
(Challenge 4) Pickled Snakes

Justin Chadwell edited this page Oct 27, 2019 · 2 revisions

We get given some information about how to connect to a server:

Username: tom, Password: securityishard, Host: challenge.ctf.hackthemidlands.com, Port: 2022, Protocol: ?

The port number given here is quite a big hint: we can guess that port 2022 is running the same kind of service as port 22, which we know is SSH. We can verify this guess using nmap:

$ nmap challenge.ctf.hackthemidlands.com -p 2022 -sV -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-27 13:41 GMT
Nmap scan report for challenge.ctf.hackthemidlands.com (34.89.77.205)
Host is up (0.013s latency).
rDNS record for 34.89.77.205: 205.77.89.34.bc.googleusercontent.com

PORT     STATE SERVICE VERSION
2022/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.65 seconds

Now we can connect over ssh:

$ ssh tom@challenge.ctf.hackthemidlands.com -p 2022
tom@challenge.ctf.hackthemidlands.com's password: 
 _   _            _    _____ _          __  __ _     _ _                 _     
| | | | __ _  ___| | _|_   _| |__   ___|  \/  (_) __| | | __ _ _ __   __| |___ 
| |_| |/ _` |/ __| |/ / | | | '_ \ / _ \ |\/| | |/ _` | |/ _` | '_ \ / _` / __|
|  _  | (_| | (__|   <  | | | | | |  __/ |  | | | (_| | | (_| | | | | (_| \__ \
|_| |_|\__,_|\___|_|\_\ |_| |_| |_|\___|_|  |_|_|\__,_|_|\__,_|_| |_|\__,_|___/

                                                                  
Wecome to the HackTheMidlands central file storage server!

This is where we'll store ALLLL the files for everything we build. This means
we don't have to use google docs or anything hard like that. Also, doing our
own security is so easy.

Just make sure that you don't leave any personal files around or one of the
admins might be able to find them... muhahahaha!

- Tom

Last login: Sun Oct 27 13:37:43 2019 from 148.253.179.74
$

Looking around our current directory using ls, we can find flag.unknown and download it onto our computer for later analysis.

If we read the file, we get:

$ cat flag.unknown
�]q(XOthis file is fully encrypted using the pickled snakes method we talked about!!!q]q(KXHq�qKXTq�qKXMq�KX{q	�q
KX7q
    �q
KXeq�qKXrq�qXEq�qK	X5q�qK
X_q�qK
      X4q�qK
h�qXnq�qKh�qKXkq�q Kh�q!Kh�q"KX1q#�q$Kh�q%Kh�q&KXmq'�q(KXyq)�q*Kh�q+KX8q,�q-K�X0q.�q/K.�q0Kh
            �q1KX}q2�q3ee.

Using our knowledge of different programming languages, we can guess that the "snake" involved here is Python! Python comes with a pickle module, which serialises Python objects to a binary byte stream and rebuilds them from it.

We can write a quick and dirty Python script to try to read in and print out the contents of this file:

# solution.py
import pickle

# flag.unknown is a binary pickle stream, so open it in binary mode
with open('flag.unknown', 'rb') as f:
    # rebuild the original Python object from the stream and print it
    result = pickle.load(f)
    print(result)

Running it gives:

$ python solution.py
['this file is fully encrypted using the pickled snakes method we talked about!!!', [(0, 'H'), (1, 'T'), (2, 'M'), (3, '{'), (4, '7'), (5, 'H'), (6, 'e'), (7, 'r'), (8, 'E'), (9, '5'), (10, '_'), (11, '4'), (12, '_'), (13, '5'), (14, 'n'), (15, '4'), (16, 'k'), (17, 'E'), (18, '_'), (19, '1'), (20, 'n'), (21, '_'), (22, 'm'), (23, 'y'), (24, '_'), (25, '8'), (26, '0'), (27, '0'), (28, '7'), (29, '}')]]

With our list, we can read the second element (the character) of each tuple in index order to give our flag, HTM{7HerE5_4_5n4kE_1n_my_8007}.
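The script above hands flag.unknown straight to pickle.load, which resolves and calls whatever module-level objects the stream names; that is fine for a CTF file we control, but not for a file an admin "might be able to find". The following is an added example, not part of the original writeup: it rebuilds a pickle with the same shape as flag.unknown in memory (a constructed sample, not the challenge file), inspects the opcode stream with pickletools before loading, loads it through a restricted Unpickler that refuses every global lookup, and then reassembles the flag from the (index, char) tuples. The names RestrictedUnpickler, uses_globals, try_safe_load and recover_flag are this example's own.

```python
import io
import pickle
import pickletools

FLAG_TEXT = "HTM{7HerE5_4_5n4kE_1n_my_8007}"

# Constructed sample with the same structure as flag.unknown: a list holding
# a message string and a list of (index, char) tuples, written with protocol 2
# (the \x80\x02 header seen at the start of the challenge file).
SAMPLE_PICKLE = pickle.dumps(
    [
        "this file is fully encrypted using the pickled snakes method we talked about!!!",
        list(enumerate(FLAG_TEXT)),
    ],
    protocol=2,
)

# Constructed counter-example: pickling a function stores a GLOBAL reference
# (module + name) that the unpickler would import and resolve on load. A
# harmless builtin is enough to show the check firing.
REFERENCE_PICKLE = pickle.dumps(len, protocol=2)

# Opcodes that resolve or call module-level objects while loading. A stream
# made only of primitive types (str, int, list, tuple, dict) never needs them.
UNSAFE_OPCODES = {
    "GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX",
    "REDUCE", "BUILD",
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup, so nothing importable can
    be resolved, let alone called, while the stream is being rebuilt."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"refusing to import {module}.{name}")


def uses_globals(data: bytes) -> bool:
    """Walk the opcode stream without executing it and report whether any
    opcode would resolve or invoke a module-level object."""
    for opcode, _arg, _pos in pickletools.genops(data):
        if opcode.name in UNSAFE_OPCODES:
            return True
    return False


def try_safe_load(data: bytes):
    """Return (True, obj) when the stream is primitive-only and loads under
    the restricted unpickler, otherwise (False, None)."""
    if uses_globals(data):
        return False, None
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError:
        return False, None


def recover_flag(obj) -> str:
    """Reassemble the flag from the (index, char) tuples, sorting by index so
    the result is right even if the tuples were stored out of order."""
    _message, pairs = obj
    return "".join(ch for _idx, ch in sorted(pairs))


if __name__ == "__main__":
    print("--- opcode listing of the sample ---")
    pickletools.dis(SAMPLE_PICKLE)
    ok, obj = try_safe_load(SAMPLE_PICKLE)
    print("sample loaded:", ok, "flag:", recover_flag(obj) if ok else None)
    ok, _ = try_safe_load(REFERENCE_PICKLE)
    print("pickle with a GLOBAL reference loaded:", ok)
```

To use this on the real challenge file, read flag.unknown in binary mode and pass the bytes to try_safe_load instead of SAMPLE_PICKLE. The opcode walk with pickletools.genops is the cheap first check because it never executes anything; the RestrictedUnpickler is the second line of defence in case a stream slips through with an opcode not in the list.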
