W1seGuy Room in TryHackMe
2026-1-4 06:31:21 Author: infosecwriteups.com (view original) Views: 6

Trikto


I am keeping this simple. First of all, you get access to the source code.

Download it and examine it to understand what's going on.

The key points to note here are:

  1. Bitwise XOR encryption is used and then the bytes are hex encoded.
  2. The first flag is encrypted this way, and output to you when you connect to port 1337 of the machine.
  3. A key value (5 characters) is randomly generated, and the server asks you to input it. If you input it correctly, you get the second flag.

nc <machine_ip_address> 1337

The flaw with using bitwise XOR this way is that XOR is its own inverse, so any piece of known plaintext gives away the key bytes used at those positions:

Flag XOR Key = Xored_value

Xored_value XOR Flag = Key

So the key is not really protected: wherever you know a character of the flag, you also learn the key character that was used there.


We know from inspecting the source code that the key is 5 characters long. The bitwise XOR operation runs over every character of the flag, but the key is only 5 characters, so the flag length and the key length do not match. To overcome this, the key is cycled: whenever its characters run out, it starts again from the first one, so character i of the flag is XORed with key[i % 5].

The first 4 characters of the flag are THM{ and the last character is }.

So if we XOR THM{ against the first 4 characters of the decoded ciphertext, we get the first 4 characters of the key. I am taking a guess that the last character of the key was used to encrypt the trailing }. That guess is right exactly when the flag length is a multiple of 5: the character at index i is XORed with key[i % 5], so the } at index len-1 reveals key[(len-1) % 5]. The number of decoded characters tells you the length, so you can check this rather than guess.

But first we need to hex-decode the server's output, and then perform the XOR above on the decoded characters to get the key. Send it to the server, and there you go with the second flag!

Once you have the key, run the same XOR operation (with the key cycled) against the entire hex-decoded output from the server. The result is the decrypted value, which is the first flag!

Below is a script that I prepared to automate the entire process:

hex_string = input("Enter hex string: ")   # the hex blob the server prints for flag 1

# Undo the server's hex encoding; the XOR output was a str, so decode it back to one
xored_original = bytes.fromhex(hex_string).decode('utf-8')

def recover_key(text):
    """Known-plaintext attack: XOR the ciphertext with 'THM{' and the trailing '}'."""
    if len(text) < 5:
        raise ValueError("Input string must be at least 5 characters long.")
    # The trailing '}' was XORed with key[(len-1) % 5]. This script assumes that is
    # key[4], which only holds when the flag length is a multiple of 5.
    if (len(text) - 1) % 5 != 4:
        raise ValueError("Flag length is not a multiple of 5; '}' does not pin key[4].")

    known = ['T', 'H', 'M', '{', '}']   # known plaintext: 4 leading characters and the trailing '}'

    output = []

    # Ciphertext XOR plaintext = key, for the first 4 positions
    for i in range(4):
        output.append(chr(ord(text[i]) ^ ord(known[i])))

    # Last ciphertext character XOR '}' = key[4]
    output.append(chr(ord(text[-1]) ^ ord(known[4])))

    return "".join(output)

# Key (answer this to the server to get flag 2)
key = recover_key(xored_original)
print(key)

# Decrypt the whole ciphertext with the cycled key to get flag 1
xored = ""
for i in range(0, len(xored_original)):
    xored += chr(ord(xored_original[i]) ^ ord(key[i % len(key)]))

print(xored)

No, you can't reuse a key from someone else's run 😂 because it's auto-generated to an arbitrary value every time.
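To make the point about the trailing } concrete, here is an added example (my own code, not the original script and not the room's server code) that reproduces both sides offline. It contains a stand-in for the server's encryption step, which is assumed to be repeating XOR followed by hex encoding of the UTF-8 bytes (the inverse of the bytes.fromhex(...).decode('utf-8') step in the script above), a key-recovery routine that works out which key index the trailing } pins instead of assuming key[4], and the decryption of flag 1. The demo flags, the alphanumeric key generator and the fixed key used in the walkthrough are constructed for the example.

```python
import random
import string

KEY_LEN = 5            # key length, as read from the room's source
KNOWN_PREFIX = "THM{"  # known plaintext at the start of every flag
KNOWN_SUFFIX = "}"     # known plaintext at the end of every flag


def repeating_xor(text: str, key: str) -> str:
    """XOR character i of text with key[i % len(key)]. XOR is its own
    inverse, so the same call both encrypts and decrypts."""
    return "".join(chr(ord(c) ^ ord(key[i % len(key)])) for i, c in enumerate(text))


def server_output(flag: str, key: str) -> str:
    """Assumed stand-in for the server: repeating XOR, then hex of the UTF-8
    bytes of the resulting str (the inverse of bytes.fromhex(...).decode('utf-8'))."""
    return repeating_xor(flag, key).encode("utf-8").hex()


def random_key() -> str:
    """Assumed stand-in for the server's key generator (5 alphanumeric chars)."""
    return "".join(random.choices(string.ascii_letters + string.digits, k=KEY_LEN))


def recover_key(hex_blob: str) -> list:
    """Known-plaintext attack on the hex blob the server prints for flag 1.
    Returns KEY_LEN entries: the recovered character for every key position
    that some known plaintext pins, None for positions nothing pins."""
    ct = bytes.fromhex(hex_blob).decode("utf-8")   # undo the hex step
    key = [None] * KEY_LEN
    # ct[i] = flag[i] XOR key[i % 5]  =>  key[i % 5] = ct[i] XOR flag[i]
    for i, p in enumerate(KNOWN_PREFIX):
        key[i % KEY_LEN] = chr(ord(ct[i]) ^ ord(p))
    # The trailing '}' sits at index len(ct)-1 and pins key[(len-1) % 5].
    # That is key[4] only when the flag length is a multiple of 5.
    last = len(ct) - 1
    key[last % KEY_LEN] = chr(ord(ct[last]) ^ ord(KNOWN_SUFFIX))
    return key


def decrypt_flag(hex_blob: str, key: str) -> str:
    """Flag 1: XOR the whole decoded ciphertext with the cycled key."""
    return repeating_xor(bytes.fromhex(hex_blob).decode("utf-8"), key)


def solve(hex_blob: str):
    """Returns (key, flag), or (None, None) when some key position was
    not pinned by known plaintext (flag length not a multiple of 5)."""
    parts = recover_key(hex_blob)
    if any(p is None for p in parts):
        return None, None
    key = "".join(parts)
    return key, decrypt_flag(hex_blob, key)


if __name__ == "__main__":
    key = random_key()
    # Constructed 20-char demo flag (a multiple of 5): '}' pins key[4].
    blob = server_output("THM{sample_flag_123}", key)
    print("server printed:", blob)
    print("recovered key :", solve(blob)[0], "(actual:", key + ")")
    print("flag 1        :", solve(blob)[1])
    # Constructed 21-char flag: '}' pins key[0] again and key[4] stays unknown.
    blob21 = server_output("THM{sample_flag_1234}", key)
    print("21-char flag  :", recover_key(blob21))
```

In the 21-character case the script above would silently hand you a wrong key; this version returns None for the unpinned position, so you know that the fifth key byte still has to be found by other means before the server will accept the answer.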



文章来源: https://infosecwriteups.com/w1seguy-room-in-tryhackme-031880e5a138?source=rss----7b722bfd1b8d---4