Let's Talk Encryption

Vigenère cipher is an method of encrypting message by using series of different Caesar ciphers based on the letters of a keyword. Basically to encrypt a message using the Vigenère cipher you first need to choose a keyword. After that repeat this keyword over and over until it is the same length as your secret message.

Now for each plaintext letter, you find the letter on the left-vertical row of the tabula recta. Then you take the corresponding letter from your keyword, and find it at the top-horizontal row of the table. Where these two lines cross in the table is the ciphertext letter you use.

tabula-recta

Tabula Recta

Let's encrypt message - hello with a keyword boom.

  • Since our message is 5 letters and keyword is only 4 we have to repeat it until it's same length as message - in this example keyword will be boomb.
  • Now we have to take the first letter from the message and find it on the left-vertical row of the table.
  • Next get the first letter of the keyword and also get its position, now on the upper-horizontal row.
  • After that find where lines, in which were those letters cross and write down the letter you get.
  • Repeat for each letter.

When you finish you should get the encrypted message: iszxp

As you now may suspect - decrypting is just reversing the process on encryption - but knowing the ciphertext (places where lines cross) and keyword - upper row of the table.

  • Get the keyword and repeat it until it's same length (boomb) as ciphertext (iszxp).
  • Get the first letter of a keyword from the upper-horizontal row of the table
  • Get the first letter of a ciphertext and find it in the same row that the letter from the previous step.
  • Finally find the letter from the left-vertical row that is in the same line as the letter from the previous step.
  • Repeat for each letter.

And that's it! We can easilly encrypt and decrypt the messages with Vigenère cipher.

History behind Vigenère cipher

tabula-recta

A reproduction of the Confederacy's cipher disk

This cipher was originally invented by Giovan Battista Bellaso in 1553, in book called La cifra del. Sig. Giovan Battista Bellaso, but is called after Blaise de Vigenère. Blaise published the stronger version of a cipher in 1586 which was later in 19th century misattributed to Vigenère. This cipher gained the reputation of being strong, even some mathematicians called it 'unbreakable' but in 19th Friedrich Kasiski published a method of deciphering a Vigenère cipher.

Nowadays there are couple of ways of deciphering the cipher.

  • Kasiski examination
  • Friedman test
  • Frequency analysis
  • Key elimination

Read More

Let's Talk Encryption

The Caesar cipher, also called Caesar's code, shift cipher or Caesar shift, is one of the simplest and most known forms of encryption. It is a substitution cipher where each letter in the plaintext (original message) is replaced with a letter corresponding to a certain number of letters up or down in the alphabet creating a cipher text.

Vulnhub.com - Mr.Robot 1

This VM is a great way to celebrate the upcoming of a season 2 of Mr. Robot. As it's designed for beginners-intermediate it will be fun challenge and opportunity to learn something new. Our task is to find three different keys located somewhere in the machine.

Let's get started!

How to join the #fsociety?

Firstly, let's find out what IP address is assigned to this VM using nmap, in addition we can scan for the OS version of this machine, and are there any open ports.

nmap -Pn -A 10.0.2.0/24

-Pn – will scan hosts even if they ignore us

-A – will determine operating system of the host

mr-robot-nmap

From what we can see, IP of the machine is 10.0.2.4 and has two open ports: port 80 (http) and port 443 (https). What that means, is that it's hosting web site, using Apache web server. Let's check what it is!

After typing the IP address to the web browser, we can see well known interactive commercial for the new season.

mr-robot-view

Always remember to check the robots.txt file as it may be hiding some useful information, which may come handy for us.

In this one we've got a rule dissalowing web crawlers from indexing 2 files: key-1-of-3.txt and fsocity.dic.

mr-robot-robotstxt

We can get these files by using wget commands (very useful one!).

wget 10.0.2.4/key-1-of-3.txt
wget 10.0.2.4/fsocity.dic

Yeah! We've got the first key, two more to go!

Second file is a dictionary, and I assume we will have to use it in the future brute force attack.

mr-robot-filesfromrobots

Now let's use nmap script - http-enum which may reveal some more useful information.

mr-robot-httpenum

Script showed us a lot more that we've asked for. It's based on WordPress, and we may use this information to preform many attacks. Now let's focus on the readme file and the wp-login.php site.

Readme won't help us :(

mr-robot-readme

But will login page help us?

Most common login and passwords pairs like admin:admin haven't worked but remeber that we have the dictionary, to perform an attack. Now, we have to find the username.

And actually, elliot is correct username! I tried it, by simply typing the names of the characters in this show :)

mr-robot-elliot

Our next task is to brute force this page, using provided dictionary and the wpscan tool.

wpscan -u 10.0.2.4 --wordlist ~/fsocity.dic --username elliot

And after roughly 5 hours, password is ER28-0652 - one of the last ones in the word list.

mr-robot-werein

But what to do next?

We can try to upload a reverse shell to gain access to the server.

Simplest way would be to edit some .php file in order to get shell. I’ll try with page.php and use the code from:

PenTestMonkey

Then let’s create blank page.

Last essential step would be setting up listener and after that just the visit our blank page.

nc -lvp 3344

And we’re in the server, as elliot user. Now let’s see if there’s anything interesting in the home directory.Most promising folder was ‘robot’ containing 2 files: key-2-of-2.txt and password.raw-md5

Unfortunately we don’t have permission to cat the .txt file but let’s look at the m5 file which gives us: robot:c3fcd3d76192e4007dfb496cca67e13b – probable login and password pair . Cracking it with CrackStation, gives us abcdefghijklmnopqrstuvwxyz. In the next step let's try to login in Mr.Robot vulnerable machine.

mr-robot-robot

After that we're able to view the second key, one more to go!

mr-robot-key2of2

822c73956184f694993bede3eb39f959

One last part - privilage escalation - we have to get to the root account.

We can find any misconfigured executable files that can provide us what we want.

find / -perm -u=s -type f 2>/dev/null

mr-robot-nmapstart

Which gives information that nmap is installed on this server with root privileges. Let’s try to exploit nmap –interactive.

mr-robot-key3of3

And yes, we've got the last key!

It was great challenge to fulfill my knowledge hungry brain :). Thanks for Jason for creating such a great boot2root machine!

Jason

Overthewire.org - Leviathan

Today we're gonna give a try Leviathan wargame which requires some common sense and a little bit of knowledge about Unix commands.

Let's get started!