By C0SM0

UNIMOD

// A NahamCon CTF 2022 Challenge...


Hey Hackers! This is the write-up for the UNIMOD challenge from NahamCon CTF 2022. I will attach a video walkthrough of the challenge in case you want to see visually how it was executed.


// Starting Off:

The challenge gives us a program which is inspired by the Rotation 13 [ROT13] cipher.

import random

flag = open('flag.txt', 'r').read()
ct = ''
k = random.randrange(0,0xFFFD)
for c in flag:
    ct += chr((ord(c) + k) % 0xFFFD)

open('out', 'w').write(ct)

They also give us an output file containing the encrypted flag.

饇饍饂饈饜餕饆餗餙饅餒餗饂餗餒饃饄餓饆饂餘餓饅餖饇餚餘餒餔餕餕饆餙餕饇餒餒饞飫

// Analysis:

After analyzing the code, I started to understand what it was doing. It picked a random number from 0 to 65,533 [0xFFFD = 65,533] and used it as the encryption key. It then iterated through each character in the flag and encrypted it using the following line.

ct += chr((ord(c) + k) % 0xFFFD)

For those of you who took our Breaking Ciphers course, you should immediately recognize this algorithm. For those who didn't, it is the algorithm that powers the Caesar cipher/ROT13. Here is an example of that same algorithm decrypting uppercase text.

c += chr((ord(letter) - key - 65) % 26 + 65)

I have a separate article explaining how this works here if you are interested. Regardless, all we need to do is figure out what key they are using and decrypt.


// Key Discovery:

We can discover the key in two main ways. First, you could attempt to decrypt the flag with each key ranging from 1 to 65,533 and filter for any output that starts with "flag". Alternatively, you can do what we did.

I called up Fyzz for help to tag team the challenge. He was able to discover the key that was being used by developing this script.

# Fyzz's code to discover the key
# The flag is known to start with 'f', so try every key until
# encrypting 'f' yields the first character of the ciphertext.
for i in range(0,65533):
    ct = chr((ord('f') + i) % 0xFFFD)
    print(i)
    if ct == '饇':
        print(f'----------------------------{i}')
        break

The output of this code told us that the key being used was "39137". All we had to do was reformat the code and plug in the key.


// Decryption:

I changed up the code a bit to be able to decrypt our flag using our newfound key.

# The encrypted output from the challenge, saved locally as flag.txt
flag = open('flag.txt', 'r').read()
ct = ''

k = 39137
attempt = ''
for c in flag:
    # Reverse the shift; the modulus must stay 0xFFFD so that any
    # code point which wrapped during encryption is mapped back correctly
    attempt += chr((ord(c) - k) % 0xFFFD)
print(attempt)
ct += f'{attempt}\n'

open('out', 'w').write(ct)

Upon executing the code, our flag is written to the out file.

flag{4e68d16a61bc2ea72d5f971344e84f11}
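As an added example (not the challenge's or the author's code), here is the key recovery done as a known-plaintext check against the "flag{" prefix, with the brute-force-and-filter method from the Key Discovery section as a cross-check, and a decryption routine that keeps the modulus at 0xFFFD so keys that wrap past the code point range still decrypt. The ciphertext is the challenge output quoted above; the function names are my own.

```python
# Added example: recovering the UNIMOD key and decrypting the challenge output.
MOD = 0xFFFD            # modulus used by the challenge script
KNOWN_PREFIX = "flag{"  # every flag in this CTF starts this way

# Ciphertext copied from the challenge's output file.
CT = "饇饍饂饈饜餕饆餗餙饅餒餗饂餗餒饃饄餓饆饂餘餓饅餖饇餚餘餒餔餕餕饆餙餕饇餒餒饞飫"


def encrypt(pt: str, k: int) -> str:
    """The challenge's scheme: shift every code point by k modulo 0xFFFD."""
    return "".join(chr((ord(c) + k) % MOD) for c in pt)


def decrypt(ct: str, k: int) -> str:
    """Inverse shift. Reducing modulo 0xFFFD (not modulo the key) is what
    brings back characters whose code point wrapped during encryption."""
    return "".join(chr((ord(c) - k) % MOD) for c in ct)


def key_from_known_plaintext(ct: str, known: str = KNOWN_PREFIX) -> int:
    """A single known (plaintext, ciphertext) pair fixes the shift key:
    k = (c - p) mod 0xFFFD. The rest of the known prefix is checked too,
    so a one-character coincidence cannot slip through."""
    k = (ord(ct[0]) - ord(known[0])) % MOD
    for p, c in zip(known, ct):
        if (ord(c) - ord(p)) % MOD != k:
            raise ValueError("known prefix does not fit a single shift key")
    return k


def brute_force_key(ct: str, prefix: str = KNOWN_PREFIX):
    """The other route from the write-up: try every key and keep those whose
    decryption starts with the prefix. Only the prefix is decrypted per key."""
    head = ct[: len(prefix)]
    return [k for k in range(MOD) if decrypt(head, k) == prefix]


if __name__ == "__main__":
    key = key_from_known_plaintext(CT)
    print("key:", key)
    print("flag:", decrypt(CT, key).rstrip("\n"))
    print("brute force agrees:", brute_force_key(CT) == [key])
```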

Thanks for reading, and as always,


Happy Hacking!


© 2022 by Cosmodium CyberSecurity LLC
