In Level14 we are given an encrypted token: 857:g67?5ABBo:BtDA?tIvLDKL{MQPSRQWW. and the cipher.

We could try to reverse the cipher, but let's play with it first and see if we can work out the encryption routine:

[email protected]:/home/flag14$ ./flag14 -e
aaaaaaaaaaaaaaaaa
abcdefghijklmnopq
[email protected]:/home/flag14$ ./flag14 -e
abcdefg
acegikm


OK, so it looks pretty simple: each character is shifted a number of positions in the ASCII table, and the key is the position of the character being encrypted. So we shift the first character 0 positions, the second character 1 position, the third character 2 positions …
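The inference above can be checked against the two sample runs before relying on it. The following is an added example, not part of the original write-up: it recovers the per-position shift from the chosen plaintext/ciphertext pairs, confirms that both runs agree, and models the cipher in both directions. The function names are illustrative, and the sample pairs are copied from the runs shown above.

```python
# Added example: chosen-plaintext check of the "shift by position" hypothesis.
# SAMPLES holds the (input, output) pairs from the two ./flag14 -e runs above.
SAMPLES = [
    ("aaaaaaaaaaaaaaaaa", "abcdefghijklmnopq"),
    ("abcdefg", "acegikm"),
]

def recover_shifts(pairs):
    """Return the shift observed at each position across all pairs.

    Raises ValueError if two pairs disagree at a position, which would mean
    the cipher depends on more than the character's position.
    """
    shifts = {}
    for plain, cipher in pairs:
        if len(plain) != len(cipher):
            raise ValueError("length mismatch: %r -> %r" % (plain, cipher))
        for pos, (p, c) in enumerate(zip(plain, cipher)):
            shift = ord(c) - ord(p)
            if shifts.setdefault(pos, shift) != shift:
                raise ValueError("inconsistent shift at position %d" % pos)
    return [shifts[i] for i in range(len(shifts))]

def fits_position_model(shifts):
    """True when every observed shift equals its position (shift[i] == i)."""
    return all(s == i for i, s in enumerate(shifts))

def encrypt(plaintext):
    """Model of flag14 -e as inferred above: add the index to each character."""
    return "".join(chr(ord(ch) + i) for i, ch in enumerate(plaintext))

def decrypt(ciphertext):
    """Inverse of the model: subtract the index from each character."""
    return "".join(chr(ord(ch) - i) for i, ch in enumerate(ciphertext))

if __name__ == "__main__":
    shifts = recover_shifts(SAMPLES)
    print("observed shifts:", shifts)
    print("matches position model:", fits_position_model(shifts))
    # Round-trip every sample through the model in both directions.
    for plain, cipher in SAMPLES:
        assert encrypt(plain) == cipher and decrypt(cipher) == plain
```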

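We can code a simple decrypter in Python:

import sys

def decrypt(ciphertext):
    # Undo the position-based shift: character i was moved i places up the ASCII table.
    count = 0
    result = []
    for c in ciphertext:
        result.append(chr(ord(c) - count))
        count += 1
    print("Decrypting: " + ciphertext + " -> " + "".join(result))
    return "".join(result)

# The encrypted token is passed as the first command-line argument.
decrypt(sys.argv[1])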


If we run the decrypter:

[email protected]:~$ python crack.py 857:g67?5ABBo:BtDA?tIvLDKL{MQPSRQWW.
Decrypting: 857:g67?5ABBo:BtDA?tIvLDKL{MQPSRQWW. -> 8457c118-887c-4e40-a5a6-33a25353165

Let’s try it:

[email protected] ~/Development> ssh [email protected]
      _   __     __          __
     / | / /__  / /_  __  __/ /___ _
    /  |/ / _ \/ __ \/ / / / / __ `/
   / /|  /  __/ /_/ / /_/ / / /_/ /
  /_/ |_/\___/_.___/\__,_/_/\__,_/

    exploit-exercises.com/nebula

For level descriptions, please see the above URL.

To log in, use the username of "levelXX" and password "levelXX", where
XX is the level number.

Currently there are 20 levels (00 - 19).

[email protected]'s password:
Welcome to Ubuntu 11.10 (GNU/Linux 3.0.0-12-generic i686)

 * Documentation:  https://help.ubuntu.com/

Your Ubuntu release is not supported anymore.
For upgrade information, please visit:
http://www.ubuntu.com/releaseendoflife

New release '12.04.3 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

[email protected]:~$ id
uid=985(flag14) gid=985(flag14) groups=985(flag14)
[email protected]:~$ getflag
You have successfully executed getflag on a target account
Voila!!