Now that we’re logged in, lets take a poke around and see what we’re dealing with. There appears to be sections to:
- Apply for leave, where we submit a text request. Maybe XSS or Injection on this?
- Staff Directory, details about different staff members.
- The “Network Administrator” has some binary in his profile. We’ll decode that later.
- There seems to also be a message board. Maybe XSS or Injection.
- There’s also a mail inbox.
Since this challenge is called love letters, lets focus on the mail.
We’ll send a message to ourself. We send the message:
When we go back to our inbox, we take a look at the received message.
Loading of the mail seemed very ajaxy. Lets look at our network inspector. We
notice a request made to
Inspecting the decryption, hosted in
notice it’s just a simple XOR with a key (after base64 decoding the message)
We stab around the mail endpoint looking for other users mail. We notice
we can load all other mail. We notice at
the subject is
Decrypt me to win!. It’s addressed to email@example.com
and encrypted for Spacetrip Riverbrother. Excellent.
To decrypt this message, we need to know the key to decrypt it. The decryption key is different for every user, hence, you can only decrypt your own mail.
There are numerous ways to crack the key for the message we want to decrypt.
The easiest method is to crib drag using the known phrase in every email:
IMPORTANT: This email remains the property of ECWI., however we won’t do
that. We’re going to do a known plaintext attack.
If we know the unencrypted text sent to the user, we simply XOR the known text with the encrypted text to give us the decrpytion key. The only thing we must ensure is that we send a message long enough to expose the entire key length.
We know a key is 32 characters long, looking at our own embeded in the /inbox html source.
Lets send a message to Spacetrip Riverbrother.
We go to the mail endpoint and load up the message, ensuring to find the copy encrypted for Spacetrip Riverbrother (and from us). For me, it was found at http://www.ecwi.cysca/mail/15, but your milage may vary.
Lets drop this into a python program and figure out the key. Knowing the symmetric decryption/encryption algorithm used, we craft the following python program:
From that, out pops the key used:
Let’s decrypt the message.
And out pops the flag