DVWA Cryptography Low Sec - Red Team
In this final DVWA Low Sec blog post I demonstrate how to decode the secret “Encrypted” message. I also introduce how you can use CyberChef to help identify whether a string is encrypted or just encoded, by looking at its ‘randomness’ factor, or Shannon entropy.
Video
Prerequisites
If you don’t currently have a Damn Vulnerable Web Application (DVWA) instance you can follow along at home with a simple git clone & vagrant up if your host system meets the minimum specs.
Red team only deploys Opnsense, DVWA, and Kali.
Cryptography - Red Team
This is the final challenge we will be looking at today. It consists of decoding a message to get the ‘password’.
Basic Browser
Navigating to the page we are presented with the below.
Ooo look some base64, this is gonna be easy…
Decoding the base64 in CyberChef gives us the answer… sadness.
Example crypto b64 message decoded in cyberchef
Again not as easy as we thought! Back to the DVWA.
Let’s try encoding something: asdf gets encoded to FhIHDg==
In CyberChef, encoding asdf in base64 yields YXNkZg==, so something else must be happening to the string before it is base64-encoded. What makes me think it’s base64? The padding characters == or = are a signature of base64: if the encoded string doesn’t fit the required length (divisible by 4) it has to be padded with those characters, giving it away.
What might make the output look so “strange”? At first you might think an encryption algorithm, but we can test this by computing the Shannon entropy of the “cipher-text”. The higher the Shannon entropy, the more likely we are dealing with encrypted data; in this case our (albeit short) cipher-text has an entropy of 4.6.
Example crypto shannon entropy of the text
This leads me to believe it’s not encrypted, just encoded in a strange format. We can test this by encoding a longer string and observing whether the entropy changes drastically:
I thought what I'd do was, I'd pretend I was one of those deaf-mutes
Encodes to
PkEXABsCCAcGRAAJAhxUPkgLUgAYQRQJB1tPJlUAVxERDQASAQtSLVcWAhtUGAEKUgsRQRcAGwQKTxYBFgdOBQEDChw=
Example crypto shannon entropy of a longer quote
Interesting, it’s still within the acceptable range. If we instead encrypt the quote with AES-128 we get an entropy of 6.0.
Example crypto shannon entropy of a longer quote in aes
Much more entropy. So what other mechanism could cause the output data to look so strange? Let’s try XORing the data: take the encoded string as the XOR key (in Base64 format) and the original quote as the input.
Example crypto xor quote with encoded value
Interesting, we get wachtwoord repeated over and over again. Could this be the key? Add a new From Base64 operation above the XOR op, replace the input with our captured message, and change the XOR key to ‘wachtwoord’. The full recipe is here
Example crypto xor decode the cipher text
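The same analysis done in Python instead of CyberChef, as an added example that is not part of the original post: the entropy check, the known-plaintext XOR key recovery (plaintext XOR cipher-text gives back the repeating key), and the final From Base64 + XOR decode. The sample values are the post’s own quote, its encoded form and the asdf probe; the key wachtwoord is the one the post recovers.

```python
import base64
import math
from collections import Counter
from itertools import cycle

# Sample values taken from the post (the quote, its encoded form, the asdf probe).
QUOTE = b"I thought what I'd do was, I'd pretend I was one of those deaf-mutes"
ENCODED_QUOTE = (
    b"PkEXABsCCAcGRAAJAhxUPkgLUgAYQRQJB1tPJlUAVxERDQASAQtSLVcWAhtU"
    b"GAEKUgsRQRcAGwQKTxYBFgdOBQEDChw="
)
ENCODED_ASDF = b"FhIHDg=="


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 to 8.0; encrypted or random data sits near the top."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key, which is what CyberChef's XOR op does."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def recover_key(plaintext: bytes, encoded: bytes) -> bytes:
    """Known plaintext attack: plaintext XOR cipher-text yields the key stream,
    then the shortest prefix that regenerates the whole stream is the key."""
    keystream = xor_bytes(base64.b64decode(encoded), plaintext)
    for period in range(1, len(keystream) + 1):
        candidate = (keystream[:period] * len(keystream))[: len(keystream)]
        if candidate == keystream:
            return keystream[:period]
    return keystream


def decode_message(encoded: bytes, key: bytes) -> bytes:
    """The final recipe from the post: From Base64, then XOR with the key."""
    return xor_bytes(base64.b64decode(encoded), key)


if __name__ == "__main__":
    raw = base64.b64decode(ENCODED_QUOTE)
    print(f"entropy of decoded cipher-text: {shannon_entropy(raw):.2f} bits/byte")
    key = recover_key(QUOTE, ENCODED_QUOTE)
    print("recovered key:", key.decode())
    print("decoded probe:", decode_message(ENCODED_ASDF, key).decode())
```

Feeding the intercepted DVWA message to decode_message with the recovered key reproduces the CyberChef recipe above.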
Now we can try the new password.
Bonus Round
You can just place the intercepted message in the message box and hit decode, but where is the fun in that? :)
Credits
Image thanks to Nasa AS11-44-6549
Icon thanks to Encrypted data icons created by juicy_fish - Flaticon