#decryption

PREPARE FOR HIS COMING (link to B&N)

The audio base is interstitial music from "Monty Python and the Holy Grail" - "Intermission (Neil Innes) (EMI 1975)".

(UPDATED) MORSE inside the music cracked by Reddit: THREE SIDES TO EVERY STORY THREE SIDES TO EV

So fine, I will give you an ask.

Can you decode this very easy to decode message.

_[<

!=÷

/&÷

;÷@/

&!:÷

!

%[[#

#!_

(Hint: D is #)

Yeah no you're right that's deceptively easy

0d 0a 66 6f 72 20 74 72 75 74 68 20 77 69 6c 6c 20 6e 6f 74 20 6f 6e 6c 79 20 6d 65 6e 64 20 79 6f 75 72 20 70 65 72 73 70 65 63 74 69 76 65 2c 20 62 75 74 20 61 6c 73 6f 20 72 65 73 68 61 70 65 20 79 6f 75 72 20 72 65 61 6c 69 74 79 2e 2e 2e 22"

- The Resurrected

Cryptography is a field that often thrives on complexity. From the basic Caesar cipher to the historically mysterious Zodiac cipher, these encrypted messages challenge the solver to think critically, analyze patterns, and decode information. However, in many cases, applying Occam’s Razor—the principle that the simplest solution is often the best—could help strip away the unnecessary complexity…

Cracking the Book of Bill!

Part 1 - Cosmic Cipher

I explain how I differentiated between different ciphers, and solved this one completely from scratch, without knowing any of the translations to guide me.

Spoilers Below!!!

Hello everyone, it's been a while. :)

Haven't been posting much recently as I haven't really done anything noteworthy- I've just been working on methodologies for different types of penetration tests, nothing interesting enough to write about!

However, I have my methodologies largely covered now and so I'll have the time to do things again. There are a few things I want to look into, particularly binary exploit development and OS level security vulnerabilities, but as a bit of a breather I decided to root Morpheus from VulnHub.

It is rated as medium to hard, however I don't feel there's any real difficulty to it at all.

Initial Foothold

Run the standard nmap scans and 3 open ports will be discovered:

Port 22: SSH

Port 80: HTTP

Port 31337: Elite

I began with the web server listening at port 80.

The landing page is the only page offered- directory enumeration isn't possible as requests to pages just time out. However, there is the hint to "Follow the White Rabbit", along with an image of a rabbit on the page. Inspecting the image of the rabbit led to a hint in the image name- p0rt_31337.png. Would never have rooted this machine if I'd known how unrealistic and CTF-like it was. *sigh*

The above is the landing page of the web server listening at port 31337, along with the page's source code. There's a commented out paragraph with a base64 encoded string inside.

The string as it is cannot be decoded, however the part beyond the plus sign can be- it decodes to 'Cypher.matrix'.

This is a file on the web server at port 31337 and visiting it triggers a download. Open the file in a text editor and see this voodoo:

Upon seeing the ciphertext, I was immediately reminded of JSFuck. However, it seemed to include additional characters. It took me a little while of looking around before I came across this cipher identifier.

I'd never heard of Brainfuck, but I was confident this was going to be the in-use encryption cipher due to the similarity in name to JSFuck. So, I brainfucked the cipher and voila, plaintext. :P

Here, we are given a username and a majority of the password for accessing SSH apart from the last two character that were 'forgotten'.

I used this as an excuse to use some Python- it's been a while and it was a simple script to create. I used the itertools and string modules.

The script generates a password file with the base password 'k1ll0r' along with every possible 2-character combination appended. I simply piped the output into a text file and then ran hydra.

The password is eventually revealed to be 'k1ll0r7n'. Surely enough this grants access to SSH; we are put into an rbash shell with no other shells immediately available. It didn't take me long to discover how to bypass this- I searched 'rbash escape' and came across this helpful cheatsheet from PSJoshi. Surely enough, the first suggested command worked:

The t flag is used to force tty allocation, needed for programs that require user input. The "bash --noprofile" argument will cause bash to be run; it will be in the exec channel rather than the shell channel, thus the need to force tty allocation.

Privilege Escalation

With access to Bash commands now, it is revealed that we have sudo access to everything, making privilege escalation trivial- the same rbash shell is created, but this time bash is directly available.

Thoughts

I did enjoy working on Morpheus- the CTF element of it was fun, and I've never came across rbash before so that was new.

However, it certainly did not live up to the given rating of medium to hard. I'm honestly not sure why it was given such a high rating as the decoding and decryption elements are trivial to overcome if you have a foundational knowledge of hacking and there is alot of information on bypassing rbash.