1

I'm on an ethical hacking challenge. Which I asked here before. But I need a hint on solving this puzzle.

Note: I do not need the problem resolved, just a hint.

URI=3b6e6e3b6675707d7b7c7175703b767875777f3b676075663a7c607978

When converting this from HEX editor values it returns me this.

;nn;fup}{|qup;vxuw;g`uf:|`yx

So I tried somthing like letter combination. But nothing. And rearranging like this:

URI = ;nn;fup;www;numberValuesOfEach;.com:SomePort

based on their values. And

HOST=14160116180503165914181a591505

HEX leaves me to this:

....Y...Y...
S.L. Barth
  • 5,486
  • 8
  • 38
  • 47
  • 1
    It may be worth looking into [frequency analysis](https://en.wikibooks.org/wiki/Cryptography/Frequency_analysis). Your value doesn't look terribly mangled, so it may end up being something like a simple XOR cipher. You should also dig around to see if you can find what decodes the URI and see if you can reverse engineer that instead. – Mr. Llama Jul 14 '18 at 16:51
  • 1
    @Mr.Llama I imagine frequency analysis would be a little difficult on such a short input. – forest Jul 15 '18 at 09:25
  • 2
    One of your edits here has made it hard to help - looking in the edit history, `3b6e6e3b6675707d7b7c7175703b767875777f3b676075663a7c607978` is present, which can be decoded with a little experimentation with https://gchq.github.io/CyberChef/ – Matthew Jul 16 '18 at 13:06
  • @Duskwuff I almost rejected your edit. Fortunately I knew you're not one to deliberately introduce grammatical errors, so I checked the history of this post. You're doing a good job, but may I ask that you take care not to re-introduce grammatical errors, when putting back the original values in the question? – S.L. Barth Jul 18 '18 at 06:53
  • Possible duplicate of [How to determine what type of encoding/encryption has been used?](https://security.stackexchange.com/questions/3989/how-to-determine-what-type-of-encoding-encryption-has-been-used) – forest Jul 20 '18 at 23:08

1 Answers1

4

As requested, here is a hint:

Both the URI and host are encoded in hexadecimal, with each character XORed against the same value. (That is, it's a simple "XOR cipher".)

The URI ends with the letters html.

I'll let you figure out the host yourself. Trial and error is a valid method.

  • So i tried using xoortool, but it doesnt give me back what you said, can you point me where should I use it? –  Jul 16 '18 at 12:12
  • 2
    Thanks to duskwuff's hint, you know that the URI ends with "html". So you know the ciphertext C and the message M while looking for the key K. `M XOR K = C`, XOR can be reversed easily by calculating `C XOR M = K` for every bit. Try finding the key-bits for the last 4 letter and maybe you see a pattern. Knowing plain text **and** cipher text breaks some XOR encryptions. For the host: Maybe you know a few characters of common hostname schemes? This message is so short, you can do your calculations on paper using a hex-binary-converter and an ASCII table (just did it myself). – GxTruth Jul 17 '18 at 11:15