In this article, we break the permutation and Vigenere ciphers, decrypt the password saved in the Mozilla Firefox browser, deal with the Android blocking and deal with the Bit-Flipping attack. Previous parts:
Part 1 - Encodings, shift cipher, brute hashes and image creation using PIL python.
Part 2 - Crypt, XOR, unencrypted ZIP and PRNG cracking.
Organizational information
, - , :
, , , .
, , Telegram . , , .
. , - , .
- PWN;
- (Crypto);
- c (Network);
- (Reverse Engineering);
- (Stegano);
- WEB-.
, , , .
, , Telegram . , , .
. , - , .
Mozilla Firefox Password
We need to find the user's password. Download and open the archive containing the .mozilla directory. This directory contains a folder with extensions and a folder with the name of the browser.
Since we are not interested in extensions, we go to the diu-browser. There is a profile configuration file and one more directory.
We go into the folder and view the files.
All passwords stored in the database are encrypted, so you won't be able to see them just like that. You can use this script for decryption .
python3 firefox_decrypt.py ~//.mozilla/firefox/o0s0xxhl.default/
Vigenère cipher
We have been given an encrypted text, and we need to find its author. Since this is a Vigenère cipher, we will use an online decoder .
We choose automatic mode.
And we get the plain text and the key. It remains to google the text and find the author.
Android lock pattern
We are given a dump of the android file system and asked to find the password. This is very easy to do with access to the filesystem. The password hash (SHA1) is located in the /data/system/gesture.key file.
We can either take and twist the hash, or use androidpatternlock .
Found both password and pattern.
Permutation cipher
We are given an encrypted message and asked to decrypt it. Since this is a Rail Fence cipher, we will use the already familiar online decoder .
And now, among the proposed decryptions, we need to choose the one that has a meaningful text.
And we get the answer.
AES CBC - Bit-Flipping Attack
We are given a host and port to connect to. Let's connect using netcat.
We are provided with options for action - register or login. Let's register first.
And we were provided with a partially open and encrypted text. Now we log in with this token.
But after logging in, we cannot access the data, since we are not a member of the group.
With the task sorted out, now let's deal with the Bit-Flipping attack. This attack usually occurs when the encryption function takes some input, appends a random string, and appends another string to it before encrypting it (our case).
Below is a diagram for decrypting a message using the AES CBC algorithm.
The fact is that the previous block of the ciphertext is xorsed with the next block, in order to remove the text overlay, as a result we have the decrypted text.
Thus, if we change one byte of ciphertext in the previous block, then one byte of plaintext in the next block will change.
Now let's get back to the task. The clear text has the is_member = false parameter. It's hard to imagine how to change. But since we have the symbols of the equation, in order for the entire text to be a multiple of the block size, we can change them so that when decrypted, the string is_member = true is obtained.
Let's figure out how to do this. This line should be obtained during decryption in the last block - EvilP2. To do this, we need to collect the EvilC1 block.
How to do it: We have CC1 and PP2. By proxying them together, we can get DC2. Since we know that EvilP2 contains “; is_member = false]” and we know DC2, proxying them among ourselves, you can get EvilC1.
Let's register again.
We initialize the initial parameters.
Now we get the blocks we know.
Now we get new blocks.
We collect the load.
Trying to log in.
And nothing came of it, they found us. This is most likely due to the presence of two identical parameters. Let's kill the first one.
And now we successfully log in and take the token.
You can join us on Telegram... Let's gather a community, in which there will be people who are versed in many areas of IT, then we can always help each other on any IT and information security issues.