Due Friday, October 21st
Worth 60 points
This project focuses on cryptography and reverse engineering. It is divided into 4 parts. For each part you're given a file containing a unique string that you need to submit.
To retrieve these files, set up port forwarding for netsec-projects.cs.northwestern.edu:7000 through hamsa and then connect to localhost:9000 using a web browser:
ssh -L 9000:netsec-projects:7000 email@example.com
Part 1: The goal is simple: crack the password. It is an MD5 hash, known to John the Ripper as format=raw-md5 (i.e. run john with --format=raw-md5). Feel free to use your own password list and whatever strategy you're most comfortable with. The password is 6-12 characters long and consists of alphanumerics and at most 1 symbol. As an additional challenge, the file is compiled into a .pyc, so the hash first has to be pulled out of the bytecode rather than read from source.
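Getting the hash out of the .pyc does not require decompiling it. The following is an added example (not part of the assignment handout): it builds a small .pyc in-process as a constructed stand-in for the project file, then recovers the 32-hex-character MD5 digest two ways, a version-independent raw scan and a walk of the unmarshaled code object's co_consts, and finally shows the per-guess check that john performs for raw-md5. The 16-byte .pyc header length is an assumption that holds for CPython 3.7 and later; a .pyc from another interpreter version can only be unmarshaled by that version, which is why the raw scan is kept as the fallback.

```python
import hashlib
import importlib.util
import marshal
import re
import types

HEX32 = re.compile(rb"[0-9a-f]{32}")
PYC_HEADER_LEN = 16  # assumption: CPython 3.7+ header (magic, flags, mtime, size)


def build_sample_pyc():
    """Constructed stand-in for the project's .pyc, compiled for the running
    interpreter: a checker that keeps the target digest as a string constant."""
    src = (
        "import hashlib\n"
        "TARGET = '5f4dcc3b5aa765d61d8327deb882cf99'\n"
        "def check(pw):\n"
        "    return hashlib.md5(pw.encode()).hexdigest() == TARGET\n"
    )
    code = compile(src, "secret.py", "exec")
    return importlib.util.MAGIC_NUMBER + bytes(12) + marshal.dumps(code)


def find_hashes_raw(pyc_bytes):
    """Version-independent: marshal stores str constants as contiguous bytes,
    so any 32-character lowercase-hex run in the file is a candidate digest."""
    return sorted({m.decode() for m in HEX32.findall(pyc_bytes)})


def find_hashes_marshal(pyc_bytes):
    """Structured (same CPython version only): unmarshal the module code object
    and walk co_consts recursively so constants in nested functions are seen."""
    code = marshal.loads(pyc_bytes[PYC_HEADER_LEN:])
    found, stack = set(), [code]
    while stack:
        for const in stack.pop().co_consts:
            if isinstance(const, types.CodeType):
                stack.append(const)
            elif isinstance(const, str) and HEX32.fullmatch(const.encode()):
                found.add(const)
    return sorted(found)


def check_password(candidate, digest):
    """What john does per guess for raw-md5: hex(MD5(candidate)) == digest."""
    return hashlib.md5(candidate.encode()).hexdigest() == digest.lower()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pyc()
    print("raw scan:    ", find_hashes_raw(data))
    try:
        print("marshal walk:", find_hashes_marshal(data))
    except (ValueError, EOFError, TypeError) as exc:
        print("marshal walk failed (different CPython version?):", exc)
```

Put the recovered digest alone on a line in a file and hand it to john (john --format=raw-md5 --wordlist=<your list> hash.txt); the 6-12 character, alphanumeric-plus-one-symbol constraint is what you encode in the wordlist or rules you choose.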
Part 2: Find the string from the binary, probably using gdb. The string is not stored in the file; it is generated as the program runs, so you will need to stop the program after it has been built and read it out of memory.
Part 3: This is an x86 ELF executable run through an 8-byte repeating-key XOR cipher, as if it were a packed payload. The string for this part of the project is the exit code of the original program. To find it, you must determine the 8-byte key, decipher the program, run it, and read its exit code. In a UNIX shell the exit status of the last command is kept in the variable $?; print it with echo $? immediately after the program finishes, before any other command overwrites it.
Where to start: running file on the original program (before it was ciphered and you downloaded it) yielded the following:
a.out: ELF 32-bit invalid byte order (SYSV)
file says this because some of the ELF identification (e_ident) fields hold values outside the specification, starting with EI_DATA, the endianness byte. The valid values for every e_ident field are listed in the official specification: https://refspecs.linuxbase.org/elf/TIS1.1.pdf. Since file could still read the class (32-bit) and the OS ABI (SYSV), most of e_ident is predictable, which should give you an idea of what the start of the ELF header looked like before it was run through the cipher.
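The known e_ident bytes turn the cipher into a known-plaintext problem. The following is an added example, not part of the handout: it treats the e_ident bytes that file confirmed (magic, EI_CLASS=1, EI_VERSION=1, EI_OSABI=0) and the zero EI_ABIVERSION/EI_PAD run at offsets 8-15 as known plaintext, derives the 8-byte key from them, cross-checks every key byte it sees twice, deciphers the image and reads a few header fields back. EI_DATA is deliberately not assumed. The sample input is a constructed 52-byte ELF32 header with EI_DATA set to 3 (invalid, mirroring the file output above) XORed with a made-up key; the little-endian read of e_type/e_machine and the output file name are assumptions for the demo.

```python
import struct
import sys

KEY_LEN = 8

# e_ident layout (TIS ELF 1.1): 0-3 magic, 4 EI_CLASS, 5 EI_DATA, 6 EI_VERSION,
# 7 EI_OSABI, 8 EI_ABIVERSION, 9-15 EI_PAD (zero).  file(1) confirmed
# EI_CLASS=1 (32-bit) and EI_OSABI=0 (SYSV); EI_DATA is the one byte we cannot
# predict, so it is left out of the known plaintext on purpose.
KNOWN_IDENT = {0: 0x7F, 1: 0x45, 2: 0x4C, 3: 0x46, 4: 1, 6: 1, 7: 0}
KNOWN_IDENT.update({off: 0 for off in range(8, 16)})


def recover_xor_key(ciphered, key_len=KEY_LEN):
    """Derive a repeating XOR key from the known e_ident bytes.

    Key byte k[i] covers offsets i, i+key_len, i+2*key_len, ...; the zero run
    at offsets 8..15 alone pins down all eight bytes (c ^ 0 == c) and the other
    known bytes cross-check them.  ValueError means the key length or the
    assumed header is wrong.
    """
    key = [None] * key_len
    for off, plain in sorted(KNOWN_IDENT.items()):
        i, k = off % key_len, ciphered[off] ^ plain
        if key[i] is None:
            key[i] = k
        elif key[i] != k:
            raise ValueError(f"offset {off} contradicts key byte {i}: {key[i]:#04x} vs {k:#04x}")
    if None in key:
        raise ValueError("known plaintext does not cover every key position")
    return bytes(key)


def xor_decipher(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def describe_header(elf):
    """Return (EI_DATA, e_type, e_machine).  The 16-bit fields are read
    little-endian on the assumption that the target really is x86."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("bad ELF magic after deciphering")
    e_type, e_machine = struct.unpack_from("<HH", elf, 16)
    return elf[5], e_type, e_machine


def build_sample():
    """Constructed stand-in for the project file: a 52-byte ELF32 header with
    EI_DATA=3 (invalid, as in the file(1) output) plus filler, XORed with a
    made-up key.  Returns (ciphered, key)."""
    e_ident = b"\x7fELF" + bytes([1, 3, 1, 0]) + bytes(8)
    rest = struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x08048000, 52, 0, 0, 52, 32, 1, 40, 0, 0)
    key = b"\xde\xad\xbe\xef\x13\x37\x42\x99"
    return xor_decipher(e_ident + rest + b"\x90" * 12, key), key


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py ciphered.bin deciphered.out
        data = open(sys.argv[1], "rb").read()
    else:
        data, _ = build_sample()
    key = recover_xor_key(data)
    plain = xor_decipher(data, key)
    ei_data, e_type, e_machine = describe_header(plain)
    print(f"key={key.hex()} EI_DATA={ei_data} e_type={e_type} e_machine={e_machine} (3 = EM_386)")
    if len(sys.argv) == 3:
        open(sys.argv[2], "wb").write(plain)
```

After writing the deciphered file, chmod +x it, run it, and immediately echo $?. Do not "repair" the invalid EI_DATA byte first: the exit code asked for is that of the original program as it was, and the Linux ELF loader does not validate that byte the way file does.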
Part 4: This is base64-encoded ciphertext produced with 128-bit AES in CBC mode, with no padding. After base64 decoding, the first 16 bytes of the encrypted text are the IV and the remaining bytes are the message blocks. The 128-bit AES key is the 16-byte ASCII string h4ckth1sk3yp4d16. Submit the decrypted text.
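The following is an added example, not part of the handout, that spells out the decryption layout above: a small pure-Python AES-128 inverse cipher (written for this example so the block runs with no third-party library) driving an unpadded CBC loop, with the IV peeled off the front of the decoded bytes. Because no real ciphertext under the project key can be reproduced here, the sample input is constructed from the FIPS-197 Appendix C.1 AES-128 test vector with an assumed IV; solve_part4 defaults to the page's key and takes the base64 text exactly as the project file provides it.

```python
import base64

# Pure-Python AES-128 decryption, written for this example.


def _xtime(a):
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a


def _gmul(a, b):  # multiplication in GF(2^8) with the AES polynomial
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r


def _build_sboxes():
    """S-box = affine transform of the GF(2^8) inverse (FIPS-197 sec. 5.1.1)."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gmul(x, y) == 1), 0)
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    inv_sbox = [0] * 256
    for i, v in enumerate(sbox):
        inv_sbox[v] = i
    return sbox, inv_sbox


SBOX, INV_SBOX = _build_sboxes()


def _expand_key(key):
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord, then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]  # 11 round keys


def _inv_mix_columns(s):
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        for row in ((14, 11, 13, 9), (9, 14, 11, 13), (13, 9, 14, 11), (11, 13, 9, 14)):
            out.append(_gmul(a[0], row[0]) ^ _gmul(a[1], row[1]) ^ _gmul(a[2], row[2]) ^ _gmul(a[3], row[3]))
    return out


def aes128_decrypt_block(block, round_keys):
    """Inverse cipher (FIPS-197 fig. 12); state is column-major, index r + 4c."""
    s = [b ^ k for b, k in zip(block, round_keys[10])]
    for rnd in range(9, -1, -1):
        s = [s[r + 4 * ((c - r) % 4)] for c in range(4) for r in range(4)]  # InvShiftRows
        s = [INV_SBOX[b] for b in s]                                         # InvSubBytes
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]                      # AddRoundKey
        if rnd:
            s = _inv_mix_columns(s)
    return bytes(s)


def aes128_cbc_decrypt_nopad(key, iv, ct):
    if len(key) != 16 or len(iv) != 16 or len(ct) % 16:
        raise ValueError("need a 16-byte key and IV, and ciphertext that is a multiple of 16 bytes")
    rks = _expand_key(key)
    out, prev = bytearray(), iv
    for i in range(0, len(ct), 16):
        block = ct[i:i + 16]
        out += bytes(p ^ q for p, q in zip(aes128_decrypt_block(block, rks), prev))
        prev = block  # CBC: each plaintext block is XORed with the previous ciphertext block
    return bytes(out)


def solve_part4(b64_text, key=b"h4ckth1sk3yp4d16"):
    """The project layout: base64 -> [IV (16 bytes) || ciphertext], no padding."""
    data = base64.b64decode(b64_text)
    return aes128_cbc_decrypt_nopad(key, data[:16], data[16:])


# FIPS-197 Appendix C.1 AES-128 vector, used as constructed sample input.
FIPS_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
FIPS_PT = bytes.fromhex("00112233445566778899aabbccddeeff")
FIPS_CT = bytes.fromhex("69c4e0d86a7b0430d8cdb78070b4c55a")


def sample_part4_input(iv=bytes(range(16))):
    """Constructed stand-in for the project file: base64(IV || CT), assumed IV."""
    return base64.b64encode(iv + FIPS_CT).decode()


if __name__ == "__main__":
    print(solve_part4(sample_part4_input(), key=FIPS_KEY).hex())
```

With no padding the decoded length must be an exact multiple of 16 and nothing is stripped from the last block, so the decrypted bytes are the submission as-is; a length error from the check above means the base64 text was copied incompletely.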
- John the Ripper