Author:
ripfaceless

Language:
C/C++

Upload:
11:14 AM 08/09/2024

Download

Platform
Unix/linux etc.

Difficulty:
3.0

Quality:
2.6

Arch:
x86-64

Description

For linux terminal passowrd crackme - level Two ..... Enjoy

• Comments
• Solutions

jnth on 8:11 AM 09/02/2024: could you give us a hint?

dev0 on 5:22 PM 09/02/2024: I have two questions on this. I think there are two bugs that make this a bit difficult to solve. The first is that fgets with a size of 64 will only accept 63 bytes of input and null terminate the 64th byte. This is problematic as now you are attempting to match a 64 byte input with a 63 byte input both being AES encrypted with the same key and iv. The key is also a problem with aes-256 being used. The key in aes-256 will be 32 bytes long but in the EVP_EncryptInit_ex the author sets the key parameter to offset 16 in the key buffer on the stack. This then includes the 16 bytes that follow the key buffer on the stack which happen to be the EVP_CIPHER_CTX and I believe the return address. If this was intended, then I think the difficulty should be much higher as you are again trying to take to different length plain texts and generate the same cipher text. And in this case since I believe the input would be a string with length 63 and AES has block size 16, the output cipher lengths will be different at 64 bytes to 80 bytes respectively. I believe AES will apply padding for the 63 byte input to make it 64. The 64 byte input will be padded to 80.

jeffli6789 on 6:01 PM 09/26/2024: Hi @dev0, yeah for the very same reason I think the challenge is busted and cannot be solved. I have tried to contact the author on this but have not been successful yet

mustafolins on 2:34 AM 09/30/2024: It's not broken and this one can be solved with a pretty basic Linux command.

mov_rax_rax on 2:39 PM 10/11/2024: Incredibly easily. Yeah, as the other user said, you can run a single command and get the answer. You can also easily see what it is if you decompile it.

dev0 on 3:42 PM 10/13/2024: Yes the correct input is hardcoded in the binary and you can run that linux command to get the value BUT if you attempt to run the binary as is and use that key, which is supposed to be the correct key, you will never get the correct message because of the two bugs listed above.

alxxx on 10:04 AM 10/29/2024: Why does a random string come out every time the password is encrypted?

thisguyneedsabeer on 2:20 AM 11/07/2024: I entered a password that I pulled from RAX encrypting the plaintext string, and it worked once, the second time it did not. No file patching or modifications have taken place. Is this a bug? ┌──(kali㉿kali2024)-[~/CTF/CrackMes/ripfaceless's_Level_Two_Crackme_Password] └─$ ./crackme666adv INSERT PASSWORD: 7a4baaac9cc258c33b7459113da21360ef68864859cdb4dc389b20e24513c11 VERY GOOOOOOD PASSWORD CORRECT!!! ┌──(kali㉿kali2024)-[~/CTF/CrackMes/ripfaceless's_Level_Two_Crackme_Password] └─$ ./crackme666adv INSERT PASSWORD: 7a4baaac9cc258c33b7459113da21360ef68864859cdb4dc389b20e24513c11 PASSWORD INCORRECT - GAME OVER!

You must me logged to submit a solution