.txt
Samuel Smith Thank you for looking the other way on the increased levels of toxic chemicals in the river running alongside our industrial facilities. You can pick up your payment of $20,000 in the mailbox at the mansion on the corner of 53 and St. Charles tomorrow between the hours of 3:00am and 5:00am. Thank you, John Sculley ToxiCo Industrial Chemicals
```
Solution posted by Cynapse
Relatively basic encryption. Use the XECryption tool to discover that each character produces 3 numbers separated by a ".". Without a password the sum of these three characters equals the ASCII code of the character.
A = .13.-2.54.
13 + (-2) + 54 = 65
ASCII2TEXT(65) = A

AB = .10.32.23.39.4.23
(.10.32.23)(.39.4.23)
Summing the numbers in the brackets gets: (65)(66)
ASCII2TEXT(65)ASCII2TEXT(66) = AB
Next if you add a password of "A" you get a different result when encrypting AB:
AB[pw = A] = .57.15.58.54.43.34
(.57.15.58)(.54.43.34)
Summing the brackets gets: (120)(121)
So the codes have been modulated by +65 which coincidentally happens to equate to ascii2text(65) = A (or your password!)
Now checking with password = AB
AB[pw = AB] = .57.53.86.82.80.35
(.57.53.86)(.82.80.35)
Summing the brackets: (196)(197)
The codes have been modulated this time by 121. This happens to be the sum of ASCII(A) + ASCII(B) or 65+66.
So it can be deduced that the crypt is a 3 digit allocation for each character of which the sum is equal to the ascii value of the character plus a password modulator which is equal to the sum of the ascii codes of the characters in the password.
Now you have this information what you have to do is separate the encrypted file into allocations of the 3 digit characters. I did this by saving it to a text file then importing the data to MS Excel selecting delimited data with delimiter character of ".".
Then I wrote the following macro to separate the data out into the 3 digit characters with the sum of the three digits in the 4th col:
```vb
Sub SetTo3Columns()
'
' SetTo3Columns Macro
' Copy and paste raw number data to separate into just three columns
'
    Dim intStartRowIndex As Integer
    Dim intStartColIndex As Integer
    Dim intCurrRowIndex As Integer
    Dim intCurrColIndex As Integer
    Dim intEndRowIndex As Integer
    Dim intEndColIndex As Integer
    Dim rCount As Integer
    Dim cCount As Integer
    Dim int3DigitSum As Integer

    intStartRowIndex = 1
    intStartColIndex = 1
    intEndRowIndex = 48
    intEndColIndex = 23
    intCurrRowIndex = 1
    intCurrColIndex = 1
    int3DigitSum = 0

    For rCount = intStartRowIndex To intEndRowIndex
        For cCount = intStartColIndex To intEndColIndex
            Sheets("RawData").Cells(rCount, cCount).Copy
            Sheets("SplitData").Cells(intCurrRowIndex, intCurrColIndex).Select
            ActiveSheet.Paste
            intCurrColIndex = intCurrColIndex + 1
            If intCurrColIndex = 4 Then
                'This if statement checks to see whether the number being pasted is the
                'last in the set of three therefore summing the three numbers in a new cell
                'then starting a new row
                For i = 1 To 3
                    int3DigitSum = int3DigitSum + Sheets("SplitData").Cells(intCurrRowIndex, i).Value
                Next
                Sheets("SplitData").Cells(intCurrRowIndex, intCurrColIndex).Value = int3DigitSum
                int3DigitSum = 0
                intCurrColIndex = 1
                intCurrRowIndex = intCurrRowIndex + 1
            End If
        Next
    Next
End Sub
```
Next you can place a Char formula for each 3 digit sum however this will be nonsense because the sum has been modulated by adding a password value.
So each 3 digit sum is modulated back down by a value which you need to brute force. However the range of sensible modulators is small due to the fact you know you are trying to get back to an ascii value of roughly between 65 and 110.
Once you manage to find the answer (mine was modulator of 762 which equates to a possible pw of PASSWORD12$) you can combine the individual characters using the simple macro:
```vb
For r = 1 To 366
    strOutput = strOutput & Sheets("SplitData").Cells(r, 6).Value
Next
Sheets("Output").Cells(1, 1) = strOutput
```
You then get the following:
"Samuel Smith Thank you for looking the other way on the increased levels of toxic chemicals in the river running alongside our industrial facilities. You can pick up your payment of $20,000 in the mailbox at the mansion on the corner of 53 and St. Charles tomorrow between the hours of 3:00am and 5:00am.
John Sculley ToxiCo Industrial Chemical"
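The scheme deduced in the solutions above, as an added Python example (not part of the original write-up or of either posted solution): because the password contributes only the sum of its character codes, the whole key is one small integer, and the right offset can be picked automatically by scoring candidates instead of reading hundreds of brute-force files. The function names, the random way `xe_encrypt` splits each sum into three numbers, the 9..126 character range and the letter-frequency scoring are assumptions made for this illustration.

```python
import random

COMMON = set(" etaoinshrdlu")  # assumed scoring alphabet: space + frequent English letters

def password_shift(password):
    """The password contributes only the sum of its character codes."""
    return sum(ord(ch) for ch in password)

def xe_encrypt(plaintext, password, rng):
    """Emit three numbers per character summing to ord(char) + password_shift.
    The real tool's split is not shown on the page; a random split is assumed."""
    shift = password_shift(password)
    out = []
    for ch in plaintext:
        total = ord(ch) + shift
        a = rng.randint(0, total)
        b = rng.randint(0, total - a)
        out += [a, b, total - a - b]
    return "." + ".".join(str(n) for n in out)

def triple_sums(ciphertext):
    """Drop whitespace, split on '.', and sum each group of three numbers."""
    nums = [int(tok) for tok in "".join(ciphertext.split()).split(".") if tok]
    if len(nums) % 3:
        raise ValueError("ciphertext does not contain a multiple of three numbers")
    return [sum(nums[i:i + 3]) for i in range(0, len(nums), 3)]

def recover(ciphertext):
    """Return (shift, plaintext) for the best-scoring shift that keeps every
    character between tab (9) and '~' (126)."""
    sums = triple_sums(ciphertext)
    best = None
    for shift in range(max(sums) - 126, min(sums) - 9 + 1):
        text = "".join(chr(s - shift) for s in sums)
        score = sum(ch in COMMON for ch in text.lower())
        if best is None or score > best[0]:
            best = (score, shift, text)
    if best is None:
        raise ValueError("no shift maps every sum into the range 9..126")
    return best[1], best[2]

# Constructed sample: opening of the message shown on the page, re-encrypted here.
SAMPLE = ("Samuel Smith\nThank you for looking the other way on the increased "
          "levels of toxic chemicals in the river running alongside our "
          "industrial facilities.")

if __name__ == "__main__":
    ct = xe_encrypt(SAMPLE, "PASSWORD12$", random.Random(6))
    print(recover(ct))
```

Any two passwords with the same character-code sum are interchangeable under this scheme, so password length and complexity add nothing once the sum is known.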