W1seguy - TryHackme
Tryhackme easy machine with source code analysis, brute forcing and decoding.
A w1se guy 0nce said, the answer is usually as plain as day.
Source Code explanation
For this machine we will have the source code of the service running in the port “1337”. I’ll briefly go over this source code so we can understand what is going on:
- Opens a TCP listener on port 1337 and serves it forever ( always listening, nonstop )
- As we can see in the image above, the class RequestHandler is being passed to the object “server”. Just looking at the name of the class we can deduce that this class is going to have everytime the methods for the basic functionality of the TCP server , so let’s look that class.
- We can see that this class has the method “handle” ( probably for handling request, duh ) and this function is calling another function called “start”. This function is defined above of the RequestHandler definition.
- And this is the function where all the functionality of the server relies. Now we can get an idea of what is going on here. Looks like is going to be using XOR encoding for the value of the “flag 1”.
- At the begining is generating the random 5 length key then, is calling the “setup” function. This is very simple function that does basic XOR encoding procedure at the begining and, at the end, encodes it to bytes and transform it to a hex string.
- And finally the server sends it to us so we eventually get to this:
The Way
So now that we have an idea of what is going on. We know now that this line:
322e261d415707070845231e1f27451252080d5227081955500a2a120e641412125644141e24144c
Is the first flag XOR encoded, encoded into bytes and tranformed into a hex string.
Alright! Easy AF we should be able to reproduce the same steps but backwards: We transform the hex string into bytes, decode it and then just XOR decode it with the ke….y? Wait something is missing here:
1
xored += chr(ord(flag[i]) ^ ord(key[i%len(key)])) # This for encoding flag
1
key += chr(ord(flag[i]) ^ ord(xored[i])) # this is for getting the key
Alright, the server is asking us for the key and we have the xored key and… NOTHING MORE??? How tf are we suposed to resolve a linear ecuation with to unknows??
Well my friends, this was me 30 minutes back but, no worries, yes there is a solution and the name is bruteforcing. We maybe don’t know the key nor the flag but we do know that the first characters of the flag are, NO DOUBT, “THM{“. Also we know that the key is being generated with random characters and numbers with a length of 5.
This get us to the point that we are able to test all posibles characters to the first character of the xored key to see if we get the letter “T”, then the same with the second character, then the third… and so on.
This way we are going to be able to get the first 4 characters of the key. For the last one we know that the length of the xored key ( remember, after tranforming the hex string back to bytes and decoding it) is 40 and we know that the last character of the flag is “}”. Thankfully, the length of the key is 5 so the 40th character is going to be xored with the 5th character of the key so we are able to get the value of the 5th character of the key this way. Let’s put some ligth to this looking at the code:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
flag = "YOUR_XORED_FLAG_HERE"
initial = "THM{"
trailing = "}"
brute = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
content = bytes.fromhex(flag)
final = content.decode()
key = ""
count = 0
i = 0
# brute force first 4 digits of the key
while True:
val = chr(ord(final[count]) ^ ord(brute[i]))
if (initial[count] == val):
print("founded: " + brute[i])
key+=brute[i]
i = 0
count+=1
if count == 4:
break
continue
i+=1
# last part
for i in brute:
val = chr(ord(final[-1]) ^ ord(i))
if (trailing == val):
print("founded last: " + i)
key+=i
break
print("KEY: " + key)
Yeah, i know, this is not good code ( don’t fucking care )
So hopefullly you are able to understand the flow of what is going on here. I think is self explanatory, if not, go ask fucking ChatGPT.
Easy as that we are able to bruteforce the key so after that we can decode the first flag normally:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
flag = "YOUR_XORED_FLAG_HERE"
key = "YOUR_BRUTEFORCED_FLAG_HERE"
content = bytes.fromhex(flag)
final = content.decode()
print(final)
res = ""
for i in range(0, len(final)):
res += chr(ord(final[i]) ^ ord(key[i%len(key)]))
print("decoded: " + res)
Just like that we get the flags:
We get the key:
We decode the flag:
Send key and get second flag:
FLAG1: “THM{p1alntExtAtt4ckcAnr3alLyhUrty0urxOr}” FLAG2: “THM{BrUt3_ForC1nG_XOR_cAn_B3_FuN_nO?}”