NDH2k15 updator writeup

Updator[1] was an exploitation challenge worth 200 pts. A URL is given; when we access it we are asked for a username/password, and there is a link to http://updator.challs.nuitduhack.com/update.py. We can also fetch http://updator.challs.nuitduhack.com/update.pyc, the compiled version of the module. Reverse engineering/decompiling the bytecode gives the following:

1: http://updator.challs.nuitduhack.com/

This shows an algorithm used to encrypt and decrypt with some XORing. On its own this does not help much, so we search for more files on the site and find the folder http://updator.challs.nuitduhack.com/temp/, which contains the file log.py.encrypt. This is an encrypted file that we need to decrypt, but since we do not have the key we have to analyse the algorithm above.

The algorithm is a cyclic XOR in which each byte is also XORed with the previous XORed byte, meaning

and so on. A standard XOR attack (recover the key length, then use the most frequent character per key position) is not very useful here because each byte is chained with the previous XORed byte. What we do know is that the key is 8 bytes long and that the encrypted file is most likely a Python script (log.py), so we can guess what it starts with; for example it may start with something like:

Knowing this lets us brute-force the first few bytes of the encrypted file and recover the key, using the decryption code. We write a brute-force script that tries key[0] from 0 to 0xff, decrypts with a key of length 8, and checks whether the output starts with "i"; if it does, key[0] = x is correct, and we move on to key[1] doing the same for "m", and so on up to key[7], working through all of "import ".
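The key recovery described above, written out as an added example (this is not the challenge's update.py, which is not reproduced on this page). The cipher below is an assumption that models "cyclic XOR with the previous XORed byte" as CBC-style chaining on the previous ciphertext byte, c[i] = p[i] ^ key[i % 8] ^ c[i-1] with c[-1] = 0; the sample key and plaintext are constructed here so the script runs offline. It recovers the first seven key bytes from the guessed prefix "import ", lists the plausible candidates for key[7] (bytes that decrypt to a lowercase letter, the start of a module name), and then recovers the full key from "import d".

```python
# Added example: chained-XOR cipher (ASSUMED model of the decompiled update.py)
# and the byte-by-byte known-plaintext key recovery used in the writeup.

KEY_LEN = 8


def encrypt(plaintext: bytes, key: bytes) -> bytes:
    """c[i] = p[i] ^ key[i % len(key)] ^ c[i-1], with c[-1] = 0 (assumed scheme)."""
    out = bytearray()
    prev = 0
    for i, p in enumerate(plaintext):
        c = p ^ key[i % len(key)] ^ prev
        out.append(c)
        prev = c
    return bytes(out)


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """Inverse of encrypt(); the chain value is the previous *ciphertext* byte."""
    out = bytearray()
    prev = 0
    for i, c in enumerate(ciphertext):
        out.append(c ^ key[i % len(key)] ^ prev)
        prev = c
    return bytes(out)


def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int = KEY_LEN) -> bytes:
    """Brute-force key[i] one position at a time from a known plaintext prefix.

    For each position i < key_len try all 256 values of key[i], decrypt the first
    i+1 bytes with the partial key and keep the value that yields known_prefix[i].
    Returns as many key bytes as the prefix allows (at most key_len).
    """
    n = min(len(known_prefix), key_len, len(ciphertext))
    key = bytearray(key_len)
    for i in range(n):
        hits = []
        for x in range(256):
            key[i] = x
            if decrypt(ciphertext[: i + 1], bytes(key))[i] == known_prefix[i]:
                hits.append(x)
        # p[i] = c[i] ^ key[i] ^ c[i-1] is a bijection in key[i], so exactly one hit.
        assert len(hits) == 1, f"position {i}: {len(hits)} candidates"
        key[i] = hits[0]
    return bytes(key[:n])


def candidates_for_position(ciphertext: bytes, partial_key: bytes, pos: int, accept) -> list:
    """For a key position beyond the known prefix, keep the key bytes whose
    decrypted plaintext byte passes accept() (e.g. 'is a lowercase letter')."""
    key = bytearray(partial_key) + bytearray(KEY_LEN - len(partial_key))
    found = []
    for x in range(256):
        key[pos] = x
        if accept(decrypt(ciphertext[: pos + 1], bytes(key))[pos]):
            found.append(x)
    return found


# Constructed sample (not challenge data): an 8-byte key and a log.py-like script.
SAMPLE_KEY = bytes.fromhex("5e1b9a4c23f08d71")
SAMPLE_PLAINTEXT = b"import datetime\nimport os\n\nPASSWORD = 'constructed-sample'\n"
SAMPLE_CIPHERTEXT = encrypt(SAMPLE_PLAINTEXT, SAMPLE_KEY)


def demo():
    partial = recover_key(SAMPLE_CIPHERTEXT, b"import ")          # key[0..6]
    lowercase = lambda b: 0x61 <= b <= 0x7A                        # a-z
    cands = candidates_for_position(SAMPLE_CIPHERTEXT, partial, 7, lowercase)
    full = recover_key(SAMPLE_CIPHERTEXT, b"import d")            # all 8 bytes
    return partial, cands, full, decrypt(SAMPLE_CIPHERTEXT, full)


if __name__ == "__main__":
    partial, cands, full, plain = demo()
    print("partial key:", partial.hex())
    print("candidates for key[7]:", len(cands))
    print("full key:", full.hex())
    print(plain.decode())
```

Under this model the brute force is only a convenience: because decrypting byte i gives c[i] ^ key[i] ^ c[i-1] and both ciphertext bytes are known, each key byte can also be computed directly as key[i] = c[i] ^ c[i-1] ^ p[i], which is why seven known plaintext bytes pin down seven key bytes with no ambiguity and the eighth only needs a short list of plausible characters to try.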

This reveals that the first bytes are "import d..." and that log.py is:

Using this we access

Log in with the password mentioned there to get the flag.

Proxied content from gemini://0x80.org/gemlog/2015-04-05-ndh2k15-updator-writeup.gmi.