Krypton Walkthrough
posted on 2015-01-22 03:24:30

http://overthewire.org/wargames/krypton/ is just as much fun as bandit or leviathan, which I covered in earlier posts here or here.

prerequisites

Just go and have a look at the bandit post mentioned above.

solutions

Here is what I have found by now.

level 0

[root@jerrylee /home/jl]# echo "S1JZUFRPTklTR1JFQVQ=" | base64 -d
KRYPTONISGREAT

This is done locally only.

level 1

Here you have to log in with 'krypton1'. In case you have already been on the server, you can see this here:

leviathan7@melinda:~$ grep krypton /etc/passwd
krypton1:x:8001:8001:krypton level 1:/home/krypton1:/bin/bash
krypton2:x:8002:8002:krypton level 2:/home/krypton2:/bin/bash
krypton3:x:8003:8003:krypton level 3:/home/krypton3:/bin/bash
krypton4:x:8004:8004:krypton level 4:/home/krypton4:/bin/bash
krypton5:x:8005:8005:krypton level 5:/home/krypton5:/bin/bash
krypton6:x:8006:8006:krypton level 6:/home/krypton6:/bin/bash
krypton7:x:8007:8007:krypton level 7:/home/krypton7:/bin/bash
leviathan7@melinda:~$

So, after connecting, let's first see where our file is:

krypton1@melinda:~$ find / -iname '*krypton2*' | less

In less, use the &krypton2 + Enter trick again:

/games/krypton/krypton1/krypton2
/games/krypton/krypton2
/home/krypton2
~
~
~
~
~
~
~
& (END)

krypton1@melinda:~$ cat /games/krypton/krypton1/krypton2 | tr 'A-Za-z' 'N-ZA-Mn-za-m'
LEVEL TWO PASSWORD ROTTEN

level 2

krypton2@melinda:~$ ls -lah
total 20K
drwxr-xr-x   2 root root 4.0K Nov 14 10:32 .
drwxr-xr-x 167 root root 4.0K Jan 12 17:44 ..
-rw-r--r--   1 root root  220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root root 3.6K Apr  9  2014 .bashrc
-rw-r--r--   1 root root  675 Apr  9  2014 .profile
krypton2@melinda:~$ cd /games/krypton/
krypton2@melinda:/games/krypton$ ls
krypton1  krypton2  krypton3  krypton4  krypton5  krypton6
krypton2@melinda:/games/krypton$ cd krypton2
krypton2@melinda:/games/krypton/krypton2$ ls -lah
total 15K
drwxr-xr-x 2 root     root     1.0K Nov 14 10:32 .
drwxr-xr-x 8 root     root     1.0K Nov 14 10:32 ..
-rw-r----- 1 krypton2 krypton2 1.1K Nov 14 10:32 README
-rwsr-x--- 1 krypton3 krypton2 8.8K Nov 14 10:32 encrypt
-rw-r----- 1 krypton3 krypton3   27 Nov 14 10:32 keyfile.dat
-rw-r----- 1 krypton2 krypton2   13 Nov 14 10:32 krypton3

So far, so nice. But the encrypt file does not work due to file permissions, it seems.

Let's hack up a really, really whacky bash script:

#!/bin/bash

## basically this converts the chars to their ascii code and back
## this is likely not the best solution, but everything else would have been even worse

## first read the file contents into an array (indices start at 1)
a=0
while read -n1 j
do
    ((a++))
    current[$a]=$(LC_CTYPE=C printf '%d ' "'$j")
done < <( cat ./krypton3 ) ## HERE PROCESS SUBSTITUTION IS NEEDED!
echo

## now iterate over the array we created and increment each item by 1
for i in {1..25}
do
    echo "OFFSET BY "${i}
    for l in $(seq 1 $((a-1)))
    do
        ## here is the most important part:
        ## since 'A' is 65 in ascii, subtract 64
        ## such that 'A' becomes '1', and 'Z' becomes '26'
        ## then increment by one, take the modulo 26
        ## (else you have numbers bigger than 26)
        ## and afterwards add 64, so the ascii conversion can take place again
        ## the 'mod 26' trick works since we assume the pw is written in CAPSLOCK
        ## note: a result of 26 wraps to 0, so 'Z' is printed as '@' (ascii 64)
        current[$l]=$(( $(( $((  $(( current[$l] - 64 )) + 1 )) % 26 )) + 64 ))
    done

    ## now print the current result by iterating again and converting to characters again
    for ((b=0; b<${#current[@]}; b++))
    do
        printf "\x$(printf %x ${current[$b]})"
    done
    echo
    echo
done

Uah, this was ugly. I did that just as a proof of concept; use a proper scripting language in case you want to do it yourself. But I digress.

Let's just use this monster as a one-liner:

krypton2@melinda:/games/krypton/krypton2$ a=0; while read -n1 j; do ((a++)); current[$a]=$(LC_CTYPE=C printf '%d ' "'$j"); done < <( cat ./krypton3 ); for i in {1..25}; do echo "OFFSET BY "${i}; for l in $(seq 1 $((a-1))); do current[$l]=$(( $(( $((  $(( current[$l] - 64 )) + 1 )) % 26 )) + 64 )); done; for ((b=0; b<${#current[@]}; b++)); do printf "\x$(printf %x ${current[$b]})"; done; echo; echo; done
OFFSET BY 1
PNRFNEVFRNFL

OFFSET BY 2
QOSGOFWGSOGM

OFFSET BY 3
RPTHPGXHTPHN

OFFSET BY 4
SQUIQHYIUQIO

OFFSET BY 5
TRVJRI@JVRJP

OFFSET BY 6
USWKSJAKWSKQ

OFFSET BY 7
VTXLTKBLXTLR

OFFSET BY 8
WUYMULCMYUMS

OFFSET BY 9
XV@NVMDN@VNT

OFFSET BY 10
YWAOWNEOAWOU

OFFSET BY 11
@XBPXOFPBXPV

OFFSET BY 12
AYCQYPGQCYQW

OFFSET BY 13
B@DR@QHRD@RX

OFFSET BY 14
CAESARISEASY

OFFSET BY 15
DBFTBSJTFBT@

OFFSET BY 16
ECGUCTKUGCUA

OFFSET BY 17
FDHVDULVHDVB

OFFSET BY 18
GEIWEVMWIEWC

OFFSET BY 19
HFJXFWNXJFXD

OFFSET BY 20
IGKYGXOYKGYE

OFFSET BY 21
JHL@HYP@LH@F

OFFSET BY 22
KIMAI@QAMIAG

OFFSET BY 23
LJNBJARBNJBH

OFFSET BY 24
MKOCKBSCOKCI

OFFSET BY 25
NLPDLCTDPLDJ

Looks like offset '14' is our winner:

CAESARISEASY

This would have been much easier if the encrypter had just worked...
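The same brute force in a proper scripting language, as an added example (not code from the original post): it tries all 25 shifts, wraps Z back to A, and ranks the candidates by English letter frequency so the readable one comes out on top. The ciphertext is reconstructed by shifting the "OFFSET BY 1" line above back by one; the frequency values and function names are assumptions of this example.

```python
import math
import string

# Approximate English letter frequencies in percent (common reference values,
# an assumption of this example; the post does not give numbers).
FREQ = {
    "E": 12.7, "T": 9.1, "A": 8.2, "O": 7.5, "I": 7.0, "N": 6.7, "S": 6.3,
    "H": 6.1, "R": 6.0, "D": 4.3, "L": 4.0, "C": 2.8, "U": 2.8, "M": 2.4,
    "W": 2.4, "F": 2.2, "G": 2.0, "Y": 2.0, "P": 1.9, "B": 1.5, "V": 0.98,
    "K": 0.77, "J": 0.15, "X": 0.15, "Q": 0.095, "Z": 0.074,
}

# Reconstructed from the post's "OFFSET BY 1" output (each letter moved back by one).
CIPHERTEXT = "OMQEMDUEQMEK"


def shift(text, k):
    """Rotate A-Z by k positions, wrapping Z to A; other characters pass through."""
    out = []
    for ch in text:
        if ch in string.ascii_uppercase:
            # Work on 0..25 so that the modulo wraps Z (25) to A (0).
            out.append(chr((ord(ch) - 65 + k) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def score(text):
    """Log-likelihood of the letters under FREQ; higher means more English-like."""
    return sum(math.log(FREQ[c] / 100) for c in text if c in FREQ)


def crack(ciphertext):
    """Return (shift, candidate) pairs for shifts 1..25, most English-like first."""
    candidates = [(k, shift(ciphertext, k)) for k in range(1, 26)]
    return sorted(candidates, key=lambda kc: score(kc[1]), reverse=True)


if __name__ == "__main__":
    for k, guess in crack(CIPHERTEXT)[:3]:
        print(f"{k:2d}  {guess}  {score(guess):.1f}")
```

Because every candidate has the same length, the raw log-likelihood is enough to compare them; for texts of different lengths it would have to be normalised per letter.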

level 3

krypton3@melinda:~$ ls -alhF
total 20K
drwxr-xr-x   2 root root 4.0K Nov 14 10:32 ./
drwxr-xr-x 167 root root 4.0K Jan 12 17:44 ../
-rw-r--r--   1 root root  220 Apr  9  2014 .bash_logout
-rw-r--r--   1 root root 3.6K Apr  9  2014 .bashrc
-rw-r--r--   1 root root  675 Apr  9  2014 .profile
krypton3@melinda:~$ cd /games/krypton/krypton
krypton1/ krypton2/ krypton3/ krypton4/ krypton5/ krypton6/
krypton3@melinda:~$ cd /games/krypton/krypton3
krypton3@melinda:/games/krypton/krypton3$ ls -lah
total 12K
drwxr-xr-x 2 root     root     1.0K Nov 14 10:32 .
drwxr-xr-x 8 root     root     1.0K Nov 14 10:32 ..
-rw-r----- 1 krypton3 krypton3   56 Nov 14 10:32 HINT1
-rw-r----- 1 krypton3 krypton3   37 Nov 14 10:32 HINT2
-rw-r----- 1 krypton3 krypton3  785 Nov 14 10:32 README
-rw-r----- 1 krypton3 krypton3 1.6K Nov 14 10:32 found1
-rw-r----- 1 krypton3 krypton3 2.1K Nov 14 10:32 found2
-rw-r----- 1 krypton3 krypton3  560 Nov 14 10:32 found3
-rw-r----- 1 krypton3 krypton3   42 Nov 14 10:32 krypton4

Running the contents of 'found1' to 'found3' through frequency analysis tools found on the web gives the following (the last column / line lists the letters of the English language from most to least frequent):

 s : 155 s : 243 s : 58   |    e
 c : 107 q : 186 q : 48   |    t
 q : 106 j : 158 j : 41   |    a
 j : 102 n : 135 g : 35   |    o
 u : 100 u : 130 c : 34   |    i
 b : 87  b : 129 n : 31   |    n
 g : 81  d : 119 b : 30   |    s
 n : 74  g : 111 u : 27   |    h
 d : 69  c : 86  d : 22   |    r
 z : 57  w : 66  v : 21   |    d
 v : 56  z : 59  z : 16   |    l
 w : 47  v : 53  w : 16   |    c
 y : 42  m : 45  e : 13   |    u
 t : 32  t : 37  m : 12   |    m
 x : 29  e : 34  k : 12   |    w
 m : 29  y : 33  x : 9    |    f
 l : 27  x : 33  y : 9    |    g
 k : 25  k : 30  a : 9    |    y
 a : 20  l : 27  t : 6    |    p
 e : 17  a : 26  l : 6    |    b
 f : 11  i : 14  f : 5    |    v
 o : 7   f : 12  i : 3    |    k
 h : 2   o : 3   o : 2    |    j
 i : 2   h : 2   p : 1    |    x
 r : 1   r : 2   r : 1    |    q
 p : 0   p : 1   h : 0    |    z

 SCQJUBGNDZVWYTXMLKAEFOHIRP
 SQJNUBDGCWZVMTEYXKLAIFOHRP
 SQJGCNBUDVZWEMKXYATLFIOPRH

 ETAOINSHRDLCUMWFGYPBVKJXQZ

Using this on the server:

krypton3@melinda:/games/krypton/krypton3$ cat krypton4 | tr [SCQJUBGNDZVWYTXMLKAEFOHIRP] [ETAOINSHRDLCUMWFGYPBVKJXQZ]
krypton3@melinda:/games/krypton/krypton3$ cat krypton4 | tr [SCQJUBGNDZVWYTXMLKAEFOHIRP] [ETAOINSHRDLCUMWFGYPBVKJXQZ]; echo
YELLC NSEOR ELEXE LWNFH UAIIY NHCTI PHFOE
krypton3@melinda:/games/krypton/krypton3$ cat krypton4 | tr [SQJNUBDGCWZVMTEYXKLAIFOHRP] [ETAOINSHRDLCUMWFGYPBVKJXQZ]; echo
YECCD NHEAS ECEVE CGNUO FTIIY NODRI BOUAE
krypton3@melinda:/games/krypton/krypton3$ cat krypton4 | tr [SQJGCNBUDVZWEMKXYATLFIOPRH] [ETAOINSHRDLCUMWFGYPBVKJXQZ]; echo
WEDDC SOEAR EDEKE DFSMN GTHHW SNCIH YNMAE

Well, this could be better. But by now I have lost my motivation, so this stops here. If I continue, the following steps will be added to this post.
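Why the three tr runs disagree, as an added example (not code from the original post): it pools the letter counts from the table above into a single ranking and lists, for every cipher letter, each plaintext letter that one of the per-file rankings proposes. Breaking ties alphabetically and the function names are assumptions of this example.

```python
from collections import Counter

ENGLISH = "ETAOINSHRDLCUMWFGYPBVKJXQZ"  # plaintext rank order used in the post

# Letter counts for found1, found2 and found3, copied from the table in the post.
COUNTS = [
    "s155 c107 q106 j102 u100 b87 g81 n74 d69 z57 v56 w47 y42 "
    "t32 x29 m29 l27 k25 a20 e17 f11 o7 h2 i2 r1 p0",
    "s243 q186 j158 n135 u130 b129 d119 g111 c86 w66 z59 v53 m45 "
    "t37 e34 y33 x33 k30 l27 a26 i14 f12 o3 h2 r2 p1",
    "s58 q48 j41 g35 c34 n31 b30 u27 d22 v21 z16 w16 e13 "
    "m12 k12 x9 y9 a9 t6 l6 f5 i3 o2 p1 r1 h0",
]


def parse(column):
    """Turn 's155 c107 ...' into Counter({'S': 155, 'C': 107, ...})."""
    return Counter({tok[0].upper(): int(tok[1:]) for tok in column.split()})


def rank(counts):
    """Cipher letters, most frequent first; ties broken alphabetically (assumption)."""
    return "".join(sorted(counts, key=lambda c: (-counts[c], c)))


def pooled_rank(columns):
    """Sum the counts of all samples before ranking: more text, steadier statistics."""
    total = Counter()
    for col in columns:
        total.update(parse(col))
    return rank(total)


def candidates(columns):
    """Map each cipher letter to every plaintext letter some per-file ranking proposes."""
    out = {}
    for col in columns:
        for pos, c in enumerate(rank(parse(col))):
            out.setdefault(c, set()).add(ENGLISH[pos])
    return out


def decode(cipher_rank, text):
    """Apply a rank-order key the same way the tr calls in the post do."""
    return text.translate(str.maketrans(cipher_rank, ENGLISH))


if __name__ == "__main__":
    print("pooled key:", pooled_rank(COUNTS))
    for c, opts in sorted(candidates(COUNTS).items(), key=lambda kv: len(kv[1])):
        print(c, "->", "".join(sorted(opts)))
```

Only two cipher letters get the same rank in all three samples, so a pure rank-order key is a starting point that still has to be refined by hand, for example with common digrams and short words.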



Unless otherwise credited all material Creative Commons License by sjas