Nuclear Sale | HackTheBox
Analysis
We are provided with a pcap file; opening it in Wireshark shows a series of packets.
Going to Statistics -> Protocol Hierarchy, we observe SMTP traffic, so we filter the packets by SMTP and follow the TCP streams.
There are five TCP streams in total. Following them lets us read the email messages, which hint that the flag is encrypted with XOR.
On SMTP stream 2, we get the following email message:
He is a high profile individual. His information is encrypted below:
6b65813f4fe991efe2042f79988a3b2f2559d358e55f2fa373e53b1965b5bb2b175cf039
You know what you have to do.
Best Regards,
Sales Dept
SMTP stream 3 has the below email:
Here is the ciphertext encrypted with our key.
fd034c32294bfa6ab44a28892e75c4f24d8e71b41cfb9a81a634b90e6238443a813a3d34
SMTP stream 4 has the below email:
Encrypting again with our key...
de328f76159108f7653a5883decb8dec06b0fd9bc8d0dd7dade1f04836b8a07da20bfe70
The two ciphertexts in streams 3 and 4 are produced with the same XOR key, and the second one is the first ciphertext encrypted again with that key. Knowing this is important because XOR is its own inverse:
if A ^ B = C, then C ^ B = A and C ^ A = B
Hence, XORing the two ciphertexts with each other cancels the underlying plaintext and leaves only the key (ct ^ (ct ^ key) = key). XORing that key with the encrypted flag from stream 2 recovers the flag. Note that this only works because the second message is a re-encryption of the first; if the two ciphertexts were different plaintexts under the same key, their XOR would give plaintext1 ^ plaintext2 rather than the key, and the decrypted "flag" would be garbage.
Code Snippet below:
from binascii import unhexlify

enc_flag = unhexlify('6b65813f4fe991efe2042f79988a3b2f2559d358e55f2fa373e53b1965b5bb2b175cf039')
ct = unhexlify('fd034c32294bfa6ab44a28892e75c4f24d8e71b41cfb9a81a634b90e6238443a813a3d34')
ct2 = unhexlify('de328f76159108f7653a5883decb8dec06b0fd9bc8d0dd7dade1f04836b8a07da20bfe70')

# Note: all three values decode from hex to 36 bytes, so the recovered key covers the whole flag
flag = ''
for i, j in enumerate(ct):
    # ct ^ ct2 cancels the plaintext and leaves the key byte; XOR with enc_flag gives the flag byte
    flag += chr(j ^ ct2[i] ^ enc_flag[i])
print(flag)
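As an added example (not part of the original writeup), the same recovery written as reusable functions with the checks a practitioner would run on the three hex values from the emails: an equal-length check before XORing (a plain zip would silently truncate), a flag-format sanity check that confirms the "encrypted again" reading of streams 3 and 4, and a look at whether the recovered key bytes repeat, which would tell us how long the underlying key actually is. The function names and the `HTB{...}` format check are this example's own assumptions.

```python
from binascii import unhexlify

# Hex values exactly as they appear in SMTP streams 2, 3 and 4 of the challenge pcap
ENC_FLAG = unhexlify('6b65813f4fe991efe2042f79988a3b2f2559d358e55f2fa373e53b1965b5bb2b175cf039')
CT1 = unhexlify('fd034c32294bfa6ab44a28892e75c4f24d8e71b41cfb9a81a634b90e6238443a813a3d34')
CT2 = unhexlify('de328f76159108f7653a5883decb8dec06b0fd9bc8d0dd7dade1f04836b8a07da20bfe70')


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR; refuses mismatched lengths instead of truncating like zip() would."""
    if len(a) != len(b):
        raise ValueError(f"length mismatch: {len(a)} vs {len(b)}")
    return bytes(x ^ y for x, y in zip(a, b))


def recover_key(ct: bytes, ct_again: bytes) -> bytes:
    """ct_again = ct ^ key, so ct ^ ct_again = key: the plaintext cancels out."""
    return xor_bytes(ct, ct_again)


def decrypt(ciphertext: bytes, key: bytes) -> bytes:
    """XOR with the key, cycling it in case the data is longer than the key."""
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(ciphertext))


def looks_like_flag(plaintext: bytes) -> bool:
    """Sanity check for the 'encrypted again' hypothesis (assumed HTB{...} format).
    If the two ciphertexts were different plaintexts under one key, their XOR
    would be P1 ^ P2 rather than the key and this check would fail."""
    try:
        text = plaintext.decode('ascii')
    except UnicodeDecodeError:
        return False
    return text.isprintable() and text.startswith('HTB{') and text.endswith('}')


def smallest_period(key: bytes) -> int:
    """Smallest p with key[i] == key[i+p] for every valid i; len(key) if it never repeats.
    A period found close to the end rests on only a few bytes of overlap, so treat
    it as a hint about the real key length, not proof."""
    for p in range(1, len(key)):
        if all(key[i] == key[i + p] for i in range(len(key) - p)):
            return p
    return len(key)


def solve() -> str:
    """Recover the key from the re-encrypted pair, decrypt the flag, validate it."""
    key = recover_key(CT1, CT2)
    flag = decrypt(ENC_FLAG, key)
    if not looks_like_flag(flag):
        raise ValueError("decrypted data is not a flag; check the ciphertext pairing")
    return flag.decode('ascii')


if __name__ == '__main__':
    key = recover_key(CT1, CT2)
    print('key    :', key.hex())
    print('period :', smallest_period(key))
    print('flag   :', solve())
```

Running it prints the recovered 36-byte key, the smallest repetition period found in it, and the flag. The period check is worth the few extra lines: the recovered key is only as long as the messages we have, and whether its bytes start repeating tells us whether a shorter key is being applied cyclically, which is what would let the same key decrypt anything longer than 36 bytes.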