Vortex 14, 15
Continuing the previous Vortex series here.
1: vortex 13
Based on something seen in the “real world”, it has weak encryption usage, used over a TCP/IP connection. This level requires you to apply some logic to the challenge at hand. You must login to vortex.labs.overthewire.org to complete this level.
The > indicates traffic “from the server, to the client”, and the < indicates traffic “from the client, to the server”.
If you need some hints, consider how you can divide and conquer the problem. For example, does it look like symmetric encryption, or asymmetric encryption? How can you further classify them?
So we get this file
We can split the lines by their leading > or < to see what was sent and received, which gives us three files: a, b, and c.
This says we received a from the server, sent b, then received c. This data is encrypted. The first one is probably the authentication/key. After some testing with various ciphers, I find that the one used is RC4 and the key is in a after the username/plaintext, which is 50db5b096ccef698. We use the key to decrypt the rest
and result is
You have found an encrypted file, decrypt it (some reversing, crypt and general analysis needed, and if you’re lazy, the password is 8-bytes long and contains values between A and Z). You must login to vortex.labs.overthewire.org to complete this level.
I connect and find a binary that does encryption/decryption and an encrypted file ending with .tar.Z. This extension refers to a file packed with tar and the older utility compress; it is not to be confused with gzip, which uses a slightly different format.
Let us take a look at how it does encryption/decryption.
So it opens a file, reads its content, takes each byte, applies ~ to it, then XORs it with key[i&7]. The &7 tells us that the password is 8 bytes long. So we need to find an 8-byte password that does the decryption. How? Well, let us take a look at what a regular tar.Z file of similar size (469 bytes) looks like.
So if we take the encrypted file, ~ every byte, then XOR it with a sample, the result is the key used to encrypt. Code that does this:
We run it and see the output
So where is the key? First, to know exactly what it starts with, we look at the beginning that causes the header to be a valid compress format, and it starts with ZQ. Then, somewhere around the end of each entry or file, we'll have the key repeating due to similarities, padding, etc. We find 8 bytes of a repeating pattern that starts with ZQ. The key is ZQSQADCA
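The key recovery described above can be reproduced offline. This is an added example, not the code from the original post: it reimplements the ~ then XOR with key[i&7] scheme and recovers the key from a similar-looking sample by majority vote per key position. The key and both byte strings are constructed stand-ins, not the level's data, and the function names are hypothetical.

```python
from collections import Counter

def crypt(data: bytes, key: bytes) -> bytes:
    """NOT each byte, then XOR with key[i & 7], as the write-up describes.
    The operation is its own inverse, so it both encrypts and decrypts."""
    return bytes((~b & 0xFF) ^ key[i & 7] for i, b in enumerate(data))

def key_votes(ciphertext: bytes, guess: bytes) -> list:
    """For each of the 8 key positions, count the key byte implied by every
    (ciphertext byte, guessed plaintext byte) pair: k = ~c ^ p."""
    votes = [Counter() for _ in range(8)]
    for i, (c, p) in enumerate(zip(ciphertext, guess)):
        votes[i & 7][(~c & 0xFF) ^ p] += 1
    return votes

def recover_key(ciphertext: bytes, guess: bytes) -> bytes:
    """Take the most frequent candidate per position, keeping only A-Z
    values as stated in the level description."""
    key = bytearray()
    for counter in key_votes(ciphertext, guess):
        ranked = [(n, k) for k, n in counter.items() if 0x41 <= k <= 0x5A]
        if not ranked:
            raise ValueError("no A-Z candidate for a key position")
        key.append(max(ranked)[1])
    return bytes(key)

# Constructed data (assumption): the two byte strings share the compress
# magic 0x1F 0x9D and long runs of padding, but differ in name and body.
KEY = b"QWERTYUI"
SECRET = bytes([0x1F, 0x9D, 0x90]) + b"notes.txt" + bytes(40) \
    + b"secret file body" + bytes(28)
GUESS = bytes([0x1F, 0x9D, 0x90]) + b"other.txt" + bytes(40) \
    + b"different content" + bytes(27)

if __name__ == "__main__":
    ct = crypt(SECRET, KEY)
    print(recover_key(ct, GUESS))       # key recovered from the sample alone
    print(crypt(ct, recover_key(ct, GUESS)) == SECRET)
```

Positions where the sample differs from the real plaintext produce scattered wrong candidates, while every matching position votes for the same byte, which is why the repeating pattern stands out in the output.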