22nd June 2021

Write-Up Keys

In this post, I’m writing a write-up for the challenge Keys from Hack The Box. Hack The Box is an online platform to train your ethical hacking skills and penetration testing skills.

About Keys

This challenge is worth 40 points and is of medium difficulty. The description of the challenge already triggers you to get started.

Own this challenge

I first downloaded the zip file and unzipped it with the password hackthebox. One .txt file, named keys.txt, is extracted from the archive.

~$ unzip keys.zip 
Archive:  keys.zip
[keys.zip] keys.txt password: 
  inflating: keys.txt      

I do a cat on the file:

~$ cat keys.txt 
hBU9lesroX_veFoHz-xUcaz4_ymH-D8p28IP_4rtjq0=
gAAAAABaDDCRPXCPdGDcBKFqEFz9zvnaiLUbWHqxXqScTTYWfZJcz-WhH7rf_fYHo67zGzJAdkrwATuMptY-nJmU-eYG3HKLO9WDLmO27sex1-R85CZEFCU=

After a short review of the code, a colleague of mine directly recognized the hash of the crypt as Fernet.

Fernet

Fernet is a symmetric encryption scheme. It guarantees that a message encrypted with Fernet cannot be manipulated without the key; in other words, Fernet is an implementation of symmetric authenticated cryptography.

Solution

To make sure it is a Fernet-encrypted message, I tried to run the message through various hash checkers, but none of them was able to detect the encryption. After a quick search on Google, I found on this website, https://cryptography.io/en/latest/fernet/, the Python class to write my own Fernet decoder.

I wrote the script fernet_decoder.py:

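from cryptography.fernet import Fernet

# First line of keys.txt: the URL-safe base64-encoded 32-byte Fernet key
key = b"hBU9lesroX_veFoHz-xUcaz4_ymH-D8p28IP_4rtjq0="
# Second line of keys.txt: the Fernet token (the encrypted message)
encrypted = b"gAAAAABaDDCRPXCPdGDcBKFqEFz9zvnaiLUbWHqxXqScTTYWfZJcz-WhH7rf_fYHo67zGzJAdkrwATuMptY-nJmU-eYG3HKLO9WDLmO27sex1-R85CZEFCU="

f = Fernet(key)
# decrypt() verifies the token's HMAC first and raises InvalidToken if it does not match
message = f.decrypt(encrypted)
print(message)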

I passed the key and token directly in the script. I ran the script and voilà! I’ve got the flag: HTB{N0t_A_Fl1g!}.

~$ python3 fernet_decoder.py
b'Flag : HTB{N0t_A_Fl1g!}'
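
Added example, not part of the original write-up: a Fernet token can be recognised from its layout alone, and the guarantee that it cannot be manipulated without the key comes from an HMAC-SHA256 tag over the rest of the token. This standard-library sketch parses the token from keys.txt and checks the tag with the signing half of the key; the function names are illustrative, and the field layout follows the Fernet specification.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timezone

# Key and token exactly as printed in keys.txt on this page.
KEY = b"hBU9lesroX_veFoHz-xUcaz4_ymH-D8p28IP_4rtjq0="
TOKEN = b"gAAAAABaDDCRPXCPdGDcBKFqEFz9zvnaiLUbWHqxXqScTTYWfZJcz-WhH7rf_fYHo67zGzJAdkrwATuMptY-nJmU-eYG3HKLO9WDLmO27sex1-R85CZEFCU="


def parse_fernet_token(token: bytes) -> dict:
    """Split a Fernet token into its fields; ValueError if the layout is wrong."""
    raw = base64.urlsafe_b64decode(token)
    # version (1) + timestamp (8) + IV (16) + ciphertext (>= 16) + HMAC (32)
    if len(raw) < 73 or raw[0] != 0x80:
        raise ValueError("not a Fernet token: bad length or version byte")
    ciphertext = raw[25:-32]
    if len(ciphertext) % 16:
        raise ValueError("not a Fernet token: ciphertext is not whole AES blocks")
    timestamp = int.from_bytes(raw[1:9], "big")  # seconds since the Unix epoch
    created = datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat()
    return {"version": raw[0], "timestamp": timestamp, "created": created,
            "iv": raw[9:25], "ciphertext": ciphertext, "hmac": raw[-32:]}


def hmac_is_valid(key: bytes, token: bytes) -> bool:
    """Recompute the HMAC-SHA256 tag with the signing half of the key."""
    signing_key = base64.urlsafe_b64decode(key)[:16]  # last 16 bytes are the AES key
    raw = base64.urlsafe_b64decode(token)
    expected = hmac.new(signing_key, raw[:-32], hashlib.sha256).digest()
    return hmac.compare_digest(expected, raw[-32:])


def flip_bit(token: bytes, index: int) -> bytes:
    """Copy of the token with one bit of byte `index` changed, to test tampering."""
    raw = bytearray(base64.urlsafe_b64decode(token))
    raw[index] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw))


if __name__ == "__main__":
    fields = parse_fernet_token(TOKEN)
    print("created:", fields["created"], "| ciphertext bytes:", len(fields["ciphertext"]))
    print("HMAC valid:", hmac_is_valid(KEY, TOKEN))
    print("HMAC valid after a 1-bit change:", hmac_is_valid(KEY, flip_bit(TOKEN, 30)))
```

The timestamp, IV and ciphertext length are readable without the key, which is enough to tell a Fernet token apart from a hash; only the HMAC check and the decryption need the key.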

Did you enjoy this write-up? Please consider spending some respect points; my profile on Hack The Box: t13nn3s.

Happy hacking!

T13nn3s
