Overthewire: Krypton通关指引

OverTheWire的Wargame对于想要学习攻防技术的入门同学来说是非常好的游戏，通过练习wargame获得基本工具的使用技巧和思路。本文梳理了Wargame的Krypton一些通关技巧，旨在给一些刚开始的同学做一些思路上的整理，仅供参考。

OverTheWire的Krypton登录网址：

OverTheWire: Level Infohttps://overthewire.org/wargames/krypton/krypton0.htmlKrypton主要考察密码学知识，需要一定的密码学基础。

Krypton Level 0 → Level 1

Welcome to Krypton! The first level is easy. The following string encodes the password using Base64:
S1JZUFRPTklTR1JFQVQ=
Use this password to log in to krypton.labs.overthewire.org with username krypton1 using SSH on port 2231. You can find the files for other levels in /krypton/

第一关非常简单，用base64解S1JZUFRPTklTR1JFQVQ=，获得密码KRYPTONISGREAT

echo "S1JZUFRPTklTR1JFQVQ=" | base64 -d
KRYPTONISGREAT

Krypton Level 1 → Level 2

The password for level 2 is in the file ‘krypton2’. It is ‘encrypted’ using a simple rotation. It is also in non-standard ciphertext format. When using alpha characters for cipher text it is normal to group the letters into 5 letter clusters, regardless of word boundaries. This helps obfuscate any patterns. This file has kept the plain text word boundaries and carried them to the cipher text. Enjoy!

进入krypton2之后，cd到/krypton/krypton1目录下，有两个文件，先看README

提示是经典的ROT13，可以用tr命令进行解密，密文是

YRIRY GJB CNFFJBEQ EBGGRA

使用如下命令，得到密码 ROTTEN

cat ./krypton2 |tr 'A-Z' 'N-ZA-M'

Krypton Level 2 → Level 3

ROT13 is a simple substitution cipher.

Substitution ciphers are a simple replacement algorithm. In this example of a substitution cipher, we will explore a ‘monoalphebetic’ cipher. Monoalphebetic means, literally, “one alphabet” and you will see why.

This level contains an old form of cipher called a ‘Caesar Cipher’. A Caesar cipher shifts the alphabet by a set number. For example:
plain:  a b c d e f g h i j k ...
cipher: G H I J K L M N O P Q ...
In this example, the letter ‘a’ in plaintext is replaced by a ‘G’ in the ciphertext so, for example, the plaintext ‘bad’ becomes ‘HGJ’ in ciphertext.

The password for level 3 is in the file krypton3. It is in 5 letter group ciphertext. It is encrypted with a Caesar Cipher. Without any further information, this cipher text may be difficult to break. You do not have direct access to the key, however you do have access to a program that will encrypt anything you wish to give it using the key. If you think logically, this is completely easy.

One shot can solve it!

Have fun.

Additional Information:

The encrypt binary will look for the keyfile in your current working directory. Therefore, it might be best to create a working direcory in /tmp and in there a link to the keyfile. As the encrypt binary runs setuid krypton3, you also need to give krypton3 access to your working directory.

Here is an example:
krypton2@melinda:~$ mktemp -d
/tmp/tmp.Wf2OnCpCDQ
krypton2@melinda:~$ cd /tmp/tmp.Wf2OnCpCDQ
krypton2@melinda:/tmp/tmp.Wf2OnCpCDQ$ ln -s /krypton/krypton2/keyfile.dat
krypton2@melinda:/tmp/tmp.Wf2OnCpCDQ$ ls
keyfile.dat
krypton2@melinda:/tmp/tmp.Wf2OnCpCDQ$ chmod 777 .
krypton2@melinda:/tmp/tmp.Wf2OnCpCDQ$ /krypton/krypton2/encrypt /etc/issue
krypton2@melinda:/tmp/tmp.Wf2OnCpCDQ$ ls
ciphertext  keyfile.dat

ROT13是非常简单的，在本题中，仍然要继续使用凯撒密码的原理，题目给出了一个加密程序，也就是/krypton/krypton2/encrypt这个文件，这个程序是用来加密的，题目中给了一个示例，让我们把/etc/issue加密。我们跟着前面的步骤进行，如下

krypton2@krypton:/krypton/krypton2$ mktemp -d
/tmp/tmp.TfgyRIDd01
krypton2@krypton:/krypton/krypton2$ ls
encrypt  keyfile.dat  krypton3  README
krypton2@krypton:/krypton/krypton2$ cat krypton3
OMQEMDUEQMEK
krypton2@krypton:/krypton/krypton2$ cd /tmp/tmp.TfgyRIDd01
krypton2@krypton:/tmp/tmp.TfgyRIDd01$ ln -s /krypton/krypton2/keyfile.dat
krypton2@krypton:/tmp/tmp.TfgyRIDd01$ chmod 777 .

然后我们自己创建一个文件，把我们要加密的A-Za-z输入进去，然后用encrypt进行加密获得密文，然后用原文+密文对应的方法解密。

krypton2@krypton:/tmp/tmp.TfgyRIDd01$ vim alpha.txt
（在创建的文件里面输入ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz，保存退出）
krypton2@krypton:/tmp/tmp.TfgyRIDd01$ /krypton/krypton2/encrypt alpha.txt
krypton2@krypton:/tmp/tmp.TfgyRIDd01$ ls
alpha.txt  ciphertext  keyfile.dat
krypton2@krypton:/tmp/tmp.TfgyRIDd01$ cat ciphertext
MNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKL

然后我们写一个简单的python脚本来处理密码

#!/usr/bin/env python3
# coding:utf-8cipher='OMQEMDUEQMEK'
encrypted_data='MNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKL'
origin_data = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
e_dict = dict([x for x in zip(encrypted_data,origin_data)])
for i in cipher:decrypt_data.append(e_dict[i])
print(''.join(decrypt_data)

得到密码：CAESARISEASY

Krypton Level 3 → Level 4

Well done. You’ve moved past an easy substitution cipher.

The main weakness of a simple substitution cipher is repeated use of a simple key. In the previous exercise you were able to introduce arbitrary plaintext to expose the key. In this example, the cipher mechanism is not available to you, the attacker.

However, you have been lucky. You have intercepted more than one message. The password to the next level is found in the file ‘krypton4’. You have also found 3 other files. (found1, found2, found3)

You know the following important details:

The message plaintexts are in English (*** very important) - They were produced from the same key (*** even better!)

Enjoy.

本题提示我们要使用多个密文来推测原文，我们进入到目录去查看一下文件。

krypton3@krypton:/krypton/krypton3$ cat ./HINT*
Some letters are more prevalent in English than others.
"Frequency Analysis" is your friend.

查阅提示，是让我们用频率分析法，原文是英文（这个很重要），我们去百度一下英文字符在文章中出现的频率。

E是使用频率最高的,下面是英文字母使用频率表:(%) A 8.19 B 1.47 C 3.83 D 3.91 E 12.25 F 2.26 G 1.71 H 4.57 I 7.10 J 0.14 K 0.41 L 3.77 M 3.34 N 7.06 O 7.26 P 2.89 Q 0.09 R 6.85 S 6.36 T 9.41 U 2.58 V 1.09 W 1.59 X 0.21 Y 1.58 Z 0.08

我们把found所有文件读取出来

krypton3@krypton:/krypton/krypton3$ cat ./found*
CGZNL YJBEN QYDLQ ZQSUQ NZCYD SNQVU BFGBK GQUQZ QSUQN UZCYD SNJDS UDCXJ ZCYDS NZQSU QNUZB WSBNZ QSUQN UDCXJ CUBGS BXJDS UCTYV SUJQG WTBUJ KCWSV LFGBK GSGZN LYJCB GJSZD GCHMS UCJCU QJLYS BXUMA UJCJM JCBGZ CYDSN CGKDC ZDSQZ DVSJJ SNCGJ DSYVQ CGJSO JCUNS YVQZS WALQV SJJSN UBTSX COSWG MTASN BXYBU CJCBG UWBKG JDSQV YDQAS JXBNS OQTYV SKCJD QUDCX JBXQK BMVWA SNSYV QZSWA LWAKB MVWAS ZBTSS QGWUB BGJDS TSJDB WCUGQ TSWQX JSNRM VCMUZ QSUQN KDBMU SWCJJ BZBTT MGCZQ JSKCJ DDCUE SGSNQ VUJDS SGZNL YJCBG UJSYY SNXBN TSWAL QZQSU QNZCY DSNCU BXJSG CGZBN YBNQJ SWQUY QNJBX TBNSZ BTYVS OUZDS TSUUM ZDQUJ DSICE SGNSZ CYDSN QGWUJ CVVDQ UTBWS NGQYY VCZQJ CBGCG JDSNB JULUJ STQUK CJDQV VUCGE VSQVY DQASJ UMAUJ CJMJC BGZCY DSNUJ DSZQS UQNZC YDSNC USQUC VLANB FSGQG WCGYN QZJCZ SBXXS NUSUU SGJCQ VVLGB ZBTTM GCZQJ CBGUS ZMNCJ LUDQF SUYSQ NSYNB WMZSW TBUJB XDCUF GBKGK BNFAS JKSSG QGWDC USQNV LYVQL UKSNS TQCGV LZBTS WCSUQ GWDCU JBNCS UESGN SUDSN QCUSW JBJDS YSQFB XUBYD CUJCZ QJCBG QGWQN JCUJN LALJD SSGWB XJDSU COJSS GJDZS GJMNL GSOJD SKNBJ STQCG VLJNQ ESWCS UMGJC VQABM JCGZV MWCGE DQTVS JFCGE VSQNQ GWTQZ ASJDZ BGUCW SNSWU BTSBX JDSXC GSUJS OQTYV SUCGJ DSSGE VCUDV QGEMQ ESCGD CUVQU JYDQU SDSKN BJSJN QECZB TSWCS UQVUB FGBKG QUNBT QGZSU QGWZB VVQAB NQJSW KCJDB JDSNY VQLKN CEDJU TQGLB XDCUY VQLUK SNSYM AVCUD SWCGS WCJCB GUBXI QNLCG EHMQV CJLQG WQZZM NQZLW MNCGE DCUVC XSJCT SQGWC GJKBB XDCUX BNTSN JDSQJ NCZQV ZBVVS QEMSU YMAVC UDSWJ DSXCN UJXBV CBQZB VVSZJ SWSWC JCBGB XDCUW NQTQJ CZKBN FUJDQ JCGZV MWSWQ VVAMJ JKBBX JDSYV QLUGB KNSZB EGCUS WQUUD QFSUY SQNSU QVJDB MEDGB QJJSG WQGZS NSZBN WUXBN JDSYS NCBWU MNICI STBUJ ACBEN QYDSN UQENS SJDQJ UDQFS UYSQN SKQUS WMZQJ SWQJJ DSFCG EUGSK UZDBB VCGUJ NQJXB NWQXN SSUZD BBVZD QNJSN SWCGQ ABMJQ HMQNJ SNBXQ TCVSX NBTDC UDBTS ENQTT QNUZD BBVUI QNCSW CGHMQ VCJLW MNCGE JDSSV CPQAS JDQGS NQAMJ JDSZM NNCZM VMTKQ UWCZJ QJSWA LVQKJ DNBME DBMJS GEVQG WQGWJ DSUZD BBVKB MVWDQ ISYNB ICWSW QGCGJ SGUCI SSWMZ QJCBG CGVQJ CGENQ TTQNQ GWJDS ZVQUU CZUQJ JDSQE SBXUD QFSUY SQNST QNNCS WJDSL SQNBV WQGGS DQJDQ KQLJD SZBGU CUJBN LZBMN JBXJD SWCBZ SUSBX KBNZS UJSNC UUMSW QTQNN CQESV CZSGZ SBGGB ISTAS NJKBB XDQJD QKQLU GSCED ABMNU YBUJS WABGW UJDSG SOJWQ LQUUM NSJLJ DQJJD SNSKS NSGBC TYSWC TSGJU JBJDS TQNNC QESJD SZBMY VSTQL DQISQ NNQGE SWJDS ZSNST BGLCG UBTSD QUJSU CGZSJ DSKBN ZSUJS NZDQG ZSVVB NQVVB KSWJD STQNN CQESA QGGUJ BASNS QWBGZ SCGUJ SQWBX JDSMU MQVJD NSSJC TSUQG GSUYN SEGQG ZLZBM VWDQI SASSG JDSNS QUBGX BNJDC UUCOT BGJDU QXJSN JDSTQ NNCQE SUDSE QISAC NJDJB QWQME DJSNU MUQGG QKDBK QUAQY JCUSW BGTQL JKCGU UBGDQ TGSJQ GWWQM EDJSN RMWCJ DXBVV BKSWQ VTBUJ JKBLS QNUVQ JSNQG WKSNS AQYJC USWBG XSANM QNLDQ TGSJW CSWBX MGFGB KGZQM USUQJ JDSQE SBXQG WKQUA MNCSW BGQME MUJQX JSNJD SACNJ DBXJD SJKCG UJDSN SQNSX SKDCU JBNCZ QVJNQ ZSUBX UDQFS UYSQN SMGJC VDSCU TSGJC BGSWQ UYQNJ BXJDS VBGWB GJDSQ JNSUZ SGSCG ASZQM USBXJ DCUEQ YUZDB VQNUN SXSNJ BJDSL SQNUA SJKSS GQGWQ UUDQF SUYSQ NSUVB UJLSQ NUACB ENQYD SNUQJ JSTYJ CGEJB QZZBM GJXBN JDCUY SNCBW DQISN SYBNJ SWTQG LQYBZ NLYDQ VUJBN CSUGC ZDBVQ UNBKS UDQFS UYSQN SUXCN UJACB ENQYD SNNSZ BMGJS WQUJN QJXBN WVSES GWJDQ JUDQF SUYSQ NSXVS WJDSJ BKGXB NVBGW BGJBS UZQYS YNBUS ZMJCB GXBNW SSNYB QZDCG EQGBJ DSNSC EDJSS GJDZS GJMNL UJBNL DQUUD QFSUY SQNSU JQNJC GEDCU JDSQJ NCZQV ZQNSS NTCGW CGEJD SDBNU SUBXJ DSQJN SYQJN BGUCG VBGWB GRBDG QMANS LNSYB NJSWJ DQJUD QFSUY SQNSD QWASS GQZBM GJNLU ZDBBV TQUJS NUBTS JKSGJ CSJDZ SGJMN LUZDB VQNUD QISUM EESUJ SWJDQ JUDQF SUYSQ NSTQL DQISA SSGST YVBLS WQUQU ZDBBV TQUJS NALQV SOQGW SNDBE DJBGB XVQGZ QUDCN SQZQJ DBVCZ VQGWB KGSNK DBGQT SWQZS NJQCG KCVVC QTUDQ FSUDQ XJSCG DCUKC VVGBS ICWSG ZSUMA UJQGJ CQJSU UMZDU JBNCS UBJDS NJDQG DSQNU QLZBV VSZJS WQXJS NDCUW SQJDDSNSM YBGVS ENQGW QNBUS KCJDQ ENQIS QGWUJ QJSVL QCNQG WANBM EDJTS JDSAS SJVSX NBTQE VQUUZ QUSCG KDCZD CJKQU SGZVB USWCJ KQUQA SQMJC XMVUZ QNQAQ SMUQG WQJJD QJJCT SMGFG BKGJB GQJMN QVCUJ UBXZB MNUSQ ENSQJ YNCPS CGQUZ CSGJC XCZYB CGJBX ICSKJ DSNSK SNSJK BNBMG WAVQZ FUYBJ UGSQN BGSSO JNSTC JLBXJ DSAQZ FQGWQ VBGEB GSGSQ NJDSB JDSNJ DSUZQ VSUKS NSSOZ SSWCG EVLDQ NWQGW EVBUU LKCJD QVVJD SQYYS QNQGZ SBXAM NGCUD SWEBV WJDSK SCEDJ BXJDS CGUSZ JKQUI SNLNS TQNFQ AVSQG WJQFC GEQVV JDCGE UCGJB ZBGUC WSNQJ CBGCZ BMVWD QNWVL AVQTS RMYCJ SNXBN DCUBY CGCBG NSUYS ZJCGE CJ

把这些读出来的文本用频率分析法分析，写个python脚本来处理这些文本。

#!/usr/bin/env python3
#coding:utf-8encrypted_data = 'CGZN...' #密文，自己替换为所有密文，不在此浪费篇幅#生成频率统计用的字典
keys = [chr(x) for x in range(ord('A'),ord('Z')+1)]
values = [0]*26
frequency = dict([x for x in zip(keys,values)])#统计所有字符的次数
for alpha in encrypted_data:frequency[alpha] = frequency[alpha]+1#计算频率
for each_key in frequency:frequency[each_key] = round(frequency[each_key]/3526.0,4)

得到每个字符的频率，对字符进行排序，就可以找到对应的字符：

#输出的结果
{'A': 0.0156, 'B': 0.0698, 'C': 0.0644,  'D': 0.0596,  'E': 0.0182, 'F': 0.0079, 'G': 0.0644, 'H': 0.0011, 'I': 0.0054, 'J': 0.0854, 'K': 0.019, 'L': 0.017, 'M': 0.0244, 'N': 0.0681, 'O': 0.0034, 'P': 0.0006, 'Q': 0.0964, 'R': 0.0011, 'S': 0.1293, 'T': 0.0213, 'U': 0.0729, 'V': 0.0369, 'W': 0.0366, 'X': 0.0201, 'Y': 0.0238, 'Z': 0.0374}#排序结果
[('P', 0.0006), ('H', 0.0011), ('R', 0.0011), ('O', 0.0034), ('I', 0.0054),
('F', 0.0079), ('A', 0.0156), ('L', 0.017), ('E', 0.0182), ('K', 0.019),
('X', 0.0201), ('T', 0.0213), ('Y', 0.0238), ('M', 0.0244), ('W', 0.0366),
('V', 0.0369), ('Z', 0.0374), ('D', 0.0596), ('C', 0.0644), ('G', 0.0644),
('N', 0.0681), ('B', 0.0698), ('U', 0.0729), ('J', 0.0854), ('Q', 0.0964),
('S', 0.1293)]#字母频率排序
[('Z', 0.08), ('Q', 0.09), ('J', 0.14), ('X', 0.21), ('K', 0.41), ('V', 1.09),
('B', 1.47), ('Y', 1.58), ('W', 1.59), ('G', 1.71), ('F', 2.26), ('U', 2.58),('P', 2.89), ('M', 3.34), ('L', 3.77), ('C', 3.83), ('D', 3.91), ('H', 4.57),('S', 6.36), ('R', 6.85), ('N', 7.06), ('I', 7.1), ('O', 7.26), ('A', 8.19),('T', 9.41), ('E', 12.25)]

根据之前所列的频率，我们确定一下每个字符对应的英文字符，因为样本不够大，所以还是不能完全对应，我们要自己进行推测，在样本中，要能组成一个单词，我们确定S对应的是E，D对应的H，推测J对应的是T，可以组成THE，是一个单词，后续也可以进行排序后的微调，最后得到一种可能性：BOIHGKNQVTWYURXZAJEMSLDFPC

krypton3@krypton:/krypton/krypton3$ cat ./krypton4 |tr 'A-Z' 'BOIHGKNQVTWYURXZAJEMSLDFPC'
WELLDONETHELEVELFOURPASSWORDISBRUTE

得到密码：BRUTE

持续更新中…

Overthewire: Krypton通关指引相关推荐

OverTheWire:Wargame-Natas通关指引
OverTheWire的Wargame系列有很多,Natas是关于web渗透的wargame,通过Natas的训练,掌握基本的Web渗透技巧,Web渗透学习的书很多,推荐一本<Web安全测试&g ...
OverTheWire: Bandit通关指引
OverTheWire的Wargame对于想要学习攻防技术的入门同学来说是非常好的游戏,通过练习wargame获得基本工具的使用技巧和思路.本文梳理了Wargame入门的Bandit的一些通关技巧,旨 ...
OverTheWire:Bandit通关WriteUp（2019.01.17完）
OverTheWire:Bandit通关全攻略WriteUp 背景通关过程 Level 0 Level 0-->Level 1 Level 1 - Level 2 Level 2 - Leve ...
明日之后1月14日服务器维护,《明日之后》1月14日更新内容汇总 1月14日新增内容介绍...
导读明日之后11月14日更新了什么?在本次的更新中全新钓鱼玩法上线,具体更新了哪些内容呢?九游的小编为大家带来了详细的介绍,感兴趣的玩家快来看看吧! 11月14日更新内容汇总: [全新钓鱼玩法] ...
明日之后服务器什么时候维护好,明日之后11月14日维护什么时候结束
明日之后在今天早上6点半开启了停服维护,目前服务器还未开启,来看看9k9k小编rayxx带来的明日之后11月14日维护什么时候结束. 亲爱的幸存者, 我们将于11月14日(周三)早上6点30分进行例行 ...
明日之后1月14日服务器维护,明日之后11月14日停机更新公告：更新内容有哪些？...
在明日之后手游中,为了让玩家们更好的体验游戏.明日之后于11月14日对游戏进行了停机更新,本次都更新了哪些内容?很多玩家还不知道,下面就和小编一起去了解一下吧. 明日之后11月14日停机更新公告: 1 ...
独家下载！《零售数据中台通关指南》，带你玩转新零售
简介:阿里CIO学堂独家出品,零售课程实录公开.<零售数据中台通关指南>来啦!速度来pick. 复制该链接到浏览器完成下载或分享:https://developer.aliyun.com/ ...
linux练习平台WarGame之bandit通关日志
前言~ Bandit是一个学习linux命令的闯关游戏平台,比较类似于ctf,通过闯关的模式,不断的学习新的命令,对于程序员亦或者安全爱好者来说都是一个不错的学习平台传送门目录导航 Level 0 ...
面试宝典：破解最难回答的23个问题及8大面试通关考题
面试常遇到一些纠结的问题,回答稍有不慎,就跳进面试陷阱,让你落败.以下总结了面试中最难回答的23个问题,帮助你在面试中游刃有余. 1.介绍你自己这个问题通常是一个面试的开始的第一个问题,要额外的小心 ...

Overthewire: Krypton通关指引

Krypton Level 0 → Level 1

Krypton Level 1 → Level 2

Krypton Level 2 → Level 3

Krypton Level 3 → Level 4

Overthewire: Krypton通关指引相关推荐

最新文章

热门文章