Krypton · OverTheWire

Krypton Level 3 → Level 4

Level 3

Username : krypton3
Password : CAESARISEASY
SSH : krypton.labs.overthewire.org:2222

Level Info

Well done. You’ve moved past an easy substitution cipher.

The main weakness of a simple substitution cipher is repeated use of a simple key. In the previous exercise you were able to introduce arbitrary plaintext to expose the key. In this example, the cipher mechanism is not available to you, the attacker.

However, you have been lucky. You have intercepted more than one message. The password to the next level is found in the file ‘krypton4’. You have also found 3 other files. (found1, found2, found3)

You know the following important details:

The message plaintexts are in English (*** very important)
They were produced from the same key (*** even better!)

Enjoy.

Solution

To solve this level, we first ssh into the krypton3 server using the credentials provided above.


We can see the content of the files and the hints given. Looking into the frequency of letters in English text, I came across the following image:

[Image: frequency of letters in English text]

To understand the frequency of letters in the found files, I wrote a small Python module to count them.

The counts show that the letter “S” is the most frequent letter in all three files, followed closely by the letters “Q” and “J”. While searching for the most common two-letter words in English, I found a reference listing them. Based on this, we now know the frequency of two-letter and three-letter words. We can use this information to complete a mapping of ciphertext letters to plaintext letters.

Ciphertext    : a b c d e f g h i j k l m n o p q r s t u v w x y z
Plaintext     : b o i h g k n q v t w y u r x z a j e m s l d f p c

Based on the above mapping, we can decrypt the password file.

“WELL DONE THE LEVEL FOUR PASSWORD IS BRUTE”
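The frequency count and the substitution described above, as an added Python example (not the author's module, which survived only as a screenshot). The mapping is the table from this write-up; the sample ciphertext is constructed by pushing the quoted plaintext backwards through that table, because the contents of the krypton4 file are not reproduced on this page.

```python
from collections import Counter

# Ciphertext -> plaintext table exactly as given in the write-up.
CIPHER = "abcdefghijklmnopqrstuvwxyz"
PLAIN = "boihgknqvtwyurxzajemsldfpc"
DECRYPT = str.maketrans(CIPHER.upper(), PLAIN.upper())
ENCRYPT = str.maketrans(PLAIN.upper(), CIPHER.upper())


def letters_only(text):
    """Upper-case the text and drop spaces, digits and punctuation."""
    return "".join(ch for ch in text.upper() if ch.isalpha())


def ngram_counts(text, n=1, top=5):
    """Most common n-letter sequences; n=1 gives single-letter frequencies."""
    s = letters_only(text)
    grams = (s[i:i + n] for i in range(len(s) - n + 1))
    return Counter(grams).most_common(top)


def decrypt(ciphertext):
    """Apply the recovered substitution; non-letters pass through unchanged."""
    return ciphertext.upper().translate(DECRYPT)


def five_letter_groups(text):
    """Format text the way the Krypton files are stored: 5-letter groups."""
    s = letters_only(text)
    return " ".join(s[i:i + 5] for i in range(0, len(s), 5))


# Constructed sample: the plaintext quoted in the write-up, pushed backwards
# through the table. It stands in for the krypton4 file, which is not shown.
SAMPLE_PLAINTEXT = "WELL DONE THE LEVEL FOUR PASSWORD IS BRUTE"
SAMPLE_CIPHERTEXT = five_letter_groups(SAMPLE_PLAINTEXT.translate(ENCRYPT))

if __name__ == "__main__":
    print("ciphertext :", SAMPLE_CIPHERTEXT)
    print("letters    :", ngram_counts(SAMPLE_CIPHERTEXT, 1))
    print("bigrams    :", ngram_counts(SAMPLE_CIPHERTEXT, 2))
    print("trigrams   :", ngram_counts(SAMPLE_CIPHERTEXT, 3))
    print("plaintext  :", decrypt(SAMPLE_CIPHERTEXT))
```

On real input, run `ngram_counts` over the concatenation of found1, found2 and found3: a 35-letter sample is far too short for reliable statistics, which is why the level provides three longer files encrypted with the same key.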

Level 4

Username : krypton4
Password : BRUTE
SSH : krypton.labs.overthewire.org:2222 
Krypton · OverTheWire

Krypton Level 2 → Level 3

Level 2

Username : krypton2
Password : ROTTEN
SSH : krypton.labs.overthewire.org:2222

Level Info

ROT13 is a simple substitution cipher.

Substitution ciphers are a simple replacement algorithm. In this example of a substitution cipher, we will explore a ‘monoalphabetic’ cipher. Monoalphabetic means, literally, “one alphabet” and you will see why.

This level contains an old form of cipher called a ‘Caesar Cipher’. A Caesar cipher shifts the alphabet by a set number. For example:

plain:  a b c d e f g h i j k …
cipher: G H I J K L M N O P Q …

In this example, the letter ‘a’ in plaintext is replaced by a ‘G’ in the ciphertext so, for example, the plaintext ‘bad’ becomes ‘HGJ’ in ciphertext.

The password for level 3 is in the file krypton3. It is in 5 letter group ciphertext. It is encrypted with a Caesar Cipher. Without any further information, this cipher text may be difficult to break. You do not have direct access to the key, however you do have access to a program that will encrypt anything you wish to give it using the key. If you think logically, this is completely easy.

One shot can solve it!

Have fun.

Additional Information:

The encrypt binary will look for the keyfile in your current working directory. Therefore, it might be best to create a working directory in /tmp and in there a link to the keyfile. As the encrypt binary runs setuid krypton3, you also need to give krypton3 access to your working directory.

Here is an example:

krypton2@melinda:~$ mktemp -d
/tmp/tmp.Wf2OnCpCDQ
krypton2@melinda:~$ cd /tmp/tmp.Wf2OnCpCDQ
krypton2@melinda:/tmp/tmp.Wf2OnCpCDQ$ ln -s /krypton/krypton2/keyfile.dat
krypton2@melinda:/tmp/tmp.Wf2OnCpCDQ$ ls
keyfile.dat
krypton2@melinda:/tmp/tmp.Wf2OnCpCDQ$ chmod 777 .
krypton2@melinda:/tmp/tmp.Wf2OnCpCDQ$ /krypton/krypton2/encrypt /etc/issue
krypton2@melinda:/tmp/tmp.Wf2OnCpCDQ$ ls
ciphertext keyfile.dat

Solution

To solve this level, we first ssh into the krypton2 server using the credentials provided above. We can see the files mentioned in the level information. To understand the working of the encryption executable, let’s follow the steps mentioned above.

I created a temporary file which contains the English alphabet. We’ll now use this file as the plaintext to understand how the encrypt executable works.

The output shows that the encryption is ROT-12, so we can create a script similar to the one from the last level to decrypt the krypton3 password file.
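The chosen-plaintext step above, as an added Python example (not the author's script, which survived only as a screenshot). The `oracle` function and `HYPOTHETICAL_KEY` are stand-ins for the setuid encrypt binary and its keyfile, set to the shift the write-up reports; the sample ciphertext is constructed.

```python
import string

ALPHABET = string.ascii_uppercase


def rot(text, shift):
    """Shift every letter by `shift` places (mod 26); other characters pass through."""
    k = shift % 26
    return text.upper().translate(str.maketrans(ALPHABET, ALPHABET[k:] + ALPHABET[:k]))


def recover_shift(chosen_plaintext, oracle_output):
    """Derive the Caesar shift from one chosen-plaintext/ciphertext pair.

    Raises ValueError if the pair is not explained by a single shift, which
    means the cipher is not a plain rotation and needs frequency analysis.
    """
    shifts = {
        (ord(c) - ord(p)) % 26
        for p, c in zip(chosen_plaintext.upper(), oracle_output.upper())
        if p in ALPHABET and c in ALPHABET
    }
    if len(shifts) != 1:
        raise ValueError(f"not a single rotation: saw shifts {sorted(shifts)}")
    return shifts.pop()


def all_rotations(ciphertext):
    """Fallback when no oracle is available: all 26 candidate plaintexts."""
    return {n: rot(ciphertext, -n) for n in range(26)}


# Hypothetical stand-in for /krypton/krypton2/encrypt and its keyfile.
HYPOTHETICAL_KEY = 12


def oracle(plaintext):
    return rot(plaintext, HYPOTHETICAL_KEY)


# Constructed sample message, not the contents of the krypton3 file.
SAMPLE_CIPHERTEXT = oracle("SAMPLE FIVE LETTER GROUPS")

if __name__ == "__main__":
    shift = recover_shift(ALPHABET, oracle(ALPHABET))   # one query reveals the key
    print("recovered shift:", shift)
    print("decrypted      :", rot(SAMPLE_CIPHERTEXT, -shift))
```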

Level 3

Username : krypton3
Password : CEASARISEASY
SSH : krypton.labs.overthewire.org:2222 
Krypton · OverTheWire

Krypton Level 1 → Level 2

Level 1

Username : krypton1
Password : KRYPTONISGREAT
SSH : krypton.labs.overthewire.org:2222

Level Info

The password for level 2 is in the file ‘krypton2’. It is ‘encrypted’ using a simple rotation. It is also in non-standard ciphertext format. When using alpha characters for cipher text it is normal to group the letters into 5 letter clusters, regardless of word boundaries. This helps obfuscate any patterns. This file has kept the plain text word boundaries and carried them to the ciphertext. Enjoy!

Solution

To solve this level, we first ssh into the krypton1 server using the credentials provided above.

Since the level information says that the encryption is a simple rotation, my first thought was to try the ROT13 cipher. ROT13 (“rotate by 13 places”, sometimes hyphenated ROT-13) is a simple letter substitution cipher that replaces a letter with the letter 13 letters after it in the alphabet. ROT13 is a special case of the Caesar cipher, developed in ancient Rome.

To solve this, I am going to use the “tr” command to implement a ROT13 cipher. “A” maps to “N” and “Z” maps to “M”. The mapping for lower-case letters is similar.

The output shows that the password for the next level is “ROTTEN”. If the password hadn’t been encoded with ROT13, we would have tried the other ROTn substitution ciphers to find it.

Level 2

Username : krypton2
Password : ROTTEN
SSH : krypton.labs.overthewire.org:2222 
Krypton · OverTheWire

Krypton Level 0 → Level 1

Level 0

Username : krypton0
Password : Tith4cokei
SSH : krypton.labs.overthewire.org:2222

Level Info

Welcome to Krypton! The first level is easy. The following string encodes the password using Base64: S1JZUFRPTklTR1JFQVQ=
Use this password to log in to krypton.labs.overthewire.org with username krypton1 using SSH on port 2222. You can find the files for other levels in /krypton/.

Solution

Since the password for the next level is the Base64 decoding of the string provided, we can run a Base64 decoder on it and find the password.

Level 1

Username : krypton1
Password : KRYPTONISGREAT
SSH : krypton.labs.overthewire.org:2222 
Leviathan · OverTheWire

Leviathan Level 6 → Level 7

Level 6

Username : leviathan6
Password : Tith4cokei
SSH : leviathan.labs.overthewire.org:2223

Solution

To solve this level, we first ssh into the leviathan6 server using the credentials provided above.

As we can see, the server contains an executable which requires a 4-digit code and probably compares it with something. If the number matches what the executable expects, we will hopefully be able to access our password file. Let’s run gdb on the executable to learn more about it. The application converts our input with atoi() and then compares the returned value with a number it expects. If we can learn that number, we can enter it and allow the executable to proceed further.

In gdb we can see that the number is 7123. Let’s see what happens if we use that number as the argument.

As we can see, the executable logs us in as leviathan7 and now we can access the password file.

Level 7

Username : leviathan7
Password : ahy7MaeBo9
SSH : leviathan.labs.overthewire.org:2223 
Leviathan · OverTheWire

Leviathan Level 5 → Level 6

Level 5

Username : leviathan5
Password : Tith4cokei
SSH : leviathan.labs.overthewire.org:2223

Solution

To solve this level, we first ssh into the leviathan5 server using the credentials provided above.

As we can see, there is an executable named “leviathan5” which checks for the existence of the file “/tmp/file.log”. Let’s see how the executable works by using the ltrace command and putting some content in “/tmp/file.log”.

As the trace shows, the executable opens the file “/tmp/file.log”, gets a character and prints it on the screen until the end of the file has been reached. It then gets the real uid of the user, sets the uid of the file to the real uid and unlinks the file. To read more about unlink(), see its manual page (man 2 unlink).

As the executable prints the content of the file, let’s create a symbolic link between the file and the password file and see if the executable prints it.


The executable prints the password because it follows the symbolic link from “/tmp/file.log” to the password file without checking whether the calling user has permission to read the link’s target.
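The missing check, sketched as an added Python example (not the leviathan5 binary's code, which is not shown on this page). `read_log_naive` mirrors the behaviour observed above and `read_log_hardened` is one way to refuse the link; the file names and contents are constructed stand-ins for /tmp/file.log and the password file.

```python
import os
import stat
import tempfile


def read_log_naive(path):
    """What the write-up observes: open whatever the path resolves to."""
    with open(path, "rb") as fh:
        return fh.read()


def read_log_hardened(path, caller_uid):
    """Refuse symlinks, non-regular files and files the caller does not own."""
    # O_NOFOLLOW: open() fails with ELOOP if the last path component is a symlink.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        # fstat() inspects the descriptor we already hold, so the file cannot
        # be swapped between the check and the read.
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError("not a regular file")
        if st.st_uid != caller_uid:
            raise PermissionError("file is not owned by the calling user")
        with os.fdopen(fd, "rb", closefd=False) as fh:
            return fh.read()
    finally:
        os.close(fd)


def demo():
    """Constructed stand-ins: 'secret' plays the password file, 'file.log' the log."""
    with tempfile.TemporaryDirectory() as workdir:
        secret = os.path.join(workdir, "secret")
        log = os.path.join(workdir, "file.log")
        with open(secret, "w") as fh:
            fh.write("constructed-secret\n")
        os.symlink(secret, log)
        naive = read_log_naive(log)          # follows the link to the secret
        try:
            read_log_hardened(log, os.getuid())
            hardened = "read"
        except OSError:
            hardened = "refused"
        return naive, hardened


if __name__ == "__main__":
    print(demo())
```

In a setuid C program the usual complement is to drop to the real uid before calling open(), so the kernel applies the caller's own permissions to whatever the path resolves to.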

 

Level 6

Username : leviathan6
Password : UgaoFee4li
SSH : leviathan.labs.overthewire.org:2223 
Leviathan · OverTheWire

Leviathan Level 4 → Level 5

Level 4

Username : leviathan4
Password : vuH0coox6m
SSH : leviathan.labs.overthewire.org:2223

Solution

To solve this level, we first ssh into the leviathan4 server using the credentials provided above.

As we can see, the server contains a hidden folder, “.trash”, which contains an executable named “bin”. The executable prints binary digits that look like ASCII values. On converting them to ASCII, we get our password for the next level.

Level 5

Username : leviathan5
Password : Tith4cokei
SSH : leviathan.labs.overthewire.org:2223