{"id":325,"date":"2023-04-30T11:43:07","date_gmt":"2023-04-30T16:43:07","guid":{"rendered":"https:\/\/binaryblisters.com\/?p=325"},"modified":"2023-04-30T11:43:07","modified_gmt":"2023-04-30T16:43:07","slug":"hack-the-box-weak-rsa-walkthrough","status":"publish","type":"post","link":"https:\/\/binaryblisters.com\/?p=325","title":{"rendered":"Hack The Box &#8211; Weak RSA Walkthrough"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"413\" src=\"https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-82-1024x413.png\" alt=\"\" class=\"wp-image-326\" srcset=\"https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-82-1024x413.png 1024w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-82-300x121.png 300w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-82-768x310.png 768w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-82-1536x620.png 1536w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-82-2048x826.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>I have to give HTB some credit for their labs. I always walk into them thinking that I totally know how to finish them. 3-4 hours later, I have learned some new subject\/tools and have had to read up on a few other walkthroughs to finish them.<\/p>\n\n\n\n<p>This one was unfortunately no different in that case.<\/p>\n\n\n\n<p>I learned a lot though about RSA and OpenSSL, the difference between symmetric and asymmetric encryption, and a new tool called <a href=\"https:\/\/github.com\/RsaCtfTool\/RsaCtfTool?ref=technicalciso.com\">RsaCtfTool<\/a>.<\/p>\n\n\n\n<p>As always here is the link to my original <a href=\"https:\/\/app.gitbook.com\/o\/ZNh1XyD82SjFTw9WbexW\/s\/lcxVqdgOGpkobti7mzML\/machines\/easy-machines\/weak-rsa\">notes<\/a> if you want to take a look at the different paths I explored. 
I also <a href=\"https:\/\/www.twitch.tv\/videos\/1806786755\">streamed<\/a> some of this lab. <\/p>\n\n\n\n<p>Let&#8217;s get started.<\/p>\n\n\n\n<p>When opening up the lab, you&#8217;ll be given a downloadable zip file that can be extracted on your computer with the following password:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>zip password --> hackthebox<\/code><\/pre>\n\n\n\n<p>When you have downloaded the zip file, you can confirm it&#8217;s the correct file with the following SHA256 HASH:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>1cbf890e7a0fe8b404597b565da96c388e5653937631e2dc8710ede9d15bdb7d <\/code><\/pre>\n\n\n\n<p>After extracting the contents of the zip file you&#8217;ll be given two files. An encrypted flag file called <strong>flag.enc<\/strong> and a public key file named <strong>key.pub<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"616\" height=\"64\" src=\"https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-83.png\" alt=\"\" class=\"wp-image-327\" srcset=\"https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-83.png 616w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-83-300x31.png 300w\" sizes=\"auto, (max-width: 616px) 100vw, 616px\" \/><\/figure>\n\n\n\n<p>Checking out what is in the key.pub file, we find it to be a &#8220;short&#8221; public key. 
Note, I am using Kali to analyze and work with the files.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat &#91;Path to key.pub]<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"925\" height=\"343\" src=\"https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-84.png\" alt=\"\" class=\"wp-image-328\" srcset=\"https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-84.png 925w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-84-300x111.png 300w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-84-768x285.png 768w\" sizes=\"auto, (max-width: 925px) 100vw, 925px\" \/><\/figure>\n\n\n\n<pre class=\"wp-block-code\"><code>-----BEGIN PUBLIC KEY-----\r\nMIIBHzANBgkqhkiG9w0BAQEFAAOCAQwAMIIBBwKBgQMwO3kPsUnaNAbUlaubn7ip\r\n4pNEXjvUOxjvLwUhtybr6Ng4undLtSQPCPf7ygoUKh1KYeqXMpTmhKjRos3xioTy\r\n23CZuOl3WIsLiRKSVYyqBc9d8rxjNMXuUIOiNO38ealcR4p44zfHI66INPuKmTG3\r\nRQP\/6p5hv1PYcWmErEeDewKBgGEXxgRIsTlFGrW2C2JXoSvakMCWD60eAH0W2PpD\r\nqlqqOFD8JA5UFK0roQkOjhLWSVu8c6DLpWJQQlXHPqP702qIg\/gx2o0bm4EzrCEJ\r\n4gYo6Ax+U7q6TOWhQpiBHnC0ojE8kUoqMhfALpUaruTJ6zmj8IA1e1M6bMqVF8sr\r\nlb\/N\r\n-----END PUBLIC KEY-----\r<\/code><\/pre>\n\n\n\n<p>Next, I&#8217;ll check out the <strong>flag.enc<\/strong> file.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat flag.enc<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"76\" src=\"https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-85-1024x76.png\" alt=\"\" class=\"wp-image-329\" srcset=\"https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-85-1024x76.png 1024w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-85-300x22.png 300w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-85-768x57.png 768w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-85-1536x113.png 1536w, 
https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-85.png 1544w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Makes sense that the file would be a bunch of gobbledygook as it is encrypted. I won&#8217;t walk you down all of the hopeless paths I took but will outline some of them just for reference:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Looked at the binary with a <a href=\"https:\/\/hexed.it\/\">hex editor<\/a>.<\/li>\n\n\n\n<li>Thought I could do something with magic numbers.<\/li>\n\n\n\n<li>Spent way too much time with <a href=\"https:\/\/github.com\/openwall\/john\">John The Ripper<\/a> thinking I could do something with it.<\/li>\n<\/ul>\n\n\n\n<p>Finally, I gave up and looked through another person&#8217;s walkthrough. Actually, I looked through quite a few walkthroughs because I wanted to see if someone had solved the lab with John. Unfortunately, the three I went through all used the same tool. I really wanted John to be the answer for some reason.<\/p>\n\n\n\n<p>It appeared that everyone else&#8217;s walkthroughs used a tool called <a href=\"https:\/\/github.com\/RsaCtfTool\/RsaCtfTool?ref=technicalciso.com\">RsaCtfTool<\/a> to create a private key.<\/p>\n\n\n\n<p>It&#8217;s a pretty handy tool and I will keep it accessible for future use. Check out the GitHub page for it above and they&#8217;ll have instructions for downloading the tool and using it for other purposes.<\/p>\n\n\n\n<p>I won&#8217;t bother trying to explain how the tool works here as it is so far past my level of comprehension on crypto that I would sound like an idiot. I keep seeing common words though, like factorization. <\/p>\n\n\n\n<p><strong>A new goal of mine &#8211;> Learn what factorization means.<\/strong><\/p>\n\n\n\n<p>Besides that, once the tool is downloaded, it is capable of breaking &#8220;Weak&#8221; public keys to create the private key. 
This is an important note though, as it is only able to do this with &#8220;Weak&#8221; keys. For those familiar with RSA keys, the one given to us is really small.<\/p>\n\n\n\n<p>So let&#8217;s begin:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>.\/RsaCtfTool.py --publickey &#91;Path to public key] --private<\/code><\/pre>\n\n\n\n<p>This will generate a private key for us which we can save to its own file called <strong>key.priv<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"969\" height=\"500\" src=\"https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-86.png\" alt=\"\" class=\"wp-image-331\" srcset=\"https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-86.png 969w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-86-300x155.png 300w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-86-768x396.png 768w\" sizes=\"auto, (max-width: 969px) 100vw, 969px\" \/><\/figure>\n\n\n\n<p>The next command we will use is the OpenSSL command to decrypt the <strong>flag.enc<\/strong> file with the newly generated private key.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>openssl pkeyutl -decrypt -in &#91;Path to encrypted file] -out myfile_decrypted.txt -inkey &#91;Path to key.priv]<\/code><\/pre>\n\n\n\n<p>This will generate a decrypted file called <strong>myfile_decrypted.txt<\/strong>.<\/p>\n\n\n\n<p>You should now be able to view the decrypted text file and get the answer.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>Once you know what to do, it is a pretty easy lab. I, however, was too focused on using the tools I did know how to use instead of searching for new tools. A quick Google search at the beginning could have told me about RsaCtfTool and helped solve this problem much more quickly. 
<\/p>\n\n\n\n<p>Lesson learned.<\/p>\n\n\n\n<p>As always, thanks for reading and catch you all later.<\/p>\n\n\n\n<p>-sgtdiddlywink<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I have to give HTB some credit for their labs. I always walk into them thinking that I totally know how to finish them. 3-4 hours later, I have learned some new subject\/tools and have had to read up on a few other walkthroughs to finish them. This one was unfortunately no different in that [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":332,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[48,79,3],"tags":[94,71,93,92,83,82,18,80,62,95,91,90],"class_list":["post-325","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hacking","category-htb","category-updates","tag-crypto","tag-cryptography","tag-decryption","tag-encryption","tag-hack","tag-hack-the-box","tag-hacking","tag-htb","tag-john-the-ripper","tag-openssl","tag-rsa","tag-rsactftools"],"_links":{"self":[{"href":"https:\/\/binaryblisters.com\/index.php?rest_route=\/wp\/v2\/posts\/325","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/binaryblisters.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/binaryblisters.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/binaryblisters.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/binaryblisters.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=325"}],"version-history":[{"count":2,"href":"https:\/\/binaryblisters.com\/index.php?rest_route=\/wp\/v2\/posts\/325\/revisions"}],"predecessor-version":[{"id":333,"href":"https:\/\/binaryblisters.com\/index.php?rest_route=\/wp\/v2\/posts\/325\/revisions\/333"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/binaryblisters.com\/index.php?rest_route=\/wp\/v2\/me
dia\/332"}],"wp:attachment":[{"href":"https:\/\/binaryblisters.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=325"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/binaryblisters.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=325"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/binaryblisters.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=325"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}