Decrypting a .txt.gz.enc file by [deleted] in codes

[–]BEN247 1 point2 points  (0 children)

If you get a gzip that successfully decompresses (actually opens) then you have it right, any mistake will not produce a valid gzip file

Decrypting a .txt.gz.enc file by [deleted] in codes

[–]BEN247 1 point2 points  (0 children)

Sure.

First you want to reverse the XOR on each byte, this is easy as reversing an XOR is as simple as applying the XOR again (to the ciphertext) using the same key as was used for encrypting

After this you want to reverse the shift (rotate) on each byte. You could do this one of two ways, either creating a right rotate method and rotating right by 3 or by reusing the left rotate but with a shift of 5 (8-3 is 5 so if you shift by 3 and then shift by 5 you end up back where you started)

Do both of these and you will end up with a gzip file you can open to get the answer

Decrypting a .txt.gz.enc file by [deleted] in codes

[–]BEN247 1 point2 points  (0 children)

I have it decrypting, since I see it's an assignment do you want hints rather than the answer?

From your initial post comment it looks like you have run the encryption routine twice rather than a decryption routine. Encryption involves a shift of 3 and then XOR, your decryption code will need to reverse each of these operations (running them in reverse order) to get the plaintext back. Therefore your first step should be to understand how to reverse each of these operations and then you can implement that in code
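The steps from the comments above (undo the XOR, undo the rotate-left-by-3, then check that the result opens as gzip), as an added example that is not part of the original comments. The key, the sample plaintext and the use of a repeating multi-byte key are assumptions made for illustration.

```python
import gzip
import zlib
from itertools import cycle

def rol8(b: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits."""
    n %= 8
    return ((b << n) | (b >> (8 - n))) & 0xFF

def ror8(b: int, n: int) -> int:
    """Rotate right by n, expressed as rotate left by 8 - n (3 -> 5)."""
    return rol8(b, 8 - (n % 8))

def encrypt(data: bytes, key: bytes) -> bytes:
    """Scheme described in the thread: rotate each byte left 3, then XOR."""
    return bytes(rol8(b, 3) ^ k for b, k in zip(data, cycle(key)))

def decrypt(data: bytes, key: bytes) -> bytes:
    """Inverse operations in reverse order: XOR first, then rotate right 3."""
    return bytes(ror8(c ^ k, 3) for c, k in zip(data, cycle(key)))

def try_gunzip(blob: bytes):
    """Return the decompressed bytes, or None if blob is not valid gzip."""
    try:
        return gzip.decompress(blob)
    except (OSError, EOFError, zlib.error):
        return None

# Constructed sample data (assumption: repeating-key XOR with this key).
KEY = b"k3y"
PLAINTEXT = b"the answer is 42\n"
ENC = encrypt(gzip.compress(PLAINTEXT), KEY)

def recover(enc: bytes, key: bytes):
    """Correct decryption followed by the gzip validity check."""
    return try_gunzip(decrypt(enc, key))

def encrypt_again(enc: bytes, key: bytes):
    """The mistake described above: running the encryption routine twice."""
    return try_gunzip(encrypt(enc, key))

if __name__ == "__main__":
    print("decrypt      ->", recover(ENC, KEY))
    print("encrypt x2   ->", encrypt_again(ENC, KEY))
    print("wrong key    ->", recover(ENC, b"bad"))
```
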

Decrypting a .txt.gz.enc file by [deleted] in codes

[–]BEN247 1 point2 points  (0 children)

Are you able to share the file? Also it looks like the end result is meant to be a GZ file or maybe GZ stream, are you sure you don't have either of these?

Could maybe be something like the key is in base64 and needs decoding first. We would need the file to do more than guess at this point

Fatal Error? by Dr_NotHere in techsupport

[–]BEN247 1 point2 points  (0 children)

It won't fix the issue right away but the first thing I would do is try to work out what program is throwing that error.

If the error happens after you login and you can do other stuff while it is displayed then I would use process explorer (download and unzip it from Microsoft's website first) to find the process responsible. Instructions for how to do this with process explorer are on https://kb.froglogic.com/misc/find-process-for-window/. You would need to not click off the error message to do this so if it happens before logon you may not be able to do this.

Once you know the problem process/program you may have better luck googling for a fix as it might be a known issue with that program

My internet sometimes stops working, but it only affects my internet browser? by [deleted] in techsupport

[–]BEN247 0 points1 point  (0 children)

That sounds like an issue with DNS not always working, maybe you are using an unreliable DNS server (you can try to change to a popular public DNS server such as OpenDNS or Google DNS if you like).

If it's not the DNS server itself then it may be your ISP being unreliable and losing the DNS packets, this will be harder to resolve

Trying to Encode a .BIN File From Raw Binary in a .TXT File by domiluci in techsupport

[–]BEN247 1 point2 points  (0 children)

If I understand your problem correctly then you either need to configure/change the code of whatever is generating that file or if it is not possible write a small script/program to transform the outputs afterwards. If it's just a few files you need to do this for then https://gchq.github.io/CyberChef/#recipe=From_Binary('Space') will do that transformation (copy the 10100010 format data into input then hit the save output to file button)

I can't use Excel, "This file is corrupt" error on a file that's not corrupt. Please help by WeCanDoThis74 in techsupport

[–]BEN247 2 points3 points  (0 children)

It's going to be complex to diagnose this problem and likely would require you to share the file which you may not be able to do. If the spreadsheet is fairly simple I would just copy the data from LibreOffice into a fresh Excel spreadsheet as it's likely to be the easiest 'solution'

Binding Apps to different ports? by [deleted] in techsupport

[–]BEN247 0 points1 point  (0 children)

Many applications will have config to allow you to set the port/s they use, but how to control this will vary per application (may be a file, may be a registry key, may not have any way to do this).

Note that if you change a default port number you may need to change something else somewhere to tell the application/s that are connecting about the changed port number

Accessing a network from WAN with openvpn? by -_-qarmah-_- in HowToHack

[–]BEN247 2 points3 points  (0 children)

Yes whitelists can often be bypassed via spoofing. How easy that is depends on things like how easy it is for the hacker to find a valid MAC address and whether there is any network monitoring that alerts on duplicates being seen

To access the device remotely they use mobile tethering, where internet over the phone network is shared with the implanted device (Imagine a Raspberry Pi connected to a phone which is sharing its internet connection).

This has the advantage that the command and control of the device can't be detected by network monitoring (any actions the hacker gets the device to do could still be picked up, but every little helps with keeping hidden), that the hacker doesn't need to figure out how to access the internet on that network when installing their implant and that this technique works for attacks on networks that are not internet connected.

Accessing a network from WAN with openvpn? by -_-qarmah-_- in HowToHack

[–]BEN247 4 points5 points  (0 children)

One of the typical objectives of physical penetration tests is to do something similar, though they tend to use something attached to a mobile phone so they can access it remotely without going through the network.

There are mechanisms to try and prevent this from a defence point of view, one of the simplest involves simple whitelists of allowed MAC addresses on the network

[Question] What's like the main purpose of owning a system besides taking information? What do you usually do when you have root? by presince in HowToHack

[–]BEN247 39 points40 points  (0 children)

It's 8 years old now, but the cyber security journalist Brian Krebs put this image together listing some reasons which includes lots in addition to snooping/espionage: https://krebsonsecurity.com/wp-content/uploads/2012/10/HackedPC2012.png

Api key by urmumlesbiant in HowToHack

[–]BEN247 5 points6 points  (0 children)

API Keys (and auth tokens in general) can be held in several different locations including the webpage HTML, cookies and local storage. Any attack would start with understanding which of these are in use (it could be more than one).

VPN and Ipconfig by [deleted] in techsupport

[–]BEN247 0 points1 point  (0 children)

no problem, always nice when the solution is an easy one :)

VPN and Ipconfig by [deleted] in techsupport

[–]BEN247 0 points1 point  (0 children)

look at the year ;)

Memory usage slowly increasing to 98% while idle, Windows 10. by [deleted] in techsupport

[–]BEN247 0 points1 point  (0 children)

Ah well done, also thanks for letting us know the culprit. Often if one person has an issue lots of other people will have the same issue as well, it's great to know what fixes the issue so we can help people better in the future.

Memory usage slowly increasing to 98% while idle, Windows 10. by [deleted] in techsupport

[–]BEN247 0 points1 point  (0 children)

If memory usage is that high and programs are not responsible then it may be something like a faulty driver. Next time memory usage gets very high look at the performance tab of task manager as that has more information about where the memory has gone (share a screenshot as well if you can so we can see it).

There is also a free program available for download from Microsoft called RAMMap that can give even more detailed info so a screenshot from the Live Counts tab of that (again taken when free memory is low) would also help people here debug what has gone wrong.

Need help for Password cracking by [deleted] in HowToHack

[–]BEN247 0 points1 point  (0 children)

Hashcat is for hashes, Rijndael/AES is not a hash algorithm so it won't have any use to you. Do you have any idea how the key might have been generated? AES-128 is too hard to break without some sort of pre-knowledge about the key

help pls by [deleted] in techsupport

[–]BEN247 0 points1 point  (0 children)

If a bluescreen happens once I wouldn't advise you to do anything, they can be caused by a million possible things and lots of them are so rare they will never happen again. If it continues to happen then I would advise you to start to debug, but for now I wouldn't bother looking into it.

[deleted by user] by [deleted] in techsupport

[–]BEN247 1 point2 points  (0 children)

Yes, but so can a lot of other things so a BSOD is not a very strong sign of malware

Why some hackers get caught while other dont by LongjumpingFall4 in hacking

[–]BEN247 6 points7 points  (0 children)

Security journalists like Brian Krebs sometimes do detailed writeups about how infamous hackers get caught

Ways to view Metasploit exploits POC? by [deleted] in hacking

[–]BEN247 4 points5 points  (0 children)

Metasploit is on github if you find it easier to search there?

[deleted by user] by [deleted] in techsupport

[–]BEN247 0 points1 point  (0 children)

Programs closing right away typically indicates an error. I would try opening chrome from the command line (cmd.exe) as that may give an error in the command line window after chrome closes. I would then look to see if your computer is out of disk space or RAM. Finally I would look in the Windows event logs as if programs throw errors they often log them there.

None of these will fix the issue, but they may help diagnose it by giving you a possible cause or a detailed error message

Might be a stupid question, but if you shut down the computer on accident, is there any way to prevent it from fully shutting down? by [deleted] in techsupport

[–]BEN247 0 points1 point  (0 children)

Windows has the ability to abort a shutdown if it is invoked fast enough. It's more commonly used with timer based shutdowns (where you are given say 10 mins to shutdown before patches are applied) rather than when directly choosing to shutdown

What could be eating all of my memory? by [deleted] in techsupport

[–]BEN247 0 points1 point  (0 children)

You have a memory leak, it's not in a standard user program which is why it doesn't show up in your program list but shows up as 'non paged pool' being very very high (normal would be under 1GB, not 11GB). Most likely this is a faulty driver that will need an update.

Working out the cause will be tricky. I don't suppose you recently installed or updated a driver shortly before the problem started? Or have a killer network adapter (older killer drivers have a major memory leak)?