HackTheBox – BabyEncryption Write-up

Hi everyone!

Today’s post is one BabyEncryption, a very easy Cryptography challenge on HackTheBox. This challenge was released on 29 May 2021. In this challenge, we will be focusing on decrypting a set of bytes in strings encrypted by modulus. Let’s get started!

Fig 1. BabyEncryption challenge on HackTheBox

Files provided

Analysis

chall.py

The chall.py consists of a Python code that was used to encrypt a message and stored in msg.enc. The content of chall.py can be seen here:

import string
from secret import MSG

def encryption(msg):
    ct = []
    for char in msg:
        ct.append((123 * char + 18) % 256)
    return bytes(ct)

ct = encryption(MSG)
f = open('./msg.enc','w')
f.write(ct.hex())
f.close()

Based on the code, what we know is:

  1. The secret module is “implement” by the criminal hence we won’t have access to it. What we know is that MSG is the message that contains characters of delivery time and the flag.
  2. We can see that each character of the message/MSG is multiplied by 123 and added with 18. Modulus 256 is done to ensure the character remains within the ASCII range.
  3. hex() is used to ensure hexadecimal values of each character of the new encrypted message is stored in msg.enc.

msg.enc

Since we know that hexadecimal is stored in msg.enc, this means every two characters we see inside msg.enc is actually one byte.

6e0a9372ec49a3f6930ed8723f9df6f6720ed8d89dc4937222ec7214d89d1e0e352ce0aa6ec82bf622227bb70e7fb7352249b7d893c493d8539dec8fb7935d490e7f9d22ec89b7a322ec8fd80e7f8921

Based on the content in msg.enc above, the 1st two characters, 6e, belong to a byte which is the letter ‘n’ in ASCII.

Decrypting the message

As modulus is used, it means we have to brute-force as modulus is a one-way function. For example, 0x6e from the 1st two characters in msg.enc is actually 110 in decimal from the ASCII table. To derive 110 after modulus 256, there can be many possibilities to get 110.

Since we know it is within the ASCII range, we can brute-force characters within a range of 33 to 126 as those are possible letters in the flag. This will give us the following decryption algorithm which I have written in Python. You may also download my file here.

fd = open('./msg.enc','r')

secret = fd.read()
ct = bytes.fromhex(secret)

decrypted_str = ""

for char in ct:
	for brute_val in range(33, 126):
		if ((123 * brute_val + 18) % 256) == char:
			decrypted_str += chr(brute_val)
			break

print(decrypted_str)

Running the code, we will get the delivery time and our flag.

cmd>python3 decrypter.py
Th3nucl34rw1ll4rr1v30nfr1d4y.HTB{l00k_47_y0u_r3v3rs1ng_3qu4710n5_c0ngr475}

I hope these tabs have been helpful to you. Feel free to leave any comments below. Do remove your ad-blocker to support my blog. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction and the cost of hosting the website as well as the domain name fee. The link is here. 🙂

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.