The latest articles on DEV Community by Edoardo (chap) (@edoardopigaiani). https://dev.to/edoardopigaiani https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F177331%2F24f3a3e6-7501-434c-a700-38e26aa3936b.jpg https://dev.to/edoardopigaiani en Edoardo (chap) Sat, 08 Jun 2019 06:41:04 +0000 https://dev.to/edoardopigaiani/htb-s-snake-writeup-12b6 https://dev.to/edoardopigaiani/htb-s-snake-writeup-12b6 <h2> Disclaimer </h2> <p>If you're uncomfortable with spoilers stop reading now.</p> <h2> Challenge </h2> <p>While waiting for <a href="https://www.hackthebox.eu/home/machines/profile/188" rel="noopener noreferrer">SwagShop</a>'s takedown in order to publish my writeup, I took a chance to solve a couple of challenges available on HackTheBox, starting from Snake.</p> <p>Snake is a reversing challenge by 3XPL017, you can find it <a href="https://www.hackthebox.eu/home/challenges/Reversing" rel="noopener noreferrer">here</a>.</p> <p>After downloading and unzipping the archive with the password provided we're presented with a Python script named <em>snake.py</em>, we'll try and run it:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fimgur.com%2F07fOOYr.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fimgur.com%2F07fOOYr.png" alt="Script running"></a></p> <p>After assigning us a random number is asks for a username and a password, we'll dig into that by taking a look at the code.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fimgur.com%2FrCzLtEc.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fimgur.com%2FrCzLtEc.png" alt="Script code"></a></p> <p>We can notice that there are a lot of variables declared, the one which stands out is <em>slither</em> since it seems to be the one required in order to be properly identified when prompted for the username.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>if user_input == slither: pass </code></pre> </div> <p>Therefore we can add:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>print slither </code></pre> </div> <p>In order to print the variable slither, which is the needed username. The script part will look like this:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fimgur.com%2FNqVSRMQ.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fimgur.com%2FNqVSRMQ.png" alt="Script code"></a></p> <p>Once we run it we get:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fimgur.com%2FJm9ktZt.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fimgur.com%2FJm9ktZt.png" alt="Script code"></a></p> <p>Yes, <em>anaconda</em> makes sense and it is indeed the needed username. </p> <p>Let's move on to the password, which is generated by this part of the script:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fimgur.com%2FPVqFSSa.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fimgur.com%2FPVqFSSa.png" alt="Script code"></a></p> <p>We can see that <em>passes</em> is compared to <em>(chr(char))</em></p> <p>Functions:</p> <ul> <li> <em>str()</em> – returns a string</li> <li> <em>chr()</em> – returns a character, after that takes in a parameter of a unicode digit</li> </ul> <p>Variables:</p> <ul> <li> <em>char</em> – one element in the array chars</li> <li> <em>chars</em> – initialized as an empty array</li> </ul> <p>The array chars contains:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>chars = [] </code></pre> </div> <p>And:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>for key in keys: keys_encrypt = lock ^ key chars.append(keys_encrypt) for chain in chains: chains_encrypt = chain + 0xA chars.append(chains_encrypt) </code></pre> </div> <p>There is also a <em>break</em> which terminates the loop even if a single character matches the user given input.</p> <p>The simplest way to solve this is to print the characters before being asked for the password, we can do this by modifying the script:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fimgur.com%2FPhNT3CP.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fimgur.com%2FPhNT3CP.png" alt="Script code"></a></p> <p>And, if we run it we get:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fimgur.com%2FcZLmLM2.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fimgur.com%2FcZLmLM2.png" alt="Script code"></a></p> <p>The password is working, and due to the fact that <em>keys</em> contains the first 10 characters of the password, we can assume we need to enter them in order to properly solve the challenge.</p> <p>The flag format is <em>HTB{user:password}</em>, so the proper way to enter it is <em>HTB{anaconda:udvvrjwa$$}</em>.</p> <p>Solved!</p> hackthebox