HackTheBox ElElGamal Writeup

Explore the basics of cybersecurity in the ElElGamal Challenge on Hack The Box. This easy-level Challenge introduces encryption reversal and file handling concepts in a clear and accessible way, perfect for beginners.

https://app.hackthebox.com/challenges/379

Description

After some minor warnings from IDS, you decide to check the logs to see if anything suspicious is happening. Surprised by what you see, you realise that one of your honeypots has been compromised with a cryptominer. As you look at the processes, you discover a backdoor attached to one of them. The backdoor retrieves the private key from the /key route of a C2. It establishes a session by sending an encrypted initialization sequence. After the session is established, it waits for commands. The commands are encrypted and executed by the source code you found. Unfortunately, the IDS could not detect the request to /key and the machine was rebooted after the compromise, so the key cannot be found on the stack. Can you find out if any data was exfiltrated from the honeypot to mitigate future attacks?

Exploitation

#!/usr/bin/env python3
from Crypto.Util.number import bytes_to_long, long_to_bytes, inverse
import base64

def decrypt_message(ciphertext: str, s: int, q: int) -> str:
    # Each ciphertext is "base64(c1)|base64(c2)"; only c2 is needed once s is known.
    try:
        _, c2 = ciphertext.split("|")
        c2 = bytes_to_long(base64.b64decode(c2))
        # The message is masked as c2 = m * s mod q, so m = c2 * s^-1 mod q.
        m = (c2 * inverse(s, q)) % q
        return long_to_bytes(m).decode()
    except Exception as e:
        return f"[Decryption failed: {str(e)}]"

def main():
    # q: modulus; s: masking value shared by every ciphertext below (they all carry the same c1).
    q = 855098176053225973412431085960229957742579395452812393691307482513933863589834014555492084425723928938458815455293344705952604659276623264708067070331
    s = 804519413946339833036807676236425366393713828575772089253931453873946915064743259014634759406656096586184230449849670884334808422167611972326858050206
    ciphertexts = [
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|EtJdz4TGpsPRxpCfSU1EzHCdn7dwx/wM5ddhCA4PpiGZTUpytbe6qYbNgrtJNmB3aTGCMiaxFr1jQfjtonk=",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|ApmwM0ox37numDswK1IMAD5I9sD1OLnV4hCEtv6+j/2kF0wIZeckbfZNas/wczb85jEhV8cmRpgRfOy8SYGu",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|zfdAT+azces+LVK57G+oYrdBA9/A30LMnAFhVG5T21jkLgDRayGHw1yilT90GJ9a0wSsfNbxsmJPqqo1B1U=",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|AhTIGaZxjVa/UARA76g2ECDoeAUvC0btVMnRo0/HxyS7E0MqmyyJcSttPf9kfGjbN06FrFj56NJrILbGf4K2",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|RHOqLQjEjbID7TyPTp+p/OOznHzyuNI9QaLj8F2/vAZpCDUK1//yFaJO78UwjjgzcQWY9yv2hkgY8ACge/c=",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|AQZrbR9r7dO+CdPHp8I4SgDP/0MOA0NkvWWcaDImB5HPhubKGbNS9OnNcs2ShdXXJ9+pygF7M1hBgIWWuZYR",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|exHMS0Jj51CnO2Ai2lES3P7Upsfvi33Km/GZ3I0XbAo2aqs4xnNoRaLtV0DwcjI/MgRar2UGSoPTt3oJGu0=",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|2x692eZegFskxXnptM8btDeLb0S2foSlo1iKV09bNXWZUuIyzfcYrR3mX0SP9UBeNOz8eRFOwPy2K0Lyc2A=",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|gQ83O8Sg19BC4HnMFEknUGHQGOMyGFRX22UUe1YB1yZtYx+aAq6n/4M0gl/GpWZvXURqfaERc25o9Tg2pFE=",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|exHMS0Jj51CnO2Ai2lES3P7Upsfvi33Km/GZ3I0XbAo2aqs4xnNoRaLtV0DwcjI/MgRar2UGSoPTt3oJGu0=",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|AuCkgVY/lWBG5XFgfYwCNC9nOZjI2ncCHKfTcl2K2Ie5Bo6EaShdUsQP4rUMy4t5ZEK1cM0ZB+KdHfCZUiUQ",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|A6S0OgAtdvQ4YIheDtCHvgDCDoB+DV0jUnXzOSu2KV9nHu/zAn18M7ou8V25BsGiqW6IyDCPNFXTRHN4FtnP",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|AiZ95CrjFfQQstT8aU+H1t9dUH4i7OlQ1nVkx8SmaTcIGXbZXghaFkOE07+4aK20BuUi3rRhxwjwFh7K5Zmq",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|Mp5n6bs2QtuyR6//cxsqQMzBoXhFqotQBZqeN44geBUHxDAmfw61rZ/GclXTy+SrWNDcM6vhOOTg28Sm6AQ=",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|A6Mcdavba6LTd+t2mCiW38A5/1lYamiLLPkFIdjWsXvoIPPrE15R021C4wbaPKWTgXdtRwtDzBL6UxXdLIGe",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|A24NpCGdnRip3aKRE3HvBos6Fc7ywzStdsozn0OzvyLENqyD/IOVdLpW7RYXb1pSBxNrT/eOCjTR9tcHN4oy",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|AXUFQXwvC9UmYYv+s4Fp4uZIvRJNsYTpo39EE454rqYJXSExNV/IzeDhq9HTFtyvSpe7tQ/m7iSn7GRBNfMH",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|Ab70nelzVaGrGSreMo7TE3I477UnXwdJnFhiwhKOUONkXFIJqwRPH4ntqtgHTJXIUb3l4IlXl0bDePN834aZ",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|KHShTHH+sId0qHwxjmTjn2J/jc3jVTZdc/9WQmsDHv9ecoMJrl6If7pF7kjdhyNPTTUtVSUChUWE67/xnUU=",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|A+wzDdGTsLp8pFbwrG0AqBg3ZErY+Smq9HFV5DOzfcqPoctKhul5RjWlKQzxyF6PyogYc8oiGbzzyBEEvFR0",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|AwnfyYhOeJOBGDewNw21q5h6rkqmklF3twyk6RfEw1kLlBxlVjkY/wa9RrH5UKQELFg3b9L6BHe9iz5Z4QtM",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|A1e13VqBQhTFFV0f53Up3gJdexBo1y8CxIuXUhfavnaOG60SDmpywm5qF6CsgdTQlOAPWOpvdzFb2dCbq+Gb",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|K1zTtrfRe/7m9zq2KLEx+TpCe6oDzKXowhWx/Qte+Pm1e8MCcCXyxZXGObSsPfV/LQwEr8/QMhBOtollXfA=",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|Ahnm8a3aF3MpjcpMITSCF2/B82sIOhJlizpCv36pi3gJWxxUZOfBSeEuhQVXHRcZPB4zETnWRsXOpV0mlMCF",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|AYBg6cwatQfYX/C77xd3gO+LGJaX38iNImpBJ8Uh2RVQOSQ/ZNa727ABEop14ASj2JYwHGV1YRfznGh+CzGE",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|AmnmFxw/D1tDDGgeA88kCbkoplBsQkmbP0JJrIkyAC/Pjgz+ZEItIEpvhnY2CHPHJoC40dRaX09beLbZdjcn",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|AqABsE2xVZ5n7pGxZmNJVHbo5NQCWKFM5+LlfBdUVHCJQswC+dl+iUE5s3Wf7WSerRHuSAAB1OlBGPUX0i4F",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|BC05EGpSllh0wVHiq8xKZ9XG6LS6wYP/nBaPVtTyl2z1UeNBivNlJ5/t+sM9H5q51B7H9J3lDw/w/lJrtWMT",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|AgbGDeskwl6G9K9IsiESe/Sd5Hf/Fcy7wHLf6VEUGO1hzMtdy2UVRNWoPCZV0gM4l7kmfUfSwmKrGH8CORXS",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|+SoF4PFex5x0UnYa0EXb3oBbQ622fHyCNCA9+Lx1GYmVP9AtWUJpRXRC/TxsaMwtBwZV1iNg2xgISeU0Hro=",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|ARvSDNTKA21WJuF2wJYmT/fHpwdA17ptvgZKWqPfaPkwDFFXMHibS/7r4Jd6SoQ7AwPOJe51TrVc25uoFPnb",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|A1dGzEQIwMFvsUgxkkusJij1wIfWdJkS6NhluzZkm9w/g9iA6DuXa73NdfKGW5HUYBv3p+zzjdy/9sB41ktd",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|hmbmiCbLKjFYa4YkYBVYxEY/RtJY9i7CnqsaZq5JBOorWolAVktFzEnMSkpbjlWNxAV0UbfoKEBkuW8FOmo=",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|EI3rF7Eil+O+Q1ZnMLf3i2tml78mojCya4ddJVfuGDT5fOxgMfd3KokAQawpWH2XZXTjINmprN764RhmWbg=",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|AnTO1nIF7gCoaIIh+BZ8Rd8tH3pZQeHvgXYwpWxG2gqysFEFq4l364BVRnI7kM3zMSwFUzFbV2egqHgzWw2p",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|yx/r6WE8+zYUYEAgCzl30g7Nld0g/GJhKzUNzZ4auS9YVHSSAAbHN/+5vCCQiEh3J+JPIxmstjYveJZoLuk=",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|qU3/SEDVdBlyZF4HwrBzYQDyqqwnBQG2bABUh9KPnwawixN47EhnemUJEq5QVA1+jT0ZmsFbi2T+XAyzdxA=",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|AvlVyNw8FpRvZwtB3Gq6BCB60zBdKzpL7EUN737p8WS7pGUBJC0O0MiLc5k0Vz80yLiQwOwbXtHVADoQ4nz7",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|Awm9WN3jiTex3fuDBElIyWPm4UoUCt1K2+N99GuQxJT+hOHgFlEHAsKcGxOIu5ZQHoPcR5ELv7kWbEf5KVLs",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|yx/r6WE8+zYUYEAgCzl30g7Nld0g/GJhKzUNzZ4auS9YVHSSAAbHN/+5vCCQiEh3J+JPIxmstjYveJZoLuk=",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|AZ2UTDvCOY9utPTr7/4N1DhlNgT/hB00aVANw60OJLMXW+xpbkoa6PH5DP3GKqOgUTw7QEZbJVUsu/kIpzIo",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|zcoCxUfT9ruiJVY1MipXLNhoXv1tQh5zaBE3M7QJOWzRPn5lMMEnQTRGjm0DabyyB8DGDWFiniMGI5/5pBE=",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|yx/r6WE8+zYUYEAgCzl30g7Nld0g/GJhKzUNzZ4auS9YVHSSAAbHN/+5vCCQiEh3J+JPIxmstjYveJZoLuk=",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|Ar3Kf8wSBKazztCh/ZUN8O/9c6Mb3GlhS/pkdW/R1lii+9suAvhF71TrlORl5zaKJgxYwpFEoWB2UVWSjSIs",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|At2fiWhVfIhl5b64S0Gt6VN23undOdTUxKtb9/fnjf+4dU76qu5CJg13qiy8KDFvSXtoLg732h1hpJYWtjZ+",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|ARPAb/qbCo2R0emUhbEd/DjGw2P6YXZUuj+BiD1burllUucNh1Hd3YXkH9gGyvcSPca0pOBa/Qhct6aV1s3F",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|AjEcwHtXwrHxi0vXXvBZ8k24PrW7k9To/nAQcNOX+UbGmXTzwbUEFFixEdJUF7HViJA91luh1da9mOSRcj1I",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|AXWLri4wwhHtSLu2B6Yl43lRxOkWA8QhgxCot/4Rlrf39DTiLvgTGUN7yFKEES5Uqqs0iDWTzrvLrTomrSwQ",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|AhY1sFJfeqiTfUcuMwmLlTcFdB8KnFC4rDb21Z6YR6Yn8yXNE7fHcN58UNOJF5FzUFJJvR1n7wHso4PzZcbm",
        "43zIOhk1ayUoiAXipAm3tdNPwgyzIhZjRUcRc7fw5PiSUN1b3ICzHEFbNhiti2aB2jdvs4uYHUqN1YdZtyY=|AbvkqKFzC9dbZtD/mg0UGhQAa2iI9DfcuVHzGGzb8i+DqFiiLs3KwpSpGdadxyVBtc28VNA5XTnJr/LywwWG",
    ]
    for ct in ciphertexts:
        print(decrypt_message(ct, s, q))

if __name__ == "__main__":
    main()

Summary

The ElElGamal Challenge on Hack The Box focuses on exploiting vulnerabilities in the ElGamal encryption scheme. Participants analyze the implementation to identify weaknesses, such as reused randomness or insecure key generation. By leveraging mathematical techniques like the greatest common divisor (GCD) and properties of modular arithmetic, they decrypt the message and retrieve the flag. This challenge offers a hands-on opportunity to deepen understanding of cryptographic protocols and their practical flaws.
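
Every ciphertext in the script above carries the same first component, which is the reused-randomness weakness the summary names. The following added example (not the author's code or the challenge source) uses a constructed toy prime, generator and plaintexts, and assumes one plaintext is known, to show how an analyst can flag repeated c1 values in captured traffic and why a single known message then exposes the rest.

```python
import base64
import secrets
from collections import Counter

# Constructed toy group (assumption, not the challenge's parameters).
P = 2**127 - 1   # Mersenne prime modulus
G = 3

def _b64(n: int) -> str:
    return base64.b64encode(n.to_bytes(16, "big")).decode()

def encrypt(m: bytes, h: int, y: int) -> str:
    """Textbook ElGamal in the page's base64 'c1|c2' format; y is the ephemeral key."""
    c1 = pow(G, y, P)
    c2 = int.from_bytes(m, "big") * pow(h, y, P) % P
    return f"{_b64(c1)}|{_b64(c2)}"

def parse(ct: str):
    c1, c2 = (int.from_bytes(base64.b64decode(part), "big") for part in ct.split("|"))
    return c1, c2

def reused_c1(cts):
    """Audit check: c1 values that occur in more than one ciphertext."""
    counts = Counter(parse(ct)[0] for ct in cts)
    return {c1 for c1, n in counts.items() if n > 1}

def recover_mask(ct: str, known_plaintext: bytes) -> int:
    """s = c2 * m^-1 mod P, from one ciphertext whose plaintext is known."""
    m = int.from_bytes(known_plaintext, "big")
    return parse(ct)[1] * pow(m, -1, P) % P

def decrypt_with_mask(ct: str, s: int) -> bytes:
    m = parse(ct)[1] * pow(s, -1, P) % P
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def demo():
    h = pow(G, secrets.randbelow(P - 2) + 1, P)   # receiver's public key
    y = secrets.randbelow(P - 2) + 1              # flaw: one y for every message
    msgs = [b"INIT-SEQ", b"uname -a", b"id"]      # constructed plaintexts
    cts = [encrypt(m, h, y) for m in msgs]
    s = recover_mask(cts[0], msgs[0])             # first plaintext assumed known
    return reused_c1(cts), [decrypt_with_mask(c, s) for c in cts[1:]]

if __name__ == "__main__":
    print(demo())
```

With a fresh y per message, reused_c1 returns an empty set and a mask recovered from one ciphertext no longer decrypts the others.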

This post is licensed under CC BY 4.0 by the author.